metron-dev mailing list archives

From Otto Fowler <ottobackwa...@gmail.com>
Subject Re: Post-parsing and Enrichment test framework
Date Sat, 08 Jul 2017 13:25:17 GMT
Hi Ali,

Would you consider creating a jira with some test framework requirement
ideas based on your experience
using GetProfileTest?



On July 8, 2017 at 07:11:53, Ali Nazemian (alinazemian@gmail.com) wrote:

Hi Nick,

Something like GetProfileTest is exactly what I am looking for. Although
following this test case is good enough at this step, it would be great if
a test-framework can be implemented to make that easier. Probably it is not
a very critical requirement, but it would be nice to have it.

Cheers,
Ali

On Sat, Jul 8, 2017 at 1:02 AM, Nick Allen <nick@nickallen.org> wrote:

> >
> > Is there any other approach to check
> > that through writing Java test-cases? Writing test-cases would be easier
> > for keeping track of changes.
>
>
> While the Shell is great, it does not serve as an automated, repeatable
> test case.
>
> An alternative approach along these lines, is to create your own JUnit test
> cases that leverage a Stellar executor to execute arbitrary expressions and
> validate the result. This is what we do in any unit tests for Stellar
> functions. For example, see `GetProfileTest` that tests the Profiler's
> `PROFILE_GET` function.
>
> Do you think these examples get you 80% there?
>
>
>
>
>
>
>
> On Fri, Jul 7, 2017 at 10:54 AM, Nick Allen <nick@nickallen.org> wrote:
>
> > For experimenting or validating specific Stellar expressions, the Stellar
> > Shell is perfect. To do this, you just have to remember that when your
> > Stellar expressions execute all of the fields of the message are in-scope.
> >
> > For example, here is a quick session where I mock-up some logic that sends
> > a message to Triage if a hypothetical "count" field is greater than 22. In
> > this example, I expect my telemetry to look like the following.
> >
> > {
> > "ip_src_addr": "10.0.0.2",
> > "ip_dst_addr": "10.0.0.3",
> > "ip_src_port": "22",
> > "ip_dst_port": "12345",
> > "source.type": "bro",
> > "count": "22"
> > }
> >
> >
> > Like I said, when my Stellar expression executes each of the fields from
> > the message are in-scope as variables. To replicate this in the shell, all
> > I have to do is create those variables as I would expect them to exist in
> > the telemetry.
> >
> > [Stellar]>>>
> > [Stellar]>>> ip_src_addr := "10.0.0.2"
> > [Stellar]>>> ip_dst_addr := "10.0.0.3"
> > [Stellar]>>> ip_src_port := 22
> > [Stellar]>>> ip_dst_port := 12345
> > [Stellar]>>> source.type := "bro"
> > [Stellar]>>> count := 22
> > [Stellar]>>> is_alert := if count > 22 then true else false
> > [Stellar]>>> is_alert
> >
> > false
> >
> > This session helped me validate the `is_alert` expression that I will add
> > as an enrichment expression.
> >
> > Hope that answered at least some of your questions.
> >
> >
> >
> >
> > On Tue, Jul 4, 2017 at 10:23 AM, Ali Nazemian <alinazemian@gmail.com>
> > wrote:
> >
> >> Hi Simon,
> >>
> >> Yeah, it does, but we are looking for a way to mock a specific message and
> >> check some post-parse/enrichments stuff. Is that achievable via Stellar
> >> shell? Right now we are checking that either through end-to-end testing,
> >> or changing flux files to check them section by section. Unfortunately,
> >> both approaches are time-consuming. We are using the Stellar shell for only
> >> checking the validity of Stellar functions one by one right now.
> >>
> >> Suppose there is an approach we can define a JSON object as an output of a
> >> parser. Then, we can apply a set of post-parsing and enrichment process on
> >> that JSON object and check the output. Is that achievable via Stellar
> >> shell? Do you have any sample that we can follow to understand Stellar
> >> shell capabilities for this scenario? Is there any other approach to check
> >> that through writing Java test-cases? Writing test-cases would be easier
> >> for keeping track of changes.
> >>
> >> Cheers,
> >> Ali
> >>
> >>
> >> On Wed, Jul 5, 2017 at 12:06 AM, Simon Elliston Ball <
> >> simon@simonellistonball.com> wrote:
> >>
> >> > You should probably use the Stellar REPL (../metron/bin/stellar -z $ZK)
> >> > which gives you a kind of Stellar playground.
> >> >
> >> > Simon
> >> >
> >> > > On 4 Jul 2017, at 15:02, Ali Nazemian <alinazemian@gmail.com> wrote:
> >> > >
> >> > > Hi all,
> >> > >
> >> > > I was wondering if there is a test framework we can use for Stellar
> >> > > post-parsing and enrichment use cases. It is very time-consuming to
> >> > > verify use cases end-to-end. Therefore, I am looking for a way of
> >> > > mocking use cases step by step to speed up our development.
> >> > >
> >> > > Regards,
> >> > > Ali
> >> >
> >> >
> >>
> >>
> >> --
> >> A.Nazemian
> >>
> >
> >
>



-- 
A.Nazemian
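
The JUnit approach discussed in the thread, applied to the `is_alert` expression from the shell session, as an added example that is not part of the original messages or of the Metron code base. It assumes JUnit 4 and the Stellar classes `StellarProcessor`, `MapVariableResolver`, `StellarFunctions` and `Context` under the `org.apache.metron.stellar.*` packages (older releases keep them under `org.apache.metron.common.*`); the class and helper names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.metron.stellar.common.StellarProcessor;
import org.apache.metron.stellar.dsl.Context;
import org.apache.metron.stellar.dsl.MapVariableResolver;
import org.apache.metron.stellar.dsl.StellarFunctions;
import org.junit.Assert;
import org.junit.Test;

// Added example: package names above are an assumption and differ between
// Metron releases; adjust the imports to the version on your classpath.
public class IsAlertExpressionTest {

  // The enrichment expression validated in the shell session in the thread.
  private static final String IS_ALERT = "if count > 22 then true else false";

  // Constructed message with the fields from the thread. The JSON in the thread
  // shows string values while the shell session assigns numbers; this fixture
  // follows the shell session. Use the types your parser actually emits.
  private static Map<String, Object> message(int count) {
    Map<String, Object> m = new HashMap<>();
    m.put("ip_src_addr", "10.0.0.2");
    m.put("ip_dst_addr", "10.0.0.3");
    m.put("ip_src_port", 22);
    m.put("ip_dst_port", 12345);
    m.put("source.type", "bro");
    m.put("count", count);
    return m;
  }

  // Evaluates one expression with every message field in scope as a variable.
  private static Object run(String expression, Map<String, Object> message) {
    StellarProcessor processor = new StellarProcessor();
    return processor.parse(expression, new MapVariableResolver(message),
        StellarFunctions.FUNCTION_RESOLVER(), Context.EMPTY_CONTEXT());
  }

  @Test
  public void countAtThresholdDoesNotAlert() {
    Assert.assertEquals(Boolean.FALSE, run(IS_ALERT, message(22)));
  }

  @Test
  public void countAboveThresholdAlerts() {
    Assert.assertEquals(Boolean.TRUE, run(IS_ALERT, message(23)));
  }
}
```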
