Yeah, +1 to that. We'll definitely need a GUID (well, event ID, so GUEID). Probably calculated pre-parse.
-D... On Fri, Feb 24, 2017 at 9:48 AM, Casey Stella <ceste...@gmail.com> wrote: > Regarding alert ID, it seems like this is the kind of thing which should be > uniform for all the different types of indices: solr and HDFS. You might > (and probably do) want to be able to join between IDs in HDFS and ES or > Solr, for instance, so it probably shouldn't be tied to the ES ID. We > might want to make a Metron ID that is baked into the parsers and is a > SHA-2 hash of the data. > > > > On Fri, Feb 24, 2017 at 9:29 AM, Ryan Merriman <merrim...@gmail.com> > wrote: > > > Related to the 'What does "Escalate" do' question, one topic that needs > > some discussion is how we integrate with 3rd party ticketing systems. > How > > should we design this extension point? Some basic requirements could be > > that a call is made to somewhere with the alert as the payload and some > > kind of ticket or issue id is received as a response. This is a very > > open-ended question and there are likely several different ways we go do > > it. > > > > As for Casey's other points: > > > > - The most obvious choice for alert id would be the id in elasticsearch. > > Are there other ids we should consider? > > - Configurable display fields makes a lot of sense to me and should not > be > > complex to implement. > > - Agreed on offering intuitive ways to filter messages by fields. > > > > Ryan > > > > On Thu, Feb 23, 2017 at 6:42 PM, Casey Stella <ceste...@gmail.com> > wrote: > > > > > - What does "Escalate" do exactly? > > > - Where does the Alert ID come from? > > > - Are the fields displayed configurable? > > > - It'd be nice to be able to select a set of fields for a message > and > > > have the list of messages filter to just those where those fields > are > > > the > > > same as the one viewed. > > > > > > > > > On Thu, Feb 23, 2017 at 3:24 PM, Houshang Livian < > > hliv...@hortonworks.com> > > > wrote: > > > > > > > Hello Metron Community, > > > > > > > > We have mocked up an Alerts UI for Metron for your consideration. > > Please > > > > take a look and share your thoughts. > > > > > > > > Here is a link to our thoughts on this: > > > > http://imgur.com/a/KMTKN > > > > > > > > Does this look like a reasonable place to start? > > > > Is there anything that is an absolute MUST have or MUST NOT have? > > > > > > > > Houshang Livian > > > > > > > > > > > > > > > > > >
