[
https://issues.apache.org/jira/browse/METRON-1272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16218427#comment-16218427
]
ASF GitHub Bot commented on METRON-1272:
----------------------------------------
Github user justinleet commented on a diff in the pull request:
https://github.com/apache/metron/pull/811#discussion_r146827154
--- Diff:
metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java
---
@@ -295,19 +341,199 @@ protected Document
buildCreateDocument(MultiGetResponse multiGetResponse, List<S
/**
* Process an update to a meta alert itself.
* @param update The update Document to be applied
- * @param index The optional index to update to
* @throws IOException If there's a problem running the update
*/
- protected void handleMetaUpdate(Document update, Optional<String> index)
throws IOException {
- // We have an update to a meta alert itself
- // If we've updated the alerts field (i.e add/remove), recalculate
meta alert scores.
+ protected void handleMetaUpdate(Document update) throws IOException {
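Review bot: With `Optional<String> index` dropped from the `handleMetaUpdate` signature, the Javadoc loses `@param index` and nothing in the visible lines says which index the meta alert update is now written to. Consider adding a sentence to the Javadoc stating how the target index is resolved, and check that callers which previously passed an explicit index still land on the same one. The two removed inline comments also recorded that a change to the alerts field (add/remove) leads to a recalculation of meta alert scores; if the new body still does that, keep an equivalent comment or move it into the Javadoc.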
--- End diff --
I'll try to reproduce. I'm not sure what the potential cause could be.
Could you see if the alerts you added have the properly populated "metaalerts"
field in the original alert? It's possible an issue occurs during that update,
but I don't really have any evidence in any direction.
> Hide child alerts from searches and grouping if they belong to meta alerts
> --------------------------------------------------------------------------
>
> Key: METRON-1272
> URL: https://issues.apache.org/jira/browse/METRON-1272
> Project: Metron
> Issue Type: Improvement
> Reporter: Justin Leet
> Assignee: Justin Leet
>
> If an alert is already grouped into a meta alert, it's nice to route
> everything through the same query structure and allow sorting alongside them,
> etc. However, showing alerts that are already contained in a meta alert is
> potential clutter for a user and gives the impression an event has occurred
> twice if it's in a standalone alert and a metaalert.
> This should hide alerts contained in a meta alert from searches (which will
> always match the enclosing meta alert anyway, so nothing will be lost from
> the search).
> They should also be hidden from grouping calls, because the user has already
> manually grouped them during prior slicing and dicing.