[ 
https://issues.apache.org/jira/browse/METRON-1272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16215806#comment-16215806
 ] 

ASF GitHub Bot commented on METRON-1272:
----------------------------------------

Github user nickwallen commented on the issue:

    https://github.com/apache/metron/pull/811
  
    I am seeing another issue that may or may not be related.  It seems that when I am using the "group by" functionality, I cannot see meta-alerts at all.
    
    (1) If I am not using the "group by", I can see the meta-alert perfectly fine.
    
    ![screen shot 2017-10-23 at 4 40 01 pm](https://user-images.githubusercontent.com/2475409/31912118-e88c9548-b810-11e7-830f-034acefbc8ed.png)
    
    (2) Now I want to group by host.  I click the "host" group by widget, but there are no results.  I am left thinking... Where did the meta-alert go?  The only way I can see the meta-alert is to not use the "group by" functionality.
    
    ![screen shot 2017-10-23 at 4 42 29 pm](https://user-images.githubusercontent.com/2475409/31912220-2cdc3f82-b811-11e7-86c6-27c297408b3a.png)
    
    (3) And the UI screenshots match what is returned by the underlying API.  In the case of the missing meta-alert, this is the request/response.
    
    Request:
    ```json
    {
      "indices": [
        "websphere",
        "snort",
        "asa",
        "bro",
        "yaf",
        "metaalert"
      ],
      "scoreField": "threat:triage:score",
      "groups": [
        {
          "field": "host",
          "order": {
            "sortOrder": "desc",
            "groupOrderType": "term"
          }
        }
      ],
      "query": "(host:ip\\-addr.es OR alert.host:ip\\-addr.es)"
    }
    ```
    
    Response:
    ```json
    {"groupedBy":"host","groupResults":[]}
    ```


> Hide child alerts from searches and grouping if they belong to meta alerts
> --------------------------------------------------------------------------
>
>                 Key: METRON-1272
>                 URL: https://issues.apache.org/jira/browse/METRON-1272
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Justin Leet
>            Assignee: Justin Leet
>
> If an alert is already grouped into a meta alert, it's nice to route 
> everything through the same query structure and allow sorting alongside them, 
> etc.  However, showing alerts that are already contained in a meta alert is 
> potential clutter for a user and gives the impression an event has occurred 
> twice if it's in a standalone alert and a metaalert.
> This should hide alerts contained in a meta alert from searches (which will 
> always match the enclosing meta alert anyway, so nothing will be lost from 
> the search).
> They should also be hidden from grouping calls, because the user has already 
> manually grouped them during prior slicing and dicing.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
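The rule the issue asks for (hide an alert from search and from grouping once it is a member of a meta alert) and the symptom in the comment above (a group-by request that returns empty `groupResults` while the plain search still shows the meta-alert) are both easy to reproduce on a handful of in-memory documents. The following is an added illustration written for this page, not Metron's own code or its search DAO. It assumes only what the page shows about the document shape: a meta-alert keeps its member alerts in a nested `alert` array (which is why the page's query searches `alert.host` alongside `host`), and documents carry a `threat:triage:score`. The `guid` field, the `metaalert` index name used as the meta-alert's `source.type`, the sample hosts and the scores are constructed for the example. The naive, top-level-only grouping shown here is one way to get an empty `groupResults` for a query that only a meta-alert matches; it is not a diagnosis of the Metron bug.

```python
"""Child-alert hiding for search and group-by, as described in METRON-1272.

Added example, not Metron code. Assumed document shape (only what the
page shows): a meta-alert nests its members under "alert"; every document
has "threat:triage:score". "guid" is an assumed identifier field.
"""
from collections import defaultdict

META_INDEX = "metaalert"  # assumed: meta-alerts carry this as source.type


def score(doc):
    return doc.get("threat:triage:score", 0.0)


def field_values(doc, field):
    """All values a document exposes for `field`: its own top-level value
    plus, for a meta-alert, the values of its nested children. This is the
    document-side counterpart of the page's query "(host:X OR alert.host:X)".
    """
    values = []
    if field in doc:
        values.append(doc[field])
    for child in doc.get("alert", []):
        if field in child:
            values.append(child[field])
    return values


def contained_guids(docs):
    """GUIDs of every alert that is a member of some meta-alert in `docs`."""
    return {child["guid"]
            for d in docs if d["source.type"] == META_INDEX
            for child in d.get("alert", [])}


def search(docs, field, value, hide_children=True):
    """Documents matching field:value, highest score first. With
    hide_children=True an alert already inside a meta-alert is dropped; the
    enclosing meta-alert still matches, so nothing is lost from the result."""
    hidden = contained_guids(docs) if hide_children else set()
    hits = [d for d in docs
            if value in field_values(d, field) and d["guid"] not in hidden]
    return sorted(hits, key=score, reverse=True)


def group_by(docs, field, value, hide_children=True, nested=True):
    """Term buckets over `field` for the documents that match field:value.

    nested=False buckets on the top-level field only, so a meta-alert whose
    host values live only in its children lands in no bucket at all; if the
    meta-alert was the only hit, groupResults comes back empty, which is the
    shape of the response quoted on the page. nested=True also buckets the
    meta-alert under each host its children carry.
    """
    groups = defaultdict(list)
    for d in search(docs, field, value, hide_children):
        if nested:
            keys = field_values(d, field)
        else:
            keys = [d[field]] if field in d else []
        for key in sorted(set(keys)):
            groups[key].append(d["guid"])
    return {"groupedBy": field,
            "groupResults": [{"key": k, "total": len(v), "guids": v}
                             for k, v in sorted(groups.items())]}


# Constructed sample data: two alerts on the same host that have been
# grouped into a meta-alert, plus an unrelated alert on another host.
CHILD_A = {"guid": "a1", "source.type": "snort", "host": "ip-addr.es",
           "threat:triage:score": 10.0}
CHILD_B = {"guid": "b1", "source.type": "bro", "host": "ip-addr.es",
           "threat:triage:score": 20.0}
OTHER = {"guid": "c1", "source.type": "yaf", "host": "other.host",
         "threat:triage:score": 5.0}
META = {"guid": "m1", "source.type": META_INDEX, "alert": [CHILD_A, CHILD_B],
        "threat:triage:score": 20.0}
DOCS = [CHILD_A, CHILD_B, OTHER, META]


if __name__ == "__main__":
    # Without hiding, the same two events show up twice: standalone and
    # inside the meta-alert. With hiding, only the meta-alert remains.
    print([d["guid"] for d in search(DOCS, "host", "ip-addr.es", hide_children=False)])
    print([d["guid"] for d in search(DOCS, "host", "ip-addr.es")])
    # Top-level-only grouping loses the meta-alert entirely.
    print(group_by(DOCS, "host", "ip-addr.es", nested=False))
    # Grouping that also reads the nested alert.host keeps it.
    print(group_by(DOCS, "host", "ip-addr.es"))
```

The point of the two `group_by` modes is that hiding children and grouping are coupled: once member alerts are hidden from the hit set, any field that exists only on the members (here `host`, which the meta-alert does not carry at top level) has to be read through the nested `alert` array, or the meta-alert contributes to no bucket and the grouped view shows nothing for a query that the flat search answers.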
