Github user nickwallen commented on a diff in the pull request: https://github.com/apache/metron/pull/845#discussion_r152083195 --- Diff: metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java --- @@ -614,8 +625,15 @@ protected void calculateMetaScores(Document metaAlert) { } metaScores = new MetaScores(scores); } + + // add a summary (max, min, avg, count, sum) of all the threat scores from the child alerts metaAlert.getDocument().putAll(metaScores.getMetaScores()); - metaAlert.getDocument().put(threatTriageField, metaScores.getMetaScores().get(threatSort)); + + // the overall threat score for the metaalert; either max, min, avg, count or sum of all child scores --- End diff -- I think it is really just a matter of what we'd expect a user to define as scores for their threat triage rules. Are they really going to define values greater than a 32-bit float? Or values that sum to greater than a 32-bit float? I think it is a good point to discuss, Otto. I'd suggest we go with the float approach now, as it minimizes the scope of change in this PR. But we can revisit whether a double should be used after we migrate to ES 5.x.
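Review bot: the removed `metaAlert.getDocument().put(threatTriageField, metaScores.getMetaScores().get(threatSort));` has no visible replacement inside this hunk, only the new comment "the overall threat score for the metaalert; either max, min, avg, count or sum of all child scores". Whatever line now writes `threatTriageField` should convert the selected summary value to the numeric type the Elasticsearch mapping declares for that field (the thread settles on float for this PR, with double deferred until the ES 5.x migration), rather than storing whatever boxed type `getMetaScores().get(threatSort)` happens to return; otherwise a sum or count that exceeds the float range is coerced or rejected at index time with no error surfaced here. Naming that type in the new comment, e.g. "stored as float to match the index mapping", would document the decision made in this discussion.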
---