Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/824
## Removing alerts and removing an already removed alert
### Find two alerts
```
# /api/v1/search/search
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"fields": [
"guid"
],
"from": 0,
"indices": [
"snort"
],
"query": "ip_dst_addr:192.168.66.121",
"size": 2
}' 'http://node1:8082/api/v1/search/search'
```
Results in two guids:
```
8b8314d4-277b-44dc-a75b-04b0cdcedb40
4ac26cf7-ab93-4940-9a0e-8e7f4d67736d
```
### Create a metaalert with the alerts
```
# /api/v1/metaalert/create
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"alerts": [
{
"guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
"index": "snort_index_2017.11.15.17",
"sensorType": "snort"
},
{
"guid":"4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
"index": "snort_index_2017.11.15.17",
"sensorType": "snort"
}
],
"groups": [
"test"
]
}' 'http://node1:8082/api/v1/metaalert/create'
```
Make sure to get the resulting guid from the response.
```
b25b663e-39c9-42d5-a52c-e6380235d43f
```
### Retrieve the meta alert and ensure it contains the provided alerts
```
# /api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
"index": "metaalert_index",
"sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Remove one of the alerts
```
# /api/v1/metaalert/remove/alert
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"alerts": [
{
"guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
"index": "snort_index_2017.11.15.17",
"sensorType": "snort"
}
],
"metaAlertGuid": "b25b663e-39c9-42d5-a52c-e6380235d43f"
}' 'http://node1:8082/api/v1/metaalert/remove/alert'
```
### Retrieve the meta alert again, and ensure it only contains the second alert.
```
# /api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
"index": "metaalert_index",
"sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Rerun the delete
```
# /api/v1/metaalert/remove/alert
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"alerts": [
{
"guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
"index": "snort_index_2017.11.15.17",
"sensorType": "snort"
}
],
"metaAlertGuid": "b25b663e-39c9-42d5-a52c-e6380235d43f"
}' 'http://node1:8082/api/v1/metaalert/remove/alert'
```
### Retrieve the meta alert again, and ensure it only contains the second alert.
```
# /api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
"index": "metaalert_index",
"sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure only the second alert has the 'metaalerts' field populated with the parent meta alert.
```
# /api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"guid":"8b8314d4-277b-44dc-a75b-04b0cdcedb40",
"sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"guid":"4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
"sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
---