[ https://issues.apache.org/jira/browse/METRON-1289?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16253921#comment-16253921 ]

ASF GitHub Bot commented on METRON-1289:
----------------------------------------

Github user justinleet commented on the issue:

    https://github.com/apache/metron/pull/824
  
    ## Removing alerts and removing an already removed alert
    
    ### Find two alerts
    ```
    /api/v1/search/search
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "fields": [
        "guid"
      ],
      "from": 0,
      "indices": [
        "snort"
      ],
      "query": "ip_dst_addr:192.168.66.121",
      "size": 2
    }' 'http://node1:8082/api/v1/search/search'
    ```
    Results in two guids:
    
    ```
    8b8314d4-277b-44dc-a75b-04b0cdcedb40
    4ac26cf7-ab93-4940-9a0e-8e7f4d67736d
    ```
    
    ### Create a metaalert with the alerts
    ```
    /api/v1/metaalert/create
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "alerts": [
        {
          "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        },
        {
          "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        }
      ],
      "groups": [
        "test"
      ]
    }' 'http://node1:8082/api/v1/metaalert/create'
    ```
    
    Make sure to get the resulting guid from the response.
    ```
    b25b663e-39c9-42d5-a52c-e6380235d43f
    ```
    
    ### Retrieve the meta alert and ensure it contains the provided alerts
    ```
    /api/v1/search/findOne
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
      "index": "metaalert_index",
      "sensorType": "metaalert"
    }' 'http://node1:8082/api/v1/search/findOne'
    ```
    
    ### Remove one of the alerts
    ```
    /api/v1/metaalert/remove/alert
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "alerts": [
        {
          "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        }
      ],
      "metaAlertGuid": "b25b663e-39c9-42d5-a52c-e6380235d43f"
    }' 'http://node1:8082/api/v1/metaalert/remove/alert'
    ```
    
    ### Retrieve the meta alert again, and ensure it only contains the second alert.
    ```
    /api/v1/search/findOne
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
      "index": "metaalert_index",
      "sensorType": "metaalert"
    }' 'http://node1:8082/api/v1/search/findOne'
    ```
    
    ### Rerun the delete
    ```
    /api/v1/metaalert/remove/alert
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "alerts": [
        {
          "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
          "index": "snort_index_2017.11.15.17",
          "sensorType": "snort"
        }
      ],
      "metaAlertGuid": "b25b663e-39c9-42d5-a52c-e6380235d43f"
    }' 'http://node1:8082/api/v1/metaalert/remove/alert'
    ```
    
    ### Retrieve the meta alert again, and ensure it only contains the second alert.
    ```
    /api/v1/search/findOne
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "guid": "b25b663e-39c9-42d5-a52c-e6380235d43f",
      "index": "metaalert_index",
      "sensorType": "metaalert"
    }' 'http://node1:8082/api/v1/search/findOne'
    ```
    
    ### Retrieve the child alerts
    Ensure only the second alert has the 'metaalerts' field populated with the parent meta alert.
    
    ```
    /api/v1/search/findOne
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "guid":"8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "sensorType": "snort"
    }' 'http://node1:8082/api/v1/search/findOne'
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "guid":"4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
      "sensorType": "snort"
    }' 'http://node1:8082/api/v1/search/findOne'
    ```

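As an added example (not part of the PR or of the comment above), the expectations of this test plan, together with the field-preservation rule from METRON-1289, written as checks over the documents that `findOne` returns. The name of the metaalert's nested alert list (`alert`) is an assumption, and the sample documents are constructed from the guids used in the plan.

```python
METAALERT_FIELD = "metaalerts"  # child -> parent link field, named in the comment above
ALERT_FIELD = "alert"           # assumed name of the metaalert's nested alert list

# Constructed sample documents, reusing the guids from the test plan above.
REMOVED = "8b8314d4-277b-44dc-a75b-04b0cdcedb40"
KEPT = "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d"
META = "b25b663e-39c9-42d5-a52c-e6380235d43f"
ORIGINAL_CHILD = {"guid": REMOVED, "source:type": "snort", "ip_dst_addr": "192.168.66.121"}
# What METRON-1289 describes: the update leaves the child with little more than the link.
BUGGY_UPDATE = {"guid": REMOVED, METAALERT_FIELD: [META]}
# The expected update: every original field kept, only the link field added.
FIXED_UPDATE = dict(ORIGINAL_CHILD, **{METAALERT_FIELD: [META]})


def child_guids(metaalert_doc):
    """Sorted guids of the alerts nested inside a metaalert document."""
    return sorted(a["guid"] for a in metaalert_doc.get(ALERT_FIELD, []))


def fields_preserved(before, after):
    """Linking an alert may add the metaalerts field but must not drop any field."""
    lost = set(before) - set(after)
    added = set(after) - set(before)
    return not lost and added <= {METAALERT_FIELD}


def verify_remove_plan(created, after_remove, after_rerun, removed_child, kept_child):
    """Return the expectations of the test plan that the given findOne documents violate."""
    failures = []
    if child_guids(created) != sorted([REMOVED, KEPT]):
        failures.append("metaalert does not contain both alerts after create")
    if child_guids(after_remove) != [KEPT]:
        failures.append("metaalert still lists the removed alert")
    if child_guids(after_rerun) != child_guids(after_remove):
        failures.append("re-running the remove changed the metaalert (not idempotent)")
    if META in removed_child.get(METAALERT_FIELD, []):
        failures.append("removed child still points at the parent metaalert")
    if META not in kept_child.get(METAALERT_FIELD, []):
        failures.append("kept child lost its link to the parent metaalert")
    return failures


def sample_results():
    """Run the checks over the constructed documents: (plan failures, buggy ok?, fixed ok?)."""
    created = {"guid": META, ALERT_FIELD: [{"guid": REMOVED}, {"guid": KEPT}]}
    after_remove = {"guid": META, ALERT_FIELD: [{"guid": KEPT}]}
    kept_child = dict(ORIGINAL_CHILD, guid=KEPT, **{METAALERT_FIELD: [META]})
    failures = verify_remove_plan(created, after_remove, after_remove, ORIGINAL_CHILD, kept_child)
    return failures, fields_preserved(ORIGINAL_CHILD, BUGGY_UPDATE), fields_preserved(ORIGINAL_CHILD, FIXED_UPDATE)
```

Against a live REST endpoint the same functions can be fed the parsed bodies of the `findOne` responses in the order the plan retrieves them.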

> Alert fields are lost when a MetaAlert is created
> -------------------------------------------------
>
>                 Key: METRON-1289
>                 URL: https://issues.apache.org/jira/browse/METRON-1289
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Ryan Merriman
>            Assignee: Ryan Merriman
>
> When a MetaAlert is created, the included results are being updated 
> incorrectly with only the "metaalert" field.  This causes subsequent findOne 
> operations to only return the "metaalert field for that alert.  All fields 
> should continue to be present.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
