
Example 1 with AggregationSeries

use of org.graylog.events.processor.aggregation.AggregationSeries in project graylog2-server by Graylog2.

the class EventDefinitionFacadeTest method createTestEntity.

/**
 * Builds a content-pack {@code EntityV1} that wraps a serialized {@code EventDefinitionEntity}
 * whose processor config is an aggregation with a single COUNT series and a trivially true condition.
 *
 * @return entity with id {@code "beef-1337"} and type {@code ModelTypes.EVENT_DEFINITION_V1}
 */
private EntityV1 createTestEntity() {
    // One template-backed value provider for the custom field "fieldSpec".
    final TemplateFieldValueProvider.Config templateProvider = TemplateFieldValueProvider.Config.builder()
            .template("template")
            .build();
    final EventFieldSpec fieldSpec = EventFieldSpec.builder()
            .dataType(FieldValueType.STRING)
            .providers(ImmutableList.of(templateProvider))
            .build();

    // 2 > 1 always holds; AND-ing it with itself yields a condition that is always satisfied.
    final Expr.Greater alwaysTrue = Expr.Greater.create(Expr.NumberValue.create(2), Expr.NumberValue.create(1));
    final AggregationConditions conditions = AggregationConditions.builder()
            .expression(Expr.And.create(alwaysTrue, alwaysTrue))
            .build();

    final AggregationSeries countSeries = AggregationSeries.create("id-deef", AggregationFunction.COUNT, "field");
    final AggregationEventProcessorConfigEntity processorConfig = AggregationEventProcessorConfigEntity.builder()
            .query(ValueReference.of("author: \"Jane Hopper\""))
            .streams(ImmutableSet.of())
            .groupBy(ImmutableList.of("project"))
            .series(ImmutableList.of(countSeries))
            .conditions(conditions)
            .executeEveryMs(122200000L)
            .searchWithinMs(1231312123L)
            .build();

    final EventNotificationSettings notificationSettings = EventNotificationSettings.builder()
            .gracePeriodMs(123123)
            .backlogSize(123)
            .build();
    final EventNotificationHandlerConfigEntity notificationHandler = EventNotificationHandlerConfigEntity.builder()
            .notificationId(ValueReference.of("123123"))
            .build();
    final EventDefinitionEntity definition = EventDefinitionEntity.builder()
            .title(ValueReference.of("title"))
            .description(ValueReference.of("description"))
            .priority(ValueReference.of(1))
            .config(processorConfig)
            .alert(ValueReference.of(true))
            .fieldSpec(ImmutableMap.of("fieldSpec", fieldSpec))
            .keySpec(ImmutableList.of("keyspec"))
            .notificationSettings(notificationSettings)
            .notifications(ImmutableList.of(notificationHandler))
            .storage(ImmutableList.of())
            .build();

    // The entity carries the definition as a JSON tree, not as the typed object.
    final JsonNode serialized = objectMapper.convertValue(definition, JsonNode.class);
    return EntityV1.builder()
            .data(serialized)
            .id(ModelId.of("beef-1337"))
            .type(ModelTypes.EVENT_DEFINITION_V1)
            .build();
}

Example 2 with AggregationSeries

use of org.graylog.events.processor.aggregation.AggregationSeries in project graylog2-server by Graylog2.

the class LegacyAlertConditionMigrator method migrateFieldValue.

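/**
 * Migrates a legacy "field_value" alert condition into an aggregation event definition.
 * The legacy {@code type} parameter (MEAN/MIN/MAX/SUM/STDDEV, case-insensitive) is mapped
 * onto the corresponding {@link AggregationFunction}. Conditions with a missing or unknown
 * type are logged and skipped so that a single malformed document does not abort the
 * migration run.
 * <p>
 * Example field value alert condition data structure on streams:
 * <pre>{@code
 *         {
 *           "id" : "00000000-0000-0000-0000-000000000001",
 *           "type" : "field_value",
 *           "title" : "Field Value - HIGHER - MEAN",
 *           "parameters" : {
 *             "backlog" : 15,
 *             "repeat_notifications" : false,
 *             "field" : "test_field_1",
 *             "query" : "*",
 *             "grace" : 1,
 *             "threshold_type" : "HIGHER",
 *             "threshold" : 23,
 *             "time" : 5,
 *             "type" : "MEAN"
 *           },
 *           "creator_user_id" : "admin",
 *           "created_at": "2019-01-01T00:00:00.000Z"
 *         }
 * }</pre>
 *
 * @param helper accessor for the legacy condition's parameters and factory for the new
 *               expression, processor config and event definition
 */
private void migrateFieldValue(Helper helper) {
    final String type = helper.parameters().getString("type");
    final String field = helper.parameters().getString("field");
    final String seriesId = helper.newSeriesId();
    final AggregationSeries.Builder seriesBuilder = AggregationSeries.builder().id(seriesId).field(field);

    // A legacy document without a "type" must not NPE in toUpperCase(); it is routed through
    // the "unknown type" branch below and skipped like any other unmappable condition.
    final String normalizedType = type == null ? "" : type.toUpperCase(Locale.US);
    switch (normalizedType) {
        case "MEAN":
            seriesBuilder.function(AggregationFunction.AVG);
            break;
        case "MIN":
            seriesBuilder.function(AggregationFunction.MIN);
            break;
        case "MAX":
            seriesBuilder.function(AggregationFunction.MAX);
            break;
        case "SUM":
            seriesBuilder.function(AggregationFunction.SUM);
            break;
        case "STDDEV":
            seriesBuilder.function(AggregationFunction.STDDEV);
            break;
        default:
            LOG.warn("Couldn't migrate field value alert condition with unknown type: {}", type);
            return;
    }

    final AggregationSeries aggregationSeries = seriesBuilder.build();
    // The threshold comparison defaults to "HIGHER" when the helper has nothing more specific.
    final Expression<Boolean> expression = helper.createExpression(seriesId, "HIGHER");
    final EventProcessorConfig config = helper.createAggregationProcessorConfig(aggregationSeries, expression, executeEveryMs);
    final EventDefinitionDto definitionDto = helper.createEventDefinition(config);
    LOG.info("Migrate legacy field value alert condition <{}>", definitionDto.title());
    eventDefinitionHandler.create(definitionDto, userService.getRootUser());
}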

Example 3 with AggregationSeries

use of org.graylog.events.processor.aggregation.AggregationSeries in project graylog2-server by Graylog2.

the class LegacyAlertConditionMigrator method migrateFieldContentValue.

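/**
 * Migrates a legacy "field_content_value" alert condition into an aggregation event definition
 * that counts messages whose {@code field} contains {@code value} (optionally narrowed by the
 * condition's own query) and fires when that count is greater than zero.
 * <p>
 * Example field content value alert condition data structure on streams:
 * <pre>{@code
 *         {
 *           "id" : "00000000-0000-0000-0000-000000000001",
 *           "type" : "field_content_value",
 *           "title" : "Field Content - WITHOUT QUERY",
 *           "parameters" : {
 *             "backlog" : 100,
 *             "repeat_notifications" : false,
 *             "field" : "test_field_2",
 *             "query" : "",
 *             "grace" : 2,
 *             "value" : "hello"
 *           },
 *           "creator_user_id" : "admin",
 *           "created_at": "2019-01-01T00:00:00.000Z"
 *         }
 * }</pre>
 *
 * @param helper accessor for the legacy condition's parameters, stream id and query, and
 *               factory for the new event definition
 */
private void migrateFieldContentValue(Helper helper) {
    final String field = helper.parameters().getString("field");
    final String value = helper.parameters().getString("value");
    final String query = buildFieldContentQuery(field, value, helper.query);

    final String seriesId = helper.newSeriesId();
    // COUNT aggregates over the whole message, so there is no field to aggregate on.
    final AggregationSeries messageCountSeries = AggregationSeries.builder()
            .id(seriesId)
            .function(AggregationFunction.COUNT)
            .field(null)
            .build();
    // count(series) > 0: fire as soon as any message matches the query.
    final Expr.NumberReference left = Expr.NumberReference.create(seriesId);
    final Expr.NumberValue right = Expr.NumberValue.create(0);
    final Expression<Boolean> expression = Expr.Greater.create(left, right);

    final EventProcessorConfig config = AggregationEventProcessorConfig.builder()
            .streams(ImmutableSet.of(helper.streamId))
            .query(query)
            .series(ImmutableList.of(messageCountSeries))
            .groupBy(ImmutableList.of())
            .conditions(AggregationConditions.builder().expression(expression).build())
            // The FieldContentValueAlertCondition was just using the alert scanner interval
            .searchWithinMs(executeEveryMs)
            .executeEveryMs(executeEveryMs)
            .build();
    final EventDefinitionDto definitionDto = helper.createEventDefinition(config);
    LOG.info("Migrate legacy field content value alert condition <{}>", definitionDto.title());
    eventDefinitionHandler.create(definitionDto, userService.getRootUser());
}

/**
 * Builds the search query for a migrated field content value condition: an exact phrase match
 * on {@code field}, AND-ed with the legacy condition query when one is configured.
 * <p>
 * The phrase is escaped so that a value containing {@code "} or {@code \} cannot terminate the
 * quoted term early and produce a syntactically invalid (or differently scoped) query; the
 * condition query is parenthesized so that an {@code OR} inside it cannot change the precedence
 * of the surrounding {@code AND}.
 *
 * @param field          name of the message field to match on
 * @param value          phrase the field must contain; {@code null} is treated as the empty phrase
 * @param conditionQuery the legacy condition's own query; may be {@code null}, empty or {@code "*"},
 *                       all of which mean "no additional restriction"
 * @return the combined query string
 */
private static String buildFieldContentQuery(String field, String value, String conditionQuery) {
    // Backslashes first, then quotes, so the escape character itself is not re-escaped.
    final String phrase = value == null ? "" : value.replace("\\", "\\\\").replace("\"", "\\\"");
    final String fieldQuery = field + ":\"" + phrase + "\"";
    // The configured condition query can be empty
    if (isNullOrEmpty(conditionQuery) || "*".equals(conditionQuery.trim())) {
        return fieldQuery;
    }
    return fieldQuery + " AND (" + conditionQuery + ")";
}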

Example 4 with AggregationSeries

use of org.graylog.events.processor.aggregation.AggregationSeries in project graylog2-server by Graylog2.

the class LegacyAlertConditionMigrator method migrateMessageCount.

/**
 * Migrates a legacy "message_count" alert condition into an aggregation event definition
 * with a single COUNT series and a "MORE" threshold expression.
 * <p>
 * Example message count alert condition data structure on streams:
 * <pre>{@code
 *         {
 *           "id" : "00000000-0000-0000-0000-000000000001",
 *           "type" : "message_count",
 *           "title" : "Message Count - MORE",
 *           "parameters" : {
 *             "backlog" : 10,
 *             "repeat_notifications" : false,
 *             "query" : "hello:world",
 *             "grace" : 2,
 *             "threshold_type" : "MORE",
 *             "threshold" : 1,
 *             "time" : 10
 *           },
 *           "creator_user_id" : "admin",
 *           "created_at": "2019-01-01T00:00:00.000Z"
 *         }
 * }</pre>
 *
 * @param helper accessor for the legacy condition and factory for the new expression,
 *               processor config and event definition
 */
private void migrateMessageCount(Helper helper) {
    final String seriesId = helper.newSeriesId();
    // COUNT has no field to aggregate on, hence field(null).
    final AggregationSeries countSeries = AggregationSeries.builder()
            .id(seriesId)
            .function(AggregationFunction.COUNT)
            .field(null)
            .build();
    // The threshold comparison defaults to "MORE" when the helper has nothing more specific.
    final Expression<Boolean> threshold = helper.createExpression(seriesId, "MORE");
    final EventProcessorConfig processorConfig =
            helper.createAggregationProcessorConfig(countSeries, threshold, executeEveryMs);
    final EventDefinitionDto definition = helper.createEventDefinition(processorConfig);
    LOG.info("Migrate legacy message count alert condition <{}>", definition.title());
    eventDefinitionHandler.create(definition, userService.getRootUser());
}
