Example 1 with BucketSpec
use of org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec in project graylog2-server by Graylog2.
the class ESPivotTest method mixedPivotsAndSeriesShouldBeNested.
@Test
public void mixedPivotsAndSeriesShouldBeNested() {
final SearchSourceBuilder searchSourceBuilder = new SearchSourceBuilder();
final ESPivotBucketSpecHandler<? extends BucketSpec, ? extends Aggregation> valuesBucketHandler = mock(ESValuesHandler.class);
mockBucketSpecGeneratesComparableString(valuesBucketHandler);
final ESPivotBucketSpecHandler<? extends BucketSpec, ? extends Aggregation> timeBucketHandler = mock(ESTimeHandler.class);
mockBucketSpecGeneratesComparableString(timeBucketHandler);
final ESPivotSeriesSpecHandler<? extends SeriesSpec, ? extends Aggregation> countHandler = mock(ESCountHandler.class);
mockSeriesSpecGeneratesComparableString(countHandler);
bucketHandlers.put(Values.NAME, valuesBucketHandler);
bucketHandlers.put(Time.NAME, timeBucketHandler);
seriesHandlers.put(Count.NAME, countHandler);
when(queryContext.searchSourceBuilder(pivot)).thenReturn(searchSourceBuilder);
when(queryContext.nextName()).thenReturn("rowPivot1", "rowPivot2", "columnPivot1", "columnPivot2");
final BucketSpec rowPivot1 = Time.builder().field("timestamp").interval(AutoInterval.create()).build();
final BucketSpec rowPivot2 = Values.builder().field("http_method").limit(10).build();
final BucketSpec columnPivot1 = Values.builder().field("controller").limit(10).build();
final BucketSpec columnPivot2 = Values.builder().field("action").limit(10).build();
final Count count = Count.builder().build();
when(pivot.rowGroups()).thenReturn(ImmutableList.of(rowPivot1, rowPivot2));
when(pivot.columnGroups()).thenReturn(ImmutableList.of(columnPivot1, columnPivot2));
when(pivot.series()).thenReturn(Collections.singletonList(count));
when(pivot.rollup()).thenReturn(false);
when(queryContext.seriesName(any(), any())).thenCallRealMethod();
this.esPivot.doGenerateQueryPart(job, query, pivot, queryContext);
verify(timeBucketHandler).createAggregation(eq("rowPivot1"), eq(pivot), eq(rowPivot1), eq(this.esPivot), eq(queryContext), eq(query));
verify(valuesBucketHandler).createAggregation(eq("rowPivot2"), eq(pivot), eq(rowPivot2), eq(this.esPivot), eq(queryContext), eq(query));
verify(valuesBucketHandler).createAggregation(eq("columnPivot1"), eq(pivot), eq(columnPivot1), eq(this.esPivot), eq(queryContext), eq(query));
verify(valuesBucketHandler).createAggregation(eq("columnPivot2"), eq(pivot), eq(columnPivot2), eq(this.esPivot), eq(queryContext), eq(query));
final DocumentContext context = JsonPath.parse(searchSourceBuilder.toString());
extractAggregation(context, "rowPivot1").isEqualTo("Time{type=time, field=timestamp, interval=AutoInterval{type=auto, scaling=1.0}}");
extractAggregation(context, "rowPivot1.rowPivot2").isEqualTo("Values{type=values, field=http_method, limit=10}");
extractAggregation(context, "rowPivot1.rowPivot2.columnPivot1").isEqualTo("Values{type=values, field=controller, limit=10}");
extractAggregation(context, "rowPivot1.rowPivot2.columnPivot1.columnPivot2").isEqualTo("Values{type=values, field=action, limit=10}");
extractAggregation(context, "rowPivot1.rowPivot2.dummypivot-series-count()").isEqualTo("Count{type=count, id=count(), field=null}");
extractAggregation(context, "rowPivot1.rowPivot2.columnPivot1.columnPivot2.dummypivot-series-count()").isEqualTo("Count{type=count, id=count(), field=null}");
}
Also used :
Count(org.graylog.plugins.views.search.searchtypes.pivot.series.Count)
DocumentContext(com.jayway.jsonpath.DocumentContext)
BucketSpec(org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec)
SearchSourceBuilder(org.graylog.shaded.elasticsearch7.org.elasticsearch.search.builder.SearchSourceBuilder)
Test(org.junit.Test)
Example 2 with BucketSpec
use of org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec in project graylog2-server by Graylog2.
the class ESPivot method processRows.
/*
results from elasticsearch are nested so we need to recurse into the aggregation tree, but our result is a table, thus we need
to keep track of the current row keys manually
*/
private void processRows(PivotResult.Builder resultBuilder, SearchResponse searchResult, ESGeneratedQueryContext queryContext, Pivot pivot, List<BucketSpec> remainingRows, ArrayDeque<String> rowKeys, HasAggregations aggregation) {
if (remainingRows.isEmpty()) {
// this is the last row group, so we need to fork into the columns if they exist.
// being here also means that `rowKeys` contains the maximum number of parts, one for each combination of row bucket keys
// we will always add the series for this bucket, because that's the entire point of row groups
final PivotResult.Row.Builder rowBuilder = PivotResult.Row.builder().key(ImmutableList.copyOf(rowKeys));
// do the same for columns as we did for the rows
processColumns(rowBuilder, searchResult, queryContext, pivot, pivot.columnGroups(), new ArrayDeque<>(), aggregation);
// columnKeys is empty, because this is a rollup per row bucket, thus for all columns in that bucket (IOW it's not a leaf!)
if (pivot.rollup()) {
processSeries(rowBuilder, searchResult, queryContext, pivot, new ArrayDeque<>(), aggregation, true, "row-leaf");
}
resultBuilder.addRow(rowBuilder.source("leaf").build());
} else {
// this is not a leaf for the rows, so we add its key to the rowKeys and descend into the aggregation tree
// afterwards we'll check if we need to add rollup for intermediate buckets. not all clients need them so they can request
// to not calculate them
final BucketSpec currentBucket = remainingRows.get(0);
// this handler should never be missing, because we used it above to generate the query
// if it is missing for some weird reason, it's ok to fail hard here
final ESPivotBucketSpecHandler<? extends PivotSpec, ? extends Aggregation> handler = bucketHandlers.get(currentBucket.type());
final Aggregation aggregationResult = handler.extractAggregationFromResult(pivot, currentBucket, aggregation, queryContext);
final Stream<ESPivotBucketSpecHandler.Bucket> bucketStream = handler.handleResult(pivot, currentBucket, searchResult, aggregationResult, this, queryContext);
// for each bucket, recurse and eventually collect all the row keys. once we reach a leaf, we'll end up in the other if branch above
bucketStream.forEach(bucket -> {
// push the bucket's key and use its aggregation as the new source for sub-aggregations
rowKeys.addLast(bucket.key());
processRows(resultBuilder, searchResult, queryContext, pivot, tail(remainingRows), rowKeys, bucket.aggregation());
rowKeys.removeLast();
});
// also add the series for this row key if the client wants rollups
if (pivot.rollup()) {
final PivotResult.Row.Builder rowBuilder = PivotResult.Row.builder().key(ImmutableList.copyOf(rowKeys));
// columnKeys is empty, because this is a rollup per row bucket, thus for all columns in that bucket (IOW it's not a leaf!)
processSeries(rowBuilder, searchResult, queryContext, pivot, new ArrayDeque<>(), aggregation, true, "row-inner");
resultBuilder.addRow(rowBuilder.source("non-leaf").build());
}
}
}
Also used :
Aggregation(org.graylog.shaded.elasticsearch7.org.elasticsearch.search.aggregations.Aggregation)
BucketSpec(org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec)
Example 3 with BucketSpec
use of org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec in project graylog2-server by Graylog2.
the class ESPivot method processColumns.
private void processColumns(PivotResult.Row.Builder rowBuilder, SearchResponse searchResult, ESGeneratedQueryContext queryContext, Pivot pivot, List<BucketSpec> remainingColumns, ArrayDeque<String> columnKeys, HasAggregations aggregation) {
if (remainingColumns.isEmpty()) {
// with duplicate data entries
if (!columnKeys.isEmpty()) {
processSeries(rowBuilder, searchResult, queryContext, pivot, columnKeys, aggregation, false, "col-leaf");
}
} else {
// for a non-leaf column group, we need to recurse further into the aggregation tree
// and if rollup was requested we'll add intermediate series according to the column keys
final BucketSpec currentBucket = remainingColumns.get(0);
// this handler should never be missing, because we used it above to generate the query
// if it is missing for some weird reason, it's ok to fail hard here
final ESPivotBucketSpecHandler<? extends PivotSpec, ? extends Aggregation> handler = bucketHandlers.get(currentBucket.type());
final Aggregation aggregationResult = handler.extractAggregationFromResult(pivot, currentBucket, aggregation, queryContext);
final Stream<ESPivotBucketSpecHandler.Bucket> bucketStream = handler.handleResult(pivot, currentBucket, searchResult, aggregationResult, this, queryContext);
// for each bucket, recurse and eventually collect all the column keys. once we reach a leaf, we'll end up in the other if branch above
bucketStream.forEach(bucket -> {
// push the bucket's key and use its aggregation as the new source for sub-aggregations
columnKeys.addLast(bucket.key());
processColumns(rowBuilder, searchResult, queryContext, pivot, tail(remainingColumns), columnKeys, bucket.aggregation());
columnKeys.removeLast();
});
// don't add the empty column key rollup, because that's not the correct bucket here, it's being done in the row-leaf code
if (pivot.rollup() && !columnKeys.isEmpty()) {
// columnKeys is not empty, because this is a rollup per column in a row
processSeries(rowBuilder, searchResult, queryContext, pivot, columnKeys, aggregation, true, "col-inner");
}
}
}
Also used :
Aggregation(org.graylog.shaded.elasticsearch7.org.elasticsearch.search.aggregations.Aggregation)
BucketSpec(org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec)
Example 4 with BucketSpec
use of org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec in project graylog2-server by Graylog2.
the class ESPivot method doGenerateQueryPart.
@Override
public void doGenerateQueryPart(SearchJob job, Query query, Pivot pivot, ESGeneratedQueryContext queryContext) {
LOG.debug("Generating aggregation for {}", pivot);
final SearchSourceBuilder searchSourceBuilder = queryContext.searchSourceBuilder(pivot);
final Map<Object, Object> contextMap = queryContext.contextMap();
final AggTypes aggTypes = new AggTypes();
contextMap.put(pivot.id(), aggTypes);
// holds the initial level aggregation to be added to the query
AggregationBuilder topLevelAggregation = null;
// holds the last complete bucket aggregation into which subsequent buckets get added
AggregationBuilder previousAggregation = null;
// add global rollup series if those were requested
if (pivot.rollup()) {
seriesStream(pivot, queryContext, "global rollup").forEach(previousAggregation != null ? previousAggregation::subAggregation : searchSourceBuilder::aggregation);
}
final Iterator<BucketSpec> rowBuckets = pivot.rowGroups().iterator();
while (rowBuckets.hasNext()) {
final BucketSpec bucketSpec = rowBuckets.next();
final String name = queryContext.nextName();
LOG.debug("Creating row group aggregation '{}' as {}", bucketSpec.type(), name);
final ESPivotBucketSpecHandler<? extends PivotSpec, ? extends Aggregation> handler = bucketHandlers.get(bucketSpec.type());
if (handler == null) {
throw new IllegalArgumentException("Unknown row_group type " + bucketSpec.type());
}
final Optional<AggregationBuilder> generatedAggregation = handler.createAggregation(name, pivot, bucketSpec, this, queryContext, query);
if (generatedAggregation.isPresent()) {
final AggregationBuilder aggregationBuilder = generatedAggregation.get();
if (topLevelAggregation == null) {
topLevelAggregation = aggregationBuilder;
}
// always insert the series for the final row group, or for each one if explicit rollup was requested
if (!rowBuckets.hasNext() || pivot.rollup()) {
seriesStream(pivot, queryContext, !rowBuckets.hasNext() ? "leaf row" : "row rollup").forEach(aggregationBuilder::subAggregation);
}
if (previousAggregation != null) {
previousAggregation.subAggregation(aggregationBuilder);
} else {
searchSourceBuilder.aggregation(aggregationBuilder);
}
previousAggregation = aggregationBuilder;
}
}
final Iterator<BucketSpec> colBuckets = pivot.columnGroups().iterator();
while (colBuckets.hasNext()) {
final BucketSpec bucketSpec = colBuckets.next();
final String name = queryContext.nextName();
LOG.debug("Creating column group aggregation '{}' as {}", bucketSpec.type(), name);
final ESPivotBucketSpecHandler<? extends PivotSpec, ? extends Aggregation> handler = bucketHandlers.get(bucketSpec.type());
if (handler == null) {
throw new IllegalArgumentException("Unknown column_group type " + bucketSpec.type());
}
final Optional<AggregationBuilder> generatedAggregation = handler.createAggregation(name, pivot, bucketSpec, this, queryContext, query);
if (generatedAggregation.isPresent()) {
final AggregationBuilder aggregationBuilder = generatedAggregation.get();
// always insert the series for the final row group, or for each one if explicit rollup was requested
if (!colBuckets.hasNext() || pivot.rollup()) {
seriesStream(pivot, queryContext, !colBuckets.hasNext() ? "leaf column" : "column rollup").forEach(aggregationBuilder::subAggregation);
}
if (previousAggregation != null) {
previousAggregation.subAggregation(aggregationBuilder);
} else {
searchSourceBuilder.aggregation(aggregationBuilder);
}
previousAggregation = aggregationBuilder;
}
}
final MinAggregationBuilder startTimestamp = AggregationBuilders.min("timestamp-min").field("timestamp");
final MaxAggregationBuilder endTimestamp = AggregationBuilders.max("timestamp-max").field("timestamp");
searchSourceBuilder.aggregation(startTimestamp);
searchSourceBuilder.aggregation(endTimestamp);
if (topLevelAggregation == null) {
LOG.debug("No aggregations generated for {}", pivot);
}
}
Also used :
MinAggregationBuilder(org.graylog.shaded.elasticsearch6.org.elasticsearch.search.aggregations.metrics.min.MinAggregationBuilder)
MaxAggregationBuilder(org.graylog.shaded.elasticsearch6.org.elasticsearch.search.aggregations.metrics.max.MaxAggregationBuilder)
AggregationBuilder(org.graylog.shaded.elasticsearch6.org.elasticsearch.search.aggregations.AggregationBuilder)
BucketSpec(org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec)
SearchSourceBuilder(org.graylog.shaded.elasticsearch6.org.elasticsearch.search.builder.SearchSourceBuilder)
MaxAggregationBuilder(org.graylog.shaded.elasticsearch6.org.elasticsearch.search.aggregations.metrics.max.MaxAggregationBuilder)
MinAggregationBuilder(org.graylog.shaded.elasticsearch6.org.elasticsearch.search.aggregations.metrics.min.MinAggregationBuilder)
Example 5 with BucketSpec
use of org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec in project graylog2-server by Graylog2.
the class PivotAggregationSearch method getAggregationQuery.
/**
* Returns the query to compute the aggregation.
*
* @param parameters processor parameters
* @param searchWithinMs processor search within period. Used to build the date range buckets
* @param executeEveryMs
* @return aggregation query
*/
private Query getAggregationQuery(AggregationEventProcessorParameters parameters, long searchWithinMs, long executeEveryMs) {
final Pivot.Builder pivotBuilder = Pivot.builder().id(PIVOT_ID).rollup(true);
final ImmutableList<SeriesSpec> series = config.series().stream().map(entry -> entry.function().toSeriesSpec(metricName(entry), entry.field().orElse(null))).collect(ImmutableList.toImmutableList());
if (!series.isEmpty()) {
pivotBuilder.series(series);
}
// Wrap every aggregation with date range buckets of the searchWithin time range.
// If the aggregation is configured to be using a sliding window (searchWithin > executeEveryMs)
// the time ranges will overlap.
// This allows us to run aggregations over larger time ranges than the searchWithin time.
// The results will be received in time buckets of the searchWithin time size.
final DateRangeBucket dateRangeBucket = buildDateRangeBuckets(parameters.timerange(), searchWithinMs, executeEveryMs);
final List<BucketSpec> groupBy = new ArrayList<>();
// The first bucket must be the date range!
groupBy.add(dateRangeBucket);
if (!config.groupBy().isEmpty()) {
// Then we add the configured groups
groupBy.addAll(config.groupBy().stream().map(field -> Values.builder().limit(Integer.MAX_VALUE).field(field).build()).collect(Collectors.toList()));
}
// We always have row groups because of the date range buckets
pivotBuilder.rowGroups(groupBy);
final Set<SearchType> searchTypes = Collections.singleton(pivotBuilder.build());
final Query.Builder queryBuilder = Query.builder().id(QUERY_ID).searchTypes(searchTypes).query(ElasticsearchQueryString.of(config.query())).timerange(parameters.timerange());
final Set<String> streams = getStreams(parameters);
if (!streams.isEmpty()) {
queryBuilder.filter(filteringForStreamIds(streams));
}
return queryBuilder.build();
}
Also used :
DateTimeZone(org.joda.time.DateTimeZone)
LoggerFactory(org.slf4j.LoggerFactory)
TimeoutException(java.util.concurrent.TimeoutException)
Assisted(com.google.inject.assistedinject.Assisted)
StreamFilter(org.graylog.plugins.views.search.filter.StreamFilter)
BucketSpec(org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec)
SeriesSpec(org.graylog.plugins.views.search.searchtypes.pivot.SeriesSpec)
Locale(java.util.Locale)
EventDefinition(org.graylog.events.processor.EventDefinition)
EventProcessorException(org.graylog.events.processor.EventProcessorException)
Pivot(org.graylog.plugins.views.search.searchtypes.pivot.Pivot)
Values(org.graylog.plugins.views.search.searchtypes.pivot.buckets.Values)
TimeRange(org.graylog2.plugin.indexer.searches.timeranges.TimeRange)
Collectors.toSet(java.util.stream.Collectors.toSet)
PermittedStreams(org.graylog.plugins.views.search.rest.PermittedStreams)
ImmutableSet(com.google.common.collect.ImmutableSet)
Set(java.util.Set)
Collectors(java.util.stream.Collectors)
MoreSearch(org.graylog.events.search.MoreSearch)
List(java.util.List)
Stream(org.graylog2.plugin.streams.Stream)
Filter(org.graylog.plugins.views.search.Filter)
Count(org.graylog.plugins.views.search.searchtypes.pivot.series.Count)
MoreObjects.firstNonNull(com.google.common.base.MoreObjects.firstNonNull)
QueryError(org.graylog.plugins.views.search.errors.QueryError)
QueryEngine(org.graylog.plugins.views.search.engine.QueryEngine)
Query(org.graylog.plugins.views.search.Query)
PivotResult(org.graylog.plugins.views.search.searchtypes.pivot.PivotResult)
SearchJobService(org.graylog.plugins.views.search.db.SearchJobService)
Strings.isNullOrEmpty(com.google.common.base.Strings.isNullOrEmpty)
DateRangeBucket(org.graylog.plugins.views.search.searchtypes.pivot.buckets.DateRangeBucket)
ArrayList(java.util.ArrayList)
ElasticsearchQueryString(org.graylog.plugins.views.search.elasticsearch.ElasticsearchQueryString)
Inject(javax.inject.Inject)
EventsConfigurationProvider(org.graylog.events.configuration.EventsConfigurationProvider)
OrFilter(org.graylog.plugins.views.search.filter.OrFilter)
ImmutableList(com.google.common.collect.ImmutableList)
SearchType(org.graylog.plugins.views.search.SearchType)
EmptyParameterError(org.graylog.plugins.views.search.errors.EmptyParameterError)
Search(org.graylog.plugins.views.search.Search)
QueryResult(org.graylog.plugins.views.search.QueryResult)
SearchJob(org.graylog.plugins.views.search.SearchJob)
Uninterruptibles(com.google.common.util.concurrent.Uninterruptibles)
Logger(org.slf4j.Logger)
DateTime(org.joda.time.DateTime)
ExecutionException(java.util.concurrent.ExecutionException)
TimeUnit(java.util.concurrent.TimeUnit)
DateRange(org.graylog.plugins.views.search.searchtypes.pivot.buckets.DateRange)
SearchError(org.graylog.plugins.views.search.errors.SearchError)
VisibleForTesting(com.google.common.annotations.VisibleForTesting)
Collections(java.util.Collections)
Query(org.graylog.plugins.views.search.Query)
DateRangeBucket(org.graylog.plugins.views.search.searchtypes.pivot.buckets.DateRangeBucket)
ArrayList(java.util.ArrayList)
SeriesSpec(org.graylog.plugins.views.search.searchtypes.pivot.SeriesSpec)
ElasticsearchQueryString(org.graylog.plugins.views.search.elasticsearch.ElasticsearchQueryString)
BucketSpec(org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec)
Pivot(org.graylog.plugins.views.search.searchtypes.pivot.Pivot)
SearchType(org.graylog.plugins.views.search.SearchType)
Aggregations
BucketSpec (org.graylog.plugins.views.search.searchtypes.pivot.BucketSpec)11
ImmutableSet (com.google.common.collect.ImmutableSet)3
Aggregation (io.searchbox.core.search.aggregation.Aggregation)3
Collections (java.util.Collections)3
Set (java.util.Set)3
Query (org.graylog.plugins.views.search.Query)3
QueryResult (org.graylog.plugins.views.search.QueryResult)3
Search (org.graylog.plugins.views.search.Search)3
SearchJob (org.graylog.plugins.views.search.SearchJob)3
SearchType (org.graylog.plugins.views.search.SearchType)3
Count (org.graylog.plugins.views.search.searchtypes.pivot.series.Count)3
DocumentContext (com.jayway.jsonpath.DocumentContext)2
MetricAggregation (io.searchbox.core.search.aggregation.MetricAggregation)2
HashMap (java.util.HashMap)2
List (java.util.List)2
Map (java.util.Map)2
Provider (javax.inject.Provider)2
FieldTypesLookup (org.graylog.plugins.views.search.elasticsearch.FieldTypesLookup)2
IndexLookup (org.graylog.plugins.views.search.elasticsearch.IndexLookup)2
QueryStringDecorators (org.graylog.plugins.views.search.elasticsearch.QueryStringDecorators)2
