[ https://issues.apache.org/jira/browse/METRON-1289?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16251768#comment-16251768 ]

ASF GitHub Bot commented on METRON-1289:
----------------------------------------

Github user justinleet commented on the issue:

https://github.com/apache/metron/pull/824

@iraghumitra I'm unable to duplicate the grouping on the current code (although I admittedly ran through a pretty basic example). Here's what I did, so let me know if I missed something, or you have a particular query you made.

### Find an alert

```
/api/v1/search/search
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "fields": [ "guid" ],
  "from": 0,
  "indices": [ "snort" ],
  "query": "ip_dst_addr:192.168.66.121",
  "size": 1
}' 'http://node1:8082/api/v1/search/search'
```

In this case, I just grabbed one:

```
"d29925a7-da80-49d0-b7b5-0663380d526f":"snort_index_2017.11.14.15"
```

### Retrieve that alert from findOne to get something to group by

```
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "d29925a7-da80-49d0-b7b5-0663380d526f",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

I'll group, arbitrarily, with:

```
"ip_dst_addr": "192.168.66.121"
```

### Run a group by

```
/api/v1/search/group
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "groups": [ { "field": "ip_dst_addr" } ],
  "indices": [ "snort", "metaalert" ],
  "query": "ip_dst_addr:192.168.66.121"
}' 'http://node1:8082/api/v1/search/group'
```

Results in:

```
{
  "groupedBy": "ip_dst_addr",
  "groupResults": [
    {
      "key": "192.168.66.121",
      "total": 1299,
      "score": null
    }
  ]
}
```

### Create a metaalert with that GUID

```
/api/v1/metaalert/create
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "groups": [ "test" ],
  "guidToIndices": {
    "adf65dbb-73fd-4347-a61d-a990166fbbb1": "snort_index_2017.11.14.15"
  }
}' 'http://node1:8082/api/v1/metaalert/create'
```

It returns the guid, in this case:

```
715538d9-7f4f-4316-b149-a9659df06de4
```

### (Optionally) Look up the metaalert to double check it was created as expected.

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "715538d9-7f4f-4316-b149-a9659df06de4",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Run the group by from before

```
/api/v1/search/group
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "groups": [ { "field": "ip_dst_addr" } ],
  "indices": [ "snort", "metaalert" ],
  "query": "ip_dst_addr:192.168.66.121"
}' 'http://node1:8082/api/v1/search/group'
```

Validate that the count has gone down by one (since the metaalert doesn't return and the child alert is now hidden):

```
{
  "groupedBy": "ip_dst_addr",
  "groupResults": [
    {
      "key": "3232252537",
      "total": 1298,
      "score": null
    }
  ]
}
```

> Alert fields are lost when a MetaAlert is created
> -------------------------------------------------
>
> Key: METRON-1289
> URL: https://issues.apache.org/jira/browse/METRON-1289
> Project: Metron
> Issue Type: Bug
> Reporter: Ryan Merriman
> Assignee: Ryan Merriman
>
> When a MetaAlert is created, the included results are being updated
> incorrectly with only the "metaalert" field. This causes subsequent findOne
> operations to only return the "metaalert" field for that alert. All fields
> should continue to be present.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
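The verification walked through in the comment above, as an added example that is not part of the pull request or of the Metron project: it drives the same REST calls (findOne, group, metaalert/create) and factors the two checks a tester wants into pure functions, whether the child alert lost any fields (the METRON-1289 symptom) and whether the group total dropped by exactly one. The base URL, the use of sensorType "snort" for the child alert, and the sample documents in the checks are assumptions.

```python
"""Added example (not the project's own code). Assumes a Metron REST API at
BASE_URL; the verification helpers below run offline on plain dicts."""
import json
import urllib.request

BASE_URL = "http://node1:8082"  # assumption: host/port used in the comment


def post(path, body):
    """POST a JSON body to the Metron REST API and return the decoded response."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def group_total(query, field="ip_dst_addr", indices=("snort", "metaalert")):
    """Sum of 'total' over the buckets returned by /api/v1/search/group."""
    res = post("/api/v1/search/group", {"groups": [{"field": field}],
                                        "indices": list(indices), "query": query})
    return sum(g["total"] for g in res["groupResults"])


def find_one(guid, sensor_type):
    """Fetch one document by GUID via /api/v1/search/findOne."""
    return post("/api/v1/search/findOne", {"guid": guid, "sensorType": sensor_type})


def create_metaalert(guid_to_indices, groups=("test",)):
    """Fold the given child alerts into a new metaalert; returns the raw response."""
    return post("/api/v1/metaalert/create",
                {"groups": list(groups), "guidToIndices": guid_to_indices})


def lost_fields(before, after):
    """Fields the child alert had before metaalert creation but not after.
    METRON-1289: the buggy update left the child with only 'metaalert'."""
    return sorted(k for k in before if k not in after)


def count_dropped_by_one(before_total, after_total):
    """Grouping must hide exactly the one child alert that was folded in."""
    return after_total == before_total - 1


if __name__ == "__main__":  # live run; needs the REST API, assumption: sensor 'snort'
    guid, index = "d29925a7-da80-49d0-b7b5-0663380d526f", "snort_index_2017.11.14.15"
    query = "ip_dst_addr:192.168.66.121"
    before_doc, before_total = find_one(guid, "snort"), group_total(query)
    created = create_metaalert({guid: index})
    after_doc, after_total = find_one(guid, "snort"), group_total(query)
    print(created, "lost:", lost_fields(before_doc, after_doc),
          "dropped by one:", count_dropped_by_one(before_total, after_total))
```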