Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Event Fields Keys help text is ambiguous, should clarify that grouping only applies to correlated events #20480

Open drewmiranda-gl opened 2 days ago

drewmiranda-gl commented 2 days ago

We've had a customer ask us about an issue where events are not being deduplicated by key when using Event fields. The event fields keys help text says that this feature does perform group bys:

[image: screenshot of the Event Fields Keys help text popover]

However, this seems to only apply to correlated events.

Can this text be updated to remove the ambiguity and make it clear that the grouping only applies to the correlated event type?

Expected Behavior

Help text is clear and unambiguous.

Current Behavior

Help text is unclear and states this feature can be used to do group by for 'filter & aggregation' events when this is not true.

Possible Solution

Update text? Suggestion:

Event Keys are Fields used to arrange Events into groups. When used with condition type Event Correlation, a group is created for each unique Key, so Graylog will generate as many Events as unique Keys are found. To group events when using condition type 'Filter & Aggregation', use 'Create Events for Definition if...Aggregation of results reaches a threshold' and configure Group by Field(s).

Please let me know if there are any questions.

drewmiranda-gl commented 2 days ago

I believe this text lives here: https://github.com/Graylog2/graylog2-server/blob/1f066183707cde53c92fbea7d05a4de0bada6a54/graylog2-web-interface/src/components/event-definitions/common/EventKeyHelpPopover.tsx#L21