GitHub user anandsubbu commented on a diff in the pull request:

https://github.com/apache/metron/pull/817#discussion_r147708307

--- Diff: metron-platform/metron-elasticsearch/README.md --- @@ -81,3 +81,13 @@ curl -XPUT "http://${ELASTICSEARCH}:9200/${SENSOR}_index*/_mapping/${SENSOR}_doc ' rm ${SENSOR}.template ``` + +## Installing Elasticsearch Templates + +The stock set of Elasticsearch templates for bro, snort, yaf, error index and meta index are installed automatically during the first time install and startup of Metron Indexing service. + --- End diff --

Okay, let me try to explain more using examples:

**Scenario 1 - Happy Path**
* Fresh install
* ES service up and running
* When the Indexing service comes up, it also installs the ES templates
* Admin can start ingesting into sensors, launch alerts UI and everything works

**Scenario 2 - ES service down**
* Fresh install
* For some reason, the ES service is down when the Indexing service is coming up
* We log a warning message in the Ambari install logs, and the Indexing service starts up fine.
* Once the ES service issue is resolved, the Admin needs to install the ES templates manually before s/he can start ingesting into sensors. This can be done in two ways:
  1) Using the Ambari UI -> Services -> Metron -> Service Actions -> Elasticsearch Template Install
  2) By stopping the Metron Indexing service from Ambari UI, and starting it again so that it can trigger the piece of code to install the template.

Now, from a documentation perspective, point 2 above is counterintuitive IMHO, since it would not make sense to ask the Admin to stop/start Indexing service in order to have the ES template installed. I have hence documented only the first option--which is also the same way it is done presently.

Let me know if this helps clarify.
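
Review bot: In the added sentence under "## Installing Elasticsearch Templates", "installed automatically" is stated unconditionally, while the reply above describes a case where Elasticsearch is down when the Indexing service comes up and the templates then have to be installed manually. Suggest stating that condition in the sentence itself (for example, "provided Elasticsearch is reachable when the Indexing service starts"), unless the remaining added lines of the hunk, not shown here, already cover it. Wording nits on the same line: "The stock set ... are installed" should be "is installed", "first time install" reads better as "first-time install", and "of Metron Indexing service" needs an article.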
---