[ https://issues.apache.org/jira/browse/METRON-1272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16215711#comment-16215711 ]

ASF GitHub Bot commented on METRON-1272:
----------------------------------------

Github user nickwallen commented on the issue:

    https://github.com/apache/metron/pull/811
  
    It appears to me that the alerts contained within a meta-alert are not 
contributing to the facet counts returned by a search request.  I think we 
still do want that to happen.  Let me explain with an example and screenshots.
    
    Note: I am testing this together with the UI changes in #803 .
    
    1. First, I isolate 10 alerts with a specific host name that I want to work 
with.  I have turned off ingest so that no additional alerts should appear 
during the running of this example.  I can see that the facet counts are what I 
would expect.
    
    ![screen shot 2017-10-23 at 3 01 45 pm](https://user-images.githubusercontent.com/2475409/31908592-6de23998-b805-11e7-8201-c9983bfdc476.png)
    
    2. Next, I group by host so that I can create my meta-alert.
    
    ![screen shot 2017-10-23 at 3 01 58 pm](https://user-images.githubusercontent.com/2475409/31908646-97cf304e-b805-11e7-9ca4-14bb0269fc0c.png)
    
    ![screen shot 2017-10-23 at 3 02 09 pm](https://user-images.githubusercontent.com/2475409/31908665-a1bea3e6-b805-11e7-96e1-572faaf38e7a.png)
    
    3. Immediately after creating the meta-alert, I do not see it.  I think 
this is a problem with the UI itself not refreshing after creating the alert.  
This might need to be fixed in #803 .
    
    ![screen shot 2017-10-23 at 3 02 37 pm](https://user-images.githubusercontent.com/2475409/31908754-edf3aebe-b805-11e7-86ff-838a1572a27d.png)
    
    4. If I then trigger another search, I do see the meta-alert.  Great!
    
    ![screen shot 2017-10-23 at 3 03 14 pm](https://user-images.githubusercontent.com/2475409/31908976-a74e13cc-b806-11e7-860b-8a86aac8d36a.png)
    
    5. Next I just expand the meta-alert to validate that the 10 original 
alerts were added.  You can see from this screenshot that the facet counts all 
show 0.  This tells me that the facet counts are not including meta-alerts.
    
    ![screen shot 2017-10-23 at 3 08 55 pm](https://user-images.githubusercontent.com/2475409/31909047-d7384738-b806-11e7-8a88-8391be7a2807.png)
    
    

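To make the facet-count behaviour described in the comment above concrete, the following is an added Python model (not Metron code, and not written by the GitHub user) of a search that hides child alerts once they belong to a meta-alert, with two ways of computing the facet counts over the hits: counting only the top-level hits, which reproduces the all-zero counts seen in step 5, and expanding each matching meta-alert into its children, which is the behaviour the comment argues for. The document shape (a `source:type` of `metaalert` with children nested under an `alert` field), the field names and the ten sample alerts are assumptions constructed for this example.

```python
"""Added example: facet counts over a search that hides meta-alert children.

Assumed document shape (not taken from the Metron code base): a meta-alert is a
document whose "source:type" is "metaalert" and whose children sit in a list
under the "alert" field. Sample data below is constructed for the example.
"""
from collections import Counter

# Constructed: 10 alerts sharing one host name, half "bro" and half "snort".
ALERTS = [
    {"guid": f"alert-{i}", "source:type": "bro" if i % 2 else "snort",
     "host": "example-host", "status": "NEW"}
    for i in range(10)
]

# Constructed: the meta-alert created by grouping the 10 alerts by host.
META_ALERT = {
    "guid": "meta-1",
    "source:type": "metaalert",
    "status": "NEW",
    "alert": ALERTS,  # child alerts (assumed field name)
}


def child_guids(meta_alerts):
    """GUIDs of every alert already contained in some meta-alert."""
    return {a["guid"] for m in meta_alerts for a in m["alert"]}


def search(alerts, meta_alerts, predicate):
    """Return top-level hits for a predicate.

    A meta-alert matches if it or any of its children matches, so nothing is
    lost by hiding the children; a standalone alert matches only if it is not
    already contained in a meta-alert (the "hide child alerts" rule).
    """
    hidden = child_guids(meta_alerts)
    hits = [m for m in meta_alerts
            if predicate(m) or any(predicate(a) for a in m["alert"])]
    hits += [a for a in alerts if a["guid"] not in hidden and predicate(a)]
    return hits


def facet_counts_top_level(hits, field):
    """Facet counts over the top-level hits only (what the comment observed).

    Once the children are hidden behind a meta-alert that lacks the faceted
    field, every bucket that used to be populated by them drops to zero.
    """
    return Counter(h[field] for h in hits if field in h)


def facet_counts_expanded(hits, field):
    """Facet counts with each meta-alert expanded into its children (expected).

    Hidden children still contribute to the buckets, so grouping 10 alerts into
    a meta-alert leaves the per-host and per-source counts unchanged.
    """
    counts = Counter()
    for h in hits:
        members = h["alert"] if h["source:type"] == "metaalert" else [h]
        for doc in members:
            if field in doc:
                counts[doc[field]] += 1
    return counts


def run_example():
    """Walk through steps 1 and 5 of the comment and return the counts seen."""
    by_host = lambda d: d.get("host") == "example-host"

    # Step 1: before grouping, 10 standalone alerts match and the facets are as expected.
    before = search(ALERTS, [], by_host)

    # Step 5: after grouping, only the meta-alert is returned; the children are hidden.
    after = search(ALERTS, [META_ALERT], by_host)

    return {
        "hits_before": len(before),
        "hits_after": len(after),
        "source_before": dict(facet_counts_top_level(before, "source:type")),
        "host_top_level_after": dict(facet_counts_top_level(after, "host")),
        "host_expanded_after": dict(facet_counts_expanded(after, "host")),
        "source_expanded_after": dict(facet_counts_expanded(after, "source:type")),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The `host_top_level_after` result is empty, which is the "all zeros" facet panel in the last screenshot: the meta-alert carries no `host` field of its own, and the ten children that do are no longer top-level hits. Expanding the meta-alert for the purpose of counting, while still returning only the meta-alert as a hit, keeps the search uncluttered without losing the counts.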


> Hide child alerts from searches and grouping if they belong to meta alerts
> --------------------------------------------------------------------------
>
>                 Key: METRON-1272
>                 URL: https://issues.apache.org/jira/browse/METRON-1272
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Justin Leet
>            Assignee: Justin Leet
>
> If an alert is already grouped into a meta alert, it's nice to route 
> everything through the same query structure and allow sorting alongside them, 
> etc.  However, showing alerts that are already contained in a meta alert is 
> potential clutter for a user and gives the impression an event has occurred 
> twice if it's in a standalone alert and a metaalert.
> This should hide alerts contained in a meta alert from searches (which will 
> always match the enclosing meta alert anyway, so nothing will be lost from 
> the search).
> They should also be hidden from grouping calls, because the user has already 
> manually grouped them during prior slicing and dicing.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
