Open siskojr opened 4 years ago
This also came up in an inquiry from a community user on the Brim public Slack:
https://brimsec.slack.com/archives/C010DR0HHMF/p1586091392037100
Another community request for this feature in a Slack thread:
what kind of lift would it be to let users tag individual records? e.g. I want to right-click a row and tag "follow-up" or something similar
We also asked the user a follow-up question about persisting the data.
Q: Maybe this goes without saying, but can we assume that you’ll want the tags to persist with the data, e.g., your tags should live with the saved pool data rather than being unique to a single session in the app? I ask because in the prior discussions we’ve had about the challenges of implementing this, being able to do something “lite” that only persists within a single session of the app would probably be easier to bang out sooner, but we also recognize that something persistent is what many users probably imagine.
A: Yea exactly - ideally it should get saved in the pool somewhere. Otherwise if it's staying with a session - maybe a dialogue prompt to save session data somewhere - that can then be re-imported later on or automatically... I can see that working too
We had a discussion as a team to assess the current feasibility of implementing, given the evolution in the Zed technology since the time the issue was opened. There was consensus that the CRUD-like operations envisioned in https://github.com/brimdata/zed/issues/4024 may indeed make this easier to implement than it had been in the past. It was also noted that a short term solution might be to commit tags/notes to a separate pool and then do a join on this to re-attach them to the original records in another pool.
Request
As a User I would like to tag logs with a color classification so that I can mark my threat hunting results.
User flow
Tagging options
The different types should have a different color for easier identification: "Interesting", "Suspicious", "Malicious" or "Evidence".
Log selection options
Desired functionality
Reference Wireframe:
Reference from Molo.ch: