

Metron Alerts UI not showing alerts after adding enrichment


Hi,

I have a single-node cluster with Metron installed, and I have integrated the Squid, Bro and Snort sensors. The problem is that if I run the Squid sensor without adding geo enrichments, the alerts show up in the Alerts UI. However, once I add geo enrichments, they stop showing. The alerts are still being indexed in Elasticsearch with the geo data and can be viewed in Kibana, but they don't show in the Alerts UI. What could be the problem?

Parser Config (Added 5 Transformations which work fine)

{
 "parserClassName": "org.apache.metron.parsers.GrokParser",
 "filterClassName": null,
 "sensorTopic": "abc2",
 "writerClassName": null,
 "errorWriterClassName": null,
 "invalidWriterClassName": null,
 "readMetadata": false,
 "mergeMetadata": false,
 "numWorkers": null,
 "numAckers": null,
 "spoutParallelism": 1,
 "spoutNumTasks": 1,
 "parserParallelism": 1,
 "parserNumTasks": 1,
 "errorWriterParallelism": 1,
 "errorWriterNumTasks": 1,
 "spoutConfig": {},
 "securityProtocol": null,
 "stormConfig": {},
 "parserConfig": {
  "grokPath": "/apps/metron/patterns/abc2",
  "patternLabel": "SQUID_DELIMITED",
  "timestampField": "timestamp"
 },
 "fieldTransformations": [
  {
   "output": [
    "full_hostname",
    "domain_name",
    "year",
    "month"
   ],
   "config": {
    "full_hostname": "URL_TO_HOST(url)",
    "domain_name": "DOMAIN_REMOVE_SUBDOMAINS(full_hostname)",
    "year": "YEAR(DAY_OF_MONTH(timestamp))",
    "month": "MONTH(timestamp)+1"
   },
   "transformation": "STELLAR"
  }
 ]
}

Enrichment Config

{
 "enrichment": {
  "fieldMap": {
   "geo": [
    "ip_dst_addr"
   ]
  },
  "fieldToTypeMap": {},
  "config": {}
 },
 "threatIntel": {
  "fieldMap": {},
  "fieldToTypeMap": {},
  "config": {},
  "triageConfig": {
   "riskLevelRules": [],
   "aggregator": "MAX",
   "aggregationConfig": {}
  }
 },
 "configuration": {}
}

Indexing Config

{
 "hdfs": {
  "batchSize": 1,
  "enabled": true,
  "index": "abc2"
 },
 "elasticsearch": {
  "batchSize": 1,
  "enabled": true,
 

 "index": "abc2"
 },
 "solr": {
  "batchSize": 1,
  "enabled": true,
  "index": "abc2"
 }
}

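Kibana Template (the Elasticsearch index template for `abc2*`; note that it defines the mapping type `squid_doc`, while the indexed documents shown below have `_type` `abc2_doc`)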

"abc2": {
    "order": 0,
    "template": "abc2*",
    "settings": {},
    "mappings": {
      "squid_doc": {
        "dynamic_templates": [
          {
            "geo_location_point": {
              "match": "enrichments:geo:*:location_point",
              "match_mapping_type": "*",
              "mapping": {
                "type": "geo_point"
              }
            }
          },
          {
            "geo_country": {
              "match": "enrichments:geo:*:country",
              "match_mapping_type": "*",
              "mapping": {
                "type": "keyword"
              }
            }
          },
          {
            "geo_city": {
              "match": "enrichments:geo:*:city",
              "match_mapping_type": "*",
              "mapping": {
                "type": "keyword"
              }
            }
          },
          {
            "geo_location_id": {
              "match": "enrichments:geo:*:locID",
              "match_mapping_type": "*",
              "mapping": {
                "type": "keyword"
              }
            }
          },
          {
            "geo_dma_code": {
              "match": "enrichments:geo:*:dmaCode",
              "match_mapping_type": "*",
              "mapping": {
                "type": "keyword"
              }
            }
          },
          {
            "geo_postal_code": {
              "match": "enrichments:geo:*:postalCode",
              "match_mapping_type": "*",
              "mapping": {
                "type": "keyword"
              }
            }
          },
          {
            "geo_latitude": {
              "match": "enrichments:geo:*:latitude",
              "match_mapping_type": "*",
              "mapping": {
                "type": "float"
              }
            }
          },
          {
            "geo_longitude": {
              "match": "enrichments:geo:*:longitude",
              "match_mapping_type": "*",
              "mapping": {
                "type": "float"
              }
            }
          },
          {
            "timestamps": {
              "match": "*:ts",
              "match_mapping_type": "*",
              "mapping": {
                "type": "date",
                "format": "epoch_millis"
              }
            }
          },
          {
            "threat_triage_score": {
              "mapping": {
                "type": "float"
              },
              "match": "threat:triage:*score",
              "match_mapping_type": "*"
            }
          },
          {
            "threat_triage_reason": {
              "mapping": {
                "type": "text",
                "fielddata": "true"
              },
              "match": "threat:triage:rules:*:reason",
              "match_mapping_type": "*"
            }
          },
          {
            "threat_triage_name": {
              "mapping": {
                "type": "text",
                "fielddata": "true"
              },
              "match": "threat:triage:rules:*:name",
              "match_mapping_type": "*"
            }
          }
        ],
        "properties": {
          "timestamp": {
            "type": "date",
            "format": "epoch_millis"
          },
          "source:type": {
            "type": "keyword"
          },
          "ip_dst_addr": {
            "type": "ip"
          },
          "ip_dst_port": {
            "type": "integer"
          },
          "ip_src_addr": {
            "type": "ip"
          },
          "ip_src_port": {
            "type": "integer"
          },
          "alert": {
            "type": "nested"
          },
          "guid": {
            "type": "keyword"
          }
        }
      }
    },
    "aliases": {}
  }

Index In Kibana

{
  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 13,
    "max_score": 1,
    "hits": [
      {
        "_index": "abc2_index_2018.11.13.05",
        "_type": "abc2_doc",
        "_id": "5b958e39-aab9-4acd-9f08-7371a7023a91",
        "_score": 1,
        "_source": {
          "date": 12,
          "full_hostname": "www.help.1and1.co.uk",
          "code": 301,
          "enrichments:geo:ip_dst_addr:location_point": "51.2993,9.491",
          "threatinteljoinbolt:joiner:ts": "1542088567977",
          "year": 2018,
          "enrichmentsplitterbolt:splitter:begin:ts": "1542088567966",
          "enrichmentjoinbolt:joiner:ts": "1542088567973",
          "adapter:geoadapter:begin:ts": "1542088567971",
          "enrichments:geo:ip_dst_addr:latitude": "51.2993",
          "elapsed": 1700,
          "domain_name": "1and1.co.uk",
          "source:type": "abc2",
          "ip_dst_addr": "213.165.66.7",
          "original_string": "1542024963.640   1700 ::1 TCP_MISS/301 759 GET http://www.help.1and1.co.uk/domains-c40986/transfer-domains-c79878 - HIER_DIRECT/213.165.66.7 text/html",
          "action": "TCP_MISS",
          "adapter:geoadapter:end:ts": "1542088567971",
          "ip_src_addr": "::1",
          "threatintelsplitterbolt:splitter:end:ts": "1542088567974",
          "enrichments:geo:ip_dst_addr:longitude": "9.491",
          "timestamp": 1542024963640,
          "method": "GET",
          "enrichmentsplitterbolt:splitter:end:ts": "1542088567966",
          "url": "http://www.help.1and1.co.uk/domains-c40986/transfer-domains-c79878",
          "month": 11,
          "bytes": 759,
          "threatintelsplitterbolt:splitter:begin:ts": "1542088567974",
          "guid": "5b958e39-aab9-4acd-9f08-7371a7023a91",
          "enrichments:geo:ip_dst_addr:country": "DE"
        }
      },
      {
        "_index": "abc2_index_2018.11.13.05",
        "_type": "abc2_doc",
        "_id": "04158570-affc-4a40-8003-0b9ca5bb1b32",
        "_score": 1,
        "_source": {
          "date": 12,
          "full_hostname": "www.microsoftstore.com",
          "code": 302,
          "enrichments:geo:ip_dst_addr:location_point": "37.751,-97.822",
          "threatinteljoinbolt:joiner:ts": "1542088567981",
          "year": 2018,
          "enrichmentsplitterbolt:splitter:begin:ts": "1542088567972",
          "enrichmentjoinbolt:joiner:ts": "1542088567977",
          "adapter:geoadapter:begin:ts": "1542088567975",
          "enrichments:geo:ip_dst_addr:latitude": "37.751",
          "elapsed": 464,
          "domain_name": "microsoftstore.com",
          "source:type": "abc2",
          "ip_dst_addr": "69.192.203.198",
          "original_string": "1542024965.339    464 ::1 TCP_MISS/302 1620 GET https://www.microsoftstore.com/store/msusa/en_US/pdp/Microsoft-Band-2-Charging-Stand/productID.32950... - HIER_DIRECT/69.192.203.198 text/html",
          "action": "TCP_MISS",
          "adapter:geoadapter:end:ts": "1542088567975",
          "ip_src_addr": "::1",
          "threatintelsplitterbolt:splitter:end:ts": "1542088567979",
          "enrichments:geo:ip_dst_addr:longitude": "-97.822",
          "timestamp": 1542024965339,
          "method": "GET",
          "enrichmentsplitterbolt:splitter:end:ts": "1542088567972",
          "url": "https://www.microsoftstore.com/store/msusa/en_US/pdp/Microsoft-Band-2-Charging-Stand/productID.329506400",
          "month": 11,
          "bytes": 1620,
          "threatintelsplitterbolt:splitter:begin:ts": "1542088567979",
          "guid": "04158570-affc-4a40-8003-0b9ca5bb1b32",
          "enrichments:geo:ip_dst_addr:country": "US"
        }
      },
      {
        "_index": "abc2_index_2018.11.13.05",
        "_type": "abc2_doc",
        "_id": "690143c7-534e-4e85-a5a4-0980aacd7eb6",
        "_score": 1,
        "_source": {
          "date": 12,
          "full_hostname": "www.ebay.com",
          "code": 301,
          "enrichments:geo:ip_dst_addr:location_point": "37.751,-97.822",
          "threatinteljoinbolt:joiner:ts": "1542088567981",
          "year": 2018,
          "enrichmentsplitterbolt:splitter:begin:ts": "1542088567972",
          "enrichmentjoinbolt:joiner:ts": "1542088567977",
          "adapter:geoadapter:begin:ts": "1542088567975",
          "enrichments:geo:ip_dst_addr:latitude": "37.751",
          "elapsed": 149,
          "domain_name": "ebay.com",
          "source:type": "abc2",
          "ip_dst_addr": "23.44.160.209",
          "original_string": "1542024977.842    149 ::1 TCP_MISS/301 536 GET http://www.ebay.com/itm/02-Infiniti-QX4-Rear-spoiler-Air-deflector-Nissan-Pathfinder-/172240020293? - HIER_DIRECT/23.44.160.209 -",
          "action": "TCP_MISS",
          "adapter:geoadapter:end:ts": "1542088567975",
          "ip_src_addr": "::1",
          "threatintelsplitterbolt:splitter:end:ts": "1542088567979",
          "enrichments:geo:ip_dst_addr:longitude": "-97.822",
          "timestamp": 1542024977842,
          "method": "GET",
          "enrichmentsplitterbolt:splitter:end:ts": "1542088567972",
          "url": "http://www.ebay.com/itm/02-Infiniti-QX4-Rear-spoiler-Air-deflector-Nissan-Pathfinder-/172240020293?",
          "month": 11,
          "bytes": 536,
          "threatintelsplitterbolt:splitter:begin:ts": "1542088567979",
          "guid": "690143c7-534e-4e85-a5a4-0980aacd7eb6",
          "enrichments:geo:ip_dst_addr:country": "US"
        }
      },
      {
        "_index": "abc2_index_2018.11.13.05",
        "_type": "abc2_doc",
        "_id": "e132f06e-9e72-413d-b0e6-77df5dbc4828",
        "_score": 1,
        "_source": {
          "date": 12,
          "full_hostname": "www.aliexpress.com",
          "code": 200,
          "enrichments:geo:ip_dst_addr:location_point": "37.751,-97.822",
          "threatinteljoinbolt:joiner:ts": "1542088567981",
          "year": 2018,
          "enrichmentsplitterbolt:splitter:begin:ts": "1542088567972",
          "enrichmentjoinbolt:joiner:ts": "1542088567977",
          "adapter:geoadapter:begin:ts": "1542088567975",
          "enrichments:geo:ip_dst_addr:latitude": "37.751",
          "elapsed": 1164,
          "domain_name": "aliexpress.com",
          "source:type": "abc2",
          "ip_dst_addr": "23.60.73.45",
          "original_string": "1542024981.369   1164 ::1 TCP_MISS/200 478359 GET http://www.aliexpress.com/af/shoes.html? - HIER_DIRECT/23.60.73.45 text/html",
          "action": "TCP_MISS",
          "adapter:geoadapter:end:ts": "1542088567975",
          "ip_src_addr": "::1",
          "threatintelsplitterbolt:splitter:end:ts": "1542088567979",
          "enrichments:geo:ip_dst_addr:longitude": "-97.822",
          "timestamp": 1542024981369,
          "method": "GET",
          "enrichmentsplitterbolt:splitter:end:ts": "1542088567972",
          "url": "http://www.aliexpress.com/af/shoes.html?",
          "month": 11,
          "bytes": 478359,
          "threatintelsplitterbolt:splitter:begin:ts": "1542088567979",
          "guid": "e132f06e-9e72-413d-b0e6-77df5dbc4828",
          "enrichments:geo:ip_dst_addr:country": "US"
        }
      },
      {
        "_index": "abc2_index_2018.11.13.05",
        "_type": "abc2_doc",
        "_id": "d919eb13-1685-40f8-a74b-161e8687145d",
        "_score": 1,
        "_source": {
          "date": 12,
          "full_hostname": "www.autonews.com",
          "code": 302,
          "enrichments:geo:ip_dst_addr:location_point": "37.751,-97.822",
          "threatinteljoinbolt:joiner:ts": "1542088567981",
          "year": 2018,
          "enrichmentsplitterbolt:splitter:begin:ts": "1542088567972",
          "enrichmentjoinbolt:joiner:ts": "1542088567977",
          "adapter:geoadapter:begin:ts": "1542088567975",
          "enrichments:geo:ip_dst_addr:latitude": "37.751",
          "elapsed": 282,
          "domain_name": "autonews.com",
          "source:type": "abc2",
          "ip_dst_addr": "192.230.67.240",
          "original_string": "1542024965.627    282 ::1 TCP_MISS/302 2444 GET http://www.autonews.com/article/20151115/RETAIL04/311169971/toyota-fj-cruiser-is-scarce-hot-and-high... - HIER_DIRECT/192.230.67.240 text/html",
          "action": "TCP_MISS",
          "adapter:geoadapter:end:ts": "1542088567975",
          "ip_src_addr": "::1",
          "threatintelsplitterbolt:splitter:end:ts": "1542088567979",
          "enrichments:geo:ip_dst_addr:longitude": "-97.822",
          "timestamp": 1542024965627,
          "method": "GET",
          "enrichmentsplitterbolt:splitter:end:ts": "1542088567972",
          "url": "http://www.autonews.com/article/20151115/RETAIL04/311169971/toyota-fj-cruiser-is-scarce-hot-and-high-priced",
          "month": 11,
          "bytes": 2444,
          "threatintelsplitterbolt:splitter:begin:ts": "1542088567979",
          "guid": "d919eb13-1685-40f8-a74b-161e8687145d",
          "enrichments:geo:ip_dst_addr:country": "US"
        }
      },
      {
        "_index": "abc2_index_2018.11.13.05",
        "_type": "abc2_doc",
        "_id": "17de42c9-daa4-4991-b6f5-17c84e891678",
        "_score": 1,
        "_source": {
          "date": 12,
          "full_hostname": "www.help.1and1.co.uk",
          "code": 301,
          "enrichments:geo:ip_dst_addr:location_point": "51.2993,9.491",
          "threatinteljoinbolt:joiner:ts": "1542088567981",
          "year": 2018,
          "enrichmentsplitterbolt:splitter:begin:ts": "1542088567972",
          "enrichmentjoinbolt:joiner:ts": "1542088567977",
          "adapter:geoadapter:begin:ts": "1542088567975",
          "enrichments:geo:ip_dst_addr:latitude": "51.2993",
          "elapsed": 323,
          "domain_name": "1and1.co.uk",
          "source:type": "abc2",
          "ip_dst_addr": "213.165.66.7",
          "original_string": "1542024980.198    323 ::1 TCP_MISS/301 759 GET http://www.help.1and1.co.uk/domains-c40986/transfer-domains-c79878 - HIER_DIRECT/213.165.66.7 text/html",
          "action": "TCP_MISS",
          "adapter:geoadapter:end:ts": "1542088567975",
          "ip_src_addr": "::1",
          "threatintelsplitterbolt:splitter:end:ts": "1542088567979",
          "enrichments:geo:ip_dst_addr:longitude": "9.491",
          "timestamp": 1542024980198,
          "method": "GET",
          "enrichmentsplitterbolt:splitter:end:ts": "1542088567972",
          "url": "http://www.help.1and1.co.uk/domains-c40986/transfer-domains-c79878",
          "month": 11,
          "bytes": 759,
          "threatintelsplitterbolt:splitter:begin:ts": "1542088567979",
          "guid": "17de42c9-daa4-4991-b6f5-17c84e891678",
          "enrichments:geo:ip_dst_addr:country": "DE"
        }
      },
      {
        "_index": "abc2_index_2018.11.13.05",
        "_type": "abc2_doc",
        "_id": "4aa30241-fa1d-401d-a868-bcb588f79436",
        "_score": 1,
        "_source": {
          "date": 12,
          "full_hostname": "www.facebook.com",
          "code": 200,
          "enrichments:geo:ip_dst_addr:location_point": "37.751,-97.822",
          "threatinteljoinbolt:joiner:ts": "1542088567981",
          "year": 2018,
          "enrichmentsplitterbolt:splitter:begin:ts": "1542088567972",
          "enrichmentjoinbolt:joiner:ts": "1542088567977",
          "adapter:geoadapter:begin:ts": "1542088567975",
          "enrichments:geo:ip_dst_addr:latitude": "37.751",
          "elapsed": 1671,
          "domain_name": "facebook.com",
          "source:type": "abc2",
          "ip_dst_addr": "157.240.11.35",
          "original_string": "1542024968.069   1671 ::1 TCP_MISS/200 2762560 GET https://www.facebook.com/Africa-Bike-Week-1550200608567001/ - HIER_DIRECT/157.240.11.35 text/html",
          "action": "TCP_MISS",
          "adapter:geoadapter:end:ts": "1542088567975",
          "ip_src_addr": "::1",
          "threatintelsplitterbolt:splitter:end:ts": "1542088567979",
          "enrichments:geo:ip_dst_addr:longitude": "-97.822",
          "timestamp": 1542024968069,
          "method": "GET",
          "enrichmentsplitterbolt:splitter:end:ts": "1542088567972",
          "url": "https://www.facebook.com/Africa-Bike-Week-1550200608567001/",
          "month": 11,
          "bytes": 2762560,
          "threatintelsplitterbolt:splitter:begin:ts": "1542088567979",
          "guid": "4aa30241-fa1d-401d-a868-bcb588f79436",
          "enrichments:geo:ip_dst_addr:country": "US"
        }
      },
      {
        "_index": "abc2_index_2018.11.13.05",
        "_type": "abc2_doc",
        "_id": "e233ccaf-2493-4b81-ac83-6c41183266da",
        "_score": 1,
        "_source": {
          "date": 12,
          "enrichments:geo:ip_dst_addr:locID": "1850147",
          "full_hostname": "www.recruit.jp",
          "code": 301,
          "enrichments:geo:ip_dst_addr:location_point": "35.685,139.7514",
          "threatinteljoinbolt:joiner:ts": "1542088567981",
          "year": 2018,
          "enrichmentsplitterbolt:splitter:begin:ts": "1542088567972",
          "enrichmentjoinbolt:joiner:ts": "1542088567977",
          "adapter:geoadapter:begin:ts": "1542088567975",
          "enrichments:geo:ip_dst_addr:latitude": "35.685",
          "elapsed": 443,
          "domain_name": "recruit.jp",
          "source:type": "abc2",
          "ip_dst_addr": "52.194.52.214",
          "original_string": "1542024978.290    443 ::1 TCP_MISS/301 650 GET http://www.recruit.jp/corporate/english/company/index.html - HIER_DIRECT/52.194.52.214 text/html",
          "action": "TCP_MISS",
          "adapter:geoadapter:end:ts": "1542088567975",
          "ip_src_addr": "::1",
          "threatintelsplitterbolt:splitter:end:ts": "1542088567979",
          "enrichments:geo:ip_dst_addr:longitude": "139.7514",
          "timestamp": 1542024978290,
          "method": "GET",
          "enrichmentsplitterbolt:splitter:end:ts": "1542088567972",
          "enrichments:geo:ip_dst_addr:city": "Tokyo",
          "enrichments:geo:ip_dst_addr:postalCode": "190-0032",
          "url": "http://www.recruit.jp/corporate/english/company/index.html",
          "month": 11,
          "bytes": 650,
          "threatintelsplitterbolt:splitter:begin:ts": "1542088567979",
          "guid": "e233ccaf-2493-4b81-ac83-6c41183266da",
          "enrichments:geo:ip_dst_addr:country": "JP"
        }
      },
      {
        "_index": "abc2_index_2018.11.13.05",
        "_type": "abc2_doc",
        "_id": "8a109c47-5a61-4fc3-87e6-07211ed761a0",
        "_score": 1,
        "_source": {
          "date": 12,
          "full_hostname": "www.aliexpress.com",
          "code": 200,
          "enrichments:geo:ip_dst_addr:location_point": "37.751,-97.822",
          "threatinteljoinbolt:joiner:ts": "1542088567977",
          "year": 2018,
          "enrichmentsplitterbolt:splitter:begin:ts": "1542088567966",
          "enrichmentjoinbolt:joiner:ts": "1542088567973",
          "adapter:geoadapter:begin:ts": "1542088567971",
          "enrichments:geo:ip_dst_addr:latitude": "37.751",
          "elapsed": 992,
          "domain_name": "aliexpress.com",
          "source:type": "abc2",
          "ip_dst_addr": "23.60.73.45",
          "original_string": "1542020614.967    992 ::1 TCP_MISS/200 480259 GET http://www.aliexpress.com/af/shoes.html? - HIER_DIRECT/23.60.73.45 text/html",
          "action": "TCP_MISS",
          "adapter:geoadapter:end:ts": "1542088567971",
          "ip_src_addr": "::1",
          "threatintelsplitterbolt:splitter:end:ts": "1542088567974",
          "enrichments:geo:ip_dst_addr:longitude": "-97.822",
          "timestamp": 1542020614967,
          "method": "GET",
          "enrichmentsplitterbolt:splitter:end:ts": "1542088567966",
          "url": "http://www.aliexpress.com/af/shoes.html?",
          "month": 11,
          "bytes": 480259,
          "threatintelsplitterbolt:splitter:begin:ts": "1542088567974",
          "guid": "8a109c47-5a61-4fc3-87e6-07211ed761a0",
          "enrichments:geo:ip_dst_addr:country": "US"
        }
      },
      {
        "_index": "abc2_index_2018.11.13.05",
        "_type": "abc2_doc",
        "_id": "19b2a08e-6227-4152-8366-1af51e0c9e80",
        "_score": 1,
        "_source": {
          "date": 12,
          "full_hostname": "www.pravda.ru",
          "code": 301,
          "enrichments:geo:ip_dst_addr:location_point": "55.7386,37.6068",
          "threatinteljoinbolt:joiner:ts": "1542088567977",
          "year": 2018,
          "enrichmentsplitterbolt:splitter:begin:ts": "1542088567966",
          "enrichmentjoinbolt:joiner:ts": "1542088567973",
          "adapter:geoadapter:begin:ts": "1542088567971",
          "enrichments:geo:ip_dst_addr:latitude": "55.7386",
          "elapsed": 1180,
          "domain_name": "pravda.ru",
          "source:type": "abc2",
          "ip_dst_addr": "185.201.54.50",
          "original_string": "1542024964.825   1180 ::1 TCP_MISS/301 519 GET http://www.pravda.ru/science/ - HIER_DIRECT/185.201.54.50 text/html",
          "action": "TCP_MISS",
          "adapter:geoadapter:end:ts": "1542088567971",
          "ip_src_addr": "::1",
          "threatintelsplitterbolt:splitter:end:ts": "1542088567975",
          "enrichments:geo:ip_dst_addr:longitude": "37.6068",
          "timestamp": 1542024964825,
          "method": "GET",
          "enrichmentsplitterbolt:splitter:end:ts": "1542088567966",
          "url": "http://www.pravda.ru/science/",
          "month": 11,
          "bytes": 519,
          "threatintelsplitterbolt:splitter:begin:ts": "1542088567974",
          "guid": "19b2a08e-6227-4152-8366-1af51e0c9e80",
          "enrichments:geo:ip_dst_addr:country": "RU"
        }
      }
    ]
  }
}

93249-metron-alerts-ui.png