Github user mmiklavc commented on the issue:

    https://github.com/apache/metron/pull/970
  
    Just finished testing this in full dev. Everything basically looks good. 
I'll take another spin through the source code as well. This is a good test 
script @justinleet. 
    
    Here are my findings:
    
    > Find two alerts
    
    I get 2 alerts, however the index shows as null
    
    ```
    {
        "facetCounts": null,
        "results": [
            {
                "id": "10ececfc-8c1a-4039-9a4e-2027caa92491",
                "index": null,
                "score": 0.0,
                "source": {
                    "guid": "10ececfc-8c1a-4039-9a4e-2027caa92491"
                }
            },
            {
                "id": "d1b8491b-24b3-4181-a206-fe05bf6d6218",
                "index": null,
                "score": 0.0,
                "source": {
                    "guid": "d1b8491b-24b3-4181-a206-fe05bf6d6218"
                }
            }
        ],
        "total": 2992
    }
    ```
    
    > Change the meta alert status to inactive
    
    Just confirming expected behavior. When I set the metaalert to inactive and search for it, the child alerts still show the metaalerts array. Searching individual alerts does not include this array, as expected by the manual test instructions.
    
    **Note**
    
    In case it's helpful to anyone else, I did the following to run the 11 queries with all child guids and filter on the metaalerts array. I didn't want to copy paste and reconstruct every command:
    
    ```
    for guid in \
      5c582812-7b7f-489e-bf69-f2235fd44044 \
      3229525c-d31b-4083-b335-0a9f0645093d \
      0ce6f10a-f960-4da5-920f-a8bdc5350ebc \
      9174cbdc-5cea-42d0-a6c3-d656735744ae \
      af610b0c-b978-44aa-adfd-efbc4b1dcc0d \
      e0c40f3f-76ac-489e-af6b-831fb67eaa0f \
      2cab8b73-4bef-4b3c-9edd-4246d1c10bf3 \
      be9037f0-4bf7-441b-8baa-4006a079e1f2 \
      d0dc7bb6-011a-4004-8aa7-65a8ded0be78 \
      5443fcae-6ded-48f3-b3de-b19f54b81f11 \
      3a0dfcde-2408-4585-b90c-a5e0797667e0
    do
      # one findOne request per child guid, print only the metaalerts array
      curl -s -u user:password -X POST \
        --header 'Content-Type: application/json' \
        --header 'Accept: application/json' \
        -d '{"guid":"'"$guid"'","sensorType":"snort"}' \
        'http://node1:8082/api/v1/search/findOne' | python -m json.tool | grep -A 2 metaalerts
    done
    ```
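The two checks in the comment above (search hits coming back with a null `index`, and child alerts carrying the `metaalerts` array that names their metaalert) can be scripted instead of eyeballed through `grep`. The following is an added example, not code from the pull request or from the Metron project: it builds the same `findOne` POST the curl loop sends, and it separates the HTTP call from the checks so the checks run offline against constructed responses. The host `node1:8082` and `user:password` are the placeholders from the comment; the assumption that `findOne` returns the fields either at the top level or nested under a `document` key is mine, and the sample responses are constructed for the example.

```python
import base64
import json
import urllib.request
from typing import Dict, List, Optional

# Endpoint and request shape taken from the curl loop in the comment;
# host and credentials are placeholders, not real values.
FINDONE_URL = "http://node1:8082/api/v1/search/findOne"


def build_findone_request(guid: str, sensor_type: str = "snort",
                          url: str = FINDONE_URL, user: str = "user",
                          password: str = "password") -> urllib.request.Request:
    """Build the same POST the curl command sends (JSON body, basic auth)."""
    body = json.dumps({"guid": guid, "sensorType": sensor_type}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


def fetch_findone(guid: str, sensor_type: str = "snort") -> dict:
    """Run one findOne query against the REST API and parse the JSON reply."""
    with urllib.request.urlopen(build_findone_request(guid, sensor_type)) as resp:
        return json.load(resp)


def metaalerts_of(doc: dict) -> Optional[List[str]]:
    """Return the metaalerts array of a findOne response, or None if absent.

    Assumption: the field sits either at the top level of the response or
    under a nested "document" map; both shapes are checked.
    """
    for container in (doc, doc.get("document") or {}):
        if isinstance(container, dict) and "metaalerts" in container:
            value = container["metaalerts"]
            return list(value) if isinstance(value, list) else []
    return None


def check_children(metaalert_guid: str,
                   responses: Dict[str, dict]) -> Dict[str, bool]:
    """Map each child guid to whether its metaalerts array names metaalert_guid."""
    return {guid: metaalert_guid in (metaalerts_of(doc) or [])
            for guid, doc in responses.items()}


def null_index_hits(search_response: dict) -> List[str]:
    """Ids of search results whose "index" is null (the first finding above)."""
    return [hit["id"] for hit in search_response.get("results", [])
            if hit.get("index") is None]


# Constructed sample data. The search hit ids are the two from the comment;
# the child responses below are invented to exercise both outcomes.
META_GUID = "10ececfc-8c1a-4039-9a4e-2027caa92491"
SAMPLE_SEARCH = {
    "facetCounts": None,
    "results": [
        {"id": META_GUID, "index": None, "score": 0.0, "source": {"guid": META_GUID}},
        {"id": "d1b8491b-24b3-4181-a206-fe05bf6d6218", "index": None, "score": 0.0,
         "source": {"guid": "d1b8491b-24b3-4181-a206-fe05bf6d6218"}},
    ],
    "total": 2992,
}
SAMPLE_CHILDREN = {
    # top-level shape, linked to the metaalert
    "5c582812-7b7f-489e-bf69-f2235fd44044": {
        "guid": "5c582812-7b7f-489e-bf69-f2235fd44044", "metaalerts": [META_GUID]},
    # nested "document" shape, linked to the metaalert
    "3229525c-d31b-4083-b335-0a9f0645093d": {
        "guid": "3229525c-d31b-4083-b335-0a9f0645093d",
        "document": {"metaalerts": [META_GUID], "source:type": "snort"}},
    # plain alert with no metaalerts array at all
    "0ce6f10a-f960-4da5-920f-a8bdc5350ebc": {
        "guid": "0ce6f10a-f960-4da5-920f-a8bdc5350ebc"},
}

if __name__ == "__main__":
    # Offline run over the constructed data; swap SAMPLE_CHILDREN for
    # {g: fetch_findone(g) for g in child_guids} against a live full-dev stack.
    print("null index:", null_index_hits(SAMPLE_SEARCH))
    for guid, linked in check_children(META_GUID, SAMPLE_CHILDREN).items():
        print(guid, "linked" if linked else "NOT linked")
```

Against a live stack the only change is replacing the constructed `SAMPLE_CHILDREN` with the result of `fetch_findone` for each child guid; a child reported as not linked is exactly the case the manual test step is meant to catch.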