metron-dev mailing list archives

From Kyle Richardson <kylerichards...@gmail.com>
Subject [DISCUSS] Parsing messages without IP addresses
Date Sun, 18 Sep 2016 17:05:00 GMT
All,

I've run into an edge case while working on METRON-363
<https://issues.apache.org/jira/browse/METRON-363>. There are some log
events which do not contain IP addresses and thus cannot be fully
normalized into the standard Metron JSON fields.

What are folks' thoughts on how to handle this situation? (Or how have you
handled it in other, existing parsers?) We could omit the fields, write
them out as nulls, or not continue processing the events at all.

I'm interested in your feedback. It seems to me that we would want all the
events to be indexed/persisted for long-term archival; however, currently
enrichment relies heavily on IP addresses.

What do you think?

Thanks,
Kyle
