Use DB conversion function for timestamps, instead of parsing the date in lua

2026-05-02 00:40:10 +00:00 · 2022-03-21 11:53:30 +01:00 · 2022-03-21 11:53:30 +01:00 · be5bf4e479
commit be5bf4e479
parent 38d9133e0b
2 changed files with 13 additions and 5 deletions
--- a/scripts/lua/modules/alert_store/alert_store.lua
+++ b/scripts/lua/modules/alert_store/alert_store.lua
@ -737,7 +737,7 @@ function alert_store:select_historical(filter, fields)
   -- NOTE: entity_id is necessary as alert_utils.formatAlertMessage assumes it to always be present inside the alert
   local q
   if ntop.isClickHouseEnabled() then
-      q = string.format(" SELECT %u entity_id, (toUnixTimestamp(tstamp_end) - toUnixTimestamp(tstamp)) duration, %s FROM `%s` WHERE %s %s %s %s %s",
+      q = string.format(" SELECT %u entity_id, (toUnixTimestamp(tstamp_end) - toUnixTimestamp(tstamp)) duration, toUnixTimestamp(tstamp) as tstamp_epoch, toUnixTimestamp(tstamp_end) as tstamp_end_epoch, %s FROM `%s` WHERE %s %s %s %s %s",
         self._alert_entity.entity_id, fields, self._table_name, where_clause, group_by_clause, order_by_clause, limit_clause, offset_clause)
   else
      q = string.format(" SELECT %u entity_id, (tstamp_end - tstamp) duration, %s FROM `%s` WHERE %s %s %s %s %s",
@ -749,9 +749,16 @@ function alert_store:select_historical(filter, fields)
   if ntop.isClickHouseEnabled() then
      -- convert DATETIME to epoch
      for _, record in ipairs(res or {}) do
-         if record.tstamp then record.tstamp = format_utils.parseDateTime(record.tstamp) end
-         if record.tstamp_end then record.tstamp_end = format_utils.parseDateTime(record.tstamp_end) end
-         if record.first_seen then record.first_seen = format_utils.parseDateTime(record.first_seen) end
+         if record.tstamp_epoch then record.tstamp = record.tstamp_epoch
+         elseif record.tstamp then record.tstamp = format_utils.parseDateTime(record.tstamp) end
+
+         if record.tstamp_end_epoch then record.tstamp_end = record.tstamp_end_epoch
+         elseif record.tstamp_end then record.tstamp_end = format_utils.parseDateTime(record.tstamp_end) end
+
+         -- first_seen is only used in where conditions as it is indexed,  
+         -- using tstamp in select as it is commong to all alert tables
+         -- if record.first_seen then record.first_seen = format_utils.parseDateTime(record.first_seen) end
+
         if record.user_label_tstamp then record.user_label_tstamp = format_utils.parseDateTime(record.user_label_tstamp) end
      end
   end
--- a/scripts/lua/modules/alert_store/flow_alert_store.lua
+++ b/scripts/lua/modules/alert_store/flow_alert_store.lua
@ -62,6 +62,7 @@ function flow_alert_store:insert(alert)
   -- - tstamp and first_seen contains the same value alert.first_seen
   -- - tstamp_end is set to alert.tstamp (which is the time the alert has been emitted as there is no engage on flows)
   -- - first_seen is used to lookups as this is the indexed field
+   -- - tstamp (instead of first_seen) is used in select and for visualization as it's in common to all tables

   local insert_stmt = string.format("INSERT INTO %s "..
      "(%salert_id, interface_id, tstamp, tstamp_end, severity, ip_version, cli_ip, srv_ip, cli_port, srv_port, vlan_id, "..
@ -560,7 +561,7 @@ function flow_alert_store:format_record(value, no_html)
      local op_suffix = tag_utils.SEPARATOR .. 'eq'
      local href = string.format('%s/lua/pro/db_search.lua?epoch_begin=%u&epoch_end=%u&cli_ip=%s%s&srv_ip=%s%s&cli_port=%s%s&srv_port=%s%s&l4proto=%s%s',
         ntop.getHttpPrefix(), 
-         tonumber(value["first_seen"]) - (5*60),
+         tonumber(value["tstamp"]) - (5*60),
         tonumber(value["tstamp_end"]) + (5*60), 
         value["cli_ip"], op_suffix,
         value["srv_ip"], op_suffix,