Map Fields to HBase Enrichments Using CLI

As an alternative to using the HCP Management module to map fields to HBase enrichment, you can use the CLI.

Edit the new data source enrichment configuration at


                        $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE

to associate the ip_src_addr with the user enrichment:

{
  "index" : "squid",
  "batchSize" : 1,
  "enrichment" : {
    "fieldMap" : {
      "hbaseEnrichment" : [ "ip_src_addr" ]
    },
    "fieldToTypeMap" : {
      "ip_src_addr" : [ "whois" ]
    },
    "config" : { }
  },
  "threatIntel" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { },
    "triageConfig" : {
      "riskLevelRules" : { },
      "aggregator" : "MAX",
      "aggregationConfig" : { }
    }
  },
  "configuration" : { }
}

Push this configuration to ZooKeeper:

$METRON_HOME/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i $METRON_HOME/zookeeper

After you finish enriching telemetry events, you should ensure that the enriched data is displaying on the Metron dashboard.