Bug #7770
Updated by Rajmund Hruška about 1 month ago
When any event occurs during the relapse period, all thresholded events should be reported (for given event-class and address).
<pre><code class="python">
def search_relapsed_events(self, group_name, severity, ttl):
"""
Search for list of relapsed events for given group, severity and TTL.
Event is considered to be relapsed, when following conditions are met:
* there is record in ``thresholds`` table with ``thresholds.ttltime <= $ttl``
(this means that thresholding window expired)
* there is record in ``events_thresholded`` table with ``events_thresholded.createtime >= thresholds.relapsetime``
(this meant that the event was thresholded in relapse period)
:param str group_name: Name of the abuse group.
:param str severity: Event severity.
:param datetime.datetime ttl: Record TTL time.
:return: List of relapsed events as touple of id, json of event data and list of threshold keys.
:rtype: list
"""
self.cursor.execute(
"SELECT events_json.id, events_json.event, ARRAY_AGG(events_thresholded.keyid) AS keyids FROM events_json INNER JOIN events_thresholded ON events_json.id = events_thresholded.eventid INNER JOIN thresholds ON events_thresholded.keyid = thresholds.id WHERE events_thresholded.groupname = %s AND events_thresholded.eventseverity = %s AND events_thresholded.createtime >= thresholds.relapsetime AND thresholds.ttltime <= %s GROUP BY events_json.id",
(group_name, severity, ttl)
)
return self.cursor.fetchall()
</code></pre>