Example 11 with Event
use of org.graylog.events.event.Event in project graylog2-server by Graylog2.
the class AggregationEventProcessorTest method testEventsFromAggregationResultWithConditions.
@Test
public void testEventsFromAggregationResultWithConditions() {
final DateTime now = DateTime.now(DateTimeZone.UTC);
final AbsoluteRange timerange = AbsoluteRange.create(now.minusHours(1), now.plusHours(1));
// We expect to get the end of the aggregation timerange as event time
final TestEvent event1 = new TestEvent(timerange.to());
final TestEvent event2 = new TestEvent(timerange.to());
when(eventFactory.createEvent(any(EventDefinition.class), eq(now), anyString())).thenReturn(// first invocation return value
event1).thenReturn(// second invocation return value
event2);
// There should only be one result because the second result's "abc123" value is less than 40. (it is 23)
// See result builder below
final AggregationConditions conditions = AggregationConditions.builder().expression(Expr.And.create(Expr.Greater.create(Expr.NumberReference.create("abc123"), Expr.NumberValue.create(40.0d)), Expr.Lesser.create(Expr.NumberReference.create("xyz789"), Expr.NumberValue.create(2.0d)))).build();
final EventDefinitionDto eventDefinitionDto = buildEventDefinitionDto(ImmutableSet.of(), ImmutableList.of(), conditions);
final AggregationEventProcessorParameters parameters = AggregationEventProcessorParameters.builder().timerange(timerange).build();
final AggregationEventProcessor eventProcessor = new AggregationEventProcessor(eventDefinitionDto, searchFactory, eventProcessorDependencyCheck, stateService, moreSearch, streamService, messages);
final AggregationResult result = AggregationResult.builder().effectiveTimerange(timerange).totalAggregatedMessages(1).sourceStreams(ImmutableSet.of("stream-1", "stream-2", "stream-3")).keyResults(ImmutableList.of(AggregationKeyResult.builder().key(ImmutableList.of("one", "two")).timestamp(now).seriesValues(ImmutableList.of(AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(42.0d).series(AggregationSeries.builder().id("abc123").function(AggregationFunction.COUNT).field("source").build()).build(), AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(1.0d).series(AggregationSeries.builder().id("xyz789").function(AggregationFunction.CARD).field("source").build()).build())).build(), AggregationKeyResult.builder().key(ImmutableList.of(now.toString(), "one", "two")).seriesValues(ImmutableList.of(AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(// Doesn't match condition
23.0d).series(AggregationSeries.builder().id("abc123").function(AggregationFunction.COUNT).field("source").build()).build(), AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(1.0d).series(AggregationSeries.builder().id("xyz789").function(AggregationFunction.CARD).field("source").build()).build())).build())).build();
final ImmutableList<EventWithContext> eventsWithContext = eventProcessor.eventsFromAggregationResult(eventFactory, parameters, result);
assertThat(eventsWithContext).hasSize(1);
assertThat(eventsWithContext.get(0)).satisfies(eventWithContext -> {
final Event event = eventWithContext.event();
assertThat(event.getId()).isEqualTo(event1.getId());
assertThat(event.getMessage()).isEqualTo(event1.getMessage());
assertThat(event.getEventTimestamp()).isEqualTo(timerange.to());
assertThat(event.getTimerangeStart()).isEqualTo(timerange.from());
assertThat(event.getTimerangeEnd()).isEqualTo(timerange.to());
// Should contain all streams because when config.streams is empty, we search in all streams
assertThat(event.getSourceStreams()).containsOnly("stream-1", "stream-2", "stream-3");
final Message message = eventWithContext.messageContext().orElse(null);
assertThat(message).isNotNull();
assertThat(message.getField("group_field_one")).isEqualTo("one");
assertThat(message.getField("group_field_two")).isEqualTo("two");
assertThat(message.getField("aggregation_key")).isEqualTo("one|two");
assertThat(message.getField("aggregation_value_count_source")).isEqualTo(42.0d);
assertThat(message.getField("aggregation_value_card_source")).isEqualTo(1.0d);
assertThat(event.getGroupByFields().get("group_field_one")).isEqualTo("one");
assertThat(event.getGroupByFields().get("group_field_two")).isEqualTo("two");
});
}
Also used :
EventDefinitionDto(org.graylog.events.processor.EventDefinitionDto)
Message(org.graylog2.plugin.Message)
TestEvent(org.graylog.events.event.TestEvent)
AbsoluteRange(org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange)
Event(org.graylog.events.event.Event)
TestEvent(org.graylog.events.event.TestEvent)
EventWithContext(org.graylog.events.event.EventWithContext)
DateTime(org.joda.time.DateTime)
Test(org.junit.Test)
Example 12 with Event
use of org.graylog.events.event.Event in project graylog2-server by Graylog2.
the class AggregationEventProcessorTest method testEventsFromAggregationResultWithEmptyResultAndNoConfiguredStreamsUsesAllStreamsAsSourceStreams.
@Test
public void testEventsFromAggregationResultWithEmptyResultAndNoConfiguredStreamsUsesAllStreamsAsSourceStreams() {
final DateTime now = DateTime.now(DateTimeZone.UTC);
final AbsoluteRange timerange = AbsoluteRange.create(now.minusHours(1), now.plusHours(1));
// We expect to get the end of the aggregation timerange as event time
final TestEvent event1 = new TestEvent(timerange.to());
final TestEvent event2 = new TestEvent(timerange.to());
when(eventFactory.createEvent(any(EventDefinition.class), eq(now), anyString())).thenReturn(// first invocation return value
event1).thenReturn(// second invocation return value
event2);
when(streamService.loadAll()).thenReturn(ImmutableList.of(new StreamMock(Collections.singletonMap("_id", "stream-1"), Collections.emptyList()), new StreamMock(Collections.singletonMap("_id", "stream-2"), Collections.emptyList()), new StreamMock(Collections.singletonMap("_id", "stream-3"), Collections.emptyList()), new StreamMock(Collections.singletonMap("_id", StreamImpl.DEFAULT_STREAM_ID), Collections.emptyList()), new StreamMock(Collections.singletonMap("_id", StreamImpl.DEFAULT_EVENTS_STREAM_ID), Collections.emptyList()), new StreamMock(Collections.singletonMap("_id", StreamImpl.DEFAULT_SYSTEM_EVENTS_STREAM_ID), Collections.emptyList())));
final EventDefinitionDto eventDefinitionDto = buildEventDefinitionDto(ImmutableSet.of(), ImmutableList.of(), null);
final AggregationEventProcessorParameters parameters = AggregationEventProcessorParameters.builder().timerange(timerange).build();
final AggregationEventProcessor eventProcessor = new AggregationEventProcessor(eventDefinitionDto, searchFactory, eventProcessorDependencyCheck, stateService, moreSearch, streamService, messages);
final AggregationResult result = buildAggregationResult(timerange, now, ImmutableList.of("one", "two"));
final ImmutableList<EventWithContext> eventsWithContext = eventProcessor.eventsFromAggregationResult(eventFactory, parameters, result);
assertThat(eventsWithContext).hasSize(1);
assertThat(eventsWithContext.get(0)).satisfies(eventWithContext -> {
final Event event = eventWithContext.event();
assertThat(event.getId()).isEqualTo(event1.getId());
assertThat(event.getMessage()).isEqualTo(event1.getMessage());
assertThat(event.getEventTimestamp()).isEqualTo(timerange.to());
assertThat(event.getTimerangeStart()).isEqualTo(timerange.from());
assertThat(event.getTimerangeEnd()).isEqualTo(timerange.to());
// Must contain all existing streams but the default event streams!
assertThat(event.getSourceStreams()).containsOnly("stream-1", "stream-2", "stream-3", StreamImpl.DEFAULT_STREAM_ID);
final Message message = eventWithContext.messageContext().orElse(null);
assertThat(message).isNotNull();
assertThat(message.getField("group_field_one")).isEqualTo("one");
assertThat(message.getField("group_field_two")).isEqualTo("two");
assertThat(message.getField("aggregation_key")).isEqualTo("one|two");
assertThat(message.getField("aggregation_value_count")).isEqualTo(0.0d);
});
}
Also used :
StreamMock(org.graylog2.streams.StreamMock)
EventDefinitionDto(org.graylog.events.processor.EventDefinitionDto)
Message(org.graylog2.plugin.Message)
TestEvent(org.graylog.events.event.TestEvent)
AbsoluteRange(org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange)
Event(org.graylog.events.event.Event)
TestEvent(org.graylog.events.event.TestEvent)
EventWithContext(org.graylog.events.event.EventWithContext)
DateTime(org.joda.time.DateTime)
Test(org.junit.Test)
Example 13 with Event
use of org.graylog.events.event.Event in project graylog2-server by Graylog2.
the class AggregationEventProcessorTest method testEventsFromAggregationResult.
@Test
public void testEventsFromAggregationResult() {
final DateTime now = DateTime.now(DateTimeZone.UTC);
final AbsoluteRange timerange = AbsoluteRange.create(now.minusHours(1), now.plusHours(1));
// We expect to get the end of the aggregation timerange as event time
final TestEvent event1 = new TestEvent(timerange.to());
final TestEvent event2 = new TestEvent(timerange.to());
when(eventFactory.createEvent(any(EventDefinition.class), eq(now), anyString())).thenReturn(// first invocation return value
event1).thenReturn(// second invocation return value
event2);
final EventDefinitionDto eventDefinitionDto = buildEventDefinitionDto(ImmutableSet.of("stream-2"), ImmutableList.of(), null);
final AggregationEventProcessorParameters parameters = AggregationEventProcessorParameters.builder().timerange(timerange).build();
final AggregationEventProcessor eventProcessor = new AggregationEventProcessor(eventDefinitionDto, searchFactory, eventProcessorDependencyCheck, stateService, moreSearch, streamService, messages);
final AggregationResult result = AggregationResult.builder().effectiveTimerange(timerange).totalAggregatedMessages(1).sourceStreams(ImmutableSet.of("stream-1", "stream-2")).keyResults(ImmutableList.of(AggregationKeyResult.builder().key(ImmutableList.of("one", "two")).timestamp(now).seriesValues(ImmutableList.of(AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(42.0d).series(AggregationSeries.builder().id("abc123").function(AggregationFunction.COUNT).field("source").build()).build(), AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(23.0d).series(AggregationSeries.builder().id("abc123-no-field").function(AggregationFunction.COUNT).build()).build(), AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(1.0d).series(AggregationSeries.builder().id("xyz789").function(AggregationFunction.CARD).field("source").build()).build())).build())).build();
final ImmutableList<EventWithContext> eventsWithContext = eventProcessor.eventsFromAggregationResult(eventFactory, parameters, result);
assertThat(eventsWithContext).hasSize(1);
assertThat(eventsWithContext.get(0)).satisfies(eventWithContext -> {
final Event event = eventWithContext.event();
assertThat(event.getId()).isEqualTo(event1.getId());
assertThat(event.getMessage()).isEqualTo(event1.getMessage());
assertThat(event.getEventTimestamp()).isEqualTo(timerange.to());
assertThat(event.getTimerangeStart()).isEqualTo(timerange.from());
assertThat(event.getTimerangeEnd()).isEqualTo(timerange.to());
// Should only contain the streams that have been configured in event definition
assertThat(event.getSourceStreams()).containsOnly("stream-2");
final Message message = eventWithContext.messageContext().orElse(null);
assertThat(message).isNotNull();
assertThat(message.getField("group_field_one")).isEqualTo("one");
assertThat(message.getField("group_field_two")).isEqualTo("two");
assertThat(message.getField("aggregation_key")).isEqualTo("one|two");
assertThat(message.getField("aggregation_value_count_source")).isEqualTo(42.0d);
// Make sure that the count with a "null" field doesn't include the field in the name
assertThat(message.getField("aggregation_value_count")).isEqualTo(23.0d);
assertThat(message.getField("aggregation_value_card_source")).isEqualTo(1.0d);
assertThat(event.getGroupByFields().get("group_field_one")).isEqualTo("one");
assertThat(event.getGroupByFields().get("group_field_two")).isEqualTo("two");
});
}
Also used :
EventDefinitionDto(org.graylog.events.processor.EventDefinitionDto)
Message(org.graylog2.plugin.Message)
TestEvent(org.graylog.events.event.TestEvent)
AbsoluteRange(org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange)
Event(org.graylog.events.event.Event)
TestEvent(org.graylog.events.event.TestEvent)
EventWithContext(org.graylog.events.event.EventWithContext)
DateTime(org.joda.time.DateTime)
Test(org.junit.Test)
Example 14 with Event
use of org.graylog.events.event.Event in project graylog2-server by Graylog2.
the class EventNotificationHandler method handleEvents.
public void handleEvents(EventDefinition definition, List<EventWithContext> eventsWithContext) {
for (Config config : definition.notifications()) {
final Optional<JobDefinitionDto> jobDefinition = jobDefinitionService.getByConfigField(Config.FIELD_NOTIFICATION_ID, config.notificationId());
if (!jobDefinition.isPresent()) {
LOG.error("Couldn't find job definition for notification <{}>", config.notificationId());
continue;
}
final Optional<NotificationDto> notificationDto = notificationService.get(config.notificationId());
if (!notificationDto.isPresent()) {
LOG.error("Couldn't find notification definition for id <{}>", config.notificationId());
continue;
}
final EventNotificationConfig notificationConfig = notificationDto.get().config();
for (EventWithContext eventWithContext : eventsWithContext) {
final Event event = eventWithContext.event();
if (notificationGracePeriodService.inGracePeriod(definition, config.notificationId(), event)) {
continue;
}
try {
final JobTriggerDto trigger = jobTriggerService.create(JobTriggerDto.builder().jobDefinitionId(jobDefinition.get().id()).schedule(OnceJobSchedule.create()).data(notificationConfig.toJobTriggerData(event.toDto())).build());
LOG.debug("Scheduled job <{}> for notification <{}> - event <{}/{}>", trigger.id(), config.notificationId(), event.getId(), event.getMessage());
// TODO: The trigger ID needs to be added to the "triggered_tasks" list of the event
} catch (Exception e) {
LOG.error("Couldn't create job trigger for notification <{}> and event: {}", config.notificationId(), event, e);
}
}
}
}
Also used :
JobDefinitionDto(org.graylog.scheduler.JobDefinitionDto)
Event(org.graylog.events.event.Event)
EventWithContext(org.graylog.events.event.EventWithContext)
JobTriggerDto(org.graylog.scheduler.JobTriggerDto)
NotFoundException(org.graylog2.database.NotFoundException)
Example 15 with Event
use of org.graylog.events.event.Event in project graylog2-server by Graylog2.
the class EventFieldSpecEngine method execute.
public void execute(List<EventWithContext> eventsWithContext, Map<String, EventFieldSpec> fieldSpec) {
for (final Map.Entry<String, EventFieldSpec> entry : fieldSpec.entrySet()) {
final String fieldName = entry.getKey();
final EventFieldSpec spec = entry.getValue();
for (final FieldValueProvider.Config providerConfig : spec.providers()) {
final FieldValueProvider.Factory providerFactory = fieldValueProviders.get(providerConfig.type());
if (providerFactory == null) {
LOG.error("Couldn't find field provider factory for type {}", providerConfig.type());
continue;
}
final FieldValueProvider provider = providerFactory.create(providerConfig);
for (final EventWithContext eventWithContext : eventsWithContext) {
final Event event = eventWithContext.event();
event.setField(fieldName, provider.get(fieldName, eventWithContext));
}
}
}
}
Also used :
FieldValueProvider(org.graylog.events.fields.providers.FieldValueProvider)
Event(org.graylog.events.event.Event)
EventWithContext(org.graylog.events.event.EventWithContext)
Map(java.util.Map)
Aggregations
Event (org.graylog.events.event.Event)16
TestEvent (org.graylog.events.event.TestEvent)12
Test (org.junit.Test)12
EventWithContext (org.graylog.events.event.EventWithContext)8
NotificationGracePeriodService (org.graylog.events.notifications.NotificationGracePeriodService)8
Message (org.graylog2.plugin.Message)6
DateTime (org.joda.time.DateTime)6
AbsoluteRange (org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange)5
EventDefinitionDto (org.graylog.events.processor.EventDefinitionDto)4
VisibleForTesting (com.google.common.annotations.VisibleForTesting)2
ImmutableList (com.google.common.collect.ImmutableList)2
HashMap (java.util.HashMap)2
Map (java.util.Map)2
ImmutableMap (com.google.common.collect.ImmutableMap)1
ImmutableSet (com.google.common.collect.ImmutableSet)1
Lists (com.google.common.collect.Lists)1
Maps (com.google.common.collect.Maps)1
Sets (com.google.common.collect.Sets)1
Ints (com.google.common.primitives.Ints)1
Assisted (com.google.inject.assistedinject.Assisted)1
