Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/768
When grouping, we are implicitly filtering any alerts that do not have a
value defined for the 'group by' field.
For example, in this screenshot there are roughly 44k alarms. I have
grouped by host and all my groups add up to about 17k. The other 27k alarms
are actually from Snort where the 'host' field is not defined.

Would it be better to treat undefined, blank or missing fields as their own
group? So in this example, we would have another group that has no value and
would have an alert count of roughly 27k.
The advantages I see with this...
* My group subtotals will always add up to the total number of alarms,
which eliminates the mystery of missing alarms.
* Digging into alarms where a field is not defined or blank is a reasonable
thing that a user would want to do.
This may very well be something to fix on the backend.
---
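The behaviour proposed in the comment above, as an added example that is not part of the PR or the Metron UI code: group alerts by a field while giving undefined, null or blank values their own explicit bucket, then check that the subtotals add up to the total. The `MISSING_GROUP` label, the function names and the sample alerts are assumptions constructed for the example.

```typescript
// Added example (not code from the Metron UI or this PR): bucket alerts by a
// field, treating undefined, null or blank values as their own group so the
// group subtotals always equal the total alert count.

interface Alert { [field: string]: unknown; }

const MISSING_GROUP = '(missing)';  // assumed label for the extra bucket

// Normalise a field value into a bucket key; undefined/null/blank -> MISSING_GROUP.
function bucketKey(value: unknown): string {
  if (value === undefined || value === null) { return MISSING_GROUP; }
  const text = String(value).trim();
  return text.length === 0 ? MISSING_GROUP : text;
}

// Count alerts per bucket for the given 'group by' field.
function groupAlerts(alerts: Alert[], field: string): Map<string, number> {
  const counts = new Map<string, number>();
  for (const alert of alerts) {
    const key = bucketKey(alert[field]);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// The consistency check the comment asks for: no alerts silently drop out.
function subtotalsMatchTotal(alerts: Alert[], field: string): boolean {
  let sum = 0;
  groupAlerts(alerts, field).forEach((n) => { sum += n; });
  return sum === alerts.length;
}

// Constructed sample: Bro alerts carry a host, the Snort alerts do not.
const sampleAlerts: Alert[] = [
  { source: 'bro',   host: 'web01' },
  { source: 'bro',   host: 'web02' },
  { source: 'bro',   host: 'web01' },
  { source: 'snort' },                 // field absent
  { source: 'snort', host: null },     // explicit null
  { source: 'snort', host: '   ' },    // blank
];
```

Without the missing bucket the three Snort alerts would vanish from the group view, which is exactly the 27k discrepancy described in the comment.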