...
echo "scan 'enrichment'" | hbase shell
Note, you should also see a separate HBase table, enrichment_list, automatically populated with a single new enrichment type named "whois."
[root@node1(127.0.0.1 192.168.66.121): ~]
# echo "scan 'enrichment_list'" | hbase shell
HBase Shell; enter 'help<RETURN>' for list of supported commands.
Type "exit<RETURN>" to leave the HBase Shell
Version 1.1.2.2.6.5.1175-1, r897822d4dd5956ca186974c10382e9094683fa29, Thu Jun 20 17:08:24 UTC 2019
scan 'enrichment_list'
ROW COLUMN+CELL
whois column=t:v, timestamp=1566586822992, value={}
1 row(s) in 0.4950 seconds
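The same check can be scripted instead of read by eye. The following is an added example, not part of the original tutorial or of Metron itself; the helper names scan_rows and has_enrichment_type are hypothetical, and the sample input is the scan output shown above.

```shell
# Added example: confirm that an enrichment type appears as a row key in
# `hbase shell` scan output. Helper names are hypothetical, not Metron tooling.

# Print the distinct row keys found between the "ROW COLUMN+CELL" header
# and the "N row(s) in ..." footer of a scan read from stdin.
scan_rows() {
    awk '
        /^[[:space:]]*ROW[[:space:]]+COLUMN\+CELL/ { in_table = 1; next }
        in_table && /^[[:space:]]*[0-9]+ row\(s\)/ { in_table = 0; next }
        in_table && /column=/                      { print $1 }
    ' | sort -u
}

# Succeed only if $1 is exactly one of the row keys in the scan on stdin.
# An exact, whole-line match keeps "who" from passing for "whois".
has_enrichment_type() {
    scan_rows | grep -Fxq -- "$1"
}

# Constructed sample input: the scan output from this page.
SAMPLE_SCAN=$(cat <<'EOF'
scan 'enrichment_list'
ROW COLUMN+CELL
whois column=t:v, timestamp=1566586822992, value={}
1 row(s) in 0.4950 seconds
EOF
)

# Offline check against the sample:
#   printf '%s\n' "$SAMPLE_SCAN" | has_enrichment_type whois && echo "whois present"
# Against a live cluster (assumes hbase is on the PATH):
#   echo "scan 'enrichment_list'" | hbase shell | has_enrichment_type whois
```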
You should see the table bulk loaded with data from the CSV file. Now check whether the ZooKeeper enrichment tag was properly populated:
${METRON_HOME}/bin/zk_load_configs.sh -m DUMP -z $ZOOKEEPER -c ENRICHMENT -n squid
This prints all of the configs to standard out. We provided a sensor name argument, so you should see one named "squid."
In order to demonstrate the enrichment capabilities of Metron, you need to drop all existing indexes for Squid where the data was ingested prior to enrichments being enabled. To do so, go back to the head plugin and delete the indexes like so:
No need to drop index
If you want to start with a fresh index for squid, you can delete the existing index by doing the following:
curl -XDELETE "http://node1:9200/squid*"
Make sure you delete all Squid indexes. Re-ingest the data (see the previous blog post for more detail):
cat /var/log/squid/access.log | ${HDP_HOME}/kafka-broker/bin/kafka-console-producer.sh --broker-list $BROKERLIST --topic squid
The new messages should be automatically enriched. Using the ES Head browser plugin, the new message should look as follows:
...