[
https://issues.apache.org/jira/browse/METRON-1272?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16219386#comment-16219386
]
ASF GitHub Bot commented on METRON-1272:
----------------------------------------
Github user justinleet commented on a diff in the pull request:
https://github.com/apache/metron/pull/811#discussion_r146965770
--- Diff:
metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/ElasticsearchMetaAlertDao.java
---
@@ -295,19 +341,199 @@ protected Document
buildCreateDocument(MultiGetResponse multiGetResponse, List<S
/**
* Process an update to a meta alert itself.
* @param update The update Document to be applied
- * @param index The optional index to update to
* @throws IOException If there's a problem running the update
*/
- protected void handleMetaUpdate(Document update, Optional<String> index)
throws IOException {
- // We have an update to a meta alert itself
- // If we've updated the alerts field (i.e add/remove), recalculate
meta alert scores.
+ protected void handleMetaUpdate(Document update) throws IOException {
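Review bot: The new signature `handleMetaUpdate(Document update)` drops the `index` argument and its `@param index` line, but the Javadoc no longer says which index the update is applied to. Add a sentence to the Javadoc stating where the target index now comes from. Because the method is `protected`, a subclass that still declares the two-argument form will no longer override it, so check subclasses for the old signature.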
--- End diff --
I added a comment on https://github.com/apache/metron/pull/803/, because
the 999 limit is actually only established there; it's not something in master.
> Hide child alerts from searches and grouping if they belong to meta alerts
> --------------------------------------------------------------------------
>
> Key: METRON-1272
> URL: https://issues.apache.org/jira/browse/METRON-1272
> Project: Metron
> Issue Type: Improvement
> Reporter: Justin Leet
> Assignee: Justin Leet
>
> If an alert is already grouped into a meta alert, it's nice to route
> everything through the same query structure and allow sorting alongside them,
> etc. However, showing alerts that are already contained in a meta alert is
> potential clutter for a user and gives the impression an event has occurred
> twice if it's in a standalone alert and a metaalert.
> This should hide alerts contained in a meta alert from searches (which will
> always match the enclosing meta alert anyway, so nothing will be lost from
> the search).
> They should also be hidden from grouping calls, because the user has already
> manually grouped them during prior slicing and dicing.