There'll be a JIRA and a PR tonight ;) It sprung from the keyboard. I've
been waiting for a good reason for some time. heh
On Thu, Apr 6, 2017 at 8:08 PM, Otto Fowler <ottobackwa...@gmail.com> wrote:
> Is there a Jira for the MAP Casey?
>
>
> On April 6, 2017 at 14:07:15, Casey Stella (ceste...@gmail.com) wrote:
>
> Ok, so yeah, you've hit upon a limitation currently. Right now, via
> Stellar you can use ENRICHMENT_GET which takes the following parameters:
>
> - enrichment_type - The enrichment type
> - indicator - The string indicator to look up
> - hbase_table - The HBase Table to use
> - column_family - The Column Family to use
>
> Right now we only accept a string for the indicator (which likely would be
> your user_id). You'd probably like to call ENRICHMENT_GET for each id in
> the user_id variable. We can't quite do that yet. There has been some
> talk about a MAP function created where you can apply a stellar function
> across a list of values. i.e. MAP( user_id, @ENRICHMENT_GET('et', $,
> 'enrichments', 't')) which would return a list containing the output of
> ENRICHMENT_GET for each call.
>
> There is another, more immediate change that could be made for this
> specific case. We could enable ENRICHMENT_GET to take a list of indicators
> as the second argument.
>
> Sorry, that doesn't exactly solve your problem in the immediate-case, but
> it provides some context for future fixes. ;) I don't suppose you know the
> length of the list beforehand, right? Even the maximum size?
>
> Casey
>
>
> On Sun, Apr 2, 2017 at 10:26 AM, Ali Nazemian <alinazem...@gmail.com>
> wrote:
>
>> Hi all,
>>
>>
>> I was wondering how I can achieve the following use case in the current
>> version of Metron?
>>
>>
>>
>> I want to have attributes in the Metron JSON object that are an array.
>> For example, if a threat is impacting multiple users, they are all
>> contained in an attribute (e.g. user_id:[id1, id2, id3]). Now if I want
>> to enrich the event with data that requires the user_id as a key in
>> enrichment stored in HBASE, how would I do this?
>>
>>
>> Cheers,
>> Ali
>>
>
>
