Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/824

## Removing alerts and removing an already removed alert

### Find two alerts

```
/api/v1/search/search

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "fields": [ "guid" ],
  "from": 0,
  "indices": [ "snort" ],
  "query": "ip_dst_addr:192.168.66.121",
  "size": 2
}' 'http://node1:8082/api/v1/search/search'
```

Results in two guids:

```
8b8314d4-277b-44dc-a75b-04b0cdcedb40
4ac26cf7-ab93-4940-9a0e-8e7f4d67736d
```

### Create a metaalert with the alerts

```
/api/v1/metaalert/create

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    },
    {
      "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    }
  ],
  "groups": [ "test" ]
}' 'http://node1:8082/api/v1/metaalert/create'
```

Make sure to get the resulting guid from the response.

```
b25b663e-39c9-42d5-a52c-e6380235d43f
```

### Retrieve the meta alert and ensure it contains the provided alerts

```
/api/v1/search/findOne

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Remove one of the alerts

```
/api/v1/metaalert/remove/alert

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    }
  ],
  "metaAlertGuid": "b25b663e-39c9-42d5-a52c-e6380235d43f"
}' 'http://node1:8082/api/v1/metaalert/remove/alert'
```

### Retrieve the meta alert again, and ensure it only contains the second alert

```
/api/v1/search/findOne

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Rerun the delete

```
/api/v1/metaalert/remove/alert

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    }
  ],
  "metaAlertGuid": "b25b663e-39c9-42d5-a52c-e6380235d43f"
}' 'http://node1:8082/api/v1/metaalert/remove/alert'
```

### Retrieve the meta alert again, and ensure it still only contains the second alert

```
/api/v1/search/findOne

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Retrieve the child alerts

Ensure only the second alert has the 'metaalerts' field populated with the parent meta alert.

```
/api/v1/search/findOne

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
---
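The checklist above is verified by eye: after each `remove/alert` call the tester reads the `findOne` output and confirms the metaalert lists only the second alert and that only the second alert still carries the parent in `metaalerts`. The following script, an added example that is not part of the pull request or of Apache Metron's own code, turns those checkpoints into assertions so the remove step and the idempotent re-remove can be replayed against a running REST API without manual inspection. It assumes that `/api/v1/search/findOne` returns the document's fields as one JSON object, that a metaalert keeps its child alerts under a field assumed here to be named `metron_alert` (the comment does not name it; change `CHILD_FIELD` if your deployment differs), and that the host, guids and index names are the ones used in the procedure. Only `run_live()` touches the network; the check functions take plain dicts, and the constructed `findOne` responses at the bottom exercise them offline.

```python
"""Assertion helpers for the metaalert remove / re-remove checklist.

Added example, not code from apache/metron or from the PR comment.
Assumptions not stated on the page:
  * /api/v1/search/findOne returns the document's fields as one JSON object
  * a metaalert stores its child alerts under CHILD_FIELD (assumed
    "metron_alert"), each child carrying at least a "guid"
  * host/port, guids and index names are the ones used in the procedure
"""
import json
import urllib.request

CHILD_FIELD = "metron_alert"   # assumption: child-alert array on the metaalert document
PARENT_FIELD = "metaalerts"    # named in the procedure: parent list on each child alert

META_GUID = "b25b663e-39c9-42d5-a52c-e6380235d43f"
FIRST = "8b8314d4-277b-44dc-a75b-04b0cdcedb40"    # the alert that gets removed
SECOND = "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d"   # the alert that stays
ALERT_INDEX = "snort_index_2017.11.15.17"


def alert_ref(guid, index=ALERT_INDEX, sensor_type="snort"):
    """Request-body element used by /metaalert/create and /metaalert/remove/alert."""
    return {"guid": guid, "index": index, "sensorType": sensor_type}


def check_metaalert_children(metaalert_doc, expected_guids):
    """True iff the metaalert's children are exactly expected_guids, with no duplicates.
    A duplicate would mean a remove left a ghost entry or a re-add double-counted."""
    got = [c.get("guid") for c in metaalert_doc.get(CHILD_FIELD) or []]
    return sorted(got) == sorted(expected_guids) and len(set(got)) == len(got)


def check_child_linkage(child_docs, metaalert_guid, member_guids):
    """child_docs maps guid -> findOne response for that alert.
    Members must list the metaalert under PARENT_FIELD; removed alerts must not.
    Returns a list of violations (empty means the linkage is consistent)."""
    problems = []
    for guid, doc in child_docs.items():
        linked = metaalert_guid in (doc.get(PARENT_FIELD) or [])
        if guid in member_guids and not linked:
            problems.append(f"{guid} is a member but does not reference {metaalert_guid}")
        if guid not in member_guids and linked:
            problems.append(f"{guid} was removed but still references {metaalert_guid}")
    return problems


def post_json(base_url, path, payload):
    """POST a JSON body and decode the JSON reply (None on an empty body)."""
    req = urllib.request.Request(
        base_url + path,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def fetch_children(base_url, guids, sensor_type="snort"):
    """findOne for each child alert, keyed by guid (same body shape as the procedure)."""
    return {g: post_json(base_url, "/api/v1/search/findOne",
                         {"guid": g, "sensorType": sensor_type}) for g in guids}


def run_live(base_url="http://node1:8082", meta_guid=META_GUID, first=FIRST, second=SECOND):
    """Replay the remove step and the re-remove, asserting at each checkpoint.
    Network call; assumes the metaalert from the create step already exists."""
    meta_ref = {"guid": meta_guid, "index": "metaalert_index", "sensorType": "metaalert"}
    assert check_metaalert_children(
        post_json(base_url, "/api/v1/search/findOne", meta_ref), [first, second])
    remove = {"alerts": [alert_ref(first)], "metaAlertGuid": meta_guid}
    for attempt in ("remove", "remove again"):
        post_json(base_url, "/api/v1/metaalert/remove/alert", remove)
        meta = post_json(base_url, "/api/v1/search/findOne", meta_ref)
        assert check_metaalert_children(meta, [second]), attempt
    problems = check_child_linkage(fetch_children(base_url, [first, second]), meta_guid, [second])
    assert not problems, problems
    return True


# Constructed findOne responses shaped as the state expected after the remove step.
META_AFTER_REMOVE = {
    "guid": META_GUID, "source:type": "metaalert", "status": "active", "groups": ["test"],
    CHILD_FIELD: [{"guid": SECOND, "source:type": "snort"}],
}
CHILDREN_AFTER_REMOVE = {
    FIRST: {"guid": FIRST, "source:type": "snort"},                               # no parent
    SECOND: {"guid": SECOND, "source:type": "snort", PARENT_FIELD: [META_GUID]},  # still linked
}

if __name__ == "__main__":
    print(check_metaalert_children(META_AFTER_REMOVE, [SECOND]))
    print(check_child_linkage(CHILDREN_AFTER_REMOVE, META_GUID, [SECOND]))
```

`check_metaalert_children` rejects duplicate child entries on purpose: a remove that fails to delete, followed by a later re-add, would otherwise look correct by membership alone. `check_child_linkage` reports both directions of inconsistency (a member missing its parent reference, a removed alert still carrying one), which is exactly the pair of conditions the last step of the procedure asks the tester to confirm.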