Create test cases in QA enviroment for bloomfilter

[elliVM]

Test note of bloom filter functionality in QA

• Create test note than can be run from start to finish
• Unique datasource for tests
• Test common patterns
• Test correct results fetched
• Test many vs few bloomfilter matches
• Test performance on large objects and estimated matches
• info about note

Testing datasource

• _raw data should include many common patterns UUID, IPV4, Date, words etc. for testing matching
• separate (by date or some other way) to be able to use for simple tests and for heavier performance testing
• for performance testing a large number of matches

note specs not set in stone

please add questions or suggestions if you have any improvement ideas, aim is to test the functionality of bloom filtering the best way we can in QA

[StrongestNumber9]

Can you provide some example events (_raw is fine, headers are not important)? Are any of the current indexes relevant such as index=alert_examples?

Nearly all of the example indexes in QA are generated by dozen lines of python so it is not that hard to make the data but the important question is what is the data we want.

Also how many events do we actually want, thousand? million?

Any need for different amount of events per day or can the timestamp increase in linear way making each day have same amount of events?

Are any of the hostnames or appnames relevant or do we just care about _raw and potentially _time?

Do all the events need to have all the keys or can some include UUID and another doesn't?

What are the words that are needed to exist in the event, and are they standalone or part of key=value combination?

A script or pseudocode for the wanted content that I can use or implement would be appreciated.