
Example 6 with SortField

use of org.apache.metron.indexing.dao.search.SortField in project metron by apache.

the class SolrMetaAlertIntegrationTest method shouldSearchByNestedAlert.

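@Test
@Override
@SuppressWarnings("unchecked")
public void shouldSearchByNestedAlert() throws Exception {
    // Four plain alerts: alerts 0 and 1 are tagged with the active meta alert, alerts 2 and 3
    // carry no METAALERT_FIELD at all (they are only listed inside the inactive meta alert).
    // Each gets a distinct ip_src_addr/ip_src_port so a query can single it out.
    List<Map<String, Object>> alerts = buildAlerts(4);
    alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
    alerts.get(0).put("ip_src_addr", "192.168.1.1");
    alerts.get(0).put("ip_src_port", 8010);
    alerts.get(1).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
    alerts.get(1).put("ip_src_addr", "192.168.1.2");
    alerts.get(1).put("ip_src_port", 8009);
    alerts.get(2).put("ip_src_addr", "192.168.1.3");
    alerts.get(2).put("ip_src_port", 8008);
    alerts.get(3).put("ip_src_addr", "192.168.1.4");
    alerts.get(3).put("ip_src_port", 8007);
    addRecords(alerts, getTestIndexName(), SENSOR_NAME);
    // Put the nested type into the test index, so that it'll match appropriately
    setupTypings();
    // Load metaAlerts
    Map<String, Object> activeMetaAlert = buildMetaAlert("meta_active", MetaAlertStatus.ACTIVE,
        Optional.of(Arrays.asList(alerts.get(0), alerts.get(1))));
    Map<String, Object> inactiveMetaAlert = buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE,
        Optional.of(Arrays.asList(alerts.get(2), alerts.get(3))));
    // We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
    addRecords(Arrays.asList(activeMetaAlert, inactiveMetaAlert), METAALERTS_COLLECTION, METAALERT_TYPE);
    // Verify load was successful
    findCreatedDocs(Arrays.asList(
        new GetRequest("message_0", SENSOR_NAME),
        new GetRequest("message_1", SENSOR_NAME),
        new GetRequest("message_2", SENSOR_NAME),
        new GetRequest("message_3", SENSOR_NAME),
        new GetRequest("meta_active", METAALERT_TYPE),
        new GetRequest("meta_inactive", METAALERT_TYPE)));

    // 1. Query the meta alert collection alone for a child's fields. Solr matches the nested
    //    child but hands back the parent, carrying both children under ALERT_FIELD.
    SearchResponse searchResponse = metaDao.search(buildGuidSortedRequest(
        "ip_src_addr:192.168.1.1 AND ip_src_port:8010", Collections.singletonList(METAALERT_TYPE), 5));
    assertEquals(1, searchResponse.getTotal());
    // Guard the get(0) below with a real assertion instead of an IndexOutOfBoundsException.
    assertEquals(1, searchResponse.getResults().size());
    List<Map<String, Object>> actualAlerts = (List<Map<String, Object>>) searchResponse.getResults().get(0)
        .getSource().get(MetaAlertConstants.ALERT_FIELD);
    assertEquals(2, actualAlerts.size());
    assertEquals("meta_active", searchResponse.getResults().get(0).getSource().get("guid"));

    // 2. Same query across all indices. Only the active meta alert may come back: the child
    //    that matched must not additionally be returned as a standalone hit from the sensor
    //    index, otherwise the meta alert grouping could be bypassed by querying the raw index.
    searchResponse = metaDao.search(buildGuidSortedRequest(
        "ip_src_addr:192.168.1.1 AND ip_src_port:8010", queryIndices, 5));
    assertEquals(1, searchResponse.getTotal());
    assertEquals(1, searchResponse.getResults().size());
    actualAlerts = (List<Map<String, Object>>) searchResponse.getResults().get(0)
        .getSource().get(MetaAlertConstants.ALERT_FIELD);
    assertEquals(2, actualAlerts.size());
    assertEquals("meta_active", searchResponse.getResults().get(0).getSource().get("guid"));

    // 3. Across all indices, alert 2 has no attached meta alert (it is merely listed inside the
    //    inactive one), so it is returned on its own and carries no child list.
    searchResponse = metaDao.search(buildGuidSortedRequest(
        "ip_src_addr:192.168.1.3 AND ip_src_port:8008", queryIndices, 1));
    assertEquals(1, searchResponse.getTotal());
    assertEquals(1, searchResponse.getResults().size());
    actualAlerts = (List<Map<String, Object>>) searchResponse.getResults().get(0)
        .getSource().get(MetaAlertConstants.ALERT_FIELD);
    assertNull(actualAlerts);
    assertEquals("message_2", searchResponse.getResults().get(0).getSource().get("guid"));
}

/**
 * Builds a page-0 search request sorted by GUID (SortField's default sort order).
 * Replaces the double-brace initialisation the test used to rely on, which creates an anonymous
 * SearchRequest/SortField subclass per request that captures the enclosing test instance.
 *
 * @param query   query string, handed to the DAO verbatim
 * @param indices indices/collections to search, handed to the DAO as given
 * @param size    maximum number of hits to return
 * @return the populated request
 */
private static SearchRequest buildGuidSortedRequest(String query, List<String> indices, int size) {
    SortField byGuid = new SortField();
    byGuid.setField(Constants.GUID);
    SearchRequest request = new SearchRequest();
    request.setQuery(query);
    request.setIndices(indices);
    request.setFrom(0);
    request.setSize(size);
    request.setSort(Collections.singletonList(byGuid));
    return request;
}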

Example 7 with SortField

use of org.apache.metron.indexing.dao.search.SortField in project metron by apache.

the class SolrMetaAlertIntegrationTest method shouldNotRetrieveFullChildrenWithoutSourceType.

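@Test
@SuppressWarnings("unchecked")
public void shouldNotRetrieveFullChildrenWithoutSourceType() throws Exception {
    // One alert attached to one active meta alert.
    List<Map<String, Object>> alerts = buildAlerts(1);
    alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
    alerts.get(0).put("ip_src_addr", "192.168.1.1");
    alerts.get(0).put("ip_src_port", 8010);
    addRecords(alerts, getTestIndexName(), SENSOR_NAME);
    // Put the nested type into the test index, so that it'll match appropriately
    setupTypings();
    // Load metaAlerts
    Map<String, Object> activeMetaAlert = buildMetaAlert("meta_active", MetaAlertStatus.ACTIVE,
        Optional.of(Arrays.asList(alerts.get(0))));
    // We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
    addRecords(Collections.singletonList(activeMetaAlert), METAALERTS_COLLECTION, METAALERT_TYPE);
    // Verify load was successful
    findCreatedDocs(Collections.singletonList(new GetRequest("meta_active", METAALERT_TYPE)));

    // Ask for the GUID field only. The request is built with plain setters rather than
    // double-brace initialisation, which would create an anonymous subclass per request.
    SortField byGuid = new SortField();
    byGuid.setField(Constants.GUID);
    SearchRequest request = new SearchRequest();
    request.setQuery("ip_src_addr:192.168.1.1 AND ip_src_port:8010");
    request.setIndices(Collections.singletonList(METAALERT_TYPE));
    request.setFrom(0);
    request.setSize(5);
    request.setFields(Collections.singletonList(Constants.GUID));
    request.setSort(Collections.singletonList(byGuid));
    SearchResponse searchResponse = metaDao.search(request);

    // Should have one result because Solr will return the parent.
    assertEquals(1, searchResponse.getTotal());
    assertEquals(1, searchResponse.getResults().size());
    // The field list was restricted to the GUID, so the child alerts must not be returned:
    // a restricted field list has to actually restrict the payload, not just the parent's
    // own fields.
    List<Map<String, Object>> actualAlerts = (List<Map<String, Object>>) searchResponse.getResults().get(0)
        .getSource().get(MetaAlertConstants.ALERT_FIELD);
    assertNull(actualAlerts);
    assertEquals("meta_active", searchResponse.getResults().get(0).getSource().get("guid"));
}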

Example 8 with SortField

use of org.apache.metron.indexing.dao.search.SortField in project metron by apache.

the class ElasticsearchMetaAlertIntegrationTest method shouldSearchByNestedAlert.

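@ParameterizedTest
@MethodSource("data")
public void shouldSearchByNestedAlert(Function<List<String>, List<String>> indexTransform) throws Exception {
    // Four plain alerts: alerts 0 and 1 are tagged with the active meta alert, alerts 2 and 3
    // carry no METAALERT_FIELD at all (they are only listed inside the inactive meta alert).
    // Each gets a distinct ip_src_addr/ip_src_port so a query can single it out.
    List<Map<String, Object>> alerts = buildAlerts(4);
    alerts.get(0).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
    alerts.get(0).put("ip_src_addr", "192.168.1.1");
    alerts.get(0).put("ip_src_port", 8010);
    alerts.get(1).put(METAALERT_FIELD, Collections.singletonList("meta_active"));
    alerts.get(1).put("ip_src_addr", "192.168.1.2");
    alerts.get(1).put("ip_src_port", 8009);
    alerts.get(2).put("ip_src_addr", "192.168.1.3");
    alerts.get(2).put("ip_src_port", 8008);
    alerts.get(3).put("ip_src_addr", "192.168.1.4");
    alerts.get(3).put("ip_src_port", 8007);
    addRecords(alerts, INDEX, SENSOR_NAME);
    // Put the nested type into the test index, so that it'll match appropriately
    setupTypings();
    // Load metaAlerts
    Map<String, Object> activeMetaAlert = buildMetaAlert("meta_active", MetaAlertStatus.ACTIVE,
        Optional.of(Arrays.asList(alerts.get(0), alerts.get(1))));
    Map<String, Object> inactiveMetaAlert = buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE,
        Optional.of(Arrays.asList(alerts.get(2), alerts.get(3))));
    // We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
    addRecords(Arrays.asList(activeMetaAlert, inactiveMetaAlert), METAALERTS_INDEX, METAALERT_TYPE);
    // Verify load was successful
    findCreatedDocs(Arrays.asList(
        new GetRequest("message_0", SENSOR_NAME),
        new GetRequest("message_1", SENSOR_NAME),
        new GetRequest("message_2", SENSOR_NAME),
        new GetRequest("message_3", SENSOR_NAME),
        new GetRequest("meta_active", METAALERT_TYPE),
        new GetRequest("meta_inactive", METAALERT_TYPE)));

    // 1. Mix alert 0's address with alert 1's port, in both the flat and the nested
    //    (metron_alert.*) form. No document may match: if the children were flattened into
    //    the parent, the parent would carry both values and this cross-child query would hit.
    SearchResponse searchResponse = metaDao.search(guidSortedRequest(
        "(ip_src_addr:192.168.1.1 AND ip_src_port:8009) OR (metron_alert.ip_src_addr:192.168.1.1 AND metron_alert.ip_src_port:8009)",
        Collections.singletonList(METAALERT_TYPE), 5));
    assertEquals(0, searchResponse.getTotal());

    // 2. A genuine child's address/port across all indices. Only the active meta alert may be
    //    returned; the child must not also surface as a standalone hit from the sensor index,
    //    otherwise the grouping could be bypassed by querying the raw index.
    searchResponse = metaDao.search(guidSortedRequest(
        "(ip_src_addr:192.168.1.1 AND ip_src_port:8010)" + " OR (metron_alert.ip_src_addr:192.168.1.1 AND metron_alert.ip_src_port:8010)",
        indexTransform.apply(allIndices), 5));
    assertEquals(1, searchResponse.getTotal());
    // Guard the get(0) below with a real assertion instead of an IndexOutOfBoundsException.
    assertEquals(1, searchResponse.getResults().size());
    assertEquals("meta_active", searchResponse.getResults().get(0).getSource().get("guid"));

    // 3. Across every index ("*"), alert 2 has no attached meta alert (it is merely listed
    //    inside the inactive one), so it is returned on its own.
    searchResponse = metaDao.search(guidSortedRequest(
        "(ip_src_addr:192.168.1.3 AND ip_src_port:8008)" + " OR (metron_alert.ip_src_addr:192.168.1.3 AND metron_alert.ip_src_port:8008)",
        Collections.singletonList("*"), 1));
    assertEquals(1, searchResponse.getTotal());
    assertEquals(1, searchResponse.getResults().size());
    assertEquals("message_2", searchResponse.getResults().get(0).getSource().get("guid"));
}

/**
 * Builds a page-0 search request sorted by GUID (SortField's default sort order).
 * Replaces the double-brace initialisation the test used to rely on, which creates an anonymous
 * SearchRequest/SortField subclass per request that captures the enclosing test instance.
 *
 * @param query   query string, handed to the DAO verbatim
 * @param indices indices to search, handed to the DAO as given
 * @param size    maximum number of hits to return
 * @return the populated request
 */
private static SearchRequest guidSortedRequest(String query, List<String> indices, int size) {
    SortField byGuid = new SortField();
    byGuid.setField(Constants.GUID);
    SearchRequest request = new SearchRequest();
    request.setQuery(query);
    request.setIndices(indices);
    request.setFrom(0);
    request.setSize(size);
    request.setSort(Collections.singletonList(byGuid));
    return request;
}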

Example 9 with SortField

use of org.apache.metron.indexing.dao.search.SortField in project metron by apache.

the class ElasticsearchMetaAlertIntegrationTest method shouldSearchByStatus.

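@Test
public void shouldSearchByStatus() throws Exception {
    // One active and one inactive meta alert, neither with child alerts.
    Map<String, Object> activeMetaAlert = buildMetaAlert("meta_active", MetaAlertStatus.ACTIVE, Optional.empty());
    Map<String, Object> inactiveMetaAlert = buildMetaAlert("meta_inactive", MetaAlertStatus.INACTIVE, Optional.empty());
    // We pass MetaAlertDao.METAALERT_TYPE, because the "_doc" gets appended automatically.
    elasticsearchAdd(Arrays.asList(activeMetaAlert, inactiveMetaAlert), METAALERTS_INDEX, MetaAlertDao.METAALERT_TYPE);
    // Verify load was successful
    findCreatedDocs(Arrays.asList(
        new GetRequest("meta_active", METAALERT_TYPE),
        new GetRequest("meta_inactive", METAALERT_TYPE)));

    // A match-all query over the meta alert index, built with plain setters rather than
    // double-brace initialisation (which would create an anonymous subclass per request).
    SortField byGuid = new SortField();
    byGuid.setField(Constants.GUID);
    SearchRequest request = new SearchRequest();
    request.setQuery("*");
    request.setIndices(Collections.singletonList(MetaAlertDao.METAALERT_TYPE));
    request.setFrom(0);
    request.setSize(5);
    request.setSort(Collections.singletonList(byGuid));
    SearchResponse searchResponse = metaDao.search(request);

    // Even a match-all query must not return the inactive meta alert: the status filter is
    // applied by the DAO, not by the caller's query.
    Assert.assertEquals(1, searchResponse.getTotal());
    Assert.assertEquals(1, searchResponse.getResults().size());
    Assert.assertEquals(MetaAlertStatus.ACTIVE.getStatusString(),
        searchResponse.getResults().get(0).getSource().get(MetaAlertDao.STATUS_FIELD));
}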

Example 10 with SortField

use of org.apache.metron.indexing.dao.search.SortField in project metron by apache.

the class SolrSearchDao method buildSearchRequest.

// An explicit, overriding fieldList can be provided.  This is useful for things like metaalerts,
// which may need to modify that parameter.
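/**
 * Translates a Metron {@link SearchRequest} into a {@link SolrQuery}.
 *
 * Paging, the query string, sort fields, facet fields and the index list are passed through as
 * the caller supplied them. Nothing here restricts what may be searched: the query is raw Solr
 * syntax and any authorization of which caller may query which collection or field must be
 * enforced upstream of this DAO.
 *
 * @param searchRequest the request to translate
 * @param fieldList     explicit Solr {@code fl} value that overrides the request's field list
 *                      when non-null (meta alerts use this to adjust the returned fields);
 *                      when null, the request's fields are used, or {@code *} if it has none
 * @return the populated Solr query
 * @throws IOException         if collection resolution fails
 * @throws SolrServerException if collection resolution fails
 */
protected SolrQuery buildSearchRequest(SearchRequest searchRequest, String fieldList) throws IOException, SolrServerException {
    SolrQuery query = new SolrQuery()
        .setStart(searchRequest.getFrom())
        .setRows(searchRequest.getSize())
        .setQuery(searchRequest.getQuery())
        // Tie Solr query debug output to our log level. NOTE(review): debugQuery adds a debug
        // section to the Solr response itself; confirm it is not forwarded to API clients
        // when debug logging is enabled.
        .setShowDebugInfo(LOG.isDebugEnabled());
    // handle sort fields. A request without a sort list is valid: no sort parameter is set
    // and Solr's own ordering applies, instead of failing with an NPE here.
    List<SortField> sortFields = searchRequest.getSort();
    if (sortFields != null) {
        for (SortField sortField : sortFields) {
            query.addSort(sortField.getField(), getSolrSortOrder(sortField.getSortOrder()));
        }
    }
    // handle search fields. Field names are joined verbatim into Solr's fl parameter, which
    // Solr interprets (aliases, transformers) rather than treating as plain names; an untrusted
    // field list should be validated before it reaches here — TODO confirm where that happens.
    List<String> fields = searchRequest.getFields();
    if (fieldList == null) {
        fieldList = "*";
        if (fields != null) {
            fieldList = StringUtils.join(fields, ",");
        }
    }
    query.set("fl", fieldList);
    // handle facet fields
    List<String> facetFields = searchRequest.getFacetFields();
    if (facetFields != null) {
        facetFields.forEach(query::addFacetField);
    }
    query.set("collection", getCollections(searchRequest.getIndices()));
    return query;
}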
