GitHub user nickwallen commented on the issue:
https://github.com/apache/metron/pull/811
Another thing I noticed is that there does not seem to be a way to retrieve
meta-alerts that you have created.
For example, I created a meta-alert where `host:ip-addr.es`. Assuming we
exclude metaalerts from all the nice "group by" functionality, then I need to
find it using search. But if I search with `host:ip-addr.es` or even
`alert.host.ip-addr.es` it does not return any results.

When using `alert.host` the UI submits the following which returns no
results.
```
{
  "indices": [
    "websphere",
    "snort",
    "asa",
    "bro",
    "yaf",
    "metaalert"
  ],
  "facetFields": [
    "source:type",
    "ip_src_addr",
    "ip_dst_addr",
    "host",
    "enrichments:geo:ip_dst_addr:country"
  ],
  "query": "(host:ip\\-addr.es OR alert.host:ip\\-addr.es)",
  "from": 0,
  "size": 25,
  "sort": [
    {
      "field": "host",
      "sortOrder": "asc"
    }
  ]
}
```
I ran this by @justinleet and we found that it is the `sort` field that
prevents the meta-alerts from being returned. Removing the sort field, as in the
following query, does actually return the meta-alert.
```
{
  "indices": [
    "websphere",
    "snort",
    "asa",
    "bro",
    "yaf",
    "metaalert"
  ],
  "facetFields": [
    "source:type",
    "ip_src_addr",
    "ip_dst_addr",
    "host",
    "enrichments:geo:ip_dst_addr:country"
  ],
  "query": "(host:ip\\-addr.es OR alert.host:ip\\-addr.es)",
  "from": 0,
  "size": 25
}
```
---