[ https://issues.apache.org/jira/browse/METRON-1289?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16253921#comment-16253921 ]
ASF GitHub Bot commented on METRON-1289:
----------------------------------------

Github user justinleet commented on the issue:

    https://github.com/apache/metron/pull/824

## Removing alerts and removing an already removed alert

### Find two alerts

```
/api/v1/search/search
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "fields": [ "guid" ],
  "from": 0,
  "indices": [ "snort" ],
  "query": "ip_dst_addr:192.168.66.121",
  "size": 2
}' 'http://node1:8082/api/v1/search/search'
```

Results in two guids:

```
8b8314d4-277b-44dc-a75b-04b0cdcedb40
4ac26cf7-ab93-4940-9a0e-8e7f4d67736d
```

### Create a metaalert with the alerts

```
/api/v1/metaalert/create
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    },
    {
      "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    }
  ],
  "groups": [ "test" ]
}' 'http://node1:8082/api/v1/metaalert/create'
```

Make sure to get the resulting guid from the response.

```
b25b663e-39c9-42d5-a52c-e6380235d43f
```

### Retrieve the meta alert and ensure it contains the provided alerts

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Remove one of the alerts

```
/api/v1/metaalert/remove/alert
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    }
  ],
  "metaAlertGuid": "b25b663e-39c9-42d5-a52c-e6380235d43f"
}' 'http://node1:8082/api/v1/metaalert/remove/alert'
```

### Retrieve the meta alert again, and ensure it only contains the second alert

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Rerun the delete

```
/api/v1/metaalert/remove/alert
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    }
  ],
  "metaAlertGuid": "b25b663e-39c9-42d5-a52c-e6380235d43f"
}' 'http://node1:8082/api/v1/metaalert/remove/alert'
```

### Retrieve the meta alert again, and ensure it only contains the second alert

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Retrieve the child alerts

Ensure only the second alert has the 'metaalerts' field populated with the parent meta alert.

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```

> Alert fields are lost when a MetaAlert is created
> -------------------------------------------------
>
>                 Key: METRON-1289
>                 URL: https://issues.apache.org/jira/browse/METRON-1289
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Ryan Merriman
>            Assignee: Ryan Merriman
>
> When a MetaAlert is created, the included results are being updated
> incorrectly with only the "metaalert" field. This causes subsequent findOne
> operations to only return the "metaalert" field for that alert. All fields
> should continue to be present.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
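The manual curl walkthrough above checks two things by eye: that a child alert keeps all of its fields after a metaalert is created (the METRON-1289 regression), and that removing an alert from a metaalert is safe to rerun. The script below is an added example, not code from the Metron project or from PR 824, that replays the same four endpoints and turns those observations into return values a regression test can assert on. It takes any `post(path, body)` callable, so it can run against a live REST host through `http_post("http://node1:8082")` or, as in the stand-alone run, against the constructed `FakeMetronRest` stand-in. The response shapes it relies on (a `results` list with a `source` dict from search, a `guid` from create, an `alert` list on the metaalert document, a `metaalerts` list on each child) are assumptions drawn from the comment above, and the sample alert documents are constructed.

```python
"""Regression check for METRON-1289 / PR 824 (added example, not project code).

Assumptions (not confirmed by the page): search returns {"results": [{"source": {...}}]},
create returns {"guid": ...}, a metaalert document lists its children under "alert",
and each child alert carries a "metaalerts" list of parent guids.
"""
import copy
import json
import urllib.request
from typing import Any, Callable, Dict, List

Post = Callable[[str, Dict[str, Any]], Any]

# Constructed sample alerts; the guids are the two from the walkthrough above.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40", "source:type": "snort",
     "ip_dst_addr": "192.168.66.121", "timestamp": 1510765200000, "msg": "constructed alert 1"},
    {"guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d", "source:type": "snort",
     "ip_dst_addr": "192.168.66.121", "timestamp": 1510765260000, "msg": "constructed alert 2"},
]


def http_post(base_url: str) -> Post:
    """Real transport: JSON POST to a Metron REST host, e.g. http://node1:8082."""
    def post(path: str, body: Dict[str, Any]) -> Any:
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    return post


class FakeMetronRest:
    """Constructed in-memory stand-in for the four endpoints used in the walkthrough.
    It models the *fixed* behaviour: creating a metaalert only appends the parent guid
    to each child, and removal is idempotent."""

    def __init__(self, alerts: List[Dict[str, Any]]):
        self.docs = {a["guid"]: copy.deepcopy(a) for a in alerts}  # child alerts by guid
        self.meta: Dict[str, Dict[str, Any]] = {}                   # metaalerts by guid
        self._n = 0

    def post(self, path: str, body: Dict[str, Any]) -> Any:
        if path == "/api/v1/search/search":
            field, _, value = body["query"].partition(":")
            hits = [d for d in self.docs.values()
                    if d.get(field) == value and d["source:type"] in body["indices"]]
            return {"total": len(hits),
                    "results": [{"source": {f: d[f] for f in body["fields"]}} for d in hits[:body["size"]]]}
        if path == "/api/v1/metaalert/create":
            self._n += 1
            guid = f"meta-{self._n:04d}"
            children = [copy.deepcopy(self.docs[a["guid"]]) for a in body["alerts"]]
            self.meta[guid] = {"guid": guid, "alert": children, "groups": body["groups"]}
            for a in body["alerts"]:  # keep every existing field, add the parent guid
                self.docs[a["guid"]].setdefault("metaalerts", []).append(guid)
            return {"guid": guid}
        if path == "/api/v1/metaalert/remove/alert":
            meta = self.meta[body["metaAlertGuid"]]
            drop = {a["guid"] for a in body["alerts"]}
            meta["alert"] = [c for c in meta["alert"] if c["guid"] not in drop]
            for g in drop:  # a guid that is already gone is simply a no-op
                parents = self.docs[g].get("metaalerts", [])
                if meta["guid"] in parents:
                    parents.remove(meta["guid"])
            return True
        if path == "/api/v1/search/findOne":
            g = body["guid"]
            return copy.deepcopy(self.meta[g] if body["sensorType"] == "metaalert" else self.docs[g])
        raise ValueError(f"unknown endpoint {path}")


def verify_metaalert_removal(post: Post, alert_index: str = "snort_index_2017.11.15.17") -> Dict[str, Any]:
    """Replays the walkthrough and returns what each step observed."""
    search = post("/api/v1/search/search", {"fields": ["guid"], "from": 0, "indices": ["snort"],
                                            "query": "ip_dst_addr:192.168.66.121", "size": 2})
    guids = [r["source"]["guid"] for r in search["results"]]
    assert len(guids) == 2, "the walkthrough needs exactly two alerts"

    def child(g: str) -> Dict[str, Any]:
        return post("/api/v1/search/findOne", {"guid": g, "sensorType": "snort"})

    before = {g: child(g) for g in guids}  # full documents prior to metaalert creation
    children = [{"guid": g, "index": alert_index, "sensorType": "snort"} for g in guids]
    meta_guid = post("/api/v1/metaalert/create", {"alerts": children, "groups": ["test"]})["guid"]

    def meta_children() -> List[str]:
        doc = post("/api/v1/search/findOne",
                   {"guid": meta_guid, "index": "metaalert_index", "sensorType": "metaalert"})
        return [a["guid"] for a in doc["alert"]]

    # METRON-1289: every field the child had before must still be there after create.
    fields_kept = all(child(g).get(k) == v for g, doc in before.items() for k, v in doc.items())
    removal = {"alerts": children[:1], "metaAlertGuid": meta_guid}
    post("/api/v1/metaalert/remove/alert", removal)
    after_first = meta_children()
    post("/api/v1/metaalert/remove/alert", removal)  # rerun the delete: must change nothing
    after_second = meta_children()
    return {"meta_guid": meta_guid, "fields_kept": fields_kept,
            "after_first_remove": after_first, "after_second_remove": after_second,
            "first_child_metaalerts": child(guids[0]).get("metaalerts", []),
            "second_child_metaalerts": child(guids[1]).get("metaalerts", [])}


if __name__ == "__main__":
    print(json.dumps(verify_metaalert_removal(FakeMetronRest(SAMPLE_ALERTS).post), indent=2))
```

Against a live host, swap `FakeMetronRest(SAMPLE_ALERTS).post` for `http_post("http://node1:8082")` and compare the returned dict to the expectations in the walkthrough: `fields_kept` true, both `after_*_remove` lists holding only the second guid, and only `second_child_metaalerts` populated.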