def test_flatline_forget_query_key():
rules = {
'timeframe': datetime.timedelta(seconds=30),
'threshold': 1,
'query_key': 'qk',
'forget_keys': True,
'timestamp_field': '@timestamp'
}
rule = FlatlineRule(rules)
# Adding two separate query keys, the flatline rule should trigger for both
rule.add_data(hits(1, qk='key1'))
assert rule.matches == []
# This will be run at the end of the hits
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
assert rule.matches == []
# Key1 should not alert
timestamp = '2014-09-26T12:00:45Z'
rule.garbage_collect(ts_to_dt(timestamp))
assert len(rule.matches) == 1
rule.matches = []
# key1 was forgotten, so no more matches
rule.garbage_collect(ts_to_dt('2014-09-26T12:01:11Z'))
assert rule.matches == []
def test_flatline():
events = hits(10)
rules = {"timeframe": datetime.timedelta(seconds=30), "threshold": 2, "timestamp_field": "@timestamp"}
rule = FlatlineRule(rules)
# 1 hit should cause an alert until after at least 30 seconds pass
rule.add_data(hits(1))
assert rule.matches == []
rule.add_data(events)
# This will be run at the end of the hits
rule.garbage_collect(ts_to_dt("2014-09-26T12:00:11Z"))
assert rule.matches == []
# This would be run if the query returned nothing for a future timestamp
rule.garbage_collect(ts_to_dt("2014-09-26T12:00:45Z"))
assert len(rule.matches) == 1
def test_flatline():
events = hits(10)
rules = {'timeframe': datetime.timedelta(seconds=30),
'threshold': 2,
'timestamp_field': '@timestamp'}
rule = FlatlineRule(rules)
# 1 hit should cause an alert until after at least 30 seconds pass
rule.add_data(hits(1))
assert rule.matches == []
rule.add_data(events)
# This will be run at the end of the hits
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
assert rule.matches == []
# This would be run if the query returned nothing for a future timestamp
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:45Z'))
assert len(rule.matches) == 1
def test_flatline_query_key():
rules = {'timeframe': datetime.timedelta(seconds=30),
'threshold': 1,
'use_query_key': True,
'query_key': 'qk',
'timestamp_field': '@timestamp'}
rule = FlatlineRule(rules)
# Adding two separate query keys, the flatline rule should trigger for both
rule.add_data(hits(1, qk='key1'))
rule.add_data(hits(1, qk='key2'))
rule.add_data(hits(1, qk='key3'))
assert rule.matches == []
# This will be run at the end of the hits
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
assert rule.matches == []
# Add new data from key3. It will not immediately cause an alert
rule.add_data([create_event(ts_to_dt('2014-09-26T12:00:20Z'), qk='key3')])
# key1 and key2 have not had any new data, so they will trigger the flatline alert
timestamp = '2014-09-26T12:00:45Z'
rule.garbage_collect(ts_to_dt(timestamp))
assert len(rule.matches) == 2
assert set(['key1', 'key2']) == set([m['key'] for m in rule.matches if m['@timestamp'] == timestamp])
# Next time the rule runs, the key1 and key2 will have been forgotten. Now key3 will cause an alert
timestamp = '2014-09-26T12:01:20Z'
rule.garbage_collect(ts_to_dt(timestamp))
assert len(rule.matches) == 3
assert set(['key3']) == set([m['key'] for m in rule.matches if m['@timestamp'] == timestamp])
def test_flatline_query_key():
rules = {
"timeframe": datetime.timedelta(seconds=30),
"threshold": 1,
"use_query_key": True,
"query_key": "qk",
"timestamp_field": "@timestamp",
}
rule = FlatlineRule(rules)
# Adding two separate query keys, the flatline rule should trigger for both
rule.add_data(hits(1, qk="key1"))
rule.add_data(hits(1, qk="key2"))
rule.add_data(hits(1, qk="key3"))
assert rule.matches == []
# This will be run at the end of the hits
rule.garbage_collect(ts_to_dt("2014-09-26T12:00:11Z"))
assert rule.matches == []
# Add new data from key3. It will not immediately cause an alert
rule.add_data([create_event(ts_to_dt("2014-09-26T12:00:20Z"), qk="key3")])
# key1 and key2 have not had any new data, so they will trigger the flatline alert
timestamp = "2014-09-26T12:00:45Z"
rule.garbage_collect(ts_to_dt(timestamp))
assert len(rule.matches) == 2
assert set(["key1", "key2"]) == set([m["key"] for m in rule.matches if m["@timestamp"] == timestamp])
# Next time the rule runs, the key1 and key2 will have been forgotten. Now key3 will cause an alert
timestamp = "2014-09-26T12:01:20Z"
rule.garbage_collect(ts_to_dt(timestamp))
assert len(rule.matches) == 3
assert set(["key3"]) == set([m["key"] for m in rule.matches if m["@timestamp"] == timestamp])
def test_flatline():
events = hits(40)
rules = {
'timeframe': datetime.timedelta(seconds=30),
'threshold': 2,
'timestamp_field': '@timestamp',
}
rule = FlatlineRule(rules)
# 1 hit should cause an alert until after at least 30 seconds pass
rule.add_data(hits(1))
assert rule.matches == []
# Add hits with timestamps 2014-09-26T12:00:00 --> 2014-09-26T12:00:09
rule.add_data(events[0:10])
# This will be run at the end of the hits
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
assert rule.matches == []
# This would be run if the query returned nothing for a future timestamp
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:45Z'))
assert len(rule.matches) == 1
# After another garbage collection, since there are still no events, a new match is added
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:50Z'))
assert len(rule.matches) == 2
# Add hits with timestamps 2014-09-26T12:00:30 --> 2014-09-26T12:00:39
rule.add_data(events[30:])
# Now that there is data in the last 30 minutes, no more matches should be added
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:55Z'))
assert len(rule.matches) == 2
# After that window passes with no more data, a new match is added
rule.garbage_collect(ts_to_dt('2014-09-26T12:01:11Z'))
assert len(rule.matches) == 3
def test_flatline():
events = hits(40)
rules = {
'timeframe': datetime.timedelta(seconds=30),
'threshold': 2,
'timestamp_field': '@timestamp',
}
rule = FlatlineRule(rules)
# 1 hit should cause an alert until after at least 30 seconds pass
rule.add_data(hits(1))
assert rule.matches == []
# Add hits with timestamps 2014-09-26T12:00:00 --> 2014-09-26T12:00:09
rule.add_data(events[0:10])
# This will be run at the end of the hits
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:11Z'))
assert rule.matches == []
# This would be run if the query returned nothing for a future timestamp
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:45Z'))
assert len(rule.matches) == 1
# After another garbage collection, since there are still no events, a new match is added
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:50Z'))
assert len(rule.matches) == 2
# Add hits with timestamps 2014-09-26T12:00:30 --> 2014-09-26T12:00:39
rule.add_data(events[30:])
# Now that there is data in the last 30 minutes, no more matches should be added
rule.garbage_collect(ts_to_dt('2014-09-26T12:00:55Z'))
assert len(rule.matches) == 2
# After that window passes with no more data, a new match is added
rule.garbage_collect(ts_to_dt('2014-09-26T12:01:11Z'))
assert len(rule.matches) == 3