Github user nickwallen commented on the issue:

https://github.com/apache/metron/pull/811

> @nickwallen suppose you have a metaalert that contains 2 alerts. Then suppose each alert has a different value for the host field. If you grouped on host, which group would you expect the metaalert to appear in?

I would say both. Let me try and explain that.

To me, the "group by" functionality is super-powerful for digging down deep into the alerts data. When I group by hostname and open that accordion, I expect to see all the alerts related to that hostname. That would include a meta-alert that has even 1 contained alert related to that hostname.

Maybe there are other corner cases that I am not considering, but that's what I would expect.
---