The first thing I would do is figure out which indices are included in the
Alerts UI. If you open the network tab in your browser there should be a
"search" request sent to REST. There is an "indices" property that will
have a list of indices included in the search. If it's empty ("[]") then
this call should tell you what the default indices are:

curl -X GET --header 'Accept: application/json' 'http://{rest host}:8082/api/v1/sensor/indexing/config/list/indices/solr'

Verify your collection is in the list and we can go from there.
On Wed, Aug 22, 2018 at 4:47 PM Stefan Kupstaitis-Dunkler <
[email protected]> wrote:
> Hey Anil,
>
> do you use any kind of policies to prevent access by the metron user? Do
> you use Ranger to manage access policies?
>
> The user running the Metron REST service (normally "metron") needs to have
> access to all collections.
>
> Check the (Ranger) audit log to see if access to the collections is
> denied/allowed.
>
> If you use Ranger + Solr with Metron you might run into a current Solr
> plugin bug. I've run into that a few weeks ago and provided a workaround
> here:
>
>
> https://community.hortonworks.com/articles/203326/searching-in-multiple-collections-in-one-query-wit.html
>
> Best,
> Stefan
>
>
> On Wed, Aug 22, 2018, 18:40 Anil Donthireddy <[email protected]>
> wrote:
>
>> Yes, the two necessary fields are set properly as below
>>
>>
>>
>> "source.type.field" : "source.type",
>>
>> "threat.triage.score.field" : "threat.triage.score"
>>
>>
>>
>>
>>
>> *From:* Anand Subramanian [mailto:[email protected]]
>> *Sent:* Wednesday, August 22, 2018 10:07 PM
>> *To:* [email protected]
>> *Subject:* Re: Unable to see alerts in metron alert UI with solr
>>
>>
>>
>> Hey Anil,
>>
>>
>>
>> You might also want to check if the “source.type.field” is set to
>> “source.type” (and NOT source:type) in global config.
>>
>>
>>
>> See:
>>
>>
>> https://github.com/apache/metron/blob/master/metron-interface/metron-alerts/README.md#global-configuration-properties
>>
>>
>>
>> HTH,
>>
>> Anand
>>
>>
>>
>> *From: *Anil Donthireddy <[email protected]>
>> *Reply-To: *"[email protected]" <[email protected]>
>> *Date: *Wednesday, August 22, 2018 at 10:04 PM
>> *To: *"[email protected]" <[email protected]>
>> *Subject: *RE: Unable to see alerts in metron alert UI with solr
>>
>>
>>
>> Hi Stefan,
>>
>>
>>
>> I can see the events being written to the Solr collection. There are no
>> issues up to storing data to Solr. There are events which have
>> is_alert=true. But in the Metron alerts UI I didn't see any events.
>>
>>
>>
>> Thanks,
>>
>> Anil.
>>
>>
>>
>> *From:* Stefan Kupstaitis-Dunkler [mailto:[email protected]
>> <[email protected]>]
>> *Sent:* Wednesday, August 22, 2018 9:52 PM
>> *To:* [email protected]
>> *Subject:* Re: Unable to see alerts in metron alert UI with solr
>>
>>
>>
>> Hi Anil,
>>
>>
>>
>> The alerts UI just queries your Solr collections and displays them.
>>
>>
>>
>> Things you could do:
>>
>> - You could check the collection the event is supposed to be
>> directly
>>
>> - If it’s not there you could check the Solr “error” collection.
>>
>> - Use the Kafka console consumer and
>>
>>   - check the parser topic (you define the name in the management ui) if
>>     events are being written to it
>>
>>   - check the “enrichments” topic if events are being written to it
>>
>>   - check the “indexing” topic if events are being written to it.
>>
>>
>>
>> Hope that helps as a start.
>>
>>
>>
>> Best,
>>
>> Stefan
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> *From: *Anil Donthireddy <[email protected]>
>> *Reply-To: *"[email protected]" <[email protected]>
>> *Date: *Wednesday, 22. August 2018 at 18:07
>> *To: *"[email protected]" <[email protected]>
>> *Subject: *Unable to see alerts in metron alert UI with solr
>>
>>
>>
>> Hi,
>>
>>
>>
>> I have created a collection in Solr for my source as documented in the
>> metron-solr readme in git to enable Solr and writing data to Solr. I see
>> the data is being loaded to Solr for my new source and is_alert is set to
>> true. But still I am not seeing any data in the Metron alerts UI.
>>
>>
>>
>> I checked the metron alerts UI logs, but could not find any error logs. I
>> am blocked to proceed further to display alerts in the metron alerts ui.
>> May I get any suggestions to debug the issue?
>>
>>
>>
>> Thanks,
>>
>> Anil.
>>
> --
> Stefan Kupstaitis-Dunkler
> https://datahovel.com/
> https://www.meetup.com/Hadoop-User-Group-Vienna/
> https://twitter.com/StefanDunkler
>