You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@metron.apache.org by merrimanr <gi...@git.apache.org> on 2018/11/05 19:59:37 UTC

[GitHub] metron issue #1253: METRON-1857 Fix Metaalert Nested Alert Field Name in Ind...

Github user merrimanr commented on the issue:

    https://github.com/apache/metron/pull/1253
  
    I'm not sure if you know the answer to this @nickwallen because it predates this PR, but is the intention to convert all `metron_alert.*` fields to keyword types?  I can see the  motivation behind doing this because we may not be aware of all field types in the various sensors that could be added to a metaalert.  Maybe @justinleet knows?
    
    If my assumption is true then we need another small change to make that happen.  Currently the `match_mapping_type` attribute is set to `string` which will only convert string types.  If we want to convert all fields, it needs to be:
    ```
    "dynamic_templates": [
            {
              "alert_template": {
              "path_match": "metron_alert.*",
              "match_mapping_type": "*",
              "mapping": {
                "type": "keyword"
              }
            }
    ```
    
    Notice `string` has been changed to `*`.


---