Hortonworks Docs » Hortonworks Cybersecurity Platform 1.8.0 » Enriching Telemetry Events
Enriching Telemetry Events
Also available as:
PDF

Map Fields to HBase Enrichments Using CLI

As an alternative to using the HCP Management user interface to map fields to HBase enrichment, you can use the CLI.

  1. Edit the new data source enrichment configuration at $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE to associate the ip_src_addr with the user enrichment: 
    {
  "index" : "squid",
  "batchSize" : 1,
  "enrichment" : {
    "fieldMap" : {
      "hbaseEnrichment" : [ "ip_src_addr" ]
    },
    "fieldToTypeMap" : {
      "ip_src_addr" : [ "whois" ]
    },
    "config" : { }
  },
  "threatIntel" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { },
    "triageConfig" : {
      "riskLevelRules" : { },
      "aggregator" : "MAX",
      "aggregationConfig" : { }
    }
  },
  "configuration" : { }
}
  2. Push this configuration to ZooKeeper: 
    $METRON_HOME/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i $METRON_HOME/zookeeper

After you finish enriching telemetry events, you should ensure that the enriched data is displaying on the Metron dashboard.

© 2012–2019, Hortonworks, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.
Hortonworks.com | Documentation | Support | Community