Github user merrimanr commented on the issue:
https://github.com/apache/metron/pull/620
Here's an idea to get us started. A search request could look like:
```
{
  "query": "ip_src_addr:192.168.66.1",
  "from": 0,
  "size": 25,
  "sort": [
    { "timestamp": "desc" },
    { "some_other_field": "asc" }
  ]
}
```
where the query field is a lucene-style query (which is supported by both
ES and Solr I believe). A search response could look like:
```
{
  "total": 10000,
  "results": [
    {
      "id": "1234abcd",
      "score": 1.0,
      "source": {
        "source:type": "bro",
        "host": "some host",
        "ip_src_addr": "192.168.66.1"
      }
    },
    {
      "id": "5678efgh",
      "score": 1.0,
      "source": {
        "source:type": "snort",
        "ip_src_port": 8080,
        "ip_src_addr": "192.168.66.1"
      }
    }
  ]
}
```
We can add other fields (aggregations for example) as we add more features.
What do you think? Is this enough to drive the current alerts UI or are there
more fields needed? Would it be helpful to add a 'filters' field to the
request or can we assume the client-side code will handle adding filters to the
lucene query?
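The request and response shapes sketched in the comment above, turned into a small Python validator and translator as an added example (this is not part of merrimanr's comment and not Metron's own code). The page leaves open whether `from`, `size` and `sort` are required and how sort fields are constrained; the caps, defaults and the sort-field character set below are assumptions chosen so that a client cannot page arbitrarily deep or sort on an unchecked field name. The `query_string` translation targets Elasticsearch only; the Solr side is not shown.

```python
import json
import re

# Assumed limits (not from the proposal): a hard cap on page size and paging
# depth keeps one client request from forcing the index to materialise a huge
# result window.
MAX_SIZE = 1000
MAX_FROM = 10000
# Assumed sort-field name policy: letters, digits, underscore, colon, dot
# (covers Metron-style names such as "source:type" and "ip_src_addr").
FIELD_NAME = re.compile(r"^[A-Za-z0-9_:.]+$")
SORT_ORDERS = {"asc", "desc"}


class SearchRequestError(ValueError):
    """Raised when a client search request does not satisfy the contract."""


def validate_search_request(req):
    """Check a request shaped like the one in the comment; return a normalised copy.

    Assumed defaults: from=0, size=25, sort=[{"timestamp": "desc"}].
    """
    if not isinstance(req, dict):
        raise SearchRequestError("request must be a JSON object")
    query = req.get("query")
    if not isinstance(query, str) or not query.strip():
        raise SearchRequestError("query must be a non-empty string")
    start = req.get("from", 0)
    size = req.get("size", 25)
    for name, value, cap in (("from", start, MAX_FROM), ("size", size, MAX_SIZE)):
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int):
            raise SearchRequestError(f"{name} must be an integer")
        if value < 0 or value > cap:
            raise SearchRequestError(f"{name} must be between 0 and {cap}")
    sort = req.get("sort", [{"timestamp": "desc"}])
    if not isinstance(sort, list) or not sort:
        raise SearchRequestError("sort must be a non-empty list")
    norm_sort = []
    for entry in sort:
        if not isinstance(entry, dict) or len(entry) != 1:
            raise SearchRequestError("each sort entry must be a single-key object")
        (field, order), = entry.items()
        if not isinstance(field, str) or not FIELD_NAME.match(field):
            raise SearchRequestError(f"illegal sort field name: {field!r}")
        if order not in SORT_ORDERS:
            raise SearchRequestError("sort order must be 'asc' or 'desc'")
        norm_sort.append({field: order})
    return {"query": query, "from": start, "size": size, "sort": norm_sort}


def to_elasticsearch_body(req):
    """Translate a validated request into an Elasticsearch search body.

    The Lucene-style query string is passed through as a query_string query;
    paging and sort come from the validated fields only.
    """
    v = validate_search_request(req)
    return {
        "query": {"query_string": {"query": v["query"]}},
        "from": v["from"],
        "size": v["size"],
        "sort": [{f: {"order": o}} for entry in v["sort"] for f, o in entry.items()],
    }


def from_elasticsearch_response(es_resp):
    """Map an Elasticsearch 'hits' block onto the response shape in the comment."""
    hits = es_resp["hits"]
    total = hits["total"]
    if isinstance(total, dict):  # ES 7+ reports {"value": n, "relation": "eq"}
        total = total["value"]
    return {
        "total": total,
        "results": [
            {"id": h["_id"], "score": h["_score"], "source": h["_source"]}
            for h in hits["hits"]
        ],
    }


# Constructed sample input mirroring the comment's request, plus a constructed
# Elasticsearch reply, so the script runs offline.
SAMPLE_REQUEST = {
    "query": "ip_src_addr:192.168.66.1",
    "from": 0,
    "size": 25,
    "sort": [{"timestamp": "desc"}, {"some_other_field": "asc"}],
}
SAMPLE_ES_RESPONSE = {
    "hits": {
        "total": {"value": 2, "relation": "eq"},
        "hits": [
            {"_id": "1234abcd", "_score": 1.0,
             "_source": {"source:type": "bro", "ip_src_addr": "192.168.66.1"}},
            {"_id": "5678efgh", "_score": 1.0,
             "_source": {"source:type": "snort", "ip_src_port": 8080}},
        ],
    }
}

if __name__ == "__main__":
    print(json.dumps(to_elasticsearch_body(SAMPLE_REQUEST), indent=2))
    print(json.dumps(from_elasticsearch_response(SAMPLE_ES_RESPONSE), indent=2))
```

The validator is where a server-side implementation would also answer the comment's open question about filters: whatever the client appends to the Lucene query, the paging and sort parameters are checked independently of it, so a malformed or oversized request is rejected before it reaches the index.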