use of org.apache.metron.indexing.dao.search.GroupResult in project metron by apache.
the class SearchIntegrationTest method group_by_ip_query.
/**
 * Grouping on {@code ip_src_addr} alone must yield exactly one group per distinct
 * address in the fixture (8 of them), keyed in dotted-decimal form and ordered
 * from the highest address down.
 *
 * @throws Exception if the request JSON cannot be loaded or the DAO call fails
 */
@Test
public void group_by_ip_query() throws Exception {
  GroupRequest request = JSONUtils.INSTANCE.load(groupByIpQuery, GroupRequest.class);
  GroupResponse response = dao.group(request);

  // a single grouping level is requested, so the response is grouped by ip_src_addr
  Assert.assertEquals("ip_src_addr", response.getGroupedBy());

  // one group per distinct address, highest dotted-decimal key first
  String[] expectedKeys = {
      "192.168.1.8", "192.168.1.7", "192.168.1.6", "192.168.1.5",
      "192.168.1.4", "192.168.1.3", "192.168.1.2", "192.168.1.1"
  };
  List<GroupResult> groups = response.getGroupResults();
  Assert.assertEquals(expectedKeys.length, groups.size());
  for (int position = 0; position < expectedKeys.length; position++) {
    Assert.assertEquals(expectedKeys[position], groups.get(position).getKey());
  }
}
use of org.apache.metron.indexing.dao.search.GroupResult in project metron by apache.
the class SearchIntegrationTest method group_by_returns_results_in_groups.
/**
 * Two-level grouping ({@code is_alert}, then {@code latitude}) with the request's
 * default ordering of count descending; every group also carries a summed score.
 *
 * @throws Exception if the request JSON cannot be loaded or the DAO call fails
 */
@Test
public void group_by_returns_results_in_groups() throws Exception {
  // Group by test case, default order is count descending
  GroupRequest request = JSONUtils.INSTANCE.load(groupByQuery, GroupRequest.class);
  GroupResponse response = dao.group(request);

  Assert.assertEquals("is_alert", response.getGroupedBy());
  List<GroupResult> isAlertGroups = response.getGroupResults();
  Assert.assertEquals(2, isAlertGroups.size());

  // is_alert == true comes first (6 docs, score 198) and is nested on latitude
  GroupResult trueGroup = isAlertGroups.get(0);
  Assert.assertEquals("true", trueGroup.getKey());
  Assert.assertEquals(6, trueGroup.getTotal());
  Assert.assertEquals("latitude", trueGroup.getGroupedBy());
  Assert.assertEquals(198.0, trueGroup.getScore(), 0.00001);
  List<GroupResult> trueLatitudeGroups = trueGroup.getGroupResults();
  Assert.assertEquals(2, trueLatitudeGroups.size());
  // is_alert == true && latitude == 48.5839, then is_alert == true && latitude == 48.0001
  assertLatitudeLeafGroup(trueLatitudeGroups.get(0), 48.5839, 5, 148.0);
  assertLatitudeLeafGroup(trueLatitudeGroups.get(1), 48.0001, 1, 50.0);

  // is_alert == false comes second (score 130) and is nested on latitude as well
  GroupResult falseGroup = isAlertGroups.get(1);
  Assert.assertEquals("false", falseGroup.getKey());
  Assert.assertEquals("latitude", falseGroup.getGroupedBy());
  Assert.assertEquals(130.0, falseGroup.getScore(), 0.00001);
  List<GroupResult> falseLatitudeGroups = falseGroup.getGroupResults();
  Assert.assertEquals(2, falseLatitudeGroups.size());
  // is_alert == false && latitude == 48.5839, then is_alert == false && latitude == 48.0001
  assertLatitudeLeafGroup(falseLatitudeGroups.get(0), 48.5839, 3, 80.0);
  assertLatitudeLeafGroup(falseLatitudeGroups.get(1), 48.0001, 1, 50.0);
}

/**
 * Checks a latitude leaf group: its key parses to {@code latitude}, it holds
 * {@code total} documents and its summed score is {@code score}.
 */
private static void assertLatitudeLeafGroup(GroupResult group, double latitude, long total, double score) {
  Assert.assertEquals(latitude, Double.parseDouble(group.getKey()), 0.00001);
  Assert.assertEquals(total, group.getTotal());
  Assert.assertEquals(score, group.getScore(), 0.00001);
}
use of org.apache.metron.indexing.dao.search.GroupResult in project metron by apache.
the class SearchIntegrationTest method group_by_returns_results_in_sorted_groups.
/**
 * Two-level grouping with explicit sort orders: {@code is_alert} sorted by count
 * ascending, {@code ip_src_addr} sorted by term descending. Leaf groups (the last
 * level) must carry neither a nested {@code groupedBy} nor nested results.
 *
 * @throws Exception if the request JSON cannot be loaded or the DAO call fails
 */
@Test
public void group_by_returns_results_in_sorted_groups() throws Exception {
  // Group by with sorting test case where is_alert is sorted by count ascending and ip_src_addr is sorted by term descending
  GroupRequest request = JSONUtils.INSTANCE.load(sortedGroupByQuery, GroupRequest.class);
  GroupResponse response = dao.group(request);

  Assert.assertEquals("is_alert", response.getGroupedBy());
  List<GroupResult> isAlertGroups = response.getGroupResults();
  Assert.assertEquals(2, isAlertGroups.size());

  // count ascending puts is_alert == false (4 docs) before is_alert == true (6 docs)
  GroupResult falseGroup = isAlertGroups.get(0);
  Assert.assertEquals(4, falseGroup.getTotal());
  Assert.assertEquals("ip_src_addr", falseGroup.getGroupedBy());
  List<GroupResult> falseIpSrcAddrGroups = falseGroup.getGroupResults();
  Assert.assertEquals(4, falseIpSrcAddrGroups.size());
  // is_alert == false, ip_src_addr by term descending: one document per address
  assertIpSrcAddrLeafGroup(falseIpSrcAddrGroups.get(0), "192.168.1.8", 1);
  assertIpSrcAddrLeafGroup(falseIpSrcAddrGroups.get(1), "192.168.1.7", 1);
  assertIpSrcAddrLeafGroup(falseIpSrcAddrGroups.get(2), "192.168.1.6", 1);
  assertIpSrcAddrLeafGroup(falseIpSrcAddrGroups.get(3), "192.168.1.2", 1);

  // is_alert == true group
  GroupResult trueGroup = isAlertGroups.get(1);
  Assert.assertEquals(6, trueGroup.getTotal());
  Assert.assertEquals("ip_src_addr", trueGroup.getGroupedBy());
  List<GroupResult> trueIpSrcAddrGroups = trueGroup.getGroupResults();
  Assert.assertEquals(4, trueIpSrcAddrGroups.size());
  // is_alert == true, ip_src_addr by term descending; 192.168.1.1 holds the remaining 3 documents
  assertIpSrcAddrLeafGroup(trueIpSrcAddrGroups.get(0), "192.168.1.5", 1);
  assertIpSrcAddrLeafGroup(trueIpSrcAddrGroups.get(1), "192.168.1.4", 1);
  assertIpSrcAddrLeafGroup(trueIpSrcAddrGroups.get(2), "192.168.1.3", 1);
  assertIpSrcAddrLeafGroup(trueIpSrcAddrGroups.get(3), "192.168.1.1", 3);
}

/**
 * Checks an {@code ip_src_addr} leaf group: expected key and document count, and
 * no further nesting (both {@code groupedBy} and {@code groupResults} are null).
 */
private static void assertIpSrcAddrLeafGroup(GroupResult group, String expectedKey, long expectedTotal) {
  Assert.assertEquals(expectedKey, group.getKey());
  Assert.assertEquals(expectedTotal, group.getTotal());
  Assert.assertNull(group.getGroupedBy());
  Assert.assertNull(group.getGroupResults());
}
use of org.apache.metron.indexing.dao.search.GroupResult in project metron by apache.
the class ElasticsearchDao method getGroupResults.
/**
 * Converts the terms aggregation for group level {@code index} of the request into
 * {@link GroupResult}s, one per bucket, recursing into each bucket's own
 * aggregations while further group levels remain in the request.
 *
 * @param groupRequest request whose {@link Group} list defines the nesting order and whose
 *     optional score field selects a per-bucket sum aggregation
 * @param index position in {@code groupRequest.getGroups()} of the level being converted
 * @param aggregations aggregations that hold the terms aggregation for this level
 * @param commonColumnMetadata field types, looked up by field name, used to format bucket keys
 * @return the converted groups in the order the terms aggregation returns its buckets
 */
private List<GroupResult> getGroupResults(GroupRequest groupRequest, int index, Aggregations aggregations, Map<String, FieldType> commonColumnMetadata) {
  List<Group> groups = groupRequest.getGroups();
  String field = groups.get(index).getField();
  // everything below is the same for every bucket of this level
  FieldType fieldType = commonColumnMetadata.get(field);
  Optional<String> scoreField = groupRequest.getScoreField();
  boolean hasNestedLevel = index + 1 < groups.size();
  Terms terms = aggregations.get(getGroupByAggregationName(field));

  List<GroupResult> results = new ArrayList<>();
  for (Bucket bucket : terms.getBuckets()) {
    GroupResult result = new GroupResult();
    result.setKey(formatKey(bucket.getKey(), fieldType));
    result.setTotal(bucket.getDocCount());
    if (scoreField.isPresent()) {
      // the score is the bucket's sum aggregation, found via getSumAggregationName
      Sum sum = bucket.getAggregations().get(getSumAggregationName(scoreField.get()));
      result.setScore(sum.getValue());
    }
    if (hasNestedLevel) {
      // the next group level is built from this bucket's sub-aggregations
      result.setGroupedBy(groups.get(index + 1).getField());
      result.setGroupResults(getGroupResults(groupRequest, index + 1, bucket.getAggregations(), commonColumnMetadata));
    }
    results.add(result);
  }
  return results;
}
use of org.apache.metron.indexing.dao.search.GroupResult in project metron by apache.
the class ElasticsearchMetaAlertIntegrationTest method shouldHidesAlertsOnGroup.
/**
 * A group query through the meta-alert DAO must count only standalone alerts: the
 * alert already attached to an active meta alert is left out of the bucket's total
 * and out of its summed score.
 *
 * @throws Exception if indexing, mapping or querying Elasticsearch fails
 */
@Test
public void shouldHidesAlertsOnGroup() throws Exception {
  // Two alerts on the same source address; only the first is attached to a meta alert
  List<Map<String, Object>> alerts = buildAlerts(2);
  Map<String, Object> attachedAlert = alerts.get(0);
  attachedAlert.put(METAALERT_FIELD, Collections.singletonList("meta_active"));
  attachedAlert.put("ip_src_addr", "192.168.1.1");
  attachedAlert.put("score_field", 1);
  Map<String, Object> standaloneAlert = alerts.get(1);
  standaloneAlert.put("ip_src_addr", "192.168.1.1");
  standaloneAlert.put("score_field", 10);
  elasticsearchAdd(alerts, INDEX, SENSOR_NAME);

  // Put the nested type into the test index, so that it'll match appropriately
  ((ElasticsearchDao) esDao).getClient().admin().indices()
      .preparePutMapping(INDEX)
      .setType("test_doc")
      .setSource(nestedAlertMapping)
      .get();

  // Don't need any meta alerts to actually exist, since we've populated the field on the alerts.
  // Verify load was successful
  findCreatedDocs(Arrays.asList(
      new GetRequest("message_0", SENSOR_NAME),
      new GetRequest("message_1", SENSOR_NAME)));

  // Build our group request: one level on ip_src_addr, scored by score_field
  Group ipGroup = new Group();
  ipGroup.setField("ip_src_addr");
  List<Group> groups = new ArrayList<>();
  groups.add(ipGroup);
  GroupRequest groupRequest = new GroupRequest();
  groupRequest.setQuery("ip_src_addr:192.168.1.1");
  groupRequest.setIndices(Collections.singletonList("*"));
  groupRequest.setScoreField("score_field");
  groupRequest.setGroups(groups);
  GroupResponse groupResponse = metaDao.group(groupRequest);

  // Only the standalone alert contributes to the group
  GroupResult result = groupResponse.getGroupResults().get(0);
  Assert.assertEquals(1, result.getTotal());
  Assert.assertEquals("192.168.1.1", result.getKey());
  // No delta, since no ops happen
  Assert.assertEquals(10.0d, result.getScore(), 0.0d);
}