Example 1 with SearchResponse
use of org.apache.metron.indexing.dao.search.SearchResponse in project metron by apache.
the class ElasticsearchDao method buildSearchResponse.
/**
* Builds a search response.
*
* This effectively transforms an Elasticsearch search response into a Metron search response.
*
* @param searchRequest The Metron search request.
* @param esResponse The Elasticsearch search response.
* @return A Metron search response.
* @throws InvalidSearchException
*/
private SearchResponse buildSearchResponse(SearchRequest searchRequest, org.elasticsearch.action.search.SearchResponse esResponse) throws InvalidSearchException {
SearchResponse searchResponse = new SearchResponse();
searchResponse.setTotal(esResponse.getHits().getTotalHits());
// search hits --> search results
List<SearchResult> results = new ArrayList<>();
for (SearchHit hit : esResponse.getHits().getHits()) {
results.add(getSearchResult(hit, searchRequest.getFields()));
}
searchResponse.setResults(results);
// handle facet fields
if (searchRequest.getFacetFields() != null) {
List<String> facetFields = searchRequest.getFacetFields();
Map<String, FieldType> commonColumnMetadata;
try {
commonColumnMetadata = getColumnMetadata(searchRequest.getIndices());
} catch (IOException e) {
throw new InvalidSearchException(String.format("Could not get common column metadata for indices %s", Arrays.toString(searchRequest.getIndices().toArray())));
}
searchResponse.setFacetCounts(getFacetCounts(facetFields, esResponse.getAggregations(), commonColumnMetadata));
}
if (LOG.isDebugEnabled()) {
LOG.debug("Built search response; response={}", ElasticsearchUtils.toJSON(searchResponse).orElse("???"));
}
return searchResponse;
}
Also used :
InvalidSearchException(org.apache.metron.indexing.dao.search.InvalidSearchException)
SearchHit(org.elasticsearch.search.SearchHit)
ArrayList(java.util.ArrayList)
SearchResult(org.apache.metron.indexing.dao.search.SearchResult)
IOException(java.io.IOException)
SearchResponse(org.apache.metron.indexing.dao.search.SearchResponse)
FieldType(org.apache.metron.indexing.dao.search.FieldType)
Example 2 with SearchResponse
use of org.apache.metron.indexing.dao.search.SearchResponse in project metron by apache.
the class ElasticsearchMetaAlertIntegrationTest method shouldSearchByNestedAlert.
@Test
public void shouldSearchByNestedAlert() throws Exception {
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(4);
alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
alerts.get(0).put("ip_src_addr", "192.168.1.1");
alerts.get(0).put("ip_src_port", 8010);
alerts.get(1).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
alerts.get(1).put("ip_src_addr", "192.168.1.2");
alerts.get(1).put("ip_src_port", 8009);
alerts.get(2).put("ip_src_addr", "192.168.1.3");
alerts.get(2).put("ip_src_port", 8008);
alerts.get(3).put("ip_src_addr", "192.168.1.4");
alerts.get(3).put("ip_src_port", 8007);
elasticsearchAdd(alerts, INDEX, SENSOR_NAME);
// Put the nested type into the test index, so that it'll match appropriately
((ElasticsearchDao) esDao).getClient().admin().indices().preparePutMapping(INDEX).setType("test_doc").setSource(nestedAlertMapping).get();
// Load metaAlerts
Map<String, Object> activeMetaAlert = buildMetaAlert("meta_active", MetaAlertStatus.ACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(1))));
Map<String, Object> inactiveMetaAlert = buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE, Optional.of(Arrays.asList(alerts.get(2), alerts.get(3))));
// We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
elasticsearchAdd(Arrays.asList(activeMetaAlert, inactiveMetaAlert), METAALERTS_INDEX, MetaAlertDao.METAALERT_TYPE);
// Verify load was successful
findCreatedDocs(Arrays.asList(new GetRequest("message_0", SENSOR_NAME), new GetRequest("message_1", SENSOR_NAME), new GetRequest("message_2", SENSOR_NAME), new GetRequest("message_3", SENSOR_NAME), new GetRequest("meta_active", METAALERT_TYPE), new GetRequest("meta_inactive", METAALERT_TYPE)));
SearchResponse searchResponse = metaDao.search(new SearchRequest() {
{
setQuery("(ip_src_addr:192.168.1.1 AND ip_src_port:8009) OR (alert.ip_src_addr:192.168.1.1 AND alert.ip_src_port:8009)");
setIndices(Collections.singletonList(MetaAlertDao.METAALERT_TYPE));
setFrom(0);
setSize(5);
setSort(Collections.singletonList(new SortField() {
{
setField(Constants.GUID);
}
}));
}
});
// Should not have results because nested alerts shouldn't be flattened
Assert.assertEquals(0, searchResponse.getTotal());
// Query against all indices. Only the single active meta alert should be returned.
// The child alerts should be hidden.
searchResponse = metaDao.search(new SearchRequest() {
{
setQuery("(ip_src_addr:192.168.1.1 AND ip_src_port:8010)" + " OR (alert.ip_src_addr:192.168.1.1 AND alert.ip_src_port:8010)");
setIndices(Collections.singletonList("*"));
setFrom(0);
setSize(5);
setSort(Collections.singletonList(new SortField() {
{
setField(Constants.GUID);
}
}));
}
});
// Nested query should match a nested alert
Assert.assertEquals(1, searchResponse.getTotal());
Assert.assertEquals("meta_active", searchResponse.getResults().get(0).getSource().get("guid"));
// Query against all indices. The child alert has no actual attached meta alerts, and should
// be returned on its own.
searchResponse = metaDao.search(new SearchRequest() {
{
setQuery("(ip_src_addr:192.168.1.3 AND ip_src_port:8008)" + " OR (alert.ip_src_addr:192.168.1.3 AND alert.ip_src_port:8008)");
setIndices(Collections.singletonList("*"));
setFrom(0);
setSize(1);
setSort(Collections.singletonList(new SortField() {
{
setField(Constants.GUID);
}
}));
}
});
// Nested query should match a plain alert
Assert.assertEquals(1, searchResponse.getTotal());
Assert.assertEquals("message_2", searchResponse.getResults().get(0).getSource().get("guid"));
}
Also used :
SearchRequest(org.apache.metron.indexing.dao.search.SearchRequest)
ElasticsearchDao(org.apache.metron.elasticsearch.dao.ElasticsearchDao)
GetRequest(org.apache.metron.indexing.dao.search.GetRequest)
SortField(org.apache.metron.indexing.dao.search.SortField)
Map(java.util.Map)
HashMap(java.util.HashMap)
SearchResponse(org.apache.metron.indexing.dao.search.SearchResponse)
Test(org.junit.Test)
Example 3 with SearchResponse
use of org.apache.metron.indexing.dao.search.SearchResponse in project metron by apache.
the class ElasticsearchMetaAlertIntegrationTest method shouldGetAllMetaAlertsForAlert.
@Test
public void shouldGetAllMetaAlertsForAlert() throws Exception {
// Load alerts
List<Map<String, Object>> alerts = buildAlerts(3);
elasticsearchAdd(alerts, INDEX, SENSOR_NAME);
// Load metaAlerts
List<Map<String, Object>> metaAlerts = buildMetaAlerts(12, MetaAlertStatus.ACTIVE, Optional.of(Collections.singletonList(alerts.get(0))));
metaAlerts.add(buildMetaAlert("meta_active_12", MetaAlertStatus.ACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(2)))));
metaAlerts.add(buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE, Optional.of(Arrays.asList(alerts.get(0), alerts.get(2)))));
// We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
elasticsearchAdd(metaAlerts, METAALERTS_INDEX, MetaAlertDao.METAALERT_TYPE);
// Verify load was successful
List<GetRequest> createdDocs = metaAlerts.stream().map(metaAlert -> new GetRequest((String) metaAlert.get(Constants.GUID), METAALERT_TYPE)).collect(Collectors.toList());
createdDocs.addAll(alerts.stream().map(alert -> new GetRequest((String) alert.get(Constants.GUID), SENSOR_NAME)).collect(Collectors.toList()));
findCreatedDocs(createdDocs);
int previousPageSize = ((ElasticsearchMetaAlertDao) metaDao).getPageSize();
((ElasticsearchMetaAlertDao) metaDao).setPageSize(5);
{
// Verify searches successfully return more than 10 results
SearchResponse searchResponse0 = metaDao.getAllMetaAlertsForAlert("message_0");
List<SearchResult> searchResults0 = searchResponse0.getResults();
Assert.assertEquals(13, searchResults0.size());
Set<Map<String, Object>> resultSet = new HashSet<>();
Iterables.addAll(resultSet, Iterables.transform(searchResults0, r -> r.getSource()));
StringBuffer reason = new StringBuffer("Unable to find " + metaAlerts.get(0) + "\n");
reason.append(Joiner.on("\n").join(resultSet));
Assert.assertTrue(reason.toString(), resultSet.contains(metaAlerts.get(0)));
// Verify no meta alerts are returned because message_1 was not added to any
SearchResponse searchResponse1 = metaDao.getAllMetaAlertsForAlert("message_1");
List<SearchResult> searchResults1 = searchResponse1.getResults();
Assert.assertEquals(0, searchResults1.size());
// Verify only the meta alert message_2 was added to is returned
SearchResponse searchResponse2 = metaDao.getAllMetaAlertsForAlert("message_2");
List<SearchResult> searchResults2 = searchResponse2.getResults();
Assert.assertEquals(1, searchResults2.size());
Assert.assertEquals(metaAlerts.get(12), searchResults2.get(0).getSource());
}
((ElasticsearchMetaAlertDao) metaDao).setPageSize(previousPageSize);
}
Also used :
InvalidSearchException(org.apache.metron.indexing.dao.search.InvalidSearchException)
Arrays(java.util.Arrays)
AccessConfig(org.apache.metron.indexing.dao.AccessConfig)
ALERT_FIELD(org.apache.metron.indexing.dao.MetaAlertDao.ALERT_FIELD)
Date(java.util.Date)
PatchRequest(org.apache.metron.indexing.dao.update.PatchRequest)
GroupResult(org.apache.metron.indexing.dao.search.GroupResult)
GroupResponse(org.apache.metron.indexing.dao.search.GroupResponse)
METAALERTS_INDEX(org.apache.metron.indexing.dao.MetaAlertDao.METAALERTS_INDEX)
Map(java.util.Map)
SearchResult(org.apache.metron.indexing.dao.search.SearchResult)
After(org.junit.After)
MetaAlertCreateRequest(org.apache.metron.indexing.dao.metaalert.MetaAlertCreateRequest)
Document(org.apache.metron.indexing.dao.update.Document)
AfterClass(org.junit.AfterClass)
MetaAlertDao(org.apache.metron.indexing.dao.MetaAlertDao)
IndexDao(org.apache.metron.indexing.dao.IndexDao)
Set(java.util.Set)
GetRequest(org.apache.metron.indexing.dao.search.GetRequest)
SearchRequest(org.apache.metron.indexing.dao.search.SearchRequest)
Collectors(java.util.stream.Collectors)
OriginalNotFoundException(org.apache.metron.indexing.dao.update.OriginalNotFoundException)
ElasticSearchComponent(org.apache.metron.elasticsearch.integration.components.ElasticSearchComponent)
List(java.util.List)
METAALERT_TYPE(org.apache.metron.indexing.dao.MetaAlertDao.METAALERT_TYPE)
Optional(java.util.Optional)
Joiner(com.google.common.base.Joiner)
SearchResponse(org.apache.metron.indexing.dao.search.SearchResponse)
Iterables(com.google.common.collect.Iterables)
MetaAlertStatus(org.apache.metron.indexing.dao.metaalert.MetaAlertStatus)
BeforeClass(org.junit.BeforeClass)
SimpleDateFormat(java.text.SimpleDateFormat)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
HashSet(java.util.HashSet)
Group(org.apache.metron.indexing.dao.search.Group)
JSONUtils(org.apache.metron.common.utils.JSONUtils)
STATUS_FIELD(org.apache.metron.indexing.dao.MetaAlertDao.STATUS_FIELD)
Before(org.junit.Before)
GroupRequest(org.apache.metron.indexing.dao.search.GroupRequest)
JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException)
IOException(java.io.IOException)
Test(org.junit.Test)
Constants(org.apache.metron.common.Constants)
SortField(org.apache.metron.indexing.dao.search.SortField)
File(java.io.File)
MetaAlertCreateResponse(org.apache.metron.indexing.dao.metaalert.MetaAlertCreateResponse)
ElasticsearchMetaAlertDao(org.apache.metron.elasticsearch.dao.ElasticsearchMetaAlertDao)
METAALERT_FIELD(org.apache.metron.indexing.dao.MetaAlertDao.METAALERT_FIELD)
Multiline(org.adrianwalker.multilinestring.Multiline)
Assert(org.junit.Assert)
Collections(java.util.Collections)
ElasticsearchDao(org.apache.metron.elasticsearch.dao.ElasticsearchDao)
Set(java.util.Set)
HashSet(java.util.HashSet)
SearchResponse(org.apache.metron.indexing.dao.search.SearchResponse)
GetRequest(org.apache.metron.indexing.dao.search.GetRequest)
List(java.util.List)
ArrayList(java.util.ArrayList)
Map(java.util.Map)
HashMap(java.util.HashMap)
ElasticsearchMetaAlertDao(org.apache.metron.elasticsearch.dao.ElasticsearchMetaAlertDao)
Test(org.junit.Test)
Example 4 with SearchResponse
use of org.apache.metron.indexing.dao.search.SearchResponse in project metron by apache.
the class SearchIntegrationTest method sort_descending_with_missing_fields.
@Test
public void sort_descending_with_missing_fields() throws Exception {
SearchRequest request = JSONUtils.INSTANCE.load(sortDescendingWithMissingFields, SearchRequest.class);
SearchResponse response = dao.search(request);
Assert.assertEquals(10, response.getTotal());
List<SearchResult> results = response.getResults();
Assert.assertEquals(10, results.size());
// validate sorted order - there are only 2 with a 'threat:triage:score'
Assert.assertEquals("20", results.get(0).getSource().get("threat:triage:score"));
Assert.assertEquals("10", results.get(1).getSource().get("threat:triage:score"));
// the remaining are missing the 'threat:triage:score' and should be sorted last
for (int i = 2; i < 10; i++) {
Assert.assertFalse(results.get(i).getSource().containsKey("threat:triage:score"));
}
}
Also used :
SearchRequest(org.apache.metron.indexing.dao.search.SearchRequest)
SearchResult(org.apache.metron.indexing.dao.search.SearchResult)
SearchResponse(org.apache.metron.indexing.dao.search.SearchResponse)
Test(org.junit.Test)
Example 5 with SearchResponse
use of org.apache.metron.indexing.dao.search.SearchResponse in project metron by apache.
the class SearchIntegrationTest method no_results_returned_when_query_does_not_match.
@Test
public void no_results_returned_when_query_does_not_match() throws Exception {
SearchRequest request = JSONUtils.INSTANCE.load(noResultsFieldsQuery, SearchRequest.class);
SearchResponse response = dao.search(request);
Assert.assertEquals(0, response.getTotal());
}
Also used :
SearchRequest(org.apache.metron.indexing.dao.search.SearchRequest)
SearchResponse(org.apache.metron.indexing.dao.search.SearchResponse)
Test(org.junit.Test)
Aggregations
SearchResponse (org.apache.metron.indexing.dao.search.SearchResponse)32
SearchRequest (org.apache.metron.indexing.dao.search.SearchRequest)24
SearchResult (org.apache.metron.indexing.dao.search.SearchResult)23
Test (org.junit.Test)15
ArrayList (java.util.ArrayList)12
HashMap (java.util.HashMap)12
GetRequest (org.apache.metron.indexing.dao.search.GetRequest)11
InvalidSearchException (org.apache.metron.indexing.dao.search.InvalidSearchException)11
IOException (java.io.IOException)10
Map (java.util.Map)10
SortField (org.apache.metron.indexing.dao.search.SortField)10
Document (org.apache.metron.indexing.dao.update.Document)7
List (java.util.List)6
Optional (java.util.Optional)6
Collectors (java.util.stream.Collectors)5
Constants (org.apache.metron.common.Constants)5
GroupRequest (org.apache.metron.indexing.dao.search.GroupRequest)5
GroupResponse (org.apache.metron.indexing.dao.search.GroupResponse)5
JSONUtils (org.apache.metron.common.utils.JSONUtils)4
Group (org.apache.metron.indexing.dao.search.Group)4
