Add top mac and networks by alert count

2026-05-06 03:45:26 +00:00 · 2021-06-03 15:12:37 +02:00 · 2021-06-03 15:12:37 +02:00 · f6f089c69e
commit f6f089c69e
parent d490648c70
5 changed files with 56 additions and 8 deletions
--- a/scripts/lua/modules/alert_store/alert_store.lua
+++ b/scripts/lua/modules/alert_store/alert_store.lua
@ -24,12 +24,14 @@ local alert_store = classes.class()

 -- Default number of time slots to be returned when aggregating by time
 local NUM_TIME_SLOTS = 31
+local TOP_LIMIT = 10

 -- ##############################################

 function alert_store:init(args)
   self._where = { "1 = 1" }
   self._group_by = nil
+   self._top_limit = TOP_LIMIT
 end

 -- ##############################################
--- a/scripts/lua/modules/alert_store/flow_alert_store.lua
+++ b/scripts/lua/modules/alert_store/flow_alert_store.lua
@ -87,10 +87,9 @@ end
 function flow_alert_store:top_cli_ip_historical()
   -- Preserve all the filters currently set
   local where_clause = table.concat(self._where, " AND ")
-   local limit = 10

   local q = string.format("SELECT cli_ip, count(*) count FROM %s WHERE %s GROUP BY cli_ip ORDER BY count DESC LIMIT %u",
-			   self._table_name, where_clause, limit)
+			   self._table_name, where_clause, self._top_limit)

   local q_res = interface.alert_store_query(q) or {}

@ -103,10 +102,9 @@ end
 function flow_alert_store:top_srv_ip_historical()
   -- Preserve all the filters currently set
   local where_clause = table.concat(self._where, " AND ")
-   local limit = 10

   local q = string.format("SELECT srv_ip, count(*) count FROM %s WHERE %s GROUP BY srv_ip ORDER BY count DESC LIMIT %u",
-			   self._table_name, where_clause, limit)
+			   self._table_name, where_clause, self._top_limit)

   local q_res = interface.alert_store_query(q) or {}

@ -119,7 +117,6 @@ end
 local function top_ip_merge(top_cli_ip, top_srv_ip)
   local all_ip = {}
   local top_ip = {}
-   local limit = 10

   for _, p in ipairs(top_cli_ip) do
      all_ip[p.cli_ip] = tonumber(p.count)
@ -132,7 +129,7 @@ local function top_ip_merge(top_cli_ip, top_srv_ip)
         ip = ip,
         count = count,
      }
-      if #top_ip >= limit then break end
+      if #top_ip >= self._top_limit then break end
   end

   return top_ip
--- a/scripts/lua/modules/alert_store/host_alert_store.lua
+++ b/scripts/lua/modules/alert_store/host_alert_store.lua
@ -73,10 +73,9 @@ end
 function host_alert_store:top_ip_historical()
   -- Preserve all the filters currently set
   local where_clause = table.concat(self._where, " AND ")
-   local limit = 10

   local q = string.format("SELECT ip, count(*) count FROM %s WHERE %s GROUP BY ip ORDER BY count DESC LIMIT %u",
-			   self._table_name, where_clause, limit)
+			   self._table_name, where_clause, self._top_limit)

   local q_res = interface.alert_store_query(q) or {}

--- a/scripts/lua/modules/alert_store/mac_alert_store.lua
+++ b/scripts/lua/modules/alert_store/mac_alert_store.lua
@ -57,6 +57,31 @@ end

 -- ##############################################

+--@brief Performs a query for the top device address by alert count
+function mac_alert_store:top_address_historical()
+   -- Preserve all the filters currently set
+   local where_clause = table.concat(self._where, " AND ")
+
+   local q = string.format("SELECT address, count(*) count FROM %s WHERE %s GROUP BY address ORDER BY count DESC LIMIT %u",
+			   self._table_name, where_clause, self._top_limit)
+
+   local q_res = interface.alert_store_query(q) or {}
+
+   return q_res
+end
+
+-- ##############################################
+
+--@brief Stats used by the dashboard
+function mac_alert_store:_get_additional_stats()
+   local stats = {}
+   stats.top = {}
+   stats.top.address = self:top_address_historical()
+   return stats
+end
+
+-- ##############################################
+
 --@brief Add filters according to what is specified inside the REST API
 function mac_alert_store:_add_additional_request_filters()
   -- Add filters specific to the mac family
--- a/scripts/lua/modules/alert_store/network_alert_store.lua
+++ b/scripts/lua/modules/alert_store/network_alert_store.lua
@ -64,6 +64,31 @@ end

 -- ##############################################

+--@brief Performs a query for the top networks by alert count
+function network_alert_store:top_local_network_id_historical()
+   -- Preserve all the filters currently set
+   local where_clause = table.concat(self._where, " AND ")
+
+   local q = string.format("SELECT local_network_id, count(*) count, name FROM %s WHERE %s GROUP BY local_network_id ORDER BY count DESC LIMIT %u",
+			   self._table_name, where_clause, self._top_limit)
+
+   local q_res = interface.alert_store_query(q) or {}
+
+   return q_res
+end
+
+-- ##############################################
+
+--@brief Stats used by the dashboard
+function network_alert_store:_get_additional_stats()
+   local stats = {}
+   stats.top = {}
+   stats.top.local_network_id = self:top_local_network_id_historical()
+   return stats
+end
+
+-- ##############################################
+
 --@brief Convert an alert coming from the DB (value) to a record returned by the REST API
 function network_alert_store:format_record(value, no_html)
   local record = self:format_record_common(value, alert_entities.network.entity_id, no_html)