Posted to dev@metron.apache.org by nickwallen <gi...@git.apache.org> on 2017/10/02 18:12:44 UTC

[GitHub] metron pull request #780: METRON-1220: Create documentation around alert nes...

Github user nickwallen commented on a diff in the pull request:

    https://github.com/apache/metron/pull/780#discussion_r142214035
  
    --- Diff: metron-platform/metron-indexing/README.md ---
    @@ -163,6 +163,36 @@ Both of these functions are handled under the hood.
     In addition, an API endpoint is added for the meta alert specific features of creation and going from meta alert to alert.
     The denormalization handles the case of going from meta alert to alert automatically.
     
    +With Elasticsearch 2.x, there is an additional requirement that all sensors templates have a nested alert field defined.  This field is a dummy field, and will be obsolete in Elasticsearch 5.x.  See [Ignoring Unmapped Fields](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-sort.html#_ignoring_unmapped_fields) for more information
    +
    +Definition of the expected field:
    +```
    +  "alert": {
    +    "type": "nested"
    +  }
    +```
    +
    +Without this field, an error will be thrown during ALL searches (including from UIs, resulting in no alerts being found for any sensor):
    --- End diff --
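
Review bot: The link in the first added paragraph points at the `/current/` Elasticsearch reference, while the requirement it documents is described as specific to Elasticsearch 2.x and obsolete in 5.x. `current` moves with each Elasticsearch release, so link the 2.x version of that page instead. In the same paragraph, "all sensors templates" should read "all sensor templates", and the sentence ending "for more information" is missing its period. The field definition would be easier to apply if the snippet showed where in a sensor template the `"alert"` entry belongs, rather than the bare fragment. In the last added line the closing parenthesis is misplaced: "resulting in no alerts being found for any sensor" describes the effect of the error, not the UIs, so close the parenthesis after "UIs".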
    
    Where exactly would I see this error message?  In the UI itself or is it only logged by the REST API?
    
    Maybe this error message with a link to your explanation could go in a separate **FAQ** section (in whatever README you decide to land this in.)


---