Graph's group ? should or must?


(Peng Lin) #1

When I use graph ,to group two terms such as A AND B , i think if the conditions are met must have both A
AND B the query relation shoud “must” not “should”,but i find the query used should not “must” .
Am I using the wrong one?

this is a ex
{"bool":{"minimum_should_match":1,"should":[{"bool":{"should":[{"terms":{"request.user-agent.keyword":["Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"]}},{"terms":{"realUrl.keyword":["/mopng/v1/qixi/lottery/award"]}}]}}]}}
in graph i group Mozill and /mopng 。

(Mark Harwood) #2

Are you talking about grouping in the graph UI?

If so, then that is treated as an OR, typically because there might be two different ways of describing the same entity in an index e.g. you might want to consider @realdonaldtrump and @potus as the same entity.
There are no individual tweets that have both @potus and @realdonaldtrump as the author so it is logically ORed rather than ANDed when querying or linking to other graph vertices

(Peng Lin) #3

Hi thank you for you reply 。
I knew what you say ,but if i want realtionship is and not or what should i do ?
for ex if i have two log,and have tree attribute。
log1 A B C
log2 A D E
i only want to show log1 both attr.has A AND B not only A :slight_smile:

(Mark Harwood) #4

Entities in Graph are defined by concrete terms that we can:
a) query quickly
b) aggregate quickly

If we allow entities to be arbitrary queries things would start to slow down.
The grouping we offer in the UI is a convenience which tackles the common problem of there being multiple terms meaning the same thing (essentially, synonyms). We have discussed the idea of expanding this support to include arbitrary queries but don't have any immediate plans to support this.
For now, you'd have to index a single concrete term that combined both log1 and A and B into a single token to get ANDing.

(Peng Lin) #5

I know ,thank you very much . BUT I hope this function will be developed soon, and the relationship between AND is really needed :slight_smile:

(Mark Harwood) #6

What business problem are you trying to solve? Can you talk about it in less abstract terms?

(Peng Lin) #7

I think I have some risk control scenes to use
for ex some hacker in access log have both same user-agent and vister same url ,so i group user-agent and url to
find them 。

(Mark Harwood) #8

This video might be of interest.
It's about using the Graph API to discover unusual sharing of attributes between accounts and creating investigation tasks using the Graph UI for the (hopefully) less than 1% of actors that look suspicious. The comments include a link to example scripts/data.

(Peng Lin) #9

OK ,thank you very much:grinning:

(system) #10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.