All, I am following the instructions located here for creating a parser which detects user logins distant from their recent logins, and raising alarms: https://github.com/apache/metron/tree/master/use-cases/geographic_login_outliers. I have been able to successfully see the data show up in Kibana, including the is_alarm field, which shows true when distant logins are reported, and null or empty otherwise (I believe this is the correct behavior?).
The issue I'm having is that none of these distant logins are reported in the Alarms UI. I have made the condition the same as the one I'm using for is_alarm, and also used conditions that should always be true, but the only alarms that show up are alarms from some sample Bro data that I can pass through the system and see alerts for.

Any ideas for how I can get alarms to show up correctly in the UI, or where else I can check? I am not very familiar with the process of going from enrichments to alerts UI at this point.

Thanks!

--
David McGinnis
Staff Hadoop Consultant | Avalon Consulting, LLC <http://www.avalonconsult.com/>
M: (513) 439-0082
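For readers following the same use case, the two stages the post is debugging (an enrichment that sets `is_alarm` when a login is far from the user's recent logins, and a triage rule that turns that field into an alert with a score) can be reproduced outside the platform to see what each stage should produce. The following is an added, self-contained Python example written for this page; it is not Metron's code, not the use case's Stellar or profiler configuration, and not the original poster's work. The field names `geo_distance_km` and `triage_score`, the 500 km threshold, the centroid-of-recent-logins comparison, and the sample coordinates are all assumptions constructed for the illustration.

```python
import math
from statistics import mean

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def login_centroid(points):
    """Naive mean of lat/lon; adequate for clustered points away from the antimeridian.
    (Assumption: a centroid is used as the 'usual location'; other summaries work too.)"""
    return mean(p[0] for p in points), mean(p[1] for p in points)


def enrich_login(login, recent_logins, threshold_km=500.0):
    """Enrichment stage: copy the login and add geo_distance_km and is_alarm.
    With no history there is nothing to compare against, so is_alarm is False
    rather than missing; a missing field is a common reason a later rule never fires."""
    enriched = dict(login)
    if not recent_logins:
        enriched["geo_distance_km"] = None
        enriched["is_alarm"] = False
        return enriched
    clat, clon = login_centroid([(r["lat"], r["lon"]) for r in recent_logins])
    dist = haversine_km(login["lat"], login["lon"], clat, clon)
    enriched["geo_distance_km"] = round(dist, 1)
    enriched["is_alarm"] = dist > threshold_km
    return enriched


# Triage rules: (name, predicate over the enriched message, score). Hypothetical shape.
TRIAGE_RULES = [
    ("distant_login", lambda m: m.get("is_alarm") is True, 50),
    ("very_distant_login", lambda m: (m.get("geo_distance_km") or 0) > 5000, 80),
]


def triage(enriched, rules=TRIAGE_RULES):
    """Triage stage: evaluate every rule; the alert score is the max of matching rules
    and is_alert is True only if at least one rule matched. Returns a new dict."""
    matched = [(name, score) for name, pred, score in rules if pred(enriched)]
    out = dict(enriched)
    out["is_alert"] = bool(matched)
    out["triage_score"] = max((s for _, s in matched), default=0)
    out["matched_rules"] = [n for n, _ in matched]
    return out


# Constructed sample data: three recent logins around Cincinnati, then two new logins.
RECENT = [
    {"user": "alice", "lat": 39.10, "lon": -84.51},
    {"user": "alice", "lat": 39.14, "lon": -84.50},
    {"user": "alice", "lat": 39.16, "lon": -84.45},
]
LOCAL_LOGIN = {"user": "alice", "lat": 39.12, "lon": -84.52}   # same city
DISTANT_LOGIN = {"user": "alice", "lat": 51.51, "lon": -0.13}  # London


def run_pipeline(login, recent=RECENT):
    """Both stages end to end, as a single message would flow through them."""
    return triage(enrich_login(login, recent))


if __name__ == "__main__":
    for login in (LOCAL_LOGIN, DISTANT_LOGIN):
        result = run_pipeline(login)
        print(result["geo_distance_km"], result["is_alarm"], result["is_alert"],
              result["triage_score"], result["matched_rules"])
```

If the enriched message carries `is_alarm: true` but the triaged message has `is_alert: false`, the problem is in the rule or the field type it tests (a string `"true"` will not satisfy an `is True` check), which is the same kind of boundary the poster is trying to locate between Kibana and the Alerts UI.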
