Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/824
## Adding alerts and adding a preexisting alert
### Find two alerts
```
/api/v1/search/search
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"fields": [
"guid"
],
"from": 0,
"indices": [
"snort"
],
"query": "ip_dst_addr:192.168.66.121",
"size": 2
}' 'http://node1:8082/api/v1/search/search'
```
Results in two guids:
```
8b8314d4-277b-44dc-a75b-04b0cdcedb40
4ac26cf7-ab93-4940-9a0e-8e7f4d67736d
```
### Create a metaalert with only one of the alerts
```
/api/v1/metaalert/create
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"alerts": [
{
"guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
"index": "snort_index_2017.11.15.17",
"sensorType": "snort"
}
],
"groups": [
"test"
]
}' 'http://node1:8082/api/v1/metaalert/create'
```
Make sure to get the resulting guid from the response.
```
6a4affe4-02ce-4d25-80b1-bfc4ca53f557
```
### Retrieve the meta alert and ensure it contains the provided alert
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"guid": "6a4affe4-02ce-4d25-80b1-bfc4ca53f557",
"index": "metaalert_index",
"sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alert and ensure the 'metaalerts' field contains the new GUID of the new metaalert
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"guid":"8b8314d4-277b-44dc-a75b-04b0cdcedb40",
"sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Add the same alert to the meta alert
```
/api/v1/metaalert/add/alert
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"alerts": [
{
"guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
"index": "snort_index_2017.11.15.17",
"sensorType": "snort"
}
],
"metaAlertGuid": "6a4affe4-02ce-4d25-80b1-bfc4ca53f557"
}' 'http://node1:8082/api/v1/metaalert/add/alert'
```
It should return "false" as no alerts have been added. The meta alert
should be retrieved again to validate.
### Run the add alert again but with the second alert
```
/api/v1/metaalert/add/alert
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"alerts": [
{
"guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
"index": "snort_index_2017.11.15.17",
"sensorType": "snort"
},
{
"guid":"4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
"index": "snort_index_2017.11.15.17",
"sensorType": "snort"
}
],
"metaAlertGuid": "6a4affe4-02ce-4d25-80b1-bfc4ca53f557"
}' 'http://node1:8082/api/v1/metaalert/add/alert'
```
It should return true, because the second alert will be added. The meta
alert should be retrieved again to validate.
### Retrieve the child alerts
Ensure they have the 'metaalerts' field populated with their parent.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"guid":"8b8314d4-277b-44dc-a75b-04b0cdcedb40",
"sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"guid":"4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
"sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
---
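The add-alert walk-through in the comment above, as an added example that is not part of the PR comment or of Metron's own code: a Python harness that issues the same REST calls in the same order and checks what the plan says each step should return (two children found, adding an alert that is already present returns false, adding the second alert returns true, and each child's `metaalerts` field names the parent exactly once). It can be pointed at a live REST endpoint (the base URL `http://node1:8082` is assumed, matching the curl commands) or run offline against a constructed in-memory stand-in. The response shapes it relies on are assumptions rather than facts taken from Metron's source: `search` returns `results` entries with a `source` map, `create` returns a document carrying `guid`, the metaalert document lists its children under `alert`, and `findOne` returns the document itself.

```python
import json
import urllib.request
import uuid

JSON_HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}


class RestTransport:
    """Sends the same POST requests the curl commands in the test plan send.
    Base URL and the JSON shape of each response are assumptions, not checked
    against Metron's source."""

    def __init__(self, base_url="http://node1:8082"):
        self.base_url = base_url

    def post(self, path, body):
        req = urllib.request.Request(self.base_url + path, method="POST",
                                     data=json.dumps(body).encode(), headers=dict(JSON_HEADERS))
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)


class FakeTransport:
    """Constructed in-memory stand-in for the REST API (not Metron's own code).
    It implements only the contract the test plan relies on: create links each
    child to the new metaalert, add/alert returns True only when at least one
    alert was actually added, and a child lists its parents under 'metaalerts'."""

    def __init__(self, alerts):
        self.docs = {a["guid"]: dict(a) for a in alerts}

    def post(self, path, body):
        if path == "/api/v1/search/search":
            field, _, value = body["query"].partition(":")  # handles 'field:value' queries only
            hits = [d for d in self.docs.values()
                    if d["source:type"] in body["indices"] and d.get(field) == value]
            hits = hits[body["from"]:body["from"] + body["size"]]
            return {"total": len(hits),
                    "results": [{"id": d["guid"], "index": d["index"],
                                 "source": {f: d[f] for f in body["fields"]}} for d in hits]}
        if path == "/api/v1/search/findOne":
            return dict(self.docs[body["guid"]])
        if path == "/api/v1/metaalert/create":
            meta = {"guid": str(uuid.uuid4()), "source:type": "metaalert",
                    "index": "metaalert_index", "groups": list(body["groups"]), "alert": []}
            self.docs[meta["guid"]] = meta
            self._link(meta, body["alerts"])
            return dict(meta)
        if path == "/api/v1/metaalert/add/alert":
            return self._link(self.docs[body["metaAlertGuid"]], body["alerts"]) > 0
        raise ValueError("unknown path " + path)

    def _link(self, meta, alerts):
        """Attach alerts not already in the metaalert; return how many were new."""
        present = {a["guid"] for a in meta["alert"]}
        added = 0
        for a in alerts:
            if a["guid"] in present:
                continue  # duplicate: nothing changes, so it does not count as added
            child = self.docs[a["guid"]]
            child.setdefault("metaalerts", []).append(meta["guid"])
            meta["alert"].append(dict(child))
            added += 1
        return added


def run_add_alert_plan(api, sensor="snort", index="snort_index_2017.11.15.17", ip="192.168.66.121"):
    """Run the steps of the test plan and return what each step observed.
    Raises AssertionError at the first step whose result differs from the plan."""
    def child(guid):
        return {"guid": guid, "index": index, "sensorType": sensor}

    def meta_children(meta_guid):
        doc = api.post("/api/v1/search/findOne",
                       {"guid": meta_guid, "index": "metaalert_index", "sensorType": "metaalert"})
        return sorted(a["guid"] for a in doc["alert"])

    def parents_of(guid):
        return api.post("/api/v1/search/findOne", {"guid": guid, "sensorType": sensor}).get("metaalerts", [])

    # 1. Find two alerts for the destination address.
    hits = api.post("/api/v1/search/search", {"fields": ["guid"], "from": 0, "indices": [sensor],
                                              "query": "ip_dst_addr:" + ip, "size": 2})["results"]
    assert len(hits) == 2, "the plan needs exactly two matching alerts"
    first, second = (h["source"]["guid"] for h in hits)

    # 2. Create a metaalert holding only the first alert and keep the returned guid.
    meta_guid = api.post("/api/v1/metaalert/create", {"alerts": [child(first)], "groups": ["test"]})["guid"]

    # 3./4. The metaalert contains the first alert and the child points back at it.
    assert meta_children(meta_guid) == [first]
    assert parents_of(first) == [meta_guid]

    # 5. Adding the same alert again changes nothing, so the call must report False.
    duplicate_add = api.post("/api/v1/metaalert/add/alert", {"alerts": [child(first)], "metaAlertGuid": meta_guid})
    assert duplicate_add is False and meta_children(meta_guid) == [first]

    # 6. Adding both: the second is new, so True, and the metaalert now holds both.
    second_add = api.post("/api/v1/metaalert/add/alert",
                          {"alerts": [child(first), child(second)], "metaAlertGuid": meta_guid})
    assert second_add is True and meta_children(meta_guid) == sorted([first, second])

    # 7. Each child names the parent exactly once (the duplicate add must not double-link).
    assert parents_of(first) == [meta_guid] and parents_of(second) == [meta_guid]
    return {"metaAlertGuid": meta_guid, "duplicateAdd": duplicate_add,
            "secondAdd": second_add, "children": meta_children(meta_guid)}


# Constructed sample alerts for offline runs; the first two guids are the ones quoted in the plan.
SAMPLE_ALERTS = [
    {"guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40", "source:type": "snort",
     "index": "snort_index_2017.11.15.17", "ip_dst_addr": "192.168.66.121"},
    {"guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d", "source:type": "snort",
     "index": "snort_index_2017.11.15.17", "ip_dst_addr": "192.168.66.121"},
    {"guid": "00000000-0000-4000-8000-000000000001", "source:type": "snort",
     "index": "snort_index_2017.11.15.17", "ip_dst_addr": "10.0.0.9"},  # must not be returned
]

if __name__ == "__main__":
    import sys
    api = RestTransport(sys.argv[1]) if len(sys.argv) > 1 else FakeTransport(SAMPLE_ALERTS)
    print(json.dumps(run_add_alert_plan(api), indent=2))
```

Run it with no arguments to exercise the stand-in, or pass a base URL such as `http://node1:8082` to drive a live REST endpoint; in the live case the two assertions in steps 5 and 6 are the ones that actually check the PR's add-alert behaviour, and the guid it creates will differ from the one quoted in the comment.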