Fix formatting matched arguments

This commit is contained in:
Mark Veidemanis 2023-02-09 22:54:38 +00:00
parent f4273e4453
commit 2356c6bcd7
Signed by: m
GPG Key ID: 5ACFCEED46C0904F
2 changed files with 28 additions and 4 deletions


@ -371,6 +371,8 @@ class ElasticsearchBackend(StorageBackend):
""" """
Check the results of a scheduled query for aggregations. Check the results of a scheduled query for aggregations.
""" """
if rule_object.aggs is None:
return result_map
for index, (meta, result) in result_map.items(): for index, (meta, result) in result_map.items():
# Default to true, if no aggs are found, we still want to match # Default to true, if no aggs are found, we still want to match
match = True match = True
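Review bot: The early return added before the loop changes the method's contract, but the docstring just above it still describes only the aggregation check; I would extend it with `Returns result_map unchanged when rule_object.aggs is None.` The guard short-circuits only on `None`: a rule whose aggs is an empty mapping presumably still enters the loop and, given the `match = True` default on the last line, reports every result as matched — if an empty mapping is a reachable state, `if not rule_object.aggs:` would cover both cases. The enclosing method begins before this hunk and continues after it.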


@ -103,7 +103,7 @@ def format_webhook(**kwargs):
notify_message = { notify_message = {
"rule_id": rule.id, "rule_id": rule.id,
"rule_name": rule.name, "rule_name": rule.name,
"match": matched, "matched": matched,
"total_hits": total_hits, "total_hits": total_hits,
"index": index, "index": index,
"data": message, "data": message,
@ -215,6 +215,25 @@ class NotificationRuleData(object):
self.object.match[index] = False self.object.match[index] = False
self.object.save() self.object.save()
def format_matched(self, messages):
matched = {}
for message in messages:
for field, value in self.data:
if field == "msg":
# Allow partial matches for msg
for msg in value:
if "msg" in message:
if msg.lower() in message["msg"].lower():
matched[field] = msg
# Break out of the msg matching loop
break
# Continue to next field
continue
if field in message and message[field] in value:
# Do exact matches for all other fields
matched[field] = message[field]
return matched
def store_match(self, index, match): def store_match(self, index, match):
""" """
Store a match result. Store a match result.
@ -293,8 +312,9 @@ class NotificationRuleData(object):
for agg_name, agg in aggs.items(): for agg_name, agg in aggs.items():
print("ITER", agg_name, agg) print("ITER", agg_name, agg)
# Already checked membership below # Already checked membership below
op, value = self.aggs[agg_name] if agg_name in self.aggs:
new_aggs[agg_name] = f"{agg['value']}{op}{value}" op, value = self.aggs[agg_name]
new_aggs[agg_name] = f"{agg['value']}{op}{value}"
return new_aggs return new_aggs
@ -361,9 +381,11 @@ class NotificationRuleData(object):
pass pass
# We hit the return above if we don't need to notify # We hit the return above if we don't need to notify
if "aggs" in meta and "matched" not in meta: meta["matched"] = self.format_matched(message)
if "aggs" in meta:
meta["matched"] = self.format_aggs(meta["aggs"]) meta["matched"] = self.format_aggs(meta["aggs"])
print("MATCHED", meta["matched"]) print("MATCHED", meta["matched"])
rule_notify(self.object, index, message, meta) rule_notify(self.object, index, message, meta)
self.store_match(index, message) self.store_match(index, message)
await self.ingest_matches(index, message, meta, mode) await self.ingest_matches(index, message, meta, mode)
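Review bot: `format_matched` iterates its parameter as `for message in messages:`, but the only call site in the last hunk passes the singular `message` that is also handed to `rule_notify` and `store_match`; if that value is a single hit dict rather than a list of hits, the loop walks its keys and `message["msg"]` raises TypeError on a str, so either rename the parameter to match the call or confirm the argument is a list. The new method has no docstring; I would add `"""Return a field -> value map of what matched across the hits: "msg" by case-insensitive substring, other fields by exact membership in the rule's values; later hits overwrite earlier ones."""`. `for field, value in self.data:` only works if `self.data` is a sequence of pairs — if it is a dict like `self.aggs`, it needs `.items()`. In the last hunk the `format_aggs` assignment on the following line replaces the field matches just computed whenever `aggs` is present; if both are wanted, `meta["matched"].update(self.format_aggs(meta["aggs"]))` keeps them. That method starts before this hunk.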