Hortonworks Cybersecurity Platform

Selecting Profile Measurements

The PROFILE_GET command allows you to select all of the profile measurements written.

This command takes the following arguments:

REQUIRED:

profile

The name of the profile

entity

The name of the entity

periods

The list of profile periods to grab. These are ProfilePeriod objects. This field is generally the output of another Stellar function which defines the times to include.

OPTIONAL:

groups_list

List (in square brackets) of groupBy values used to filter the profile. Default is an empty list, which means that groupBy was not used when creating the profile. This list must correspond to the 'groupBy' list used in profile creation.

The groups_list argument in the client must exactly correspond to the groupBy configuration in the profile definition. If groupBy was not used in the profile, groups_list must be empty in the client. If groupBy was used in the profile, then the client groups_list is not optional; it must be the same length as the groupBy list, and specify exactly one selected group value for each groupBy criterion, in the same order. For example:

If in Profile, the groupBy criteria are: [ "DAY_OF_WEEK()", "URL_TO_PORT()" ]
Then in PROFILE_GET, an allowed groups value would be: [ "3", "8080" ]
which will select only records from Tuesdays with port number 8080.

config_overrides

Map (in curly braces) of name:value pairs, each overriding the global config parameter of the same name. Default is the empty Map, meaning no overrides.

Note

There is an older calling format where groups_list is specified as a sequence of group names, "varargs" style, instead of a List object. This format is still supported for backward compatibility, but it is deprecated, and it is disallowed if the optional config_overrides argument is used.

By default, the Profiler creates profiles with a period duration of 15 minutes. This means that data is accumulated, summarized, and flushed every 15 minutes. The Client API must also have knowledge of this duration to correctly retrieve the profile data. If the Client is expecting 15 minute periods, it will not be able to read data generated by a Profiler that was configured for 1 hour periods, and will return zero results.

Similarly, all six Client configuration parameters listed in the table below must match the Profiler configuration parameter settings from the time the profile was created. The period duration and other configuration parameters for the Profiler topology are stored on the local file system in $METRON_HOME/config/profiler.properties. To configure the Stellar Client API correspondingly, set the following properties in HCP's global configuration, in $METRON_HOME/config/zookeeper/global.json on the local file system, and then upload it to ZooKeeper (at /metron/topology/global) by using zk_load_configs.sh:

```
$ cd $METRON_HOME
$ bin/zk_load_configs.sh -m PUSH -i config/zookeeper/ -z node1:2181
```

Any of these six Client configuration parameters may be overridden at run time using the config_overrides Map argument in PROFILE_GET. The primary use case for overriding the client configuration parameters is when historical profiles have been created with a different Profiler configuration than is currently configured, and the analyst, needing to access them, does not want to change the global Client configuration so as not to disrupt the work of other analysts working with current profiles.

Table 1. Profiler Client Configuration Parameters

| Key | Description | Required | Default |
|---|---|---|---|
| profiler.client.period.duration | The duration of each profile period. This value should be defined along with profiler.client.period.duration.units. | Optional | 15 |
| profiler.client.period.duration.units | The units used to specify the profile period duration. This value should be defined along with profiler.client.period.duration. | Optional | MINUTES |
| profiler.client.hbase.table | The name of the HBase table used to store profile data. | Optional | profiler |
| profiler.client.hbase.column.family | The name of the HBase column family used to store profile data. | Optional | P |
| profiler.client.salt.divisor | The salt divisor used to store profile data. | Optional | 1000 |
| hbase.provider.impl | The name of the HBaseTableProvider implementation class. | Optional | |
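
A consistency check for the matching requirement described above, as an added example (not HCP's own code): it compares profiler.properties against the Table 1 client keys in global.json, applying the table's defaults for absent keys, so a mismatch is caught before PROFILE_GET silently returns zero results. The Profiler-side property names in KEY_MAP and the sample inputs are assumptions; confirm the names against your own profiler.properties.

```python
import json

# Client key (Table 1) -> (Profiler-side key, client default from Table 1).
# The Profiler-side key names are assumptions; confirm them in profiler.properties.
KEY_MAP = {
    "profiler.client.period.duration": ("profiler.period.duration", "15"),
    "profiler.client.period.duration.units": ("profiler.period.duration.units", "MINUTES"),
    "profiler.client.hbase.table": ("profiler.hbase.table", "profiler"),
    "profiler.client.hbase.column.family": ("profiler.hbase.column.family", "P"),
    "profiler.client.salt.divisor": ("profiler.hbase.salt.divisor", "1000"),
    "hbase.provider.impl": ("hbase.provider.impl", None),  # no default listed in Table 1
}


def parse_properties(text):
    """Parse simple key=value lines, skipping blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_mismatches(properties_text, global_json_text):
    """Return {client_key: (profiler_value, effective_client_value)} per disagreement."""
    profiler = parse_properties(properties_text)
    client = json.loads(global_json_text)
    mismatches = {}
    for client_key, (profiler_key, default) in KEY_MAP.items():
        effective = client.get(client_key, default)
        if profiler_key not in profiler or effective is None:
            continue  # nothing to compare on one side
        if profiler[profiler_key] != str(effective):
            mismatches[client_key] = (profiler[profiler_key], str(effective))
    return mismatches


# Constructed sample inputs: a Profiler flushing hourly, a client left on its defaults.
SAMPLE_PROPERTIES = "profiler.period.duration=1\nprofiler.period.duration.units=HOURS\nprofiler.hbase.table=profiler\n"
SAMPLE_GLOBAL = '{"profiler.client.hbase.table": "profiler"}'

if __name__ == "__main__":
    for key, (want, have) in find_mismatches(SAMPLE_PROPERTIES, SAMPLE_GLOBAL).items():
        print(f"{key}: Profiler={want!r} client={have!r}")
```

Any key it reports is a candidate for either a global.json change or a per-call config_overrides entry in PROFILE_GET.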