Github user merrimanr commented on the issue:
https://github.com/apache/metron/pull/796
I tested this as well. First, a couple of things I'm curious about:
- when I open the date/time range picker why does it say "now/d"? I would
expect just "now" or "Now"
- when I first navigate to the Alerts UI or select "All time" why do I see
a timestamp clause in the query? Why not just leave it out?
I also found some issues. The first is related to time-range selections
that include 'Now' as part of the range (Last 7 days, Last 5 minutes, Today so
far, etc.). This should be a sliding window, so I would expect the search query
to be different every time the results are refreshed. For example when I
select "Last 5 minutes" this is the query that is immediately sent (only query
field is shown for simplicity):
```
{
"query": "timestamp:(>=1508426193000 AND <=1508426493000)"
}
```
After several cycles the query does not change although "Last 5 minutes" is
a different time window now:
```
{
"query": "timestamp:(>=1508426193000 AND <=1508426493000)"
}
```
I would also expect the time range to change in the time range selector
dropdown ("2017-10-19 10:16:33 to Now" for example) as well.
I also found the time range selector value isn't populated correctly when
loading a saved or recent search. For example when I select a recent or saved
search the time range clause is included in the search bar and the searches now
return a 500 error:
```
"query": "timestamp:\\(\\>\\=0 AND :\\ \\<\\=4102444800000\\) AND source\\:type:bro"
```
Based on how it works normally I would expect there to be no time range
clause in the search bar and the time range dropdown to be populated correctly
instead.
A couple other minor issues:
- if I select a cell in the table to apply a filter, then remove the filter
by hovering over it in the search bar and clicking 'x', the time range dropdown
is disabled.
- when I select a Quick Range filter or open the drop down after a , the
Time Range inputs are not updated and still say "now/d"
- when I click the 'X' or clear button in the search bar, I would expect
the time range selector to be reset to "All time"
- when I open the drop down and change the "FROM" time range, I would
expect the "TO" input to still say "now" (it's automatically set to end of the
day picked in "FROM")
- when I open the drop down and change either "FROM", "TO" or both, I would
expect those inputs to reset if I closed the dropdown without hitting "Apply"
(they are still populated when I open the dropdown again)
As far as testing is concerned, this is my understanding of the tests
included in this PR:
- verify all the links and time/date inputs are present in the time range
selector
- verify the drop down label changes to the correct value when a Quick
Range is selected (time range below the label is not tested)
- verify the result count in the table changes when a Time Range is entered
This is a good start but I think we need more to cover the issues I found.
I would suggest adding tests to:
- ensure saved/recent searches include and function properly when a Time
Range/Quick Range is selected
- test all the Quick Range filters to ensure they produce the correct time
range (I realize this could be tedious to test using search results so I would
compromise and just test that the correct range is populated in the drop down
and time range inputs)
- add validations for the time range selector when filters are
added/removed in the search bar
- expand tests on setting "FROM" and "TO" inputs to cover the issues noted
above
---