Closed AGirin closed 7 years ago
They can be deleted manually from the Elasticsearch index that should look something like: 411_alerts_1. Haven't figured out a better way yet.
Maybe when deleting a search the user could be prompted if they would like to delete all related alerts? Might be hard though since the alerts are not stored with a search pattern name, matching the alert to the search name must be done somewhere else.
Not optimal, but you can delete that index and do a resync with "bin/es_sync.php --site=1". I'll take a look at this when I have time.
On Fri, Oct 14, 2016, 13:30 kbiedermann notifications@github.com wrote:
They can be deleted manually from the elasticsearch index that should look something like: 411_alerts_1 Haven't figured out a better way yet
I was actually deleting the index :-). But it would be harder to do when it is in actual production and more people use it.
It would be much easier to delete these alerts if we changed the type to encode the search id as well. Ex: 411_alerts_1/ping_1234
The downside is this would require a re-index.
I am running a Siemonster instance with 411 included and there is no Elasticsearch index for the alerts. So the above solution doesn't work in this instance.
Leaving this here for other Siemonster users that run into this problem
1. Open Rancher
2. Execute shell to es-client-1-1
3. Install curl: apk --no-cache add curl
4. curl -XDELETE 0:9200/411_alerts_1
5. Reload 411 page
@LFBernardo - what do these commands do? Will this delete all the alerts including the Searches created? I have been trying to delete this but there has been no luck. Appreciate your help. Thanks!
By the way, I am also running SIEMonster instance with 411.
@khulfreedos This will only delete the orphaned (all alerts) in your Elastic instance. The searches you have configured are stored elsewhere (in db if memory serves). It seems a bit nuke like to do to clean orphaned searches but I haven't been able to spend more time on it. If I come up with a better way to do it I will come share it here. I will also be posting howto's on my git page as well as on the Siemonster support site. P.S. your searches will be lost if you upgrade the 411 container, just bear that in mind.
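An added example, not part of the thread and not 411's own code: a narrower alternative to dropping the whole alerts index, which selects only alerts whose search no longer exists and builds an Elasticsearch `_bulk` delete body for them. The `search_id` field name, the `alerts` type name and the sample documents are assumptions constructed for illustration; check your own mapping first.

```python
import json

ALERT_INDEX = "411_alerts_1"  # index name as given in the thread

# Constructed sample of search hits from the alerts index (not real data).
# Assumption: each alert stores the id of its search in "search_id".
SAMPLE_HITS = [
    {"_id": "a1", "_type": "alerts", "_source": {"search_id": 12, "state": 0}},
    {"_id": "a2", "_type": "alerts", "_source": {"search_id": 34, "state": 0}},
    {"_id": "a3", "_type": "alerts", "_source": {"search_id": 34, "state": 1}},
    {"_id": "a4", "_type": "alerts", "_source": {"state": 0}},  # no search_id
]
# Constructed list of search ids that still exist in the 411 database.
LIVE_SEARCH_IDS = [12, 56]


def find_orphans(alert_hits, live_search_ids):
    """Return hits whose search_id is set but matches no existing search.

    Alerts without a search_id are left alone: a missing field is not
    evidence that the alert is orphaned.
    """
    live = set(live_search_ids)
    orphans = []
    for hit in alert_hits:
        search_id = hit.get("_source", {}).get("search_id")
        if search_id is not None and search_id not in live:
            orphans.append(hit)
    return orphans


def bulk_delete_body(orphans, index=ALERT_INDEX):
    """Build the NDJSON body for POST /_bulk, one delete action per alert."""
    lines = []
    for hit in orphans:
        action = {"_index": index, "_id": hit["_id"]}
        # Older Elasticsearch versions with mapping types also need _type.
        if "_type" in hit:
            action["_type"] = hit["_type"]
        lines.append(json.dumps({"delete": action}, sort_keys=True))
    # The bulk API requires a trailing newline after the last action.
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    # Review the printed actions before sending them to the cluster.
    print(bulk_delete_body(find_orphans(SAMPLE_HITS, LIVE_SEARCH_IDS)), end="")
```
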
Added a new job to delete Alerts via f6bfc4c798a2c18b969a2753dfb4af4d860b702e.
If I delete a Search before I resolve all alerts that it produced, those alerts stay forever on the Alerts page - no matter what I do (Resolve, Acknowledge etc):