Details
- Type: Improvement
- Status: To Do
- Priority: Major
- Resolution: Unresolved
Description
When grouping in the Alerts UI (metron-interface/metron-alerts), we are implicitly filtering any alerts that do not have a value defined for the 'group by' field.
For example, in the attached screenshot there are roughly 44k alarms. I have grouped by host and all my groups add up to about 17k. The other 27k alarms are actually from Snort where the 'host' field is not defined.
It would be better to treat undefined, blank or missing fields as their own group. So in this example, we would have another group that has no value and would have an alert count of roughly 27k. When expanding that group, I would be able to see that all of the alarms missing that field are Snort.
The advantages I see with this...
- My group subtotals will always add up to the total number of alarms, which eliminates the mystery of missing alarms.
- Digging into alarms where a field is not defined or blank is a reasonable thing that a user would want to do.
https://github.com/apache/metron/pull/768#issuecomment-335281376
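A small model of the two behaviours, added here as an example rather than code from metron-alerts, using constructed sample alerts: a naive group-by that silently drops alerts lacking the field beside one that puts them in an explicit "(missing)" group, so the group subtotals always add up to the total.

```javascript
// Added example, not code from the Metron alerts UI: group alerts by a field while
// keeping alerts whose value is undefined, null or blank in a "(missing)" group.
const MISSING_GROUP = '(missing)';

// Constructed sample alerts: the Bro alerts carry a 'host' field, the Snort ones do not.
const SAMPLE_ALERTS = [
  { source_type: 'bro', host: 'web01', ip_src_addr: '10.0.0.5' },
  { source_type: 'bro', host: 'web01', ip_src_addr: '10.0.0.6' },
  { source_type: 'bro', host: 'db01', ip_src_addr: '10.0.0.7' },
  { source_type: 'bro', host: '   ', ip_src_addr: '10.0.0.8' },   // blank value
  { source_type: 'snort', ip_src_addr: '10.0.0.9' },               // field absent
  { source_type: 'snort', host: null, ip_src_addr: '10.0.0.10' },  // explicit null
];

// Treat undefined, null and whitespace-only strings as "no value".
function isMissing(value) {
  return value === undefined || value === null || String(value).trim() === '';
}

// Naive group-by reproducing the reported behaviour: alerts with no value are dropped.
function groupDroppingMissing(alerts, field) {
  const groups = new Map();
  for (const alert of alerts) {
    if (isMissing(alert[field])) continue;
    const key = String(alert[field]);
    groups.set(key, (groups.get(key) || []).concat(alert));
  }
  return groups;
}

// Proposed behaviour: every alert lands in exactly one group, missing values included.
function groupWithMissing(alerts, field) {
  const groups = new Map();
  for (const alert of alerts) {
    const key = isMissing(alert[field]) ? MISSING_GROUP : String(alert[field]);
    groups.set(key, (groups.get(key) || []).concat(alert));
  }
  return groups;
}

// Group name -> alert count, sorted by name so results are easy to compare.
function groupCounts(groups) {
  return Object.fromEntries(
    [...groups].map(([k, v]) => [k, v.length]).sort(([a], [b]) => a.localeCompare(b)));
}

// Invariant the ticket asks for: subtotals add up to the number of alerts grouped.
function subtotalsMatchTotal(alerts, groups) {
  const subtotal = [...groups.values()].reduce((n, g) => n + g.length, 0);
  return subtotal === alerts.length;
}
```

Expanding the "(missing)" group shows which sources lack the field, here the two Snort alerts plus the Bro alert with a blank host.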