WIP - Add Exception Duplication Checking #5689

Draft
eric-forte-elastic wants to merge 1 commit into main from 5664-dac-fr-addressing-duplicate-exceptions
eric-forte-elastic (Contributor) commented Feb 5, 2026

Pull Request

Issue link(s):

Resolves: #5664

Summary - What I changed

Note

It is unclear and needs to be determined if item_ids are unique across spaces and can function as an identifier similarly to list_ids.

1. New helper: _deduplicate_comments()

  • Purpose: Removes duplicate comments on an exception item by comment text.
  • Behavior: Takes an exception item dict, shallow-copies it, and builds a new comments list that keeps only the first occurrence of each comment (using a seen_texts set).
  • Return: The copied item with comments replaced by the deduplicated list; the original is not mutated.

2. Changes to parse_exceptions_results_from_api()

  • Item deduplication by item_id:
    • Added seen_item_ids: set[str] to track already-seen exception item IDs.
    • For each API result that is an exception item: if it has an item_id and that ID is already in seen_item_ids, the result is skipped (duplicate).
    • When an item is kept and has an item_id, that ID is added to seen_item_ids.
  • Comment deduplication: Before appending an exception item, the code calls _deduplicate_comments(result) and appends the returned item instead of the raw result.

Result

  • Items: Duplicate exception items from the Kibana export API (same item_id) are dropped before building TOML.
  • Comments: Duplicate comments within each kept item are removed so the repo doesn’t accumulate repeated comments (e.g. auto-generated “pre-filled from alert” text).

How To Test

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

eric-forte-elastic linked an issue Feb 5, 2026 that may be closed by this pull request
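
The two-level deduplication described in the PR summary (items by item_id, then comments by text), as an added example that is not the PR's or the project's own code. The function names, the `comment` key holding the comment text, and the sample data are assumptions; the sketch also returns the dropped item_ids so a reviewer can see what was discarded while the cross-space uniqueness question in the note is still open.

```python
from typing import Any

Item = dict[str, Any]


def dedupe_comments(item: Item) -> Item:
    """Shallow-copy item, keeping the first comment for each distinct text."""
    copy = dict(item)  # the caller's dict is left untouched
    seen_texts: set[str] = set()
    kept = []
    for comment in item.get("comments") or []:
        text = comment.get("comment", "")  # assumed key for the comment text
        if text not in seen_texts:
            seen_texts.add(text)
            kept.append(comment)
    if "comments" in item:
        copy["comments"] = kept
    return copy


def dedupe_exception_items(results: list[Item]) -> tuple[list[Item], list[str]]:
    """Keep the first item per item_id; return (kept_items, dropped_item_ids)."""
    seen_item_ids: set[str] = set()
    kept: list[Item] = []
    dropped: list[str] = []
    for result in results:
        item_id = result.get("item_id")
        if item_id and item_id in seen_item_ids:
            dropped.append(item_id)  # reported so a dropped item is never silent
            continue
        if item_id:
            seen_item_ids.add(item_id)
        kept.append(dedupe_comments(result))
    return kept, dropped


# Constructed sample, not real export data.
SAMPLE_RESULTS: list[Item] = [
    {"item_id": "constructed-item-1", "comments": [
        {"comment": "pre-filled from alert"},
        {"comment": "pre-filled from alert"},
        {"comment": "tuned for build hosts"},
    ]},
    {"item_id": "constructed-item-1", "comments": []},
    {"item_id": "constructed-item-2"},
    {"name": "constructed item without item_id"},
]

if __name__ == "__main__":
    kept_items, dropped_ids = dedupe_exception_items(SAMPLE_RESULTS)
    print(len(kept_items), "kept; dropped:", dropped_ids)
```

Items without an item_id are always kept here, since there is no key to compare them on.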

Successfully merging this pull request may close these issues.

[DAC] [FR] Addressing Duplicate Exceptions