Github user justinleet commented on a diff in the pull request:

    https://github.com/apache/metron/pull/802#discussion_r145378015
  
    --- Diff: 
metron-platform/metron-elasticsearch/src/test/java/org/apache/metron/elasticsearch/integration/ElasticsearchMetaAlertIntegrationTest.java
 ---
    @@ -302,12 +310,126 @@ public void test() throws Exception {
         }
       }
     
    -  protected boolean findUpdatedDoc(Map<String, Object> message0, String 
guid)
    +  /**
    +   {
    +     "guid": "search_by_status_active",
    +     "source:type": "metaalert",
    +     "alert": [],
    +     "status": "active"
    +   }
    +   */
    +  @Multiline
    +  public static String activeMetaAlert;
    +
    +  /**
    +   {
    +     "guid": "search_by_status_inactive",
    +     "source:type": "metaalert",
    +     "alert": [],
    +     "status": "inactive"
    +   }
    +   */
    +  @Multiline
    +  public static String inactiveMetaAlert;
    +
    +  @Test
    +  public void shouldSearchByStatus() throws Exception {
    +    List<Map<String, Object>> metaInputData = new ArrayList<>();
    +    Map<String, Object> activeMetaAlertJSON = 
JSONUtils.INSTANCE.load(activeMetaAlert, new TypeReference<Map<String, 
Object>>() {});
    +    metaInputData.add(activeMetaAlertJSON);
    +    Map<String, Object> inactiveMetaAlertJSON = 
JSONUtils.INSTANCE.load(inactiveMetaAlert, new TypeReference<Map<String, 
Object>>() {});
    +    metaInputData.add(inactiveMetaAlertJSON);
    +
    +    // We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets 
appended automatically.
    +    elasticsearchAdd(metaInputData, MetaAlertDao.METAALERTS_INDEX, 
MetaAlertDao.METAALERT_TYPE);
    +    // Wait for updates to persist
    +    findUpdatedDoc(inactiveMetaAlertJSON, "search_by_status_inactive", 
MetaAlertDao.METAALERT_TYPE);
    +
    +    SearchResponse searchResponse = metaDao.search(new SearchRequest() {
    +      {
    +        setQuery("*");
    +        setIndices(Collections.singletonList(MetaAlertDao.METAALERT_TYPE));
    +        setFrom(0);
    +        setSize(5);
    +        setSort(Collections.singletonList(new SortField(){{ 
setField(Constants.GUID); }}));
    +      }
    +    });
    +    Assert.assertEquals(1, searchResponse.getTotal());
    +    Assert.assertEquals(MetaAlertStatus.ACTIVE.getStatusString(), 
searchResponse.getResults().get(0).getSource().get(MetaAlertDao.STATUS_FIELD));
    +  }
    +
    +  /**
    +   {
    +   "guid": "search_by_nested_alert_0",
    +   "source:type": "test",
    +   "ip_src_addr": "192.168.1.1",
    +   "ip_src_port": 8010
    +   }
    +   */
    +  @Multiline
    +  public static String searchByNestedAlert0;
    +
    +  /**
    +   {
    +   "guid": "search_by_nested_alert_1",
    +   "source:type": "test",
    +   "ip_src_addr": "192.168.1.2",
    +   "ip_src_port": 8009
    +   }
    +   */
    +  @Multiline
    +  public static String searchByNestedAlert1;
    +
    +  @Test
    +  public void shouldSearchByNestedAlert() throws Exception {
    +    List<Map<String, Object>> inputData = new ArrayList<>();
    +    Map<String, Object> searchByNestedAlert0JSON = 
JSONUtils.INSTANCE.load(searchByNestedAlert0, new TypeReference<Map<String, 
Object>>() {});
    +    inputData.add(searchByNestedAlert0JSON);
    +    Map<String, Object> searchByNestedAlert1JSON = 
JSONUtils.INSTANCE.load(searchByNestedAlert1, new TypeReference<Map<String, 
Object>>() {});
    +    inputData.add(searchByNestedAlert1JSON);
    +    elasticsearchAdd(inputData, INDEX, SENSOR_NAME);
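Review bot: In `shouldSearchByStatus`, the wait before the search polls only for `search_by_status_inactive`, so nothing visible here guarantees the active meta alert is searchable when `metaDao.search` runs; if it is not, `Assert.assertEquals(1, searchResponse.getTotal())` can fail intermittently. Consider also waiting on the active document with `findUpdatedDoc(activeMetaAlertJSON, "search_by_status_active", MetaAlertDao.METAALERT_TYPE);`, and asserting the returned guid as well as the status field so the test pins which document came back. Because the query is `*`, the expected count of 1 presumably relies on the DAO excluding inactive meta alerts; a one-line comment such as `// metaDao.search is expected to filter out inactive meta alerts` would make that explicit. `shouldSearchByNestedAlert` continues past the end of the quoted hunk and is not covered by this note.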
    --- End diff --
    
    Can we either modify this case, or add a new one with multiple alerts? 
Basically just to make sure things function as expected when there are 
multiple nested alerts.

