def generateAggregation(self, agg, where_clausel): if not agg: return self.table, where_clausel if (agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT or agg.aggfunc == SigmaAggregationParser.AGGFUNC_MAX or agg.aggfunc == SigmaAggregationParser.AGGFUNC_MIN or agg.aggfunc == SigmaAggregationParser.AGGFUNC_SUM or agg.aggfunc == SigmaAggregationParser.AGGFUNC_AVG): if agg.groupfield: group_by = " GROUP BY {0}".format(self.fieldNameMapping(agg.groupfield, None)) else: group_by = "" if agg.aggfield: select = "*,{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) else: if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: select = "*,{}(*) AS agg".format(agg.aggfunc_notrans) else: raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans)) temp_table = "(SELECT {} FROM {} WHERE {}{})".format(select, self.table, where_clausel, group_by) agg_condition = "agg {} {}".format(agg.cond_op, agg.condition) return temp_table, agg_condition raise NotImplementedError("{} aggregation not implemented in SQL Backend".format(agg.aggfunc_notrans))
def generateSqlQuery(self, sigma_io): try: # Check if sigma_io can be parsed parser = SigmaCollectionParser(sigma_io, self.config, None) except Exception as e: raise SigmaParseError("Parsing error: {}".format(e)) # generate sql query queries = list(parser.generate(self.SQL)) # extract parsed rules parsed_rules = [parser.parsedyaml for parser in parser.parsers] # returns the SQL-Query with the parsed rule return list(zip(queries, parsed_rules))
def generateAggregation(self, agg, where_clause): if not agg: return self.table, where_clause # Near operator not supported yet if agg.aggfunc == SigmaAggregationParser.AGGFUNC_NEAR: raise NotImplementedError( "The 'near' aggregation operator is not implemented for the %s backend" % self.identifier) if (agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT or agg.aggfunc == SigmaAggregationParser.AGGFUNC_MAX or agg.aggfunc == SigmaAggregationParser.AGGFUNC_MIN or agg.aggfunc == SigmaAggregationParser.AGGFUNC_SUM or agg.aggfunc == SigmaAggregationParser.AGGFUNC_AVG): if agg.groupfield: group_by = " group by {0}".format( self.fieldNameMapping(agg.groupfield, None)) else: group_by = "" if agg.aggfield: select = "{}({}) as agg".format( agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) else: if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: select = "{}(*) as agg".format(agg.aggfunc_notrans) else: raise SigmaParseError( "For {} aggregation a fieldname needs to be specified". format(agg.aggfunc_notrans)) if self.derivedFieldSet: derivedFieldsStr = " {}".format(" ".join(self.derivedFieldSet)) else: derivedFieldsStr = "" temp_table = "from {}{} where {}{} select {}".format( self.table, derivedFieldsStr, where_clause, group_by, select) agg_condition = "agg {} {}".format(agg.cond_op, agg.condition) return temp_table, agg_condition raise NotImplementedError( "{} aggregation not implemented in Devo Backend".format( agg.aggfunc_notrans))