Github user justinleet commented on the issue:

    https://github.com/apache/metron/pull/780
  
    @cestella @nickwallen Hopefully took care of comments that don't involve migrating wiki docs.  Let me know if I looked over anything.  Sidenote, does anybody know how to actually link to a head in a different doc?  Anything inside the same doc works fine, but across docs would be better.
    
    ## Test Plan
    
    ### Setup
    Rather than creating a new parser, let's just break the Bro one.
    1. Spin up full dev
    1. Stop bro in monit.
    1. Pull down the bro template and delete the extra JSON tag we don't need
        ```
        curl -XGET "http://node1:9200/_template/bro_index*?pretty" -o "bro.template"
        # drop the {"bro_index": ...} wrapper line and the closing brace (BSD/macOS sed; on GNU sed use: sed -i '2d;$d' ./bro.template)
        sed -i '' '2d;$d' ./bro.template
        ```
    1. Open it in an editor and remove the `alert` field under `properties`
    1. Push the template back.
        ```
        # bro.template is the file saved and edited in the previous steps
        curl -XPUT "http://node1:9200/_template/bro_index" -d @bro.template
        ```
    1. Ensure the `alert` field does **NOT** show up in the template:
        ```
        curl -XGET 'node1:9200/_template/bro_index*?pretty' | grep '"alert"'
        ```
    1. Delete any existing bro indices
        ```
        curl -XDELETE 'localhost:9200/bro*?pretty'
        ```
    1. Turn bro back on in Monit.
    1. Wait until new data flows through the system into the bro indexes.
    1. Make sure that the mapping has no `alert` field (i.e. did our updated template apply as expected?).  At this point we should have a sensor without the proper template and existing data.
        ```
        curl -XGET 'node1:9200/bro*/_mapping?pretty' | grep '"alert"'
        ```
    1. Go into the Swagger UI and run the following search.  It should fail with a 500:
        ```
        {
          "fields": [
            "*"
          ],
          "from": 0,
          "indices": [
            "bro"
          ],
          "query": "*",
          "size": 10
        }
        ```
    1. Run through the commands given in the metron-elasticsearch README to update both the template and the mappings.
    1. Ensure the `alert` field shows up in the mappings:
        ```
        curl -XGET 'node1:9200/bro*/_mapping?pretty' | grep '"alert"'
        ```
    1. Ensure the `alert` field shows up in the template:
        ```
        curl -XGET 'node1:9200/_template/bro_index*?pretty' | grep '"alert"'
        ```
    1. Rerun the query from the Swagger UI.  Results should be returned now with no error.
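The manual steps in the test plan above (the `sed '2d;$d'` unwrap of the template GET response, "open it in an editor and remove the `alert` field", and the `grep '"alert"'` checks on the template and on the index mappings) can be done in a JSON-aware way, so that the check only looks at `properties` and cannot be fooled by the string `"alert"` appearing elsewhere in the document. The following is an added example, not code from the PR or from the Metron project; the template and mapping documents in it are constructed samples that imitate the shape of Elasticsearch 2.x `GET /_template/<name>` and `GET /<index>/_mapping` responses, and the field names other than `alert` are illustrative.

```python
"""
Added example (not part of the PR comment or of Apache Metron).
JSON-aware equivalents of the hand edits and grep checks in the test plan.
"""
import copy
import json

# Constructed sample: what GET /_template/bro_index* returns
# (the template body wrapped in its name, which sed '2d;$d' strips).
TEMPLATE_GET_RESPONSE = {
    "bro_index": {
        "template": "bro_index*",
        "mappings": {
            "bro_doc": {
                "properties": {
                    "timestamp": {"type": "date", "format": "epoch_millis"},
                    "source:type": {"type": "string", "index": "not_analyzed"},
                    "alert": {"type": "nested"},
                    "ip_src_addr": {"type": "ip"},
                }
            }
        },
    }
}

# Constructed sample: what GET /bro*/_mapping returns for two indices,
# one created before the fix (no alert field) and one after.
MAPPING_GET_RESPONSE = {
    "bro_index_2017.09.18.14": {
        "mappings": {"bro_doc": {"properties": {
            "timestamp": {"type": "date"},
            "ip_src_addr": {"type": "ip"},
        }}}
    },
    "bro_index_2017.09.18.15": {
        "mappings": {"bro_doc": {"properties": {
            "timestamp": {"type": "date"},
            "alert": {"type": "nested"},
        }}}
    },
}


def unwrap_template(get_response):
    """JSON-aware version of `sed '2d;$d'`: strip the {name: body} wrapper.
    GET /_template/<pattern> returns one entry per matching template; the
    test plan assumes exactly one, so anything else is an error."""
    if len(get_response) != 1:
        raise ValueError("expected exactly one template, got %d" % len(get_response))
    (body,) = get_response.values()
    return body


def remove_field(template_body, field):
    """Return a copy of the template body with `field` removed from the
    `properties` of every mapping type (the 'remove it in an editor' step)."""
    out = copy.deepcopy(template_body)
    for type_mapping in out.get("mappings", {}).values():
        type_mapping.get("properties", {}).pop(field, None)
    return out


def template_has_field(template_body, field):
    """Replacement for grep '"alert"' on the template: true only if some
    mapping type declares `field` under its properties."""
    return any(field in m.get("properties", {})
               for m in template_body.get("mappings", {}).values())


def indices_missing_field(mapping_response, field):
    """Names of indices whose mapping lacks `field` under properties.
    An empty list means every index carries the field, which is what the
    final steps of the test plan verify after the README update commands."""
    missing = []
    for index, doc in mapping_response.items():
        types = doc.get("mappings", {}).values()
        if not any(field in t.get("properties", {}) for t in types):
            missing.append(index)
    return sorted(missing)


if __name__ == "__main__":
    body = unwrap_template(TEMPLATE_GET_RESPONSE)
    broken = remove_field(body, "alert")
    # This is what would be PUT back as bro.template in the setup steps.
    print(json.dumps(broken, indent=2))
    print("template has alert:", template_has_field(broken, "alert"))
    print("indices missing alert:", indices_missing_field(MAPPING_GET_RESPONSE, "alert"))
```

To use it against a live cluster, feed the parsed output of the two `curl -XGET` commands from the test plan into `unwrap_template` and `indices_missing_field`; `indices_missing_field` also tells you which specific indices still need their mapping updated, which the `grep` in the plan cannot.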

