Add a Type filter and column to the Event Definitions list #26279

Open
danotorrey wants to merge 13 commits into master from add-event-definition-type-filter
@danotorrey danotorrey commented Jun 9, 2026

Contributor

Overview

Add a Type filter and column to the Event Definitions list.

Allows:

  • Filtering the list by a specific event definition type (multi-selecting types OR-joined)
  • Showing an optional, resizable Type column (off by default)

This matches the Event Definition Type filter that is already available on the Alerts page.

Motivation

The Event Definitions page (Alerts → Event Definitions) can be filtered by Source, Status, and Tags, but not by the definition's type. On instances with many definitions there's no quick way to narrow to a single type.

Approach

  • Backend: expose config.type as a filterable, sortable EntityAttribute on the event definitions list — same mechanism as the existing status filter.
  • Frontend: a filter component that sources its options from the eventDefinitionTypes plugin registry, so any plugin-registered type is selectable by its display name. Options are gated by useCondition() so only available types are offered.
  • Adds an optional Type column (off by default).

Notes

Multiple selected types are OR-joined (DbFilterExpressionParser groups same-field filters). Option labels come from the plugin registry rather than a backend filterOptions enum, so plugin-contributed type names stay out of the server.

A new optional hideFromCreation flag on EventDefinitionType lets a type be hidden from the create wizard's condition-type dropdown while still appearing as a filter option. See the paired enterprise PR.

/prd Graylog2/graylog-plugin-enterprise#14625

Assisted with Claude Code

danotorrey and others added 6 commits June 9, 2026 16:07
Expose the event definition config type as a filterable, sortable
attribute so the Event Definitions list can be narrowed by type
(Filter & Aggregation, plus any plugin-contributed types). Options are
sourced from the eventDefinitionTypes plugin registry and gated by the
same useCondition() check the create form uses, so only available types
are offered. Also adds an optional (non-default) Type column.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Use a flexible width with a minimum instead of staticWidth, which
disables column resizing (enableResizing: !staticWidth).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Render the type options as the same searchless menu the Status/Source
filters use (StaticOptionsList) instead of SuggestionsList. With only a
handful of types a search box adds no value, and this keeps the filter
consistent with the other static-enum filters on the page.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Revert the StaticOptionsList change and keep the SuggestionsList-based
filter (with the search field), so the Event Definitions and Security
Events type filters stay consistent. Adds the changelog entry for the
new filter.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@danotorrey danotorrey requested review from kingzacko1 and zeeklop June 15, 2026 19:07
@danotorrey danotorrey changed the title Add a Type filter to the Event Definitions list Add a Type filter and column to the Event Definitions list Jun 15, 2026
@kingzacko1

Contributor

@danotorrey Just a heads up there are some merge conflicts.

Also functionality looks good! Is it possible to get the pretty print version of the type value in the selected filter area? We use it everywhere else, but in the selected filter we use the actual type name like sigma-v1, correlation-v1:
image

danotorrey and others added 4 commits June 24, 2026 17:18
Resolve conflict in useEventDefinitions.ts: master refactored the hook to
use direct fetch/PaginationURL instead of EventDefinitionsStore. Re-applied
the type filter_component splice on top of master's fetchEventDefinitions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The selected-type filter chip showed the raw config.type value (e.g.
`sigma-v1`) because the list reused the Streams FilterValueRenderers,
which has no `type` renderer. Add an event-definitions FilterValueRenderers
with a `type` renderer that reuses EventDefinitionTypeRenderer, so the chip
shows the plugin display name to match the Type column.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@kingzacko1

Contributor

@danotorrey I no longer see Sigma Rule as a filter option:
image

danotorrey and others added 2 commits June 26, 2026 14:00
Add an optional hideFromCreation flag to EventDefinitionType so a type can be
hidden from the create wizard's condition-type dropdown while still being
listed as a filter option. Previously both the wizard and the type filter
keyed off useCondition, conflating availability/licensing with wizard
visibility.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@kingzacko1 kingzacko1 left a comment

Contributor

This LGTM and tests successfully.

Separate issue that we may want to do the same human readable filter on the Alerts & Events tab too, but definitely think it can be done in a small separate PR:

Image

@danotorrey

Contributor Author

@kingzacko1 Thanks for testing again! Had my comment all drafted up but forgot to post:

Good catch, that should be fixed with the latest. Sigma was hidden from the create wizard in Graylog2/graylog-plugin-enterprise#14484 by setting its useCondition to false, which this filter was also keying off of. That's been split now in Graylog2/graylog-plugin-enterprise#14625: useCondition just gates availability, and a separate hideFromCreation flag keeps Sigma out of the wizard. So Sigma's back as a filter option but still isn't selectable when creating a definition.

Good catch on the Alerts side. I'll add a PR to address that too...
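
The split discussed in this thread, as an added TypeScript sketch that is not part of the PR or Graylog's code: it shows why gating both lists on useCondition dropped Sigma from the filter, and how a separate hideFromCreation flag restores it. The type shape, helper names and sample registries are assumptions; only the field names useCondition and hideFromCreation and the raw values sigma-v1 and correlation-v1 come from the thread.

```typescript
// Hypothetical registry entry; field names follow the PR text, the shape is assumed.
type EventDefinitionType = {
  type: string;                  // raw config.type value, e.g. 'sigma-v1'
  displayName: string;
  useCondition?: () => boolean;  // availability gate only
  hideFromCreation?: boolean;    // hide from the create wizard only
};

const isAvailable = (t: EventDefinitionType): boolean =>
  (t.useCondition ? t.useCondition() : true);

// Filter options: every available type, regardless of wizard visibility.
const filterOptions = (registry: EventDefinitionType[]): string[] =>
  registry.filter(isAvailable).map((t) => t.displayName);

// Create-wizard options: available and not flagged hideFromCreation.
const wizardOptions = (registry: EventDefinitionType[]): string[] =>
  registry.filter((t) => isAvailable(t) && !t.hideFromCreation).map((t) => t.displayName);

// Selected-filter chip label: display name, falling back to the raw value.
const renderTypeValue = (registry: EventDefinitionType[], raw: string): string => {
  const hit = registry.filter((t) => t.type === raw)[0];
  return hit ? hit.displayName : raw;
};

// Filters on the same field are OR-joined; different fields are AND-joined.
type Filter = { field: string; value: string };
const matches = (row: Record<string, string>, filters: Filter[]): boolean => {
  const byField: Record<string, string[]> = {};
  filters.forEach(({ field, value }) => { (byField[field] = byField[field] || []).push(value); });
  return Object.keys(byField).every((field) => byField[field].indexOf(row[field]) !== -1);
};

// Constructed sample registries (display names other than 'Sigma Rule' are made up).
const base: EventDefinitionType[] = [
  { type: 'aggregation-v1', displayName: 'Filter & Aggregation' },
  { type: 'correlation-v1', displayName: 'Correlation', useCondition: () => true },
];
// Before the split: Sigma hidden via useCondition, so it also vanishes from the filter.
const before: EventDefinitionType[] = base.concat([
  { type: 'sigma-v1', displayName: 'Sigma Rule', useCondition: () => false },
]);
// After the split: Sigma stays available and is only kept out of the wizard.
const after: EventDefinitionType[] = base.concat([
  { type: 'sigma-v1', displayName: 'Sigma Rule', hideFromCreation: true },
]);
```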

@danotorrey danotorrey added the e2e-tests Run PR build with e2e tests. label Jun 26, 2026
@danotorrey

Contributor Author

@kingzacko1 Also dropping e2e-tests label on this just to be sure. I'll merge if all is clear.
