Draft: parse correlation rules #33
Conversation
AnthonyAspen
changed the title
|
Hey @AnthonyAspen, I think in its current state it could probably be merged with only some small tidy up. That would only be for parsing correlation rules though, actually evaluating them is significantly more work. Is just parsing the correlation rule format useful for you? |
Yeah It seems that we may need to refactor the evaluator to a "Matcher" interface, rather than using rules. Additionally, the correlation rules should have a storage interface to allow for state increments and sharing of state, in case one correlation rule relies on another.
I think it'd be a great start. If you have something in your mind about implementing the correlation rules you can try to summarize it for me and I'll help In brief, I came up with the idea of parsing the correlation rules after discovering that they have deprecated aggregations and appear to be planning to release the correlation rules in the future. However, the correlation rules are currently only in "version 2.0" of the specification, which makes me concerned that they could make significant changes that would render our (potential) work useless. |
What's your thoughts about the correlation rules? I'd like to understand the state of the correlation rules branch. Have you had any plans on finishing it?