[ 
https://issues.apache.org/jira/browse/METRON-1272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16218920#comment-16218920
 ] 

ASF GitHub Bot commented on METRON-1272:
----------------------------------------

Github user nickwallen commented on a diff in the pull request:

    https://github.com/apache/metron/pull/811#discussion_r146899435
  
    --- Diff: 
metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java
 ---
    @@ -295,19 +341,199 @@ protected Document 
buildCreateDocument(MultiGetResponse multiGetResponse, List<S
       /**
        * Process an update to a meta alert itself.
        * @param update The update Document to be applied
    -   * @param index The optional index to update to
        * @throws IOException If there's a problem running the update
        */
    -  protected void handleMetaUpdate(Document update, Optional<String> index) 
throws IOException {
    -    // We have an update to a meta alert itself
    -    // If we've updated the alerts field (i.e add/remove), recalculate 
meta alert scores.
    +  protected void handleMetaUpdate(Document update) throws IOException {
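Review bot: handleMetaUpdate is protected, so dropping the Optional<String> index argument from its signature breaks any subclass that overrides or calls the two-argument form. The @param index line is also removed without a replacement, so the Javadoc should state which index the update is now written to. The two deleted inline comments recorded that a change to the alerts field triggers a meta alert score recalculation; if that behaviour remains, carry a one-line note of it into the Javadoc.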
    --- End diff --
    
    Here is the exception that pops out with that 500.
    
    ```
    "fullMessage":"IOException: class org.apache.metron.indexing.dao.HBaseDao: KeyValue size too large
    java.lang.IllegalArgumentException: KeyValue size too large
    \tat org.apache.hadoop.hbase.client.HTable.validatePut(HTable.java:1521)
    \tat org.apache.hadoop.hbase.client.BufferedMutatorImpl.validatePut(BufferedMutatorImpl.java:147)
    \tat org.apache.hadoop.hbase.client.BufferedMutatorImpl.doMutate(BufferedMutatorImpl.java:134)
    \tat org.apache.hadoop.hbase.client.BufferedMutatorImpl.mutate(BufferedMutatorImpl.java:105)
    \tat org.apache.hadoop.hbase.client.HTable.put(HTable.java:1050)
    \tat org.apache.metron.indexing.dao.HBaseDao.batchUpdate(HBaseDao.java:140)
    \tat org.apache.metron.indexing.dao.MultiIndexDao.lambda$batchUpdate$3(MultiIndexDao.java:78)
    \tat java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
    \tat java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374)
    \tat java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
    \tat java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
    \tat java.util.stream.ReduceOps$ReduceTask.doLeaf(ReduceOps.java:747)
    \tat java.util.stream.ReduceOps$ReduceTask.doLeaf(ReduceOps.java:721)
    \tat java.util.stream.AbstractTask.compute(AbstractTask.java:316)
    \tat java.util.concurrent.CountedCompleter.exec(CountedCompleter.java:731)
    \tat java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
    \tat java.util.concurrent.ForkJoinTask.doInvoke(ForkJoinTask.java:401)
    \tat java.util.concurrent.ForkJoinTask.invoke(ForkJoinTask.java:734)
    \tat java.util.stream.ReduceOps$ReduceOp.evaluateParallel(ReduceOps.java:714)
    \tat java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:233)
    \tat java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
    \tat org.apache.metron.indexing.dao.MultiIndexDao.batchUpdate(MultiIndexDao.java:83)
    \tat org.apache.metron.elasticsearch.dao.ElasticsearchMetaAlertDao.indexDaoUpdate(ElasticsearchMetaAlertDao.java:374)
    \tat org.apache.metron.elasticsearch.dao.ElasticsearchMetaAlertDao.handleMetaUpdate(ElasticsearchMetaAlertDao.java:361)
    \tat org.apache.metron.elasticsearch.dao.ElasticsearchMetaAlertDao.update(ElasticsearchMetaAlertDao.java:248)
    \tat org.apache.metron.indexing.dao.IndexDao.patch(IndexDao.java:130)
    \tat org.apache.metron.rest.service.impl.UpdateServiceImpl.patch(UpdateServiceImpl.java:44)
    \tat org.apache.metron.rest.controller.UpdateController.patch(UpdateController.java:52)
    ```


> Hide child alerts from searches and grouping if they belong to meta alerts
> --------------------------------------------------------------------------
>
>                 Key: METRON-1272
>                 URL: https://issues.apache.org/jira/browse/METRON-1272
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Justin Leet
>            Assignee: Justin Leet
>
> If an alert is already grouped into a meta alert, it's nice to route 
> everything through the same query structure and allow sorting alongside them, 
> etc.  However, showing alerts that are already contained in a meta alert is 
> potential clutter for a user and gives the impression an event has occurred 
> twice if it's in a standalone alert and a metaalert.
> This should hide alerts contained in a meta alert from searches (which will 
> always match the enclosing meta alert anyway, so nothing will be lost from 
> the search).
> They should also be hidden from grouping calls, because the user has already 
> manually grouped them during prior slicing and dicing.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
