use of org.graylog2.indexer.results.FieldStatsResult in project graylog2-server by Graylog2.
the class SearchesTest method testFieldStats.
@Test
@UsingDataSet(loadStrategy = LoadStrategyEnum.CLEAN_INSERT)
public void testFieldStats() throws Exception {
FieldStatsResult result = searches.fieldStats("n", "*", AbsoluteRange.create(new DateTime(2015, 1, 1, 0, 0, DateTimeZone.UTC), new DateTime(2015, 1, 2, 0, 0, DateTimeZone.UTC)));
assertThat(result.getSearchHits()).hasSize(10);
assertThat(result.getCount()).isEqualTo(8);
assertThat(result.getMin()).isEqualTo(1.0);
assertThat(result.getMax()).isEqualTo(4.0);
assertThat(result.getMean()).isEqualTo(2.375);
assertThat(result.getSum()).isEqualTo(19.0);
assertThat(result.getSumOfSquares()).isEqualTo(53.0);
assertThat(result.getVariance()).isEqualTo(0.984375);
assertThat(result.getStdDeviation()).isEqualTo(0.9921567416492215);
}
use of org.graylog2.indexer.results.FieldStatsResult in project graylog2-server by Graylog2.
the class Searches method fieldStats.
public FieldStatsResult fieldStats(String field, String query, String filter, TimeRange range, boolean includeCardinality, boolean includeStats, boolean includeCount) throws FieldTypeException {
SearchRequestBuilder srb;
final Set<String> indices = indicesContainingField(determineAffectedIndices(range, filter), field);
if (filter == null) {
srb = standardSearchRequest(query, indices, range);
} else {
srb = filteredSearchRequest(query, filter, indices, range);
}
FilterAggregationBuilder builder = AggregationBuilders.filter(AGG_FILTER).filter(standardAggregationFilters(range, filter));
if (includeCount) {
builder.subAggregation(AggregationBuilders.count(AGG_VALUE_COUNT).field(field));
}
if (includeStats) {
builder.subAggregation(AggregationBuilders.extendedStats(AGG_EXTENDED_STATS).field(field));
}
if (includeCardinality) {
builder.subAggregation(AggregationBuilders.cardinality(AGG_CARDINALITY).field(field));
}
srb.addAggregation(builder);
SearchResponse r;
final SearchRequest request;
try {
request = srb.request();
r = c.search(request).actionGet();
} catch (org.elasticsearch.action.search.SearchPhaseExecutionException e) {
throw new FieldTypeException(e);
}
checkForFailedShards(r);
recordEsMetrics(r, range);
final Filter f = r.getAggregations().get(AGG_FILTER);
return new FieldStatsResult(f.getAggregations().get(AGG_VALUE_COUNT), f.getAggregations().get(AGG_EXTENDED_STATS), f.getAggregations().get(AGG_CARDINALITY), r.getHits(), query, request.source(), r.getTook());
}
use of org.graylog2.indexer.results.FieldStatsResult in project graylog2-server by Graylog2.
the class StatisticalCountWidgetStrategy method compute.
@Override
public ComputationResult compute() {
try {
final String filter;
if (!isNullOrEmpty(streamId)) {
filter = "streams:" + streamId;
} else {
filter = null;
}
final TimeRange timeRange = this.timeRange;
boolean needsCardinality = statsFunction.equals(StatisticalFunction.CARDINALITY);
boolean needsCount = statsFunction.equals(StatisticalFunction.COUNT);
final FieldStatsResult fieldStatsResult = getSearches().fieldStats(field, query, filter, timeRange, needsCardinality, !(needsCount || needsCardinality), needsCount);
if (trend && timeRange instanceof RelativeRange) {
DateTime toPrevious = timeRange.getFrom();
DateTime fromPrevious = toPrevious.minus(Seconds.seconds(((RelativeRange) timeRange).getRange()));
TimeRange previousTimeRange = AbsoluteRange.create(fromPrevious, toPrevious);
final FieldStatsResult previousFieldStatsResult = getSearches().fieldStats(field, query, filter, previousTimeRange, needsCardinality, !(needsCount || needsCardinality), needsCount);
Map<String, Object> results = Maps.newHashMap();
results.put("now", getStatisticalValue(fieldStatsResult));
results.put("previous", getStatisticalValue(previousFieldStatsResult));
long tookMs = fieldStatsResult.took().millis() + previousFieldStatsResult.took().millis();
return new ComputationResult(results, tookMs);
} else {
return new ComputationResult(getStatisticalValue(fieldStatsResult), fieldStatsResult.took().millis());
}
} catch (Searches.FieldTypeException e) {
log.warn("Invalid field provided, returning 'NaN'", e);
return new ComputationResult(Double.NaN, 0);
}
}
use of org.graylog2.indexer.results.FieldStatsResult in project graylog2-server by Graylog2.
the class FieldValueAlertCondition method runCheck.
@Override
public CheckResult runCheck() {
try {
final String filter = "streams:" + stream.getId();
// TODO we don't support cardinality yet
final FieldStatsResult fieldStatsResult = searches.fieldStats(field, "*", filter, RelativeRange.create(time * 60), false, true, false);
if (fieldStatsResult.getCount() == 0) {
LOG.debug("Alert check <{}> did not match any messages. Returning not triggered.", type);
return new NegativeCheckResult();
}
final double result;
switch(type) {
case MEAN:
result = fieldStatsResult.getMean();
break;
case MIN:
result = fieldStatsResult.getMin();
break;
case MAX:
result = fieldStatsResult.getMax();
break;
case SUM:
result = fieldStatsResult.getSum();
break;
case STDDEV:
result = fieldStatsResult.getStdDeviation();
break;
default:
LOG.error("No such field value check type: [{}]. Returning not triggered.", type);
return new NegativeCheckResult();
}
LOG.debug("Alert check <{}> result: [{}]", id, result);
if (Double.isInfinite(result)) {
// This happens when there are no ES results/docs.
LOG.debug("Infinite value. Returning not triggered.");
return new NegativeCheckResult();
}
final boolean triggered;
switch(thresholdType) {
case HIGHER:
triggered = result > threshold.doubleValue();
break;
case LOWER:
triggered = result < threshold.doubleValue();
break;
default:
triggered = false;
}
if (triggered) {
final String resultDescription = "Field " + field + " had a " + type + " of " + decimalFormat.format(result) + " in the last " + time + " minutes with trigger condition " + thresholdType + " than " + decimalFormat.format(threshold) + ". " + "(Current grace time: " + grace + " minutes)";
final List<MessageSummary> summaries;
if (getBacklog() > 0) {
final List<ResultMessage> searchResult = fieldStatsResult.getSearchHits();
summaries = Lists.newArrayListWithCapacity(searchResult.size());
for (ResultMessage resultMessage : searchResult) {
final Message msg = resultMessage.getMessage();
summaries.add(new MessageSummary(resultMessage.getIndex(), msg));
}
} else {
summaries = Collections.emptyList();
}
return new CheckResult(true, this, resultDescription, Tools.nowUTC(), summaries);
} else {
return new NegativeCheckResult();
}
} catch (InvalidRangeParametersException e) {
// cannot happen lol
LOG.error("Invalid timerange.", e);
return null;
} catch (InvalidRangeFormatException e) {
// lol same here
LOG.error("Invalid timerange format.", e);
return null;
} catch (Searches.FieldTypeException e) {
LOG.debug("Field [{}] seems not to have a numerical type or doesn't even exist at all. Returning not triggered.", field, e);
return new NegativeCheckResult();
}
}
use of org.graylog2.indexer.results.FieldStatsResult in project graylog2-server by Graylog2.
the class FieldValueAlertConditionTest method getFieldStatsResult.
private FieldStatsResult getFieldStatsResult(FieldValueAlertCondition.CheckType type, Number retValue) {
final Double value = (Double) retValue;
final FieldStatsResult fieldStatsResult = mock(FieldStatsResult.class);
when(fieldStatsResult.getCount()).thenReturn(1L);
switch(type) {
case MIN:
when(fieldStatsResult.getMin()).thenReturn(value);
case MAX:
when(fieldStatsResult.getMax()).thenReturn(value);
case MEAN:
when(fieldStatsResult.getMean()).thenReturn(value);
case STDDEV:
when(fieldStatsResult.getStdDeviation()).thenReturn(value);
case SUM:
when(fieldStatsResult.getSum()).thenReturn(value);
}
return fieldStatsResult;
}
Aggregations