Github user merrimanr commented on the issue:

    https://github.com/apache/metron/pull/803
  
    I did an initial review of this and I see several things we need to work 
through.  It's a pretty significant feature so that's not surprising.  I know 
there are some other PRs being worked on that this PR depends on 
(https://github.com/apache/metron/pull/806).  Some questions I have:
    - In this PR description, what does 'Change the state of meta alert' mean?
    - Can I create a new empty metaalert?
    - Can I create a metaalert by manually selecting alerts?
    - How do I create a metaalert from a group that is >1 levels deep? 
    - How do I see all metaalerts? I was able to query with "_exists_:alert.*" 
but that is not intuitive.
    - Can I only remove 1 alert from a metaalert at a time?
    - Would it be useful to assign a name to your metaalert in the confirmation 
form rather than having to find it after you create it and rename in the detail 
view?
    - Not a fan of vertical scrolling through alerts in metaalert detail, would 
it be possible to add pagination?
    
    Some initial bugs I found (commented on some of these):
    - metaalert index name throughout code is wrong, should be 'metaalert'
    - metaalerts have alert_status set to 'NEW'
    - when you group by ip address fields, then expand group, count goes to 0 
and corrects after the next search (not sure if this existed before this PR)
    - clicking on a metaalert fires this findOne call:
    ```
    {
      "guid": "ca80f4fc-0cdb-431c-b972-c460dad022ee",
      "sensorType": "undefined"
    }
    ```
    - not obvious from a user perspective what happens when I remove all alerts 
from a metaalert (I can see rest call that sets metaalert status to inactive)
    - missing space in alert merge confirmation and 1 alert displays as 
'1alerts'
    - need to add metaalert index to e2e npm environment
    - when metaalerts and alerts are in the same result set, sorting on fields 
other than timestamp causes metaalerts to be excluded
    - when I select an alert and then select Add to Alert in bulk actions, 
metaalerts display 0 alerts, i.e. (0)
    - adding a comment to metaalert is failing because sensorType is undefined 
in patch request:
    ```
    {
      "patch": [
        {
          "op": "add",
          "path": "/comments",
          "value": [
            {
              "comment": "test",
              "username": "user",
              "timestamp": 1508446386940
            }
          ]
        }
      ],
      "guid": "b9479340-316b-46db-baa5-0a0376ff015a",
      "index": "metaalert_index",
      "sensorType": "undefined"
    }
    ```
    - when I change/assign a metaalert name, it reverts back to the id in the search 
result list on the next search
    - comment icons in the list view are not appearing after I add a comment 
even though comments are displayed in the metaalert default view (likely 
related to failed add comment call, being written only to hbase and not ES)
    
    I'm also assuming more e2e tests are coming soon.
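The two payloads quoted in the comment above both carry `"sensorType": "undefined"`, the string, rather than an absent field. The following is an added illustration by the editor, not code from the Metron project or from the PR under review: it reproduces how a JavaScript client produces that string (string coercion of a missing property, which is an assumption about the cause), and pairs it with a small validator that rejects such a request body before it is sent. All function names, the sample alert objects and their guids are constructed for the example.

```javascript
// Editor's illustration (not Metron code). Shows how a missing sensorType becomes
// the string "undefined" in a JSON Patch request, and a guard that catches it.

// Constructed sample inputs; guids and index names are placeholders.
const metaAlert = {
  guid: "meta-0001",
  index: "metaalert_index",
  // No sensorType: a metaalert is not tied to one sensor, which is the
  // assumed reason the field is missing on the client side.
};
const normalAlert = { guid: "alert-0001", index: "bro_index", sensorType: "bro" };
const comment = { comment: "test", username: "user", timestamp: 1508446386940 };

// Naive builder: template interpolation (like String()) turns a missing
// property into the literal "undefined", and JSON.stringify serialises it.
function buildCommentPatch(alert, newComment) {
  return {
    patch: [{ op: "add", path: "/comments", value: [newComment] }],
    guid: alert.guid,
    index: alert.index,
    sensorType: `${alert.sensorType}`,
  };
}

// Strings that are really "no value" after coercion.
const STRINGIFIED_EMPTY = new Set(["undefined", "null", "NaN", ""]);
// JSON Patch operations this example accepts (RFC 6902 defines more).
const ALLOWED_OPS = new Set(["add", "remove", "replace"]);

// Validates the request shape. Returns a list of problems; empty means OK.
function validatePatchRequest(body) {
  const errors = [];
  for (const field of ["guid", "index", "sensorType"]) {
    const v = body[field];
    if (typeof v !== "string" || STRINGIFIED_EMPTY.has(v)) {
      errors.push(`${field}: missing or stringified empty value ${JSON.stringify(v)}`);
    }
  }
  if (!Array.isArray(body.patch) || body.patch.length === 0) {
    errors.push("patch: must be a non-empty array of JSON Patch operations");
  } else {
    body.patch.forEach((op, i) => {
      if (!op || !ALLOWED_OPS.has(op.op) || typeof op.path !== "string" || !op.path.startsWith("/")) {
        errors.push(`patch[${i}]: not a well-formed JSON Patch operation`);
      }
    });
  }
  return errors;
}

// Hardened builder: fails fast on the client instead of sending a bad request.
function buildCommentPatchChecked(alert, newComment) {
  const body = {
    patch: [{ op: "add", path: "/comments", value: [newComment] }],
    guid: alert.guid,
    index: alert.index,
    sensorType: alert.sensorType, // stays undefined if absent; the validator reports it
  };
  const errors = validatePatchRequest(body);
  if (errors.length > 0) {
    throw new TypeError(`refusing to send patch request: ${errors.join("; ")}`);
  }
  return body;
}

function demo() {
  const naive = buildCommentPatch(metaAlert, comment);
  console.log(JSON.stringify(naive, null, 2)); // contains "sensorType": "undefined"
  console.log(validatePatchRequest(naive));
  try {
    buildCommentPatchChecked(metaAlert, comment);
  } catch (e) {
    console.log(e.message);
  }
  console.log(validatePatchRequest(buildCommentPatchChecked(normalAlert, comment)));
}

demo();
```

The same `validatePatchRequest` check belongs on the server side of the REST endpoint as well: a string `"undefined"` is a valid JSON value, so only an explicit allow-list of field types, not JSON parsing, will catch it.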

