...
We now have to configure which element of a tuple should be enriched with which enrichment type. This configuration will be stored in ZooKeeper.
- Log in to $HOST_WITH_ENRICHMENT_TAG as the root user
- Cut and paste the following into a file called "enrichment_config_temp.json" (make sure to set ZOOKEEPER_HOST to your specific value)
  {
    "zkQuorum" : "$ZOOKEEPER_HOST:2181",
    "sensorToFieldList" : {
      "squid" : {
        "type" : "ENRICHMENT",
        "fieldToEnrichmentTypes" : {
          "domain_without_subdomains" : [ "whois" ]
        }
      }
    }
  }
- Because copying and pasting from this blog will include some non-ASCII invisible characters, strip them out by running the following:
iconv -c -f utf-8 -t ascii enrichment_config_temp.json -o enrichment_config.json
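The enrichment configuration above has a small but easy-to-break structure: one sensor name, a type, and a field-to-enrichment-types map, plus a zkQuorum that must be a real host:port rather than the unsubstituted placeholder. The following is an added example (not code from the original post or from Metron) that builds that configuration, mimics the `iconv -c` strip step in Python, and checks a pasted config for the two failure modes the text warns about: invisible non-ASCII characters and an unset ZOOKEEPER_HOST. All host names are constructed placeholders.

```python
import json
import re

# Constructed placeholder; substitute the real ZooKeeper host.
ZOOKEEPER_HOST = "zookeeper.example.internal"


def build_enrichment_config(zk_host, sensor, field_to_types, zk_port=2181):
    """Build the Metron enrichment config for one sensor (same shape as the JSON above)."""
    return {
        "zkQuorum": f"{zk_host}:{zk_port}",
        "sensorToFieldList": {
            sensor: {
                "type": "ENRICHMENT",
                "fieldToEnrichmentTypes": {f: list(t) for f, t in field_to_types.items()},
            }
        },
    }


def render_config(cfg):
    """Serialise the config as indented JSON, ready to write to enrichment_config.json."""
    return json.dumps(cfg, indent=2)


def strip_non_ascii(text):
    """Same effect as `iconv -c -f utf-8 -t ascii`: drop every non-ASCII code point."""
    return text.encode("ascii", "ignore").decode("ascii")


def validate_enrichment_config(text):
    """Parse a (possibly pasted) config and return a list of problems; empty list means OK."""
    problems = []
    if any(ord(ch) > 127 for ch in text):
        problems.append("non-ASCII characters present; run strip_non_ascii first")
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return problems + [f"invalid JSON: {exc}"]
    quorum = cfg.get("zkQuorum", "")
    # host:port[,host:port...]; an unsubstituted "$ZOOKEEPER_HOST" fails this check.
    if not re.fullmatch(r"[A-Za-z0-9.\-]+:\d+(,[A-Za-z0-9.\-]+:\d+)*", quorum):
        problems.append(f"zkQuorum must be host:port[,host:port...], got {quorum!r}")
    sensors = cfg.get("sensorToFieldList")
    if not isinstance(sensors, dict) or not sensors:
        return problems + ["sensorToFieldList missing or empty"]
    for sensor, spec in sensors.items():
        if spec.get("type") != "ENRICHMENT":  # the only type this walkthrough uses
            problems.append(f"{sensor}: type must be ENRICHMENT")
        mapping = spec.get("fieldToEnrichmentTypes") or {}
        if not mapping:
            problems.append(f"{sensor}: fieldToEnrichmentTypes is empty")
        for field, types in mapping.items():
            if not isinstance(types, list) or not types or not all(isinstance(t, str) and t for t in types):
                problems.append(f"{sensor}.{field}: enrichment types must be a non-empty list of strings")
    return problems
```

Run `validate_enrichment_config` on the file you are about to push to ZooKeeper; an empty list means the structure matches the walkthrough and contains no pasted-in invisible characters.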
...
- Go to the Metron UI: http://METRON_UI_HOST:5000
- Select Dashboard Tab
- Edit the Squid Event Details panel that you created in the Add Telemetry docs by clicking on the edit icon. You will be taken to the Discover page.
- Add the following new enrichment fields to the Selected Fields section (see the section highlighted in red)
- Click the Save button and save the search under the same name, "Squid Event Details".
- Click on the Dashboard Page and delete the Squid Event Details panel and re-add it.
- The Squid Event Details panel should now have the new enriched fields.
Notice the enrichment fields here (whois.owner, whois.domain_created_timestamp, whois.registrar, whois.home_country).