Ok, so yeah, you've hit upon a limitation currently.  Right now, via
Stellar you can use ENRICHMENT_GET which takes the following parameters:

   - enrichment_type - The enrichment type
   - indicator - The string indicator to look up
   - hbase_table - The HBase Table to use
   - column_family - The Column Family to use

Right now we only accept a string for the indicator (which likely would be
your user_id).  You'd probably like to call ENRICHMENT_GET for each id in
the user_id variable.  We can't quite do that yet.  There has been some
talk about a MAP function created where you can apply a Stellar function
across a list of values.  i.e. MAP( user_id, @ENRICHMENT_GET('et', $,
'enrichments', 't')) which would return a list containing the output of
ENRICHMENT_GET for each call.

There is another, more immediate change that could be made for this
specific case.  We could enable ENRICHMENT_GET to take a list of indicators
as the second argument.

Sorry, that doesn't exactly solve your problem in the immediate case, but
it provides some context for future fixes. ;)  I don't suppose you know the
length of the list beforehand, right?  Even the maximum size?

Casey


On Sun, Apr 2, 2017 at 10:26 AM, Ali Nazemian <alinazem...@gmail.com> wrote:

> Hi all,
>
>
> I was wondering how I can achieve the following use case in the current
> version of Metron?
>
>
>
> I want to have attributes in the Metron JSON object that are an array.
> For example, if a threat is impacting multiple users, they are all
> contained in an attribute (e.g. user_id:[id1, id2, id3]). Now if I want
> to enrich the event with data that requires the user_id as a key in
> enrichment stored in HBase, how would I do this?
>
>
> Cheers,
> Ali
>
