Github user mmiklavc commented on the issue:

    https://github.com/apache/metron/pull/893
  
    # Testing
    
    ## Set Up Base Data
    
    We're going to set up a bit of base data.
    Retrieve the current list of indices so we know where to put our data
    
    ```
    curl 'node1:9200/_cat/indices?v'
    health status index                     pri rep docs.count docs.deleted store.size pri.store.size
    green  open   snort_index_2017.09.06.14   1   0        130            0    180.9kb        180.9kb
    green  open   bro_index_2017.09.06.14     1   0        160            0    564.3kb        564.3kb
    green  open   .kibana                     1   0         52            0     71.2kb         71.2kb
    green  open   metaalert_index             1   0          6            0     62.3kb         62.3kb
    ```
    In this case, we care about bro_index_2017.09.06.14. To make our lives easier, we'll add a couple of stripped-down messages to our snort index **(make sure to sub in the correct index name)**:
    
    ```
    curl -XPUT 'node1:9200/bro_index_2017.09.06.14/bro_doc/bro_test_1?pretty' -H 'Content-Type: application/json' -d'
    {
    "bro_timestamp": "1515445236.077529",
    "status_code": 200,
    "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
    "ip_dst_port": 80,
    "enrichments:geo:ip_dst_addr:latitude": "55.7386",
    "protocol": "http",
    "source:type": "bro",
    "ip_dst_addr": "95.163.121.204",
    "host": "7oqnsnzwwnm6zb7y.gigapaysun.com",
    "ip_src_addr": "192.168.138.158",
    "enrichments:geo:ip_dst_addr:longitude": "37.6068",
    "timestamp": 1515445236077,
    "method": "GET",
    "request_body_len": 0,
    "uri": "/img/bitcoin.png",
    "tags": [ ],
    "referrer": "http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg",
    "ip_src_port": 49205,
    "status_msg": "OK",
    "guid": "bro_test_1",
    "enrichments:geo:ip_dst_addr:country": "RU",
    "response_body_len": 5523,
    "proxied": "yep",
    "resp_fuids": "blahblah"
    }
    '
    curl -XPUT 'node1:9200/bro_index_2017.09.06.14/bro_doc/bro_test_2?pretty' -H 'Content-Type: application/json' -d'
    {
    "guid": "bro_test_2",
    "bro_timestamp": "1515445236.077530",
    "status_code": 200,
    "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
    "ip_dst_port": 80,
    "enrichments:geo:ip_dst_addr:latitude": "55.7386",
    "protocol": "http",
    "source:type": "bro",
    "ip_dst_addr": "95.163.121.204",
    "host": "7oqnsnzwwnm6zb7y.gigapaysun.com",
    "ip_src_addr": "192.168.138.158",
    "enrichments:geo:ip_dst_addr:longitude": "37.6068",
    "timestamp": 1515445236077,
    "method": "GET",
    "request_body_len": 0,
    "uri": "/img/bitcoin.png",
    "tags": [ ],
    "referrer": "http://7oqnsnzwwnm6zb7y.gigapaysun.com/11iQmfg",
    "ip_src_port": 49205,
    "status_msg": "OK",
    "enrichments:geo:ip_dst_addr:country": "RU",
    "response_body_len": 5523,
    "proxied": "yep",
    "resp_fuids": "blahblah"
    }
    '
    ```
    
    ## Searching
    
    In Ambari, go to Metron -> Quick Links -> Swagger UI and open the "Search Controller". After the above data has been created, use the search endpoint to run these queries:
    
    ```
    {
      "from": 0,
      "size": 2,
      "indices": [
        "*"
      ],
      "query": "guid=bro_test_1",
      "sort": [
        {
          "field": "resp_fuids",
          "sortOrder": "ASC"
        }
      ]
    }
    ```
    
    ```
    {
      "from": 0,
      "size": 2,
      "indices": [
        "*"
      ],
      "query": "guid=bro_test_2",
      "sort": [
        {
          "field": "proxied",
          "sortOrder": "ASC"
        }
      ]
    }
    ```
    
    Verify that bro_test_1 and bro_test_2 are returned by their respective queries.
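The manual "verify" step above can be scripted. The following is an added example, not code from the PR or the comment: it builds the two search request bodies from the comment and checks a search response for the expected guid and sort field against constructed sample responses. `SEARCH_URL`, the REST response shape (`total`/`results`/`source`) and the sample responses are assumptions.

```python
import json

# Assumption: the Metron REST search endpoint fronted by the Swagger
# "Search Controller"; adjust host/port for your deployment.
SEARCH_URL = "http://node1:8082/api/v1/search/search"


def build_search_request(guid, sort_field, indices=("*",), size=2):
    """Build the same request body the comment posts through Swagger UI."""
    return {
        "from": 0,
        "size": size,
        "indices": list(indices),
        "query": f"guid={guid}",
        "sort": [{"field": sort_field, "sortOrder": "ASC"}],
    }


def check_search_response(response, expected_guid, sort_field):
    """Return (ok, reason) for one search response.

    Assumes the REST response shape {"total": n, "results": [{"id", "index",
    "source": {...}}]}. The hit must carry the guid searched for and the field
    sorted on, since that field only exists on the two stripped-down docs.
    """
    sources = [hit.get("source", {}) for hit in response.get("results") or []]
    if not sources:
        return False, f"no hits for guid={expected_guid}"
    match = next((s for s in sources if s.get("guid") == expected_guid), None)
    if match is None:
        return False, f"{expected_guid} missing; got {[s.get('guid') for s in sources]}"
    if sort_field not in match:
        return False, f"{expected_guid} hit lacks sort field {sort_field}"
    return True, "ok"


# Constructed sample responses standing in for what the endpoint would return;
# bro_test_2 is deliberately empty to show what a failing check looks like.
SAMPLE_RESPONSES = {
    "bro_test_1": {"total": 1, "results": [{"id": "bro_test_1", "index": "bro_index_2017.09.06.14",
                   "source": {"guid": "bro_test_1", "resp_fuids": "blahblah", "proxied": "yep"}}]},
    "bro_test_2": {"total": 0, "results": []},
}


def run_checks(responses=SAMPLE_RESPONSES):
    """Run both queries from the comment; returns {guid: {request, ok, reason}}."""
    verdicts = {}
    for guid, field in [("bro_test_1", "resp_fuids"), ("bro_test_2", "proxied")]:
        request = build_search_request(guid, field)  # body to POST to SEARCH_URL
        ok, reason = check_search_response(responses[guid], guid, field)
        verdicts[guid] = {"request": request, "ok": ok, "reason": reason}
    return verdicts


if __name__ == "__main__":
    for guid, v in run_checks().items():
        print(f"{guid}: {'PASS' if v['ok'] else 'FAIL'} ({v['reason']})")
        print(json.dumps(v["request"], indent=2))
```

To run it against a live cluster, POST each printed request body to the search endpoint (with the REST user's credentials) and feed the JSON response to `check_search_response` in place of the samples.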

