metron-dev mailing list archives

From JonZeolla <...@git.apache.org>
Subject [GitHub] incubator-metron pull request #326: Update the bro_index elasticsearch templ...
Date Wed, 26 Oct 2016 03:12:14 GMT
GitHub user JonZeolla opened a pull request:

    https://github.com/apache/incubator-metron/pull/326

    Update the bro_index elasticsearch template to index *_body_len properly

    ## Problem
    
    [METRON-510](https://issues.apache.org/jira/browse/METRON-510)
    
    The bro *_body_len fields in [HTTP::Info](https://www.bro.org/sphinx/scripts/base/protocols/http/main.bro.html#type-HTTP::Info) can exceed the range of an int, and so writing to ElasticSearch fails with the following exception:
    ```
    MapperParsingException[failed to parse [response_body_len]]; nested: JsonParseException[Numeric value (9876543210) out of range of int
    ```
    
    ## Solution
    
    I updated the bro_index elasticsearch template to use a datatype of `long` for {request,response}_body_len, as opposed to an `integer`.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/JonZeolla/incubator-metron master

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-metron/pull/326.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #326
    
----
commit d8efbf7af37a0a03131c7baaed74f197abc4f1de
Author: Jon Zeolla <zeolla@gmail.com>
Date:   2016-10-24T13:29:21Z

    Update the bro_index elasticsearch template to use a datatype of long for {request,response}_body_len

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
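
An added example, not part of the pull request or of Metron's code: a pre-indexing check that finds values an `integer` mapping cannot hold, then widens those fields to `long` as the pull request describes. The template fragment, the doc type name `example_doc`, the `status_code` field, the helper names, and the sample record are constructed for illustration; only the field names `request_body_len`/`response_body_len` and the value 9876543210 come from the message above.

```python
import copy

# Signed 32-bit range of an Elasticsearch `integer` field.
INT_MIN, INT_MAX = -2**31, 2**31 - 1

# Constructed "before" template fragment (not copied from Metron's bro_index).
TEMPLATE_BEFORE = {
    "mappings": {"example_doc": {"properties": {
        "request_body_len": {"type": "integer"},
        "response_body_len": {"type": "integer"},
        "status_code": {"type": "integer"},
    }}}
}

# Constructed Bro HTTP record using the value from the exception above.
RECORD = {"request_body_len": 0, "response_body_len": 9876543210, "status_code": 200}

def integer_fields(template):
    """Return the names of all fields mapped as `integer` in any doc type."""
    names = set()
    for doc_type in template.get("mappings", {}).values():
        for field, spec in doc_type.get("properties", {}).items():
            if spec.get("type") == "integer":
                names.add(field)
    return names

def overflowing_fields(template, record):
    """Return {field: value} for values an `integer` mapping would reject."""
    bad = {}
    for field in integer_fields(template):
        value = record.get(field)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, int) and not isinstance(value, bool):
            if not INT_MIN <= value <= INT_MAX:
                bad[field] = value
    return bad

def widen_to_long(template, fields):
    """Return a copy of the template with the named fields typed as `long`."""
    fixed = copy.deepcopy(template)
    for doc_type in fixed["mappings"].values():
        for field in fields:
            if field in doc_type.get("properties", {}):
                doc_type["properties"][field]["type"] = "long"
    return fixed

if __name__ == "__main__":
    print("rejected by integer mapping:", overflowing_fields(TEMPLATE_BEFORE, RECORD))
    after = widen_to_long(TEMPLATE_BEFORE, ["request_body_len", "response_body_len"])
    print("rejected after widening:", overflowing_fields(after, RECORD))
```

Running a check like this against sampled sensor output before deploying a template shows which fields would cause whole documents to be rejected at index time, which in a security data pipeline means missing events rather than truncated ones.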
