Hello Metron community,

I have been delving further into the replication of records that our users
are experiencing in the Metron Alerts UI.

What we have picked up is that when there is a status change, i.e. from “NEW”
to “OPEN”, we do not get a replication of the record.

However, when the user inserts a comment, the record is replicated. When
looking at the payload, the replicated record has a different document id
to the original record.

Then, when either another comment is added or if the status is changed (say
from “OPEN” to “RESOLVE”) either of these operations will result in more
replications of the record.

After searching around, I came across this pull request (METRON-1677). I
was wondering if what we are facing is related?

Thanking you in advance for any assistance on this.

On Tue, 12 May 2020 at 15:44, Euan Hope <hopee...@gmail.com> wrote:

> My sincerest apologies for the very late response to this.
>
> We haven’t changed any of the default settings.
>
> We did define the elasticsearch index ourselves based on the data we are
> consuming with the sensor.
>
> It does occur on other sensors as well.
>
> It seems to replicate the original record. Further, when the action is
> changed from new to open, then another duplicate is created but with the
> updated alert_status (in this example with the open alert_status). I am not
> sure if this is expected behavior?
>
> Apologies once again for my late response and thank you for your time and
> assistance.
>
>
>
> On Fri, 13 Mar 2020 at 23:15, Nick Allen <n...@nickallen.org> wrote:
>
>> Have you changed any default settings? Have you changed the Elasticsearch
>> index templates at all?  Does the duplication occur for only one sensor
>> type or for all sensor types?
>>
>> On Wed, Mar 11, 2020 at 7:20 AM Euan Hope <hopee...@gmail.com> wrote:
>>
>>> Hello Metron community.
>>>
>>> My users have encountered a duplication of records in the alerts UI when
>>> the user places a comment for that specific record.
>>>
>>> I’m not sure why this is happening.
>>>
>>> Could anyone advise and provide some guidance?
>>>
>>> Thanking you in advance for your assistance.
>>>
>>> Regards
>>>
>>