There'll be a JIRA and a PR tonight ;) It sprung from the keyboard. I've been waiting for a good reason for some time. heh
On Thu, Apr 6, 2017 at 8:08 PM, Otto Fowler <ottobackwa...@gmail.com> wrote: > Is there a Jira for the MAP Casey? > > > On April 6, 2017 at 14:07:15, Casey Stella (ceste...@gmail.com) wrote: > > Ok, so yeah, you've hit upon a limitation currently. Right now, via > Stellar you can use ENRICHMENT_GET which takes the following parameters: > > - enrichment_type - The enrichment type > - indicator - The string indicator to look up > - hbase_table - The HBase Table to use > - column_family - The Column Family to use > > Right now we only accept a string for the indicator (which likely would be > your user_id). You'd probably like to call ENRICHMENT_GET for each id in > the user_id variable. We can't quite do that yet. There has been some > talk about a MAP function created where you can apply a stellar function > across a list of values. i.e. MAP( user_id, @ENRICHMENT_GET('et', $, > 'enrichments', 't')) which would return a list containing the output of > ENRICHMENT_GET for each call. > > There is another, more immediate change that could be made for this > specific case. We could enable ENRICHMENT_GET to take a list of indicators > as the second argument. > > Sorry, that doesn't exactly solve your problem in the immediate-case, but > it provides some context for future fixes. ;) I don't suppose you know the > length of the list beforehand, right? Even the maximum size? > > Casey > > > On Sun, Apr 2, 2017 at 10:26 AM, Ali Nazemian <alinazem...@gmail.com> > wrote: > >> Hi all, >> >> >> I was wondering how I can achieve the following use case in the current >> version of Metron? >> >> >> >> I want to have attributes in the Metron JSON object that are an array. >> For example, if a threat is impacting multiple users, they are all >> contained in an attribute (e.g. user_id:[id1, id2, id3]). Now if I want >> to enrich the event with data that requires the user_id as a key in >> enrichment stored in HBASE, how would I do this? >> >> >> Cheers, >> Ali >> > >