metron-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kyle Richardson <>
Subject Stellar field transformations cannot use input fields with dashes
Date Sun, 09 Apr 2017 18:26:47 GMT
So, I learned something the hard way today and thought I would share. I'm
sure most of you already knew this but here goes.

It turns out that, while you can use message field names with dashes in
them (e.g. cs-host) you cannot perform Stellar operations with them. In my
case, this was a field transformation but I'm assuming it would apply to
other uses of Stellar as well. Looking at it after the fact, it makes a lot
more sense, but it took me a while to realize that the dashes in the field
name were being treated as a minus in Stellar, thus returning zero for the
string operations I was trying to perform.

Example field transform config:
"fieldTransformations": [
    "transformation": "STELLAR",
    "output": ["proto"],
    "config": {
      "proto": "TO_UPPER(cs-uri-scheme)"

Example message:
    "cs-host": "",
    "cs-uri-scheme": "http",
    "s-action": "TCP_HIT",
    "timestamp": 1491759661030,
    "proto": "0"

My solution, change the field names to not contain dashes and everything
works as expected :).

Lesson learned; read the docs carefully. It clearly states in the README
that '-' is a reserved keyword. Sharing this to save someone else like me a
little time.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message