def test_spike_terms():
rules = {'threshold_ref': 5,
'spike_height': 2,
'timeframe': datetime.timedelta(minutes=10),
'spike_type': 'both',
'use_count_query': False,
'timestamp_field': 'ts',
'query_key': 'username',
'use_term_query': True}
terms1 = {ts_to_dt('2014-01-01T00:01:00Z'): [{'key': 'userA', 'doc_count': 10},
{'key': 'userB', 'doc_count': 5}]}
terms2 = {ts_to_dt('2014-01-01T00:10:00Z'): [{'key': 'userA', 'doc_count': 22},
{'key': 'userB', 'doc_count': 5}]}
terms3 = {ts_to_dt('2014-01-01T00:25:00Z'): [{'key': 'userA', 'doc_count': 25},
{'key': 'userB', 'doc_count': 27}]}
terms4 = {ts_to_dt('2014-01-01T00:27:00Z'): [{'key': 'userA', 'doc_count': 10},
{'key': 'userB', 'doc_count': 12},
{'key': 'userC', 'doc_count': 100}]}
terms5 = {ts_to_dt('2014-01-01T00:30:00Z'): [{'key': 'userD', 'doc_count': 100},
{'key': 'userC', 'doc_count': 100}]}
rule = SpikeRule(rules)
# Initial input
rule.add_terms_data(terms1)
assert len(rule.matches) == 0
# No spike for UserA because windows not filled
rule.add_terms_data(terms2)
assert len(rule.matches) == 0
# Spike for userB only
rule.add_terms_data(terms3)
assert len(rule.matches) == 1
assert rule.matches[0].get('username') == 'userB'
# Test no alert for new user over threshold
rules.pop('threshold_ref')
rules['threshold_cur'] = 50
rule = SpikeRule(rules)
rule.add_terms_data(terms1)
rule.add_terms_data(terms2)
rule.add_terms_data(terms3)
rule.add_terms_data(terms4)
assert len(rule.matches) == 0
# Test alert_on_new_data
rules['alert_on_new_data'] = True
rule = SpikeRule(rules)
rule.add_terms_data(terms1)
rule.add_terms_data(terms2)
rule.add_terms_data(terms3)
rule.add_terms_data(terms4)
assert len(rule.matches) == 1
# Test that another alert doesn't fire immediately for userC but it does for userD
rule.matches = []
rule.add_terms_data(terms5)
assert len(rule.matches) == 1
assert rule.matches[0]['username'] == 'userD'
def test_spike_terms():
rules = {
"threshold_ref": 5,
"spike_height": 2,
"timeframe": datetime.timedelta(minutes=10),
"spike_type": "both",
"use_count_query": False,
"timestamp_field": "ts",
"query_key": "username",
"use_term_query": True,
}
terms1 = {ts_to_dt("2014-01-01T00:01:00Z"): [{"key": "userA", "doc_count": 10}, {"key": "userB", "doc_count": 5}]}
terms2 = {ts_to_dt("2014-01-01T00:10:00Z"): [{"key": "userA", "doc_count": 22}, {"key": "userB", "doc_count": 5}]}
terms3 = {ts_to_dt("2014-01-01T00:25:00Z"): [{"key": "userA", "doc_count": 25}, {"key": "userB", "doc_count": 27}]}
terms4 = {
ts_to_dt("2014-01-01T00:27:00Z"): [
{"key": "userA", "doc_count": 10},
{"key": "userB", "doc_count": 12},
{"key": "userC", "doc_count": 100},
]
}
terms5 = {
ts_to_dt("2014-01-01T00:30:00Z"): [{"key": "userD", "doc_count": 100}, {"key": "userC", "doc_count": 100}]
}
rule = SpikeRule(rules)
# Initial input
rule.add_terms_data(terms1)
assert len(rule.matches) == 0
# No spike for UserA because windows not filled
rule.add_terms_data(terms2)
assert len(rule.matches) == 0
# Spike for userB only
rule.add_terms_data(terms3)
assert len(rule.matches) == 1
assert rule.matches[0].get("username") == "userB"
# Test no alert for new user over threshold
rules.pop("threshold_ref")
rules["threshold_cur"] = 50
rule = SpikeRule(rules)
rule.add_terms_data(terms1)
rule.add_terms_data(terms2)
rule.add_terms_data(terms3)
rule.add_terms_data(terms4)
assert len(rule.matches) == 0
# Test alert_on_new_data
rules["alert_on_new_data"] = True
rule = SpikeRule(rules)
rule.add_terms_data(terms1)
rule.add_terms_data(terms2)
rule.add_terms_data(terms3)
rule.add_terms_data(terms4)
assert len(rule.matches) == 1
# Test that another alert doesn't fire immediately for userC but it does for userD
rule.matches = []
rule.add_terms_data(terms5)
assert len(rule.matches) == 1
assert rule.matches[0]["username"] == "userD"
