Bug #7770

Updated by Rajmund Hruška 4 months ago

When any event occurs during the relapse period, all thresholded events should be reported (for given event-class and address). 

<pre><code class="python">
def search_relapsed_events(self, group_name, severity, ttl):
    """
    Search for list of relapsed events for given group, severity and TTL.
    Event is considered to be relapsed when the following conditions are met:

    * there is a record in ``thresholds`` table with ``thresholds.ttltime <= $ttl``
      (this means that the thresholding window expired)
    * there is a record in ``events_thresholded`` table with ``events_thresholded.createtime >= thresholds.relapsetime``
      (this means that the event was thresholded in the relapse period)

    :param str group_name: Name of the abuse group.
    :param str severity: Event severity.
    :param datetime.datetime ttl: Record TTL time.
    :return: List of relapsed events as tuple of id, json of event data and list of threshold keys.
    :rtype: list
    """
    # All values are passed as bound parameters, never interpolated into the SQL.
    self.cursor.execute(
        """
        SELECT events_json.id, events_json.event,
               ARRAY_AGG(events_thresholded.keyid) AS keyids
          FROM events_json
         INNER JOIN events_thresholded ON events_json.id = events_thresholded.eventid
         INNER JOIN thresholds ON events_thresholded.keyid = thresholds.id
         WHERE events_thresholded.groupname = %s
           AND events_thresholded.eventseverity = %s
           AND events_thresholded.createtime >= thresholds.relapsetime
           AND thresholds.ttltime <= %s
         GROUP BY events_json.id
        """,
        (group_name, severity, ttl)
    )
    return self.cursor.fetchall()
</code></pre>
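The following is an added example, not code from the issue or the project: it runs the posted relapse condition on constructed rows next to one assumed reading of the sentence "all thresholded events should be reported" (the `ALL_FOR_KEY` query is that assumption, not the project's fix). It uses in-memory SQLite instead of PostgreSQL, so `group_concat` stands in for `ARRAY_AGG`, `?` for `%s`, and the schema is reduced to the columns the query touches.

```python
import sqlite3

# Only the columns the posted query touches; the rest of the schema is left out.
SCHEMA = """
CREATE TABLE events_json (id TEXT PRIMARY KEY, event TEXT);
CREATE TABLE thresholds (id TEXT PRIMARY KEY, relapsetime INT, ttltime INT);
CREATE TABLE events_thresholded (eventid TEXT, keyid TEXT, groupname TEXT,
                                 eventseverity TEXT, createtime INT);
"""
BASE = """
SELECT events_json.id, group_concat(events_thresholded.keyid) AS keyids
FROM events_json
INNER JOIN events_thresholded ON events_json.id = events_thresholded.eventid
INNER JOIN thresholds ON events_thresholded.keyid = thresholds.id
WHERE events_thresholded.groupname = ? AND events_thresholded.eventseverity = ?
  AND thresholds.ttltime <= ? AND {relapse}
GROUP BY events_json.id ORDER BY events_json.id
"""
# Condition as posted: the event itself was thresholded in the relapse period.
POSTED = BASE.format(relapse="events_thresholded.createtime >= thresholds.relapsetime")
# Assumed reading of the issue text: any relapse-period event under a key
# releases every thresholded event stored for that key.
ALL_FOR_KEY = BASE.format(relapse="""EXISTS (
    SELECT 1 FROM events_thresholded AS r
    WHERE r.keyid = thresholds.id AND r.createtime >= thresholds.relapsetime)""")

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data; times are plain integers.
    db.executemany("INSERT INTO thresholds VALUES (?, ?, ?)",
                   [("k1", 100, 200), ("k2", 300, 400), ("k3", 100, 200)])
    rows = [("e1", "k1", 50),   # k1, before the relapse period
            ("e2", "k1", 150),  # k1, inside the relapse period
            ("e3", "k2", 350),  # k2 window not yet expired at ttl=250
            ("e4", "k3", 60)]   # k3 has no relapse-period event at all
    for eid, key, created in rows:
        db.execute("INSERT INTO events_json VALUES (?, '{}')", (eid,))
        db.execute("INSERT INTO events_thresholded VALUES (?, ?, 'grp', 'low', ?)",
                   (eid, key, created))
    return db

def relapsed(db, sql, ttl=250):
    return db.execute(sql, ("grp", "low", ttl)).fetchall()

if __name__ == "__main__":
    db = demo_db()
    print("posted condition:", relapsed(db, POSTED))
    print("all events for key:", relapsed(db, ALL_FOR_KEY))
```

With the posted condition, `e1` stays unreported even though `e2` relapsed under the same key; the second query returns both.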
