Github user james-sirota commented on the issue:
https://github.com/apache/metron/pull/811
+1 from me as well. Great job @justinleet
---
Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/811
+1 This was more challenging than meets the eye. Thanks for working
through this @justinleet . We have some use cases to figure out, but this is a
good first step toward metaalerts.
---
Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/811
Master is merged in, so this Travis run should be legit
---
Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/811
Travis failure should be resolved once
https://github.com/apache/metron/pull/816 is in, and I'll merge in master and
push again once it is.
---
Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/811
@nickwallen I added testing around the status stuff, and a couple docs. Let
me know if there's anything else that should be updated (or isn't clear or
whatever else).
---
Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/811
### Testing
Testing purely based on the REST API. Having said that, if you want to do
like @nickwallen did and pull in https://github.com/apache/metron/pull/803 into
the same branch, you
---
Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/811
Thanks @justinleet . This is working well with @iraghumitra's UI work in
#803.
The metaalerts show up in the left-side "Filters" panel, which provides a
decent shortcut to retrieve the
---
Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/811
@nickwallen It's not a perfect solution, but I added the "source:type"
field for consistency and to allow for filtering and retrieval of just meta
alerts in an obvious way. Should just be
---
Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/811
Kick Travis
---
Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/811
Another thing I noticed is that there does not seem to be a way to retrieve
meta-alerts that you have created.
For example, I created a meta-alert where `host:ip-addr.es`. Assuming we
---
Github user james-sirota commented on the issue:
https://github.com/apache/metron/pull/811
@nickwallen to avoid scope creep on this PR I created a follow-on PR to
figure out how to represent meta alerts in the facet panel.
https://issues.apache.org/jira/browse/METRON-1276
I
---
Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/811
> @nickwallen suppose you have a metaalert that contains 2 alerts. Then
suppose each alert has a different value for the host field. If you grouped on
host, which group would you expect the
---
Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/811
> I find that extremely confusing as a user of the tool.
To explain that a bit more (and continuing with that same basic example)...
As a user I created a meta-alert where the
---
Github user merrimanr commented on the issue:
https://github.com/apache/metron/pull/811
@nickwallen suppose you have a metaalert that contains 2 alerts. Then
suppose each alert has a different value for the host field. If you grouped on
host, which group would you expect the
---
Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/811
@james-sirota I find that extremely confusing as a user of the tool. We
need to document that fact and some reasoning behind it at the very least.
---
Github user james-sirota commented on the issue:
https://github.com/apache/metron/pull/811
@nickwallen what you are looking at is a desired behavior. If the alerts
are a part of the meta alert they do not appear in the facets
---
Github user merrimanr commented on the issue:
https://github.com/apache/metron/pull/811
I believe excluding metaalerts from the group by view is the desired
behavior.
---
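To make the facet behaviour being debated above concrete, here is a small added model (not Metron code) of a search index holding raw alerts and a meta-alert that wraps two of them. It shows the counts you get when alerts contained in a meta-alert are excluded from facets (the behaviour james-sirota and merrimanr call desired) versus when they are counted, and the `source:type` filter justinleet mentions for fetching only meta-alerts. The `alert` child array, the `metaalert` type value, the GUIDs and the hosts are all assumed sample values.

```python
from collections import Counter

# Constructed sample index: three raw alerts, one meta-alert wrapping a1 and a2.
# Field names follow the thread; values and the "alert" child array are assumed.
ALERTS = [
    {"guid": "a1", "source:type": "bro", "host": "10.0.0.1"},
    {"guid": "a2", "source:type": "snort", "host": "10.0.0.2"},
    {"guid": "a3", "source:type": "bro", "host": "10.0.0.3"},
]
METAALERTS = [
    {"guid": "m1", "source:type": "metaalert", "alert": [ALERTS[0], ALERTS[1]]},
]


def contained_guids(metaalerts):
    """GUIDs of every raw alert nested inside some meta-alert."""
    return {child["guid"] for m in metaalerts for child in m.get("alert", [])}


def facet_counts(alerts, metaalerts, field, exclude_contained=True):
    """Bucket counts of `field` over the searchable alerts.

    With exclude_contained=True, alerts that belong to a meta-alert are hidden,
    so a meta-alert whose children disagree on `host` never yields an ambiguous
    bucket; the cost is that those alerts vanish from the facet panel entirely.
    With exclude_contained=False every raw alert contributes, which is what the
    thread notes a user may expect.
    """
    hidden = contained_guids(metaalerts) if exclude_contained else set()
    return Counter(a[field] for a in alerts if a["guid"] not in hidden and field in a)


def only_metaalerts(docs):
    """Filter on the source:type field so that just meta-alerts come back."""
    return [d for d in docs if d.get("source:type") == "metaalert"]


if __name__ == "__main__":
    print("excluded:", facet_counts(ALERTS, METAALERTS, "host"))
    print("included:", facet_counts(ALERTS, METAALERTS, "host", exclude_contained=False))
    print("metaalerts:", [d["guid"] for d in only_metaalerts(ALERTS + METAALERTS)])
```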
Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/811
I am seeing another issue that may or may not be related. It seems that
when I am using the "group by" functionality, I cannot see meta-alerts at all.
(1) If I am not using the "group
---
Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/811
It appears to me that the alerts contained within a meta-alert are not
contributing to the facet counts returned by a search request. I think we
still do want that to happen. Let me explain