Github user justinleet commented on the issue:
https://github.com/apache/metron/pull/824
## Changing Metaalert status
### Find two alerts
```
/api/v1/search/search
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "fields": [
    "guid"
  ],
  "from": 0,
  "indices": [
    "snort"
  ],
  "query": "ip_dst_addr:192.168.66.121",
  "size": 2
}' 'http://node1:8082/api/v1/search/search'
```
Results in two guids:
```
8b8314d4-277b-44dc-a75b-04b0cdcedb40
4ac26cf7-ab93-4940-9a0e-8e7f4d67736d
```
### Create a metaalert with the alerts
```
/api/v1/metaalert/create
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    },
    {
      "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    }
  ],
  "groups": [
    "test"
  ]
}' 'http://node1:8082/api/v1/metaalert/create'
```
Make sure to get the resulting guid from the response.
```
da60ccc9-9e79-45c5-be07-0a322c8791f0
```
### Retrieve the meta alert and ensure it contains the provided alerts
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Change the meta alert status to active
This makes sure nothing happens when we set active status to the same
active status.
```
/api/v1/metaalert/update/status/{guid}/{status}
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' \
  'http://node1:8082/api/v1/metaalert/update/status/da60ccc9-9e79-45c5-be07-0a322c8791f0/active'
```
It should return false, as no status has changed.
### Retrieve the metaalert and ensure it is still active
Look for the 'status' field.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure both alerts have the 'metaalerts' field populated with the parent
meta alert.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Change the meta alert status to inactive
Look for the 'status' field. Running this once will set it to 'inactive'.
Subsequent runs have no effect ('inactive' -> 'inactive' does nothing).
```
/api/v1/metaalert/update/status/{guid}/{status}
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' \
  'http://node1:8082/api/v1/metaalert/update/status/da60ccc9-9e79-45c5-be07-0a322c8791f0/inactive'
```
It should return true, because the status has changed.
### Retrieve the metaalert and ensure it is inactive
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure neither alert has the 'metaalerts' field populated with the parent
meta alert.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Change status back to active
```
/api/v1/metaalert/update/status/{guid}/{status}
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' \
  'http://node1:8082/api/v1/metaalert/update/status/da60ccc9-9e79-45c5-be07-0a322c8791f0/active'
```
It should return false, as no status has changed.
### Retrieve the metaalert and ensure it is active again
Look for the 'status' field.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```
### Retrieve the child alerts
Ensure both alerts have the 'metaalerts' field populated with the parent
meta alert.
```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
---
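The manual procedure in the comment above, driven end to end as a script. This is an added example, not part of justinleet's comment and not Metron project code. It assumes the REST API at `http://node1:8082` as used in the curl calls, that `/api/v1/metaalert/create` answers with the new document so its `guid` can be read, that a metaalert lists its children under an `alert` field, and that `/api/v1/metaalert/update/status/{guid}/{status}` returns a JSON boolean. Rather than hard-coding which transitions should return `true` or `false`, it reads the `status` field before and after every update and requires the returned boolean to agree with the observed change, and it requires the children's `metaalerts` links to be present exactly when the parent is `active`. The `FakeMetronRest` class is an in-memory stand-in with those assumed semantics so the script runs offline; swap in `MetronRestClient()` to run the same checks against a live node.

```python
"""Walk the metaalert status procedure and verify each step's invariant.

Added example (not Metron code). Assumed: create returns the new document,
children live under an 'alert' field, update/status returns a JSON boolean.
"""
import json
import urllib.request
import uuid
from typing import Any, Dict, List, Optional


class MetronRestClient:
    """The three endpoints the procedure needs, sent as plain POSTs like the curl calls."""

    def __init__(self, base_url: str = "http://node1:8082") -> None:
        self.base_url = base_url.rstrip("/")

    def _post(self, path: str, body: Optional[dict] = None) -> Any:
        data = json.dumps(body).encode() if body is not None else b""
        req = urllib.request.Request(self.base_url + path, data=data, method="POST",
                                     headers={"Content-Type": "application/json",
                                              "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"null")

    def create_metaalert(self, alerts: List[dict], groups: List[str]) -> dict:
        return self._post("/api/v1/metaalert/create", {"alerts": alerts, "groups": groups})

    def find_one(self, guid: str, sensor_type: str, index: Optional[str] = None) -> dict:
        body: Dict[str, str] = {"guid": guid, "sensorType": sensor_type}
        if index:
            body["index"] = index
        return self._post("/api/v1/search/findOne", body)

    def update_status(self, guid: str, status: str) -> bool:
        return bool(self._post(f"/api/v1/metaalert/update/status/{guid}/{status}"))


class FakeMetronRest:
    """Offline stand-in with the behaviour the comment describes (assumed semantics):
    a same-status update returns False and changes nothing; 'inactive' unlinks the
    children from the parent; 'active' links them again."""

    def __init__(self, alert_guids: List[str]) -> None:
        self.docs: Dict[str, dict] = {g: {"guid": g, "metaalerts": []} for g in alert_guids}

    def create_metaalert(self, alerts: List[dict], groups: List[str]) -> dict:
        guid = str(uuid.uuid4())
        self.docs[guid] = {"guid": guid, "status": "active", "groups": groups,
                           "alert": [self.docs[a["guid"]] for a in alerts]}
        for a in alerts:
            self.docs[a["guid"]]["metaalerts"].append(guid)
        return dict(self.docs[guid])

    def find_one(self, guid: str, sensor_type: str, index: Optional[str] = None) -> dict:
        return json.loads(json.dumps(self.docs[guid]))  # detached copy, like a REST response

    def update_status(self, guid: str, status: str) -> bool:
        meta = self.docs[guid]
        if meta["status"] == status:
            return False
        meta["status"] = status
        for child in meta["alert"]:
            if status == "inactive":
                child["metaalerts"].remove(guid)
            elif guid not in child["metaalerts"]:
                child["metaalerts"].append(guid)
        return True


def run_status_workflow(client: Any, alert_guids: List[str], alert_index: str,
                        sensor_type: str = "snort") -> List[dict]:
    """Create a metaalert over alert_guids, then apply active -> inactive ->
    inactive -> active, checking after every call that the returned boolean
    matches an observed status change and that the children's 'metaalerts'
    links exist exactly while the parent is active."""
    alerts = [{"guid": g, "index": alert_index, "sensorType": sensor_type} for g in alert_guids]
    meta_guid = client.create_metaalert(alerts, ["test"])["guid"]

    meta = client.find_one(meta_guid, "metaalert", "metaalert_index")
    if {a["guid"] for a in meta["alert"]} != set(alert_guids):
        raise AssertionError("metaalert does not contain exactly the provided alerts")

    def children_linked() -> bool:
        return all(meta_guid in (client.find_one(g, sensor_type).get("metaalerts") or [])
                   for g in alert_guids)

    steps: List[dict] = []
    for status in ("active", "inactive", "inactive", "active"):
        before = client.find_one(meta_guid, "metaalert", "metaalert_index")["status"]
        changed = client.update_status(meta_guid, status)
        after = client.find_one(meta_guid, "metaalert", "metaalert_index")["status"]
        if after != status or changed != (before != after):
            raise AssertionError(f"{before}->{status}: returned {changed}, status now {after}")
        if children_linked() != (status == "active"):
            raise AssertionError(f"child 'metaalerts' links inconsistent after '{status}'")
        steps.append({"status": status, "changed": changed, "children_linked": status == "active"})
    return steps


if __name__ == "__main__":
    # Guids taken from the comment; the fake backend makes this an offline run.
    guids = ["8b8314d4-277b-44dc-a75b-04b0cdcedb40", "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d"]
    for step in run_status_workflow(FakeMetronRest(guids), guids, "snort_index_2017.11.15.17"):
        print(step)
```

Against a live node, `run_status_workflow(MetronRestClient(), guids, "snort_index_2017.11.15.17")` performs exactly the calls listed in the comment; any step where the API's boolean disagrees with the `status` field it just wrote, or where a child still (or no longer) lists the parent, raises with the transition that failed.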