
Example 16 with EventDefinitionDto

use of org.graylog.events.processor.EventDefinitionDto in project graylog2-server by Graylog2.

From class EventDefinitionFacadeTest, method loadNativeEntity:

@Test
@MongoDBFixtures("EventDefinitionFacadeTest.json")
public void loadNativeEntity() {
    // Descriptor pointing at the event definition stored in the MongoDB fixture.
    final NativeEntityDescriptor descriptor = NativeEntityDescriptor.create(
            ModelId.of("content-pack-id"),
            ModelId.of("5d4032513d2746703d1467f6"),
            ModelTypes.EVENT_DEFINITION_V1,
            "title");

    final Optional<NativeEntity<EventDefinitionDto>> loaded = facade.loadNativeEntity(descriptor);

    assertThat(loaded).isPresent();
    final EventDefinitionDto eventDefinition = loaded.get().entity();
    assertThat(eventDefinition).isNotNull();
    // The loaded entity must carry the ID the descriptor asked for.
    assertThat(eventDefinition.id()).isEqualTo("5d4032513d2746703d1467f6");
}

Example 17 with EventDefinitionDto

use of org.graylog.events.processor.EventDefinitionDto in project graylog2-server by Graylog2.

From class AggregationEventProcessorTest, method testEventsFromAggregationResultWithConditions:

@Test
public void testEventsFromAggregationResultWithConditions() {
    final DateTime now = DateTime.now(DateTimeZone.UTC);
    final AbsoluteRange timerange = AbsoluteRange.create(now.minusHours(1), now.plusHours(1));

    // The event time is expected to be the end of the aggregation timerange.
    final TestEvent firstEvent = new TestEvent(timerange.to());
    final TestEvent secondEvent = new TestEvent(timerange.to());
    when(eventFactory.createEvent(any(EventDefinition.class), eq(now), anyString()))
            .thenReturn(firstEvent)    // first invocation
            .thenReturn(secondEvent);  // second invocation

    // Condition: abc123 > 40 AND xyz789 < 2. Only the first key result below satisfies it,
    // the second one reports abc123 = 23.
    final AggregationConditions conditions = AggregationConditions.builder()
            .expression(Expr.And.create(
                    Expr.Greater.create(Expr.NumberReference.create("abc123"), Expr.NumberValue.create(40.0d)),
                    Expr.Lesser.create(Expr.NumberReference.create("xyz789"), Expr.NumberValue.create(2.0d))))
            .build();

    final EventDefinitionDto eventDefinitionDto = buildEventDefinitionDto(ImmutableSet.of(), ImmutableList.of(), conditions);
    final AggregationEventProcessorParameters parameters = AggregationEventProcessorParameters.builder()
            .timerange(timerange)
            .build();
    final AggregationEventProcessor eventProcessor = new AggregationEventProcessor(
            eventDefinitionDto, searchFactory, eventProcessorDependencyCheck, stateService, moreSearch, streamService, messages);

    // The two series every key result reports on.
    final AggregationSeries countOfSource = AggregationSeries.builder()
            .id("abc123")
            .function(AggregationFunction.COUNT)
            .field("source")
            .build();
    final AggregationSeries cardinalityOfSource = AggregationSeries.builder()
            .id("xyz789")
            .function(AggregationFunction.CARD)
            .field("source")
            .build();

    final AggregationKeyResult matchingKeyResult = AggregationKeyResult.builder()
            .key(ImmutableList.of("one", "two"))
            .timestamp(now)
            .seriesValues(ImmutableList.of(
                    AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(42.0d).series(countOfSource).build(),
                    AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(1.0d).series(cardinalityOfSource).build()))
            .build();
    // Count of 23 does not satisfy "abc123 > 40", so this key result must not yield an event.
    // Unlike the matching result it carries no explicit timestamp.
    final AggregationKeyResult nonMatchingKeyResult = AggregationKeyResult.builder()
            .key(ImmutableList.of(now.toString(), "one", "two"))
            .seriesValues(ImmutableList.of(
                    AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(23.0d).series(countOfSource).build(),
                    AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(1.0d).series(cardinalityOfSource).build()))
            .build();

    final AggregationResult result = AggregationResult.builder()
            .effectiveTimerange(timerange)
            .totalAggregatedMessages(1)
            .sourceStreams(ImmutableSet.of("stream-1", "stream-2", "stream-3"))
            .keyResults(ImmutableList.of(matchingKeyResult, nonMatchingKeyResult))
            .build();

    final ImmutableList<EventWithContext> eventsWithContext = eventProcessor.eventsFromAggregationResult(eventFactory, parameters, result);

    assertThat(eventsWithContext).hasSize(1);
    assertThat(eventsWithContext.get(0)).satisfies(eventWithContext -> {
        final Event event = eventWithContext.event();
        assertThat(event.getId()).isEqualTo(firstEvent.getId());
        assertThat(event.getMessage()).isEqualTo(firstEvent.getMessage());
        assertThat(event.getEventTimestamp()).isEqualTo(timerange.to());
        assertThat(event.getTimerangeStart()).isEqualTo(timerange.from());
        assertThat(event.getTimerangeEnd()).isEqualTo(timerange.to());
        // With no streams configured on the event definition, all source streams of the result are used.
        assertThat(event.getSourceStreams()).containsOnly("stream-1", "stream-2", "stream-3");

        final Message message = eventWithContext.messageContext().orElse(null);
        assertThat(message).isNotNull();
        assertThat(message.getField("group_field_one")).isEqualTo("one");
        assertThat(message.getField("group_field_two")).isEqualTo("two");
        assertThat(message.getField("aggregation_key")).isEqualTo("one|two");
        assertThat(message.getField("aggregation_value_count_source")).isEqualTo(42.0d);
        assertThat(message.getField("aggregation_value_card_source")).isEqualTo(1.0d);

        assertThat(event.getGroupByFields().get("group_field_one")).isEqualTo("one");
        assertThat(event.getGroupByFields().get("group_field_two")).isEqualTo("two");
    });
}

Example 18 with EventDefinitionDto

use of org.graylog.events.processor.EventDefinitionDto in project graylog2-server by Graylog2.

From class AggregationEventProcessorTest, method testEventsFromAggregationResultWithEmptyResultAndNoConfiguredStreamsUsesAllStreamsAsSourceStreams:

@Test
public void testEventsFromAggregationResultWithEmptyResultAndNoConfiguredStreamsUsesAllStreamsAsSourceStreams() {
    final DateTime now = DateTime.now(DateTimeZone.UTC);
    final AbsoluteRange timerange = AbsoluteRange.create(now.minusHours(1), now.plusHours(1));

    // The event time is expected to be the end of the aggregation timerange.
    final TestEvent firstEvent = new TestEvent(timerange.to());
    final TestEvent secondEvent = new TestEvent(timerange.to());
    when(eventFactory.createEvent(any(EventDefinition.class), eq(now), anyString()))
            .thenReturn(firstEvent)    // first invocation
            .thenReturn(secondEvent);  // second invocation

    // Every stream known to the system: three user streams plus the built-in default and event streams.
    when(streamService.loadAll()).thenReturn(ImmutableList.of(
            streamMockWithId("stream-1"),
            streamMockWithId("stream-2"),
            streamMockWithId("stream-3"),
            streamMockWithId(StreamImpl.DEFAULT_STREAM_ID),
            streamMockWithId(StreamImpl.DEFAULT_EVENTS_STREAM_ID),
            streamMockWithId(StreamImpl.DEFAULT_SYSTEM_EVENTS_STREAM_ID)));

    // No streams and no conditions configured on the event definition.
    final EventDefinitionDto eventDefinitionDto = buildEventDefinitionDto(ImmutableSet.of(), ImmutableList.of(), null);
    final AggregationEventProcessorParameters parameters = AggregationEventProcessorParameters.builder()
            .timerange(timerange)
            .build();
    final AggregationEventProcessor eventProcessor = new AggregationEventProcessor(
            eventDefinitionDto, searchFactory, eventProcessorDependencyCheck, stateService, moreSearch, streamService, messages);
    final AggregationResult result = buildAggregationResult(timerange, now, ImmutableList.of("one", "two"));

    final ImmutableList<EventWithContext> eventsWithContext = eventProcessor.eventsFromAggregationResult(eventFactory, parameters, result);

    assertThat(eventsWithContext).hasSize(1);
    assertThat(eventsWithContext.get(0)).satisfies(eventWithContext -> {
        final Event event = eventWithContext.event();
        assertThat(event.getId()).isEqualTo(firstEvent.getId());
        assertThat(event.getMessage()).isEqualTo(firstEvent.getMessage());
        assertThat(event.getEventTimestamp()).isEqualTo(timerange.to());
        assertThat(event.getTimerangeStart()).isEqualTo(timerange.from());
        assertThat(event.getTimerangeEnd()).isEqualTo(timerange.to());
        // All existing streams except the built-in event streams must be reported as source streams.
        assertThat(event.getSourceStreams()).containsOnly("stream-1", "stream-2", "stream-3", StreamImpl.DEFAULT_STREAM_ID);

        final Message message = eventWithContext.messageContext().orElse(null);
        assertThat(message).isNotNull();
        assertThat(message.getField("group_field_one")).isEqualTo("one");
        assertThat(message.getField("group_field_two")).isEqualTo("two");
        assertThat(message.getField("aggregation_key")).isEqualTo("one|two");
        assertThat(message.getField("aggregation_value_count")).isEqualTo(0.0d);
    });
}

// Creates a stream mock that only carries the given "_id" and no rules.
private static StreamMock streamMockWithId(String id) {
    return new StreamMock(Collections.singletonMap("_id", id), Collections.emptyList());
}

Example 19 with EventDefinitionDto

use of org.graylog.events.processor.EventDefinitionDto in project graylog2-server by Graylog2.

From class AggregationEventProcessorTest, method testEventsFromAggregationResult:

@Test
public void testEventsFromAggregationResult() {
    final DateTime now = DateTime.now(DateTimeZone.UTC);
    final AbsoluteRange timerange = AbsoluteRange.create(now.minusHours(1), now.plusHours(1));

    // The event time is expected to be the end of the aggregation timerange.
    final TestEvent firstEvent = new TestEvent(timerange.to());
    final TestEvent secondEvent = new TestEvent(timerange.to());
    when(eventFactory.createEvent(any(EventDefinition.class), eq(now), anyString()))
            .thenReturn(firstEvent)    // first invocation
            .thenReturn(secondEvent);  // second invocation

    // The event definition is restricted to "stream-2"; no group-by fields, no conditions.
    final EventDefinitionDto eventDefinitionDto = buildEventDefinitionDto(ImmutableSet.of("stream-2"), ImmutableList.of(), null);
    final AggregationEventProcessorParameters parameters = AggregationEventProcessorParameters.builder()
            .timerange(timerange)
            .build();
    final AggregationEventProcessor eventProcessor = new AggregationEventProcessor(
            eventDefinitionDto, searchFactory, eventProcessorDependencyCheck, stateService, moreSearch, streamService, messages);

    final AggregationSeries countOfSource = AggregationSeries.builder()
            .id("abc123")
            .function(AggregationFunction.COUNT)
            .field("source")
            .build();
    // Same function, but without a field - the generated message field name must omit the field part.
    final AggregationSeries countWithoutField = AggregationSeries.builder()
            .id("abc123-no-field")
            .function(AggregationFunction.COUNT)
            .build();
    final AggregationSeries cardinalityOfSource = AggregationSeries.builder()
            .id("xyz789")
            .function(AggregationFunction.CARD)
            .field("source")
            .build();

    final AggregationKeyResult keyResult = AggregationKeyResult.builder()
            .key(ImmutableList.of("one", "two"))
            .timestamp(now)
            .seriesValues(ImmutableList.of(
                    AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(42.0d).series(countOfSource).build(),
                    AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(23.0d).series(countWithoutField).build(),
                    AggregationSeriesValue.builder().key(ImmutableList.of("a")).value(1.0d).series(cardinalityOfSource).build()))
            .build();

    final AggregationResult result = AggregationResult.builder()
            .effectiveTimerange(timerange)
            .totalAggregatedMessages(1)
            .sourceStreams(ImmutableSet.of("stream-1", "stream-2"))
            .keyResults(ImmutableList.of(keyResult))
            .build();

    final ImmutableList<EventWithContext> eventsWithContext = eventProcessor.eventsFromAggregationResult(eventFactory, parameters, result);

    assertThat(eventsWithContext).hasSize(1);
    assertThat(eventsWithContext.get(0)).satisfies(eventWithContext -> {
        final Event event = eventWithContext.event();
        assertThat(event.getId()).isEqualTo(firstEvent.getId());
        assertThat(event.getMessage()).isEqualTo(firstEvent.getMessage());
        assertThat(event.getEventTimestamp()).isEqualTo(timerange.to());
        assertThat(event.getTimerangeStart()).isEqualTo(timerange.from());
        assertThat(event.getTimerangeEnd()).isEqualTo(timerange.to());
        // Only the streams configured on the event definition are reported, not every result stream.
        assertThat(event.getSourceStreams()).containsOnly("stream-2");

        final Message message = eventWithContext.messageContext().orElse(null);
        assertThat(message).isNotNull();
        assertThat(message.getField("group_field_one")).isEqualTo("one");
        assertThat(message.getField("group_field_two")).isEqualTo("two");
        assertThat(message.getField("aggregation_key")).isEqualTo("one|two");
        assertThat(message.getField("aggregation_value_count_source")).isEqualTo(42.0d);
        // A series without a field yields a message field name without the field suffix.
        assertThat(message.getField("aggregation_value_count")).isEqualTo(23.0d);
        assertThat(message.getField("aggregation_value_card_source")).isEqualTo(1.0d);

        assertThat(event.getGroupByFields().get("group_field_one")).isEqualTo("one");
        assertThat(event.getGroupByFields().get("group_field_two")).isEqualTo("two");
    });
}

Example 20 with EventDefinitionDto

use of org.graylog.events.processor.EventDefinitionDto in project graylog2-server by Graylog2.

From class LegacyAlertConditionMigrator, method migrateFieldValue:

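/**
 * Migrates a single legacy "field_value" alert condition into an aggregation event definition.
 * <p>
 * The legacy {@code type} parameter (MEAN, MIN, MAX, SUM or STDDEV, case-insensitive) selects
 * the aggregation function applied to the legacy {@code field}. The threshold expression is
 * delegated to {@code helper.createExpression(seriesId, "HIGHER")}; which threshold types the
 * helper supports beyond that default is not visible here. Conditions with a missing or unknown
 * type are logged and skipped. The resulting event definition is created on behalf of the root
 * user, so migrated definitions end up owned by that account rather than the legacy
 * {@code creator_user_id}.
 * <p>
 * Example field value alert condition data structure on streams:
 * <pre>{@code
 *         {
 *           "id" : "00000000-0000-0000-0000-000000000001",
 *           "type" : "field_value",
 *           "title" : "Field Value - HIGHER - MEAN",
 *           "parameters" : {
 *             "backlog" : 15,
 *             "repeat_notifications" : false,
 *             "field" : "test_field_1",
 *             "query" : "*",
 *             "grace" : 1,
 *             "threshold_type" : "HIGHER",
 *             "threshold" : 23,
 *             "time" : 5,
 *             "type" : "MEAN"
 *           },
 *           "creator_user_id" : "admin",
 *           "created_at": "2019-01-01T00:00:00.000Z"
 *         }
 * }</pre>
 *
 * @param helper accessor for the legacy condition's parameters and factory for the new
 *               series ID, expression, processor config and event definition
 */
private void migrateFieldValue(Helper helper) {
    final String type = helper.parameters().getString("type");
    final String field = helper.parameters().getString("field");
    // Allocated before the type check to keep the same ID sequence as before for skipped conditions.
    final String seriesId = helper.newSeriesId();

    // A condition without a "type" would otherwise NPE in toUpperCase(); treat it like an
    // unknown type and skip just this condition.
    if (type == null) {
        LOG.warn("Couldn't migrate field value alert condition without a type");
        return;
    }

    final AggregationFunction function;
    switch (type.toUpperCase(Locale.US)) {
        case "MEAN":
            function = AggregationFunction.AVG;
            break;
        case "MIN":
            function = AggregationFunction.MIN;
            break;
        case "MAX":
            function = AggregationFunction.MAX;
            break;
        case "SUM":
            function = AggregationFunction.SUM;
            break;
        case "STDDEV":
            function = AggregationFunction.STDDEV;
            break;
        default:
            LOG.warn("Couldn't migrate field value alert condition with unknown type: {}", type);
            return;
    }

    final AggregationSeries aggregationSeries = AggregationSeries.builder()
            .id(seriesId)
            .field(field)
            .function(function)
            .build();
    final Expression<Boolean> expression = helper.createExpression(seriesId, "HIGHER");
    final EventProcessorConfig config = helper.createAggregationProcessorConfig(aggregationSeries, expression, executeEveryMs);
    final EventDefinitionDto definitionDto = helper.createEventDefinition(config);

    LOG.info("Migrate legacy field value alert condition <{}>", definitionDto.title());
    // Created with root privileges: the migration runs as the system, not as the original creator.
    eventDefinitionHandler.create(definitionDto, userService.getRootUser());
}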
