Github user justinleet commented on the issue:

    https://github.com/apache/metron/pull/824
  
    ## Create meta alert with more than 10 alerts
    
    ### Find more than 10 alerts
    
    ```
    /api/v1/search/search
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "fields": [
        "guid"
      ],
      "from": 0,
      "indices": [
        "snort"
      ],
      "query": "ip_dst_addr:192.168.66.121",
      "size": 11
    }' 'http://node1:8082/api/v1/search/search'
    ```
    
    Note the alerts that come back
    ```
    62a53a5f-78e6-417a-8078-fb850baa3e84
    876b72cb-9d72-4706-ac99-46cf91a8f359
    5fd8b0a0-1f68-494a-ae20-633542a7045d
    aee597a0-4255-499a-a4e2-ec7d756babb2
    bf9e0e73-e64c-4759-b4f7-efad0a60be82
    
    5ab9ce98-30db-45b2-a4e6-6489f136c839
    0a4a7019-04f8-4a8c-af0b-d2e3908ecdc9
    3423fdca-cefa-402a-b57d-60b75a15f046
    2eb63002-e5f2-467a-8675-30b653ae145b
    53f38cfd-aa89-4e49-ba5f-827eb73774cd
    
    5f71a515-4976-4b0d-be85-bb6879b1e151
    ```
    
    ### Create a metaalert with the alerts
    ```
    /api/v1/metaalert/create
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "alerts": [
        {
          "guid": "62a53a5f-78e6-417a-8078-fb850baa3e84",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
         {
          "guid":"876b72cb-9d72-4706-ac99-46cf91a8f359",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
        {
          "guid": "5fd8b0a0-1f68-494a-ae20-633542a7045d",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
        {
          "guid": "aee597a0-4255-499a-a4e2-ec7d756babb2",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
         {
          "guid":"bf9e0e73-e64c-4759-b4f7-efad0a60be82",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
        {
          "guid": "5ab9ce98-30db-45b2-a4e6-6489f136c839",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
         {
          "guid":"0a4a7019-04f8-4a8c-af0b-d2e3908ecdc9",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
        {
          "guid": "3423fdca-cefa-402a-b57d-60b75a15f046",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
        {
          "guid": "2eb63002-e5f2-467a-8675-30b653ae145b",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
         {
          "guid":"53f38cfd-aa89-4e49-ba5f-827eb73774cd",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
         {
          "guid":"5f71a515-4976-4b0d-be85-bb6879b1e151",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        }
      ],
      "groups": [
        "test"
      ]
    }' 'http://node1:8082/api/v1/metaalert/create'
    ```
    
    
    Make sure to get the resulting guid from the response.
    ```
    00eae5ba-6137-4601-ae3a-fbf0003e58e6
    ```
    
    ### Retrieve the meta alert and ensure it contains the provided alerts
    ```
    /api/v1/search/findOne
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "guid": "00eae5ba-6137-4601-ae3a-fbf0003e58e6",
      "index": "metaalert_index",
      "sensorType": "metaalert"
    }' 'http://node1:8082/api/v1/search/findOne'
    ```
    
    ### Retrieve the child alerts
    Ensure all alerts have the 'metaalerts' field populated with the parent meta alert.
    
    ```
    /api/v1/search/findOne
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "guid":"62a53a5f-78e6-417a-8078-fb850baa3e84",
      "sensorType": "snort"
    }' 'http://node1:8082/api/v1/search/findOne'
    
    ... // 10 more times
    ```
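The parent/child checks the steps above do by hand, as an added example (not code from the PR or from Metron): it builds the `/api/v1/metaalert/create` body for a list of guids and then verifies that every requested alert is nested in the meta alert and that every child carries the parent guid in its `metaalerts` field. The nested child list is assumed to live under a field named `alert`; the documents are constructed stand-ins for the `findOne` responses.

```python
"""Consistency check for a Metron meta alert and its child alerts."""
import uuid

META_GUID = "00eae5ba-6137-4601-ae3a-fbf0003e58e6"  # meta alert guid from the comment
CHILD_FIELD = "alert"          # assumed name of the nested child list on the meta alert
BACKREF_FIELD = "metaalerts"   # child-side field named in the test steps


def build_create_request(guids, index, sensor_type, groups):
    """Body for POST /api/v1/metaalert/create, one entry per child guid."""
    return {
        "alerts": [{"guid": g, "index": index, "sensorType": sensor_type} for g in guids],
        "groups": list(groups),
    }


def check_links(meta_doc, child_docs, expected_guids):
    """Return (missing_from_meta, missing_backref, unexpected_in_meta).

    missing_from_meta:  requested guids absent from the meta alert's nested list
    missing_backref:    children whose 'metaalerts' field lacks the parent guid
    unexpected_in_meta: guids nested in the meta alert that were never requested
    """
    expected = set(expected_guids)
    nested = {a["guid"] for a in meta_doc.get(CHILD_FIELD, [])}
    missing_backref = sorted(
        d["guid"] for d in child_docs if meta_doc["guid"] not in d.get(BACKREF_FIELD, [])
    )
    return sorted(expected - nested), missing_backref, sorted(nested - expected)


# Constructed sample: eleven child guids (past the 10 boundary), one of them
# never received the back-reference, which the check must report.
SAMPLE_GUIDS = [str(uuid.UUID(int=n)) for n in range(1, 12)]
SAMPLE_META = {"guid": META_GUID, "sensorType": "metaalert",
               CHILD_FIELD: [{"guid": g, "sensorType": "snort"} for g in SAMPLE_GUIDS]}
SAMPLE_CHILDREN = [{"guid": g, "sensorType": "snort", BACKREF_FIELD: [META_GUID]}
                   for g in SAMPLE_GUIDS]
SAMPLE_CHILDREN[-1][BACKREF_FIELD] = []  # the eleventh child lost its parent link


def run_sample():
    """Run the check over the constructed documents."""
    return check_links(SAMPLE_META, SAMPLE_CHILDREN, SAMPLE_GUIDS)


if __name__ == "__main__":
    print(run_sample())
```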

