Repository: metron Updated Branches: refs/heads/master 40796c06a -> edec7b18b
METRON-1601: Rename metaalert alert nested field to metron_alert to avoid collision closes apache/incubator-metron#1049 Project: http://git-wip-us.apache.org/repos/asf/metron/repo Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/edec7b18 Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/edec7b18 Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/edec7b18 Branch: refs/heads/master Commit: edec7b18bc40e40f35916489ba2fde2ca4916dc5 Parents: 40796c0 Author: cstella <ceste...@gmail.com> Authored: Fri Jun 8 09:49:54 2018 -0400 Committer: cstella <ceste...@gmail.com> Committed: Fri Jun 8 09:49:54 2018 -0400 ---------------------------------------------------------------------- .../METRON/CURRENT/package/files/bro_index.template | 2 +- .../METRON/CURRENT/package/files/error_index.template | 2 +- .../METRON/CURRENT/package/files/metaalert_index.template | 2 +- .../METRON/CURRENT/package/files/snort_index.template | 2 +- .../METRON/CURRENT/package/files/yaf_index.template | 2 +- .../e2e/mock-data/alerts_ui_e2e_index.template | 2 +- .../app/alerts/alert-details/alert-details.component.ts | 2 +- .../src/app/alerts/alerts-list/alerts-list.component.ts | 2 +- .../alerts-list/table-view/table-view.component.html | 10 +++++----- .../alerts/alerts-list/table-view/table-view.component.ts | 2 +- .../metron-alerts/src/app/model/alert-source.ts | 2 +- .../controller/MetaAlertControllerIntegrationTest.java | 4 ++-- metron-platform/metron-elasticsearch/README.md | 8 ++++---- .../ElasticsearchMetaAlertIntegrationTest.java | 10 +++++----- .../java/org/apache/metron/indexing/dao/MetaAlertDao.java | 2 +- .../apache/metron/indexing/dao/InMemoryMetaAlertDao.java | 2 +- 16 files changed, 28 insertions(+), 28 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template index 30f2591..17ad4d2 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template @@ -143,7 +143,7 @@ "uid": { "type": "keyword" }, - "alert": { + "metron_alert": { "type": "nested" }, "ip_src_addr": { http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/error_index.template ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/error_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/error_index.template index 00aaf87..d119509 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/error_index.template +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/error_index.template @@ -38,7 +38,7 @@ "error_type": { "type": "keyword" }, - "alert": { + "metron_alert": { "type": "nested" } } http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/metaalert_index.template ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/metaalert_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/metaalert_index.template index 24e8357..05d5e32 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/metaalert_index.template +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/metaalert_index.template @@ -36,7 +36,7 @@ "type": "date", "format": "epoch_millis" }, - "alert": { + "metron_alert": { "type": "nested" }, "source:type": { http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/snort_index.template ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/snort_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/snort_index.template index 43b3ca4..f7c6e59 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/snort_index.template +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/snort_index.template @@ -198,7 +198,7 @@ "guid": { "type": "keyword" }, - "alert": { + "metron_alert": { "type": "nested" } } http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/yaf_index.template ---------------------------------------------------------------------- diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/yaf_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/yaf_index.template index b6965f9..f4093ba 100644 --- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/yaf_index.template +++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/yaf_index.template @@ -208,7 +208,7 @@ "type": "text", "fielddata": "true" }, - "alert": { + "metron_alert": { "type": "nested" }, "guid": { http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-interface/metron-alerts/e2e/mock-data/alerts_ui_e2e_index.template ---------------------------------------------------------------------- diff --git a/metron-interface/metron-alerts/e2e/mock-data/alerts_ui_e2e_index.template b/metron-interface/metron-alerts/e2e/mock-data/alerts_ui_e2e_index.template index caf593c..0d6b420 100644 --- a/metron-interface/metron-alerts/e2e/mock-data/alerts_ui_e2e_index.template +++ b/metron-interface/metron-alerts/e2e/mock-data/alerts_ui_e2e_index.template @@ -143,7 +143,7 @@ "uid": { "type": "keyword" }, - "alert": { + "metron_alert": { "type": "nested" }, "ip_src_addr": { http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-interface/metron-alerts/src/app/alerts/alert-details/alert-details.component.ts ---------------------------------------------------------------------- diff --git a/metron-interface/metron-alerts/src/app/alerts/alert-details/alert-details.component.ts b/metron-interface/metron-alerts/src/app/alerts/alert-details/alert-details.component.ts index e1c1685..c8d0d7a 100644 --- a/metron-interface/metron-alerts/src/app/alerts/alert-details/alert-details.component.ts +++ b/metron-interface/metron-alerts/src/app/alerts/alert-details/alert-details.component.ts @@ -92,7 +92,7 @@ export class AlertDetailsComponent implements OnInit { this.searchService.getAlert(this.alertSourceType, this.alertId).subscribe(alertSource => { this.alertSource = alertSource; this.selectedAlertState = this.getAlertState(alertSource['alert_status']); - this.alertSources = (alertSource.alert && alertSource.alert.length > 0) ? alertSource.alert : [alertSource]; + this.alertSources = (alertSource.metron_alert && alertSource.metron_alert.length > 0) ? alertSource.metron_alert : [alertSource]; this.setComments(alertSource); if (fireToggleEditor) { http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-interface/metron-alerts/src/app/alerts/alerts-list/alerts-list.component.ts ---------------------------------------------------------------------- diff --git a/metron-interface/metron-alerts/src/app/alerts/alerts-list/alerts-list.component.ts b/metron-interface/metron-alerts/src/app/alerts/alerts-list/alerts-list.component.ts index 776a083..a70f2b4 100644 --- a/metron-interface/metron-alerts/src/app/alerts/alerts-list/alerts-list.component.ts +++ b/metron-interface/metron-alerts/src/app/alerts/alerts-list/alerts-list.component.ts @@ -219,7 +219,7 @@ export class AlertsListComponent implements OnInit, OnDestroy { onSelectedAlertsChange(selectedAlerts) { this.selectedAlerts = selectedAlerts; - this.isMetaAlertPresentInSelectedAlerts = this.selectedAlerts.some(alert => (alert.source.alert && alert.source.alert.length > 0)); + this.isMetaAlertPresentInSelectedAlerts = this.selectedAlerts.some(alert => (alert.source.metron_alert && alert.source.metron_alert.length > 0)); if (selectedAlerts.length > 0) { this.pause(); http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.html ---------------------------------------------------------------------- diff --git a/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.html b/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.html index d2b1108..78410af 100644 --- a/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.html +++ b/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.html @@ -26,7 +26,7 @@ <tbody> <ng-container *ngFor="let alert of alerts; let alertIndex = index;"> - <ng-container *ngIf="!alert.source.alert || alert.source.alert.length === 0"> + <ng-container *ngIf="!alert.source.metron_alert || alert.source.metron_alert.length === 0"> <tr (click)="showDetails($event, alert)" [ngClass]="{'selected' : selectedAlerts.indexOf(alert) != -1}"> <td width="15" class="icon-cell"></td> <td (click)="addFilter(threatScoreFieldName, alert.source[threatScoreFieldName])"> @@ -50,7 +50,7 @@ </tr> </ng-container> - <ng-container *ngIf="alert.source.alert && alert.source.alert.length > 0"> + <ng-container *ngIf="alert.source.metron_alert && alert.source.metron_alert.length > 0"> <tr (click)="showDetails($event, alert)" [ngClass]="{'selected' : selectedAlerts.indexOf(alert) != -1}"> <td width="15" class="icon-cell dropdown-cell" (click)="toggleExpandCollapse($event, alert)"> <i class="fa" aria-hidden="true" @@ -62,7 +62,7 @@ </td> <td [attr.colspan]="alertsColumnsToDisplay.length - 1"> <a (click)="addFilter('guid', alert.id)" [attr.title]="alert.id" style="color:#689AA9"> {{ alert.source['name'] ? alert.source['name'] : alert.id | centerEllipses:20:cell }}</a> - <span> ({{ alert.source.alert.length }})</span> + <span> ({{ alert.source.metron_alert.length }})</span> </td> <td> <a *ngIf="isStatusFieldPresent" (click)="addFilter('alert_status', alert.source['alert_status'])" style="color:#689AA9"> @@ -80,7 +80,7 @@ <label attr.for="{{ alert.id }}"></label> </td> </tr> - <tr *ngFor="let metaAlerts of alert.source.alert; let metaAlertIndex = index;" (click)="showMetaAlertDetails($event, metaAlerts)" + <tr *ngFor="let metaAlerts of alert.source.metron_alert; let metaAlertIndex = index;" (click)="showMetaAlertDetails($event, metaAlerts)" [ngClass]="{'selected' : selectedAlerts.indexOf(metaAlerts) != -1 , 'd-none': metaAlertsDisplayState[alert.id] === metronAlertDisplayState.COLLAPSE}"> <td width="15" class="icon-cell" class="dropdown-cell"></td> <td (click)="addFilter(threatScoreFieldName, alert.source[threatScoreFieldName])" style="padding-left: 15px"> @@ -114,4 +114,4 @@ <div class="col-md-3 push-md-5"> <metron-table-pagination [(pagination)]="pagination" (pageChange)="onPageChange()"> </metron-table-pagination> </div> -</div> \ No newline at end of file +</div> http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts ---------------------------------------------------------------------- diff --git a/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts b/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts index 0176ff0..411baab 100644 --- a/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts +++ b/metron-interface/metron-alerts/src/app/alerts/alerts-list/table-view/table-view.component.ts @@ -122,7 +122,7 @@ export class TableViewComponent implements OnInit, OnChanges, OnDestroy { updateExpandedStateForChangedData(expandedMetaAlerts: string[]) { this.alerts.forEach(alert => { - if (alert.source.alert && alert.source.alert.length > 0) { + if (alert.source.metron_alert && alert.source.metron_alert.length > 0) { this.metaAlertsDisplayState[alert.id] = expandedMetaAlerts.indexOf(alert.id) === -1 ? MetronAlertDisplayState.COLLAPSE : MetronAlertDisplayState.EXPAND; } http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-interface/metron-alerts/src/app/model/alert-source.ts ---------------------------------------------------------------------- diff --git a/metron-interface/metron-alerts/src/app/model/alert-source.ts b/metron-interface/metron-alerts/src/app/model/alert-source.ts index d5477dc..3330960 100644 --- a/metron-interface/metron-alerts/src/app/model/alert-source.ts +++ b/metron-interface/metron-alerts/src/app/model/alert-source.ts @@ -44,7 +44,7 @@ export class AlertSource { guid: string; sig_id: number; sig_generator: number; - alert: AlertSource[] = []; + metron_alert: AlertSource[] = []; comments: AlertComment[] = []; 'threat:triage:score': number; 'threatinteljoinbolt:joiner:ts': number; http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/MetaAlertControllerIntegrationTest.java ---------------------------------------------------------------------- diff --git a/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/MetaAlertControllerIntegrationTest.java b/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/MetaAlertControllerIntegrationTest.java index 3e69e37..f86f227 100644 --- a/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/MetaAlertControllerIntegrationTest.java +++ b/metron-interface/metron-rest/src/test/java/org/apache/metron/rest/controller/MetaAlertControllerIntegrationTest.java @@ -98,8 +98,8 @@ public class MetaAlertControllerIntegrationTest extends DaoControllerTest { /** * [ - *{"guid":"meta_1","alert":[{"guid":"bro_1"}],"average":"5.0","min":"5.0","median":"5.0","max":"5.0","count":"1.0","sum":"5.0"}, - *{"guid":"meta_2","alert":[{"guid":"bro_1"},{"guid":"bro_2"},{"guid":"snort_1"}],"average":"5.0","min":"0.0","median":"5.0","max":"10.0","count":"3.0","sum":"15.0"} + *{"guid":"meta_1","metron_alert":[{"guid":"bro_1"}],"average":"5.0","min":"5.0","median":"5.0","max":"5.0","count":"1.0","sum":"5.0"}, + *{"guid":"meta_2","metron_alert":[{"guid":"bro_1"},{"guid":"bro_2"},{"guid":"snort_1"}],"average":"5.0","min":"0.0","median":"5.0","max":"10.0","count":"3.0","sum":"15.0"} * ] */ @Multiline http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-platform/metron-elasticsearch/README.md ---------------------------------------------------------------------- diff --git a/metron-platform/metron-elasticsearch/README.md b/metron-platform/metron-elasticsearch/README.md index 1e15018..d889e27 100644 --- a/metron-platform/metron-elasticsearch/README.md +++ b/metron-platform/metron-elasticsearch/README.md @@ -271,13 +271,13 @@ Notes on other settings for types in ES ## Using Metron with Elasticsearch 5.6.2 -There is a requirement that all sensors templates have a nested alert field defined. This field is a dummy field. See [Ignoring Unmapped Fields](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-sort.html#_ignoring_unmapped_fields) for more information +There is a requirement that all sensors templates have a nested `metron_alert` field defined. This field is a dummy field. See [Ignoring Unmapped Fields](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-sort.html#_ignoring_unmapped_fields) for more information Without this field, an error will be thrown during ALL searches (including from UIs, resulting in no alerts being found for any sensor). This error will be found in the REST service's logs. Exception seen: ``` -QueryParsingException[[nested] failed to find nested object under path [alert]]; +QueryParsingException[[nested] failed to find nested object under path [metron_alert]]; ``` There are two steps to resolve this issue. First is to update the Elasticsearch template for each sensor, so any new indices have the field. This requires retrieving the template, removing an extraneous JSON field so we can put it back later, and adding our new field. @@ -290,7 +290,7 @@ export SENSOR="bro" curl -XGET "http://${ELASTICSEARCH}:9200/_template/${SENSOR}_index*?pretty=true"; -o "${SENSOR}.template" sed -i '' '2d;$d' ./${SENSOR}.template sed -i '' '/"properties" : {/ a\ -"alert": { "type": "nested"},' ${SENSOR}.template +"metron_alert": { "type": "nested"},' ${SENSOR}.template ``` To manually verify this, you can optionally pretty print it again with: @@ -309,7 +309,7 @@ To update existing indexes, update Elasticsearch mappings with the new field for curl -XPUT "http://${ELASTICSEARCH}:9200/${SENSOR}_index*/_mapping/${SENSOR}_doc"; -d ' { "properties" : { - "alert" : { + "metron_alert" : { "type" : "nested" } } http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java ---------------------------------------------------------------------- diff --git a/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java b/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java index 5222a38..b001050 100644 --- a/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java +++ b/metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java @@ -92,7 +92,7 @@ public class ElasticsearchMetaAlertIntegrationTest { /** { "properties": { - "alert": { + "metron_alert": { "type": "nested" } } @@ -175,7 +175,7 @@ public class ElasticsearchMetaAlertIntegrationTest { "score" : { "type" : "integer" }, - "alert" : { + "metron_alert" : { "type" : "nested" } } @@ -761,7 +761,7 @@ public class ElasticsearchMetaAlertIntegrationTest { SearchResponse searchResponse = metaDao.search(new SearchRequest() { { setQuery( - "(ip_src_addr:192.168.1.1 AND ip_src_port:8009) OR (alert.ip_src_addr:192.168.1.1 AND alert.ip_src_port:8009)"); + "(ip_src_addr:192.168.1.1 AND ip_src_port:8009) OR (metron_alert.ip_src_addr:192.168.1.1 AND metron_alert.ip_src_port:8009)"); setIndices(Collections.singletonList(MetaAlertDao.METAALERT_TYPE)); setFrom(0); setSize(5); @@ -781,7 +781,7 @@ public class ElasticsearchMetaAlertIntegrationTest { { setQuery( "(ip_src_addr:192.168.1.1 AND ip_src_port:8010)" - + " OR (alert.ip_src_addr:192.168.1.1 AND alert.ip_src_port:8010)"); + + " OR (metron_alert.ip_src_addr:192.168.1.1 AND metron_alert.ip_src_port:8010)"); setIndices(Collections.singletonList("*")); setFrom(0); setSize(5); @@ -804,7 +804,7 @@ public class ElasticsearchMetaAlertIntegrationTest { { setQuery( "(ip_src_addr:192.168.1.3 AND ip_src_port:8008)" - + " OR (alert.ip_src_addr:192.168.1.3 AND alert.ip_src_port:8008)"); + + " OR (metron_alert.ip_src_addr:192.168.1.3 AND metron_alert.ip_src_port:8008)"); setIndices(Collections.singletonList("*")); setFrom(0); setSize(1); http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/MetaAlertDao.java ---------------------------------------------------------------------- diff --git a/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/MetaAlertDao.java b/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/MetaAlertDao.java index 4530d2a..8807849 100644 --- a/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/MetaAlertDao.java +++ b/metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/MetaAlertDao.java @@ -70,7 +70,7 @@ public interface MetaAlertDao extends IndexDao { String METAALERT_DOC = METAALERT_TYPE + "_doc"; String THREAT_FIELD_DEFAULT = "threat:triage:score"; String THREAT_SORT_DEFAULT = "sum"; - String ALERT_FIELD = "alert"; + String ALERT_FIELD = "metron_alert"; String STATUS_FIELD = "status"; String GROUPS_FIELD = "groups"; http://git-wip-us.apache.org/repos/asf/metron/blob/edec7b18/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/InMemoryMetaAlertDao.java ---------------------------------------------------------------------- diff --git a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/InMemoryMetaAlertDao.java b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/InMemoryMetaAlertDao.java index baa5416..5ab5c48 100644 --- a/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/InMemoryMetaAlertDao.java +++ b/metron-platform/metron-indexing/src/test/java/org/apache/metron/indexing/dao/InMemoryMetaAlertDao.java @@ -61,7 +61,7 @@ public class InMemoryMetaAlertDao implements MetaAlertDao { /** * { * "indices": ["metaalert"], - * "query": "alert|guid:${GUID}", + * "query": "metron_alert|guid:${GUID}", * "from": 0, * "size": 10, * "sort": [
