Closed fukusuket closed 3 months ago
fukusuket
commented
3 months ago Specification memo:
Provider_Name optionalProvider_Name(It is preferable to have one yaml file)ExtraFieldInfo (csv/json)fukusuket
commented
3 months ago
- Do not output the value before field value conversion to ExtraFieldInfo (csv/json)
I have looked into the feasibility of implementation and it does not appear to be easy to achieve π€ The main reasons are the following two points:
Data field is an array (not simple key value)Details and ExtraFieldInfo is a bit complicated
@YamatoSecurity
I think I'm going to create the issue of output to ExtraFieldInfo as a separate issue and hold off on implementation, what do you think?
YamatoSecurity
commented
3 months ago @fukusuket I see, sure, we can hold off on the implementation for now. I'm thinking it might be better to save the Data fields as different fields instead of in an array for JSON. For example: Data-1, Data-2, etc... This way it will be easier to deal with when importing records into elastic stack, etc...
fukusuket
commented
3 months ago @YamatoSecurity
Do not output the value before field value conversion to ExtraFieldInfo (csv/json)
Sorry many times, I looked into it more and found how to implement this just now(though my current implementation is even more complicated...π). I'll create PR.
I see, It would be nice if eliminating Array would make it easier to integrate with things like ElasticSearch :)
Currently, the field mapping feature does not support following point:
Provider_namematchingProvider_names, we need to convert the field value only when theProvider_namematches.(in addition toChannel,EventID)Data[x]notation filed mappingWe want to support following rule/field conversion, so I'll implement above point.