[GitHub] metron issue #811: METRON-1272: Hide child alerts from searches and grouping...

[nickwallen]

Github user nickwallen commented on the issue:

    https://github.com/apache/metron/pull/811
  
    I am seeing another issue that may or may not be related.  It seems that 
when I am using the "group by" functionality, I cannot see meta-alerts at all.
    
    (1) If I am not using the "group by", I can see the meta-alert perfectly 
fine.
    
    ![screen shot 2017-10-23 at 4 40 01 
pm](https://user-images.githubusercontent.com/2475409/31912118-e88c9548-b810-11e7-830f-034acefbc8ed.png)
    
    (2) Now I want to group by host.  I click the "host" group by widget, but 
there are no results.  I am left thinking... Where did the meta-alert go?   The 
only way I can see the meta-alert is to not use the "group by" functionality.
    
    ![screen shot 2017-10-23 at 4 42 29 
pm](https://user-images.githubusercontent.com/2475409/31912220-2cdc3f82-b811-11e7-86c6-27c297408b3a.png)
    
    (3) And the UI screenshots match what is returned by the underlying API.  
In the case of the missing meta-alert, this is the request/response. 
    
    Request:
    ```
    {
      "indices": [
        "websphere",
        "snort",
        "asa",
        "bro",
        "yaf",
        "metaalert"
      ],
      "scoreField": "threat:triage:score",
      "groups": [
        {
          "field": "host",
          "order": {
            "sortOrder": "desc",
            "groupOrderType": "term"
          }
        }
      ],
      "query": "(host:ip\\-addr.es OR alert.host:ip\\-addr.es)"
    }
    ```
    
    Response:
    ```
    {"groupedBy":"host","groupResults":[]}
    ```


---