Github user nickwallen commented on the issue:
https://github.com/apache/metron/pull/811
It appears to me that the alerts contained within a meta-alert are not
contributing to the facet counts returned by a search request. I think we
still do want that to happen. Let me explain with an example and screenshots.
Note: I am testing this together with the UI changes in #803 .
1. First, I isolate 10 alerts with a specific host name that I want to work
with. I have turned off ingest so that no additional alerts should appear
during the running of this example. I can see that the facet counts are what I
would expect.
2. Next, I group by host so that I can create my meta-alert.
3. Immediately after creating the meta-alert, I do not immediately see it.
I think this is a problem with the UI itself not refreshing after creating the
alert. This might need fixed in #803 .
4. If I then trigger another search, I do see the meta-alert. Great!
5. Next I just expand the meta-alert to validate that the 10 original
alerts were added. You can see from this screenshot that the facet counts all
show 0. This tells me that the facet counts are not including meta-alerts.
---
