Radko Krkoš wrote:
I would advise against altering the Event search view and instead for introducing a new "Analytics" view capable of such arbitrary queries. From experience the users (such as UPJŠ Košice with timelines) are more accepting of a new feature that is not optimized yet, than breaking existing stuff. Also the proposed output grouping is in my opinion not really useful for event search.
My thought behind that was similar in that we can hide that "Postprocess" or "Analytics" button for admins, such as "Admins" button, until we're ready to publish it.
Pros/cons:
- additional button in Alerts means we would have to make result table display more flexible (because columns from grouping can be very different, and also we can have different sort). So I see what you mean by possibility of breaking existing stuff.
- Different view means duplication of pretty much all of Alerts query view plus adding some more.
Not sure which is better, maybe you're right for the beginning and we'll see if it can be integrated better somewhere.
Thinking about that, maybe it overlaps in functionality partially with Timeline view - Timeline view is in fact a very simple query grouped by various attributes (Counts, #abuses, #analysers, ...), sorted by resulting counts and shown on both timeline and piechart.
I've asked Martin for the use case CTI document to have a more tangible image of what the customer actually wants, I'll post the relevant excerpt here as soon as I have it.