Hi David,

One quick thing just in case: is_alert, not is_alarm.

That said, that should not affect what’s in the alerts ui. You should see data 
from your geo source as well (whatever you called it). It is possible there may 
be a problem with your elastic template. You might be interested in 
https://github.com/simonellistonball/metron-field-demos/blob/master/geo/es.json 
which is based on the use case. Note that there is a field in there: 
{ alert: { type: nested } }; this is necessary for the Alerts UI and specifically the 
meta alerts capability. 

Note that you may also need to reload your alerts ui, and possibly restart the 
REST service to pick up new index types in the alerts ui; there may be issues 
with caching.

Simon
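The two points above (the flag is called is_alert, and the index template must map alert as a nested object) are easy to get wrong silently. Below is a small checker, added here as an example and not code from the thread or from the metron-field-demos repository, that inspects a Metron-style Elasticsearch index template and an indexed document for exactly those two conditions. The templates and documents in it are constructed samples; the field names is_alert, is_alarm and alert come from the thread, the rest (index pattern, doc type name, extra fields) is assumed for illustration.

```python
import json

# Constructed sample of a Metron-style Elasticsearch index template
# (ES 5.x layout: mappings -> doc type -> properties). This is NOT the
# es.json from the linked repository; it is built here for illustration.
GOOD_TEMPLATE = json.loads("""
{
  "template": "geo_index*",
  "mappings": {
    "geo_doc": {
      "properties": {
        "timestamp": {"type": "date"},
        "is_alert":  {"type": "boolean"},
        "alert":     {"type": "nested"}
      }
    }
  }
}
""")

# Same constructed template with the two mistakes discussed in the thread:
# the flag is named is_alarm, and "alert" is not declared as nested.
BAD_TEMPLATE = json.loads("""
{
  "template": "geo_index*",
  "mappings": {
    "geo_doc": {
      "properties": {
        "timestamp": {"type": "date"},
        "is_alarm":  {"type": "boolean"}
      }
    }
  }
}
""")


def _properties(mapping):
    """Return the top-level 'properties' dict of a mapping, tolerating both
    the ES 5.x layout (mappings -> <doc type> -> properties) and the
    typeless layout (mappings -> properties)."""
    if "properties" in mapping:
        return mapping["properties"]
    for value in mapping.values():
        if isinstance(value, dict) and "properties" in value:
            return value["properties"]
    return {}


def check_template(template):
    """Return a list of problems that would keep documents indexed with this
    template from showing up correctly in the Alerts UI."""
    problems = []
    props = _properties(template.get("mappings", {}))
    if "is_alarm" in props and "is_alert" not in props:
        problems.append("field is named is_alarm; Metron expects is_alert")
    elif props.get("is_alert", {}).get("type") != "boolean":
        problems.append("is_alert must be mapped as a boolean")
    if props.get("alert", {}).get("type") != "nested":
        problems.append("alert must be mapped as {type: nested} for meta alerts")
    return problems


def check_message(message):
    """Check one indexed document for the flag the Alerts UI filters on."""
    problems = []
    if "is_alarm" in message:
        problems.append("document carries is_alarm instead of is_alert")
    if message.get("is_alert") not in (True, "true"):
        problems.append("is_alert is not true; the document will not be treated as an alert")
    return problems


if __name__ == "__main__":
    print(check_template(GOOD_TEMPLATE))
    print(check_template(BAD_TEMPLATE))
    # Constructed enriched document, as it might land in the geo index.
    print(check_message({"is_alert": True, "ip_src_addr": "10.0.0.1"}))
```

Run it against your own template (json.load the file you pushed to Elasticsearch) and against a document fetched from the geo index; an empty list from both checks means the index side is consistent with what the Alerts UI expects, and the remaining suspects are the REST service cache and the UI reload mentioned above.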


> On 1 Mar 2018, at 15:46, David McGinnis <mcginn...@avalonconsult.com> wrote:
> 
> All,
> 
> I am following the instructions located here for creating a parser which 
> detects user logins distant from their recent logins, and raising alarms: 
> https://github.com/apache/metron/tree/master/use-cases/geographic_login_outliers
> I have been able to successfully see the data show up in Kibana, including 
> the is_alarm field, which shows true when distant logins are reported, and 
> null or empty otherwise (I believe this is the correct behavior?).
> 
> The issue I'm having is that none of these distant logins are reported in the 
> Alarms UI. I have made the condition the same as the one I'm using for 
> is_alarm, and also used conditions that should always be true, but the only 
> alarms that show up are alarms from some sample Bro data that I can pass 
> through the system and see alerts for. 
> 
> Any ideas for how I can get alarms to show up correctly in the UI, or where 
> else I can check? I am not very familiar with the process of going from 
> enrichments to alerts UI at this point.
> 
> Thanks!
> 
> -- 
> David McGinnis
> Staff Hadoop Consultant | Avalon Consulting, LLC
> http://www.avalonconsult.com/ | M: (513) 439-0082
> LinkedIn: http://www.linkedin.com/company/avalon-consulting-llc | Google+: 
> http://www.google.com/+AvalonConsultingLLC | Twitter: 
> https://twitter.com/avalonconsult
> -------------------------------------------------------------------------------------------------------------
> This message (including any attachments) contains confidential information 
> intended for a specific individual and purpose, and is protected by law. If 
> you are not the intended recipient, you should delete this message. Any 
> disclosure, copying, or distribution of this message, or the taking of any 
> action based on it, is strictly prohibited.