[Data Normalization] Make logs optional when datatypes is defined
#307
Conversation
| payload.normalized_types, | ||
| rule.datatypes) | ||
| record['normalized_types'] = types_result | ||
| if rule.datatypes is not None: |
There was a problem hiding this comment.
Optional: The is not None here is implicit with just if rule.datatypes:
| return False | ||
|
|
||
| for datatype in datatypes: | ||
| if not datatype in normalized_types: | ||
| LOGGER.error('The datatype [%s] is not defined!', datatype) |
There was a problem hiding this comment.
Is this logging statement no longer helpful? I understand why the one above was removed but can you explain why this one was also?
There was a problem hiding this comment.
Since we removed log_sources constrain, one rule will matched to multiple records. Normalized types dictionaries are defined based on each log source though. It is not an error if normalized type foo doesn't defined in Record A, it just doesn't match and return False is enough. Does it make sense to you?
|
@chunyong-lin - For the testing, please ensure there is a test for all possible permutations and update the PR description:
|
ghost
changed the title
log_source constrain.logs optional when datatypes is defined
chunyong-lin
force-pushed
the
remove_log_source_constrain
branch
from
2f16953 to
c725c7c
Compare
|
@mime-frame @ryandeivert PTAL, I also updated my test status to PR description. Thanks 😸 |
* Add unit tests to test `logs` and `datatypes` in rule header. They cover 4 cases: * logs is present, datatypes is not - working as expected * logs is present, datatypes is - working as expected * logs is not present, datatypes is not - log an ERROR * logs is not present, datatypes is - working as expected.
chunyong-lin
force-pushed
the
remove_log_source_constrain
branch
from
b6c4741 to
3dd0e15
Compare
* Remove this field from record before sending record to outputs (slack, PD, etc).
chunyong-lin
force-pushed
the
remove_log_source_constrain
branch
from
3dd0e15 to
201aa1e
Compare
|
@chunyong-lin - to confirm, this is ready for review? |
|
@mime-frame Yes, it is ready for review. |
ghost
merged commit 
to @ryandeivert @mime-frame
cc @airbnb/streamalert-maintainers
size: tiny
contributes to: #304
Summary
Remove
log_sourceconstrain which meanslogskeyword is optional when we define a rule ifdatatypeskeyword present. Otherwiselogskeyword is required.Apply Data Normalization feature to a rule, we can define a rule in this format
Changes
Testing
logsis present,datatypesis notlogsis present,datatypesislogsis not present,datatypesislogsis present,datatypesis not - working as expectedlogsis present,datatypesis - working as expectedlogsis not present,datatypesis not - log an ERRORlogsis not present,datatypesis - working as expected.