Event Fields Keys help text is ambiguous, should clarify that grouping only applies to correlated events

[drewmiranda-gl]

We've had a customer ask us about an issue where events are not being deduplicated by key when using Event fields. The event fields keys help text says that this feature does perform group bys:

However, this seems to only apply to correlated events.

Can this text be updated to remove the ambiguity and make it clear that the grouping only applies to the correlated event type?

Expected Behavior

Help text is clear and unambigous.

Current Behavior

Help text is unclear and states this feature can be used to do group by for 'filter & aggregation' events when this is not true.

Possible Solution

Update text? Suggestion:

Event Keys are Fields used to arrange Events into groups for. When used with condition type Event Correlation, a group is created for each unique Key, so Graylog will generate as many Events as unique Keys are found. To group events when using condition type 'Filter & Aggregation', use 'Create Events for Definition if...Aggregation of results reaches a threshold' and configure Group by Field(s).

Steps to Reproduce (for bugs)

Context

Your Environment

• Graylog Version: 6.0, 6.1
• Java Version: Bundled
• OpenSearch Version: 2.x
• MongoDB Version: 7.x
• Operating System: Ubuntu 22.04 LTS
• Browser version: Google Chrome Version 128.0.6613.138 (Official Build) (arm64)

Please let me know if there are any questions.

[drewmiranda-gl]

I believe this text lives here:

graylog2-server/graylog2-web-interface/src/components/event-definitions/common/EventKeyHelpPopover.tsx

Line 21 in 1f06618

Event Keys are Fields used to arrange Events into groups. A group is created for each unique Key, so