[ML] Add include categorical filter type to detector rules #27
Conversation
|
Is this not still a Alternatively, if done at that level, how about |
davidkyle
changed the title
👍 It's an improvement |
lib/api/CDetectionRulesJsonParser.cc
Outdated
| @@ -35,6 +35,7 @@ const std::string TARGET_FIELD_NAME("target_field_name"); | |||
| const std::string TARGET_FIELD_VALUE("target_field_value"); | |||
| const std::string TYPE("type"); | |||
| const std::string CATEGORICAL("categorical"); | |||
| const std::string NOT_MATCH("not_match"); | |||
There was a problem hiding this comment.
I think we should rename both these strings to be consistent, i.e. categorical_include and categorical_exclude or something similar. There is going to be a break to backwards compatibility of rule syntax anyway and as it is I think this naming is confusing.
There was a problem hiding this comment.
I've realised backwards compatibility isn't an issue here we can replace the categorical string with anything we want as the job config is created in x-pack java on the same node the job runs on. C++ and Java are upgraded in step so on a v7 node there will be v7 java writing config v7 autodetect can read. The BWC problems are in x-pack.
There was a problem hiding this comment.
I wondered whether mixed version clusters in rolling upgrades would cause a problem, but I guess in these cases do we ensure only compatible versions talk to one another. In any case, I think we only have one user of rules at this point except one (who needs to update their rules configuration anyway) so any BWC is surely moot.
| condition.fieldName(attributeFieldName); | ||
| condition.valueFilter(valueFilter); | ||
| CDetectionRule rule; | ||
| rule.addCondition(condition); | ||
|
|
||
| bool isCategoricalType = CRuleCondition::E_Match == conditionType; |
There was a problem hiding this comment.
As per Sophie's suggestion, I think renaming this, and subsequent examples, to something like isCategoricalInclude would make this clearer.
|
The rules have a condition (gt, lte, etc) and an action (filter results) I think using include/exclude confuses the condition with the action. If The best I can come up with is |
|
Another option would be to introduce a new action |
|
We have <, <=, >, >= for numerical conditions so we can effectively negate those anyway |
|
Yes, it is definitely less useful. There are still some cases where it will make rules involving metric conditions slightly more concise because of the implied logical connectives we use in conditions, but if it is a much larger change I'm happy to keep as is. I sort of wondered as well whether this is really more logically an action, keep vs remove, rather than a condition when you originally suggested this change, but don't have strong feelings. |
|
I pushed another commit with renaming E_Categorical -> E_CategoricalMatch and using E_CategoricalComplement |
|
I pushed another commit enabling backwards compatibility for parsing the rules with the old style |
* Add whitelist rule condition type * Enable BWC for parsing categorical rules
* Add whitelist rule condition type * Enable BWC for parsing categorical rules
|
Marking as a non-issue for release notes purposes as this code was reworked significantly in #119 and was never released in this form. |
Detector rules have a
E_Categoricalcondition that applies to text fields, when used in conjunction with the actionE_FilterResultsthe effect is to filter the results i.e. don't generate results for these field valuesThis PR introduces the inverse functionality i.e. generate results only for those field values in the filter list.
I renamed the enum
E_CategoricaltoE_Matchbut left the JSON parsing code as is for backwards compatibility. I'm not entirely happy with the naming any suggestions are welcome or perhaps this is best left for the anticipated rewrite of rules