def generateAggregation(self, agg, where_clausel):
if not agg:
return self.table, where_clausel
if (agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT or
agg.aggfunc == SigmaAggregationParser.AGGFUNC_MAX or
agg.aggfunc == SigmaAggregationParser.AGGFUNC_MIN or
agg.aggfunc == SigmaAggregationParser.AGGFUNC_SUM or
agg.aggfunc == SigmaAggregationParser.AGGFUNC_AVG):
if agg.groupfield:
group_by = " GROUP BY {0}".format(self.fieldNameMapping(agg.groupfield, None))
else:
group_by = ""
if agg.aggfield:
select = "*,{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None))
else:
if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT:
select = "*,{}(*) AS agg".format(agg.aggfunc_notrans)
else:
raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans))
temp_table = "(SELECT {} FROM {} WHERE {}{})".format(select, self.table, where_clausel, group_by)
agg_condition = "agg {} {}".format(agg.cond_op, agg.condition)
return temp_table, agg_condition
raise NotImplementedError("{} aggregation not implemented in SQL Backend".format(agg.aggfunc_notrans))
def generateSqlQuery(self, sigma_io):
try:
# Check if sigma_io can be parsed
parser = SigmaCollectionParser(sigma_io, self.config, None)
except Exception as e:
raise SigmaParseError("Parsing error: {}".format(e))
# generate sql query
queries = list(parser.generate(self.SQL))
# extract parsed rules
parsed_rules = [parser.parsedyaml for parser in parser.parsers]
# returns the SQL-Query with the parsed rule
return list(zip(queries, parsed_rules))
def generateAggregation(self, agg, where_clause):
if not agg:
return self.table, where_clause
# Near operator not supported yet
if agg.aggfunc == SigmaAggregationParser.AGGFUNC_NEAR:
raise NotImplementedError(
"The 'near' aggregation operator is not implemented for the %s backend"
% self.identifier)
if (agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT
or agg.aggfunc == SigmaAggregationParser.AGGFUNC_MAX
or agg.aggfunc == SigmaAggregationParser.AGGFUNC_MIN
or agg.aggfunc == SigmaAggregationParser.AGGFUNC_SUM
or agg.aggfunc == SigmaAggregationParser.AGGFUNC_AVG):
if agg.groupfield:
group_by = " group by {0}".format(
self.fieldNameMapping(agg.groupfield, None))
else:
group_by = ""
if agg.aggfield:
select = "{}({}) as agg".format(
agg.aggfunc_notrans,
self.fieldNameMapping(agg.aggfield, None))
else:
if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT:
select = "{}(*) as agg".format(agg.aggfunc_notrans)
else:
raise SigmaParseError(
"For {} aggregation a fieldname needs to be specified".
format(agg.aggfunc_notrans))
if self.derivedFieldSet:
derivedFieldsStr = " {}".format(" ".join(self.derivedFieldSet))
else:
derivedFieldsStr = ""
temp_table = "from {}{} where {}{} select {}".format(
self.table, derivedFieldsStr, where_clause, group_by, select)
agg_condition = "agg {} {}".format(agg.cond_op, agg.condition)
return temp_table, agg_condition
raise NotImplementedError(
"{} aggregation not implemented in Devo Backend".format(
agg.aggfunc_notrans))