Project

General

Profile

Actions

Bug #7770

open

Reporter sends thresholded events only from relapse period

Added by Rajmund Hruška 4 months ago. Updated 3 days ago.

Status:
In Progress
Priority:
Normal
Category:
Development - Core
Target version:
Start date:
08/07/2024
Due date:
% Done:

0%

Estimated time:
To be discussed:
No

Description

When any event occurs during the relapse period, all thresholded events should be reported (for given event-class and address).

def search_relapsed_events(self, group_name, severity, ttl):
    """ 
    Search for list of relapsed events for given group, severity and TTL.
    Event is considered to be relapsed, when following conditions are met:

    * there is record in ``thresholds`` table with ``thresholds.ttltime <= $ttl``
      (this means that thresholding window expired)
    * there is record in ``events_thresholded`` table with ``events_thresholded.createtime >= thresholds.relapsetime``
      (this meant that the event was thresholded in relapse period)

    :param str group_name: Name of the abuse group.
    :param str severity: Event severity.
    :param datetime.datetime ttl: Record TTL time.
    :return: List of relapsed events as touple of id, json of event data and list of threshold keys.
    :rtype: list
    """ 
    self.cursor.execute(
        "SELECT events_json.id, events_json.event, ARRAY_AGG(events_thresholded.keyid) AS keyids FROM events_json INNER JOIN events_thresholded ON events_json.id = events_thresholded.eventid INNER JOIN thresholds ON events_thresholded.keyid = thresholds.id WHERE events_thresholded.groupname = %s AND events_thresholded.eventseverity = %s AND events_thresholded.createtime >= thresholds.relapsetime AND thresholds.ttltime <= %s GROUP BY events_json.id",
        (group_name, severity, ttl)
    )
    return self.cursor.fetchall()
Actions

Also available in: Atom PDF