Martin,
as pointed out on the Security Onion mailing list
(https://groups.google.com/forum/#!topic/security-onion/6nXu_vDWI4U) I was asking
myself if this documentation is correct:
https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#Adding_Parsers
Given that the "fields" table has "UNIQUE KEY `field` (`field`,`field_type`)",
it might happen that the query below fails because the inner subquery returns
more than one result:
INSERT INTO fields_classes_map (class_id, field_id, field_order)
VALUES ((SELECT id FROM classes WHERE class="NEWCLASS"),
        (SELECT id FROM fields WHERE field="dstip"),
        7);
Don't you think it would be better to change the UNIQUE KEY to "field" only, or
to change the documentation so that both "field" and "field_type" are used in the
WHERE clause (like below)?
INSERT INTO fields_classes_map (class_id, field_id, field_order)
VALUES ((SELECT id FROM classes WHERE class="NEWCLASS"),
        (SELECT id FROM fields WHERE field="dstip" AND field_type="int"),
        7);
Original issue reported on code.google.com by and...@de-pasquale.name on 5 Dec 2014 at 4:36
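The failure mode described in this issue, worked through as an added example that is not part of the original report or of the ELSA code base. The schema below is a simplified, constructed stand-in for the `classes`, `fields` and `fields_classes_map` tables, keeping only the columns the report mentions and the `UNIQUE (field, field_type)` constraint. It uses SQLite so it runs offline; note that MySQL aborts the documented INSERT with error 1242 ("Subquery returns more than 1 row") when the inner subquery matches two `dstip` rows, whereas SQLite silently takes the first row, so the example checks the match count explicitly before inserting and uses the two-column WHERE clause proposed above.

```python
import sqlite3

# Constructed, simplified schema; the real ELSA tables have more columns.
SCHEMA = """
CREATE TABLE classes (
    id INTEGER PRIMARY KEY,
    class TEXT NOT NULL UNIQUE
);
CREATE TABLE fields (
    id INTEGER PRIMARY KEY,
    field TEXT NOT NULL,
    field_type TEXT NOT NULL,
    UNIQUE (field, field_type)      -- same uniqueness rule as in the report
);
CREATE TABLE fields_classes_map (
    class_id INTEGER NOT NULL,
    field_id INTEGER NOT NULL,
    field_order INTEGER NOT NULL
);
"""


def build_db():
    """Create an in-memory database seeded with constructed sample rows.

    'dstip' deliberately exists twice (as 'int' and as 'string'), which the
    UNIQUE (field, field_type) key permits; that is the ambiguity at issue.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO classes (class) VALUES ('NEWCLASS')")
    conn.executemany(
        "INSERT INTO fields (field, field_type) VALUES (?, ?)",
        [("dstip", "int"), ("dstip", "string"), ("srcport", "int")],
    )
    conn.commit()
    return conn


def ambiguous_fields(conn):
    """Return {field: row_count} for every field name that appears more than once.

    Any field listed here would make the documented single-column subquery
    (WHERE field="...") non-scalar.
    """
    rows = conn.execute(
        "SELECT field, COUNT(*) FROM fields GROUP BY field HAVING COUNT(*) > 1"
    ).fetchall()
    return {field: count for field, count in rows}


def map_field(conn, class_name, field, field_type, field_order):
    """Map a field to a class using the two-column WHERE clause.

    Verifies that exactly one fields row matches before running the INSERT,
    so a missing or duplicated field is reported instead of producing a wrong
    or failed mapping. Returns the mapped field id.
    """
    matches = conn.execute(
        "SELECT id FROM fields WHERE field = ? AND field_type = ?",
        (field, field_type),
    ).fetchall()
    if len(matches) != 1:
        raise LookupError(
            f"expected exactly one fields row for ({field}, {field_type}), "
            f"found {len(matches)}"
        )
    conn.execute(
        "INSERT INTO fields_classes_map (class_id, field_id, field_order) "
        "VALUES ((SELECT id FROM classes WHERE class = ?), "
        "        (SELECT id FROM fields WHERE field = ? AND field_type = ?), ?)",
        (class_name, field, field_type, field_order),
    )
    conn.commit()
    return matches[0][0]


def mapped_field_ids(conn, class_name):
    """Return the field ids mapped to a class, ordered by field_order."""
    rows = conn.execute(
        "SELECT m.field_id FROM fields_classes_map m "
        "JOIN classes c ON c.id = m.class_id "
        "WHERE c.class = ? ORDER BY m.field_order",
        (class_name,),
    ).fetchall()
    return [field_id for (field_id,) in rows]


if __name__ == "__main__":
    db = build_db()
    print("ambiguous field names:", ambiguous_fields(db))
    print("mapped field id:", map_field(db, "NEWCLASS", "dstip", "int", 7))
    print("NEWCLASS mappings:", mapped_field_ids(db, "NEWCLASS"))
```

Running the block prints `{'dstip': 2}` for the ambiguity check, which is exactly the condition under which the documentation's one-column subquery breaks on MySQL; qualifying the subquery with `field_type` (or running the count check first, as `map_field` does) makes the mapping deterministic.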