<div dir="ltr">Hi, <br><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 6, 2016 at 10:30 PM, Scheidler, Balázs <span dir="ltr">&lt;<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Hi,</p><span class="">
<p dir="ltr">On Jun 6, 2016 11:17 AM, "Fekete, Róbert" &lt;<a href="mailto:robert.fekete@balabit.com" target="_blank">robert.fekete@balabit.com</a>&gt; wrote:<br>
><br>
> Hi Bazsi, <br>
><br>
> I've started to document the grouping-by parser, and have a few questions/comments about it:<br>
><br>
> * It seems that some of the grouping-by options are the same as (or very similar to) the correlation-related attributes of the pattern database, but have different names. Could we name them consistently where they are the same? (I haven't checked the correlation module from Rust, but maybe we could align that as well.) <br>
> For example:<br>
> grouping-by | patterndb<br>
> scope | context-scope<br>
> timeout | context-timeout<br>
> aggregate | message or action<br>
></p>
</span><p dir="ltr">I omitted the "context" prefix on purpose; they are important in the patterndb context, as rules have correlation- and non-correlation-related groups of options. With groupingby it would be kind of redundant.</p></blockquote><div>I think that the concept is the same, even though it is heavily based on a similar functionality.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">I was thinking about aggregate() a lot, and decided to use something that is closer to the "groupingby" term: GROUP BY in SQL works with aggregate functions; in a sense they produce aggregates over various dimensions. In patterndb, you can generate multiple actions for a rule.</p>
<p dir="ltr">Anyway, naming should probably be discussed in person.</p><span class="">
<p dir="ltr">><br>
> * In the original commit message, you mention three possible values for the 'scope' option, whereas the context-scope in the patterndb has four (program). Are these deliberately different, or do they use the same code?</p>
</span><p dir="ltr">They use the same code, so it should be the same<br><br></p></blockquote><div>Ok. <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr"></p><span class="">
<p dir="ltr">><br>
> * grouping-by doesn't look to me like an actual parser. From the existing objects, it resembles a filter more (IMHO), but I'd rather categorize it as something else that transforms/processes the incoming data, and it should therefore be in a separate configuration object (along with the geoip parser).</p>
</span><p dir="ltr">I agree; we currently only have parsers/rewrite/filter stuff. It might make sense to create a more generalized concept though. I am not sure it is worth it, but we have already had similar use cases where we couldn't categorize some kind of functionality. But let's test whether we can find a descriptive name for it. What would you call "generic processing" in the config?</p></blockquote><div>Well, it might not be generic enough, but both the grouping-by and the geoip parsers add auxiliary data to a message, so in a sense they 'enrich()' the existing data. (My first idea was 'transform', but we do not transform anything directly.) Anyway, I'll try to come up with some other ideas.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">Btw, I stand by my decision that it is not a filter: it never drops messages, whereas the primary function of filters is to drop messages.</p>
<p dir="ltr">><br>
> Robert</p>
</blockquote></div><br></div></div></div>