Hi Guys - @rmerriman tracked down some problems that were introduced with my PR #1218. Thanks to him for finding this. The change was intended to improve Elasticsearch write performance by allowing Elasticsearch to set its own document ID.
The problem is that if you then go to the Alerts UI and escalate an alert, it will create a duplicate alert in the index, rather than updating the existing alert. I've been looking at how to fix the problem and the scope of the fix is larger than I'd like to handle as a follow-on. There are some prerequisites I'd like to tackle before introducing this change. I am going to revert the change on master, which will introduce an additional commit that is an "undo" of the original commit. I will then open a separate PR that introduces this new functionality.

https://github.com/apache/metron/pull/1218

Thanks