StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.
to: @ryandeivert @chunyong-lin
cc: @airbnb/streamalert-maintainers
Background
Alert Merging doesn't properly merge context together, which makes it really tough for rules to pass information from individual records to a consolidated alert publisher. This means the alert publisher has to be "super smart" in order to extract out the proper fields and this is just too much work.
Changes
During alert output dispatching ONLY (doesn't affect Firehose), when you have a rule with alert merging enabled, the alert.context field of each alert will now merge properly as such:
Example
Suppose two alerts:
alert 1
alert 2
Old way: the merged alert would look like:
NEW way: the merged alert now looks like:
Testing
Deployed internally.
Steps for how this change was tested and verified