Examples with FieldStatsResult org.graylog2.indexer.results.FieldStatsResult used on opensource projects

Example 1 with FieldStatsResult

use of org.graylog2.indexer.results.FieldStatsResult in project graylog2-server by Graylog2.

the class SearchesTest method testFieldStats.

@Test
@UsingDataSet(loadStrategy = LoadStrategyEnum.CLEAN_INSERT)
public void testFieldStats() throws Exception {
    FieldStatsResult result = searches.fieldStats("n", "*", AbsoluteRange.create(new DateTime(2015, 1, 1, 0, 0, DateTimeZone.UTC), new DateTime(2015, 1, 2, 0, 0, DateTimeZone.UTC)));
    assertThat(result.getSearchHits()).hasSize(10);
    assertThat(result.getCount()).isEqualTo(8);
    assertThat(result.getMin()).isEqualTo(1.0);
    assertThat(result.getMax()).isEqualTo(4.0);
    assertThat(result.getMean()).isEqualTo(2.375);
    assertThat(result.getSum()).isEqualTo(19.0);
    assertThat(result.getSumOfSquares()).isEqualTo(53.0);
    assertThat(result.getVariance()).isEqualTo(0.984375);
    assertThat(result.getStdDeviation()).isEqualTo(0.9921567416492215);
}

Example 2 with FieldStatsResult

use of org.graylog2.indexer.results.FieldStatsResult in project graylog2-server by Graylog2.

the class Searches method fieldStats.

public FieldStatsResult fieldStats(String field, String query, String filter, TimeRange range, boolean includeCardinality, boolean includeStats, boolean includeCount) throws FieldTypeException {
    SearchRequestBuilder srb;
    final Set<String> indices = indicesContainingField(determineAffectedIndices(range, filter), field);
    if (filter == null) {
        srb = standardSearchRequest(query, indices, range);
    } else {
        srb = filteredSearchRequest(query, filter, indices, range);
    }
    FilterAggregationBuilder builder = AggregationBuilders.filter(AGG_FILTER).filter(standardAggregationFilters(range, filter));
    if (includeCount) {
        builder.subAggregation(AggregationBuilders.count(AGG_VALUE_COUNT).field(field));
    }
    if (includeStats) {
        builder.subAggregation(AggregationBuilders.extendedStats(AGG_EXTENDED_STATS).field(field));
    }
    if (includeCardinality) {
        builder.subAggregation(AggregationBuilders.cardinality(AGG_CARDINALITY).field(field));
    }
    srb.addAggregation(builder);
    SearchResponse r;
    final SearchRequest request;
    try {
        request = srb.request();
        r = c.search(request).actionGet();
    } catch (org.elasticsearch.action.search.SearchPhaseExecutionException e) {
        throw new FieldTypeException(e);
    }
    checkForFailedShards(r);
    recordEsMetrics(r, range);
    final Filter f = r.getAggregations().get(AGG_FILTER);
    return new FieldStatsResult(f.getAggregations().get(AGG_VALUE_COUNT), f.getAggregations().get(AGG_EXTENDED_STATS), f.getAggregations().get(AGG_CARDINALITY), r.getHits(), query, request.source(), r.getTook());
}

Example 3 with FieldStatsResult

use of org.graylog2.indexer.results.FieldStatsResult in project graylog2-server by Graylog2.

the class StatisticalCountWidgetStrategy method compute.

@Override
public ComputationResult compute() {
    try {
        final String filter;
        if (!isNullOrEmpty(streamId)) {
            filter = "streams:" + streamId;
        } else {
            filter = null;
        }
        final TimeRange timeRange = this.timeRange;
        boolean needsCardinality = statsFunction.equals(StatisticalFunction.CARDINALITY);
        boolean needsCount = statsFunction.equals(StatisticalFunction.COUNT);
        final FieldStatsResult fieldStatsResult = getSearches().fieldStats(field, query, filter, timeRange, needsCardinality, !(needsCount || needsCardinality), needsCount);
        if (trend && timeRange instanceof RelativeRange) {
            DateTime toPrevious = timeRange.getFrom();
            DateTime fromPrevious = toPrevious.minus(Seconds.seconds(((RelativeRange) timeRange).getRange()));
            TimeRange previousTimeRange = AbsoluteRange.create(fromPrevious, toPrevious);
            final FieldStatsResult previousFieldStatsResult = getSearches().fieldStats(field, query, filter, previousTimeRange, needsCardinality, !(needsCount || needsCardinality), needsCount);
            Map<String, Object> results = Maps.newHashMap();
            results.put("now", getStatisticalValue(fieldStatsResult));
            results.put("previous", getStatisticalValue(previousFieldStatsResult));
            long tookMs = fieldStatsResult.took().millis() + previousFieldStatsResult.took().millis();
            return new ComputationResult(results, tookMs);
        } else {
            return new ComputationResult(getStatisticalValue(fieldStatsResult), fieldStatsResult.took().millis());
        }
    } catch (Searches.FieldTypeException e) {
        log.warn("Invalid field provided, returning 'NaN'", e);
        return new ComputationResult(Double.NaN, 0);
    }
}

Example 4 with FieldStatsResult

use of org.graylog2.indexer.results.FieldStatsResult in project graylog2-server by Graylog2.

the class FieldValueAlertCondition method runCheck.

@Override
public CheckResult runCheck() {
    try {
        final String filter = "streams:" + stream.getId();
        // TODO we don't support cardinality yet
        final FieldStatsResult fieldStatsResult = searches.fieldStats(field, "*", filter, RelativeRange.create(time * 60), false, true, false);
        if (fieldStatsResult.getCount() == 0) {
            LOG.debug("Alert check <{}> did not match any messages. Returning not triggered.", type);
            return new NegativeCheckResult();
        }
        final double result;
        switch(type) {
            case MEAN:
                result = fieldStatsResult.getMean();
                break;
            case MIN:
                result = fieldStatsResult.getMin();
                break;
            case MAX:
                result = fieldStatsResult.getMax();
                break;
            case SUM:
                result = fieldStatsResult.getSum();
                break;
            case STDDEV:
                result = fieldStatsResult.getStdDeviation();
                break;
            default:
                LOG.error("No such field value check type: [{}]. Returning not triggered.", type);
                return new NegativeCheckResult();
        }
        LOG.debug("Alert check <{}> result: [{}]", id, result);
        if (Double.isInfinite(result)) {
            // This happens when there are no ES results/docs.
            LOG.debug("Infinite value. Returning not triggered.");
            return new NegativeCheckResult();
        }
        final boolean triggered;
        switch(thresholdType) {
            case HIGHER:
                triggered = result > threshold.doubleValue();
                break;
            case LOWER:
                triggered = result < threshold.doubleValue();
                break;
            default:
                triggered = false;
        }
        if (triggered) {
            final String resultDescription = "Field " + field + " had a " + type + " of " + decimalFormat.format(result) + " in the last " + time + " minutes with trigger condition " + thresholdType + " than " + decimalFormat.format(threshold) + ". " + "(Current grace time: " + grace + " minutes)";
            final List<MessageSummary> summaries;
            if (getBacklog() > 0) {
                final List<ResultMessage> searchResult = fieldStatsResult.getSearchHits();
                summaries = Lists.newArrayListWithCapacity(searchResult.size());
                for (ResultMessage resultMessage : searchResult) {
                    final Message msg = resultMessage.getMessage();
                    summaries.add(new MessageSummary(resultMessage.getIndex(), msg));
                }
            } else {
                summaries = Collections.emptyList();
            }
            return new CheckResult(true, this, resultDescription, Tools.nowUTC(), summaries);
        } else {
            return new NegativeCheckResult();
        }
    } catch (InvalidRangeParametersException e) {
        // cannot happen lol
        LOG.error("Invalid timerange.", e);
        return null;
    } catch (InvalidRangeFormatException e) {
        // lol same here
        LOG.error("Invalid timerange format.", e);
        return null;
    } catch (Searches.FieldTypeException e) {
        LOG.debug("Field [{}] seems not to have a numerical type or doesn't even exist at all. Returning not triggered.", field, e);
        return new NegativeCheckResult();
    }
}

Example 5 with FieldStatsResult

use of org.graylog2.indexer.results.FieldStatsResult in project graylog2-server by Graylog2.

the class FieldValueAlertConditionTest method getFieldStatsResult.

private FieldStatsResult getFieldStatsResult(FieldValueAlertCondition.CheckType type, Number retValue) {
    final Double value = (Double) retValue;
    final FieldStatsResult fieldStatsResult = mock(FieldStatsResult.class);
    when(fieldStatsResult.getCount()).thenReturn(1L);
    switch(type) {
        case MIN:
            when(fieldStatsResult.getMin()).thenReturn(value);
        case MAX:
            when(fieldStatsResult.getMax()).thenReturn(value);
        case MEAN:
            when(fieldStatsResult.getMean()).thenReturn(value);
        case STDDEV:
            when(fieldStatsResult.getStdDeviation()).thenReturn(value);
        case SUM:
            when(fieldStatsResult.getSum()).thenReturn(value);
    }
    return fieldStatsResult;
}