Allow search window type to be specified in generic deadman config

2019-02-04 13:19:51 -06:00 · 2019-02-04 13:19:51 -06:00 · 3e895ab0dc
--- a/alerts/deadman_generic.json
+++ b/alerts/deadman_generic.json
@ -1,14 +1,16 @@
 {
    "alerts": [
        {
+            "description": "Sample Alert 1",
            "search_query": "ABC12345436",
            "time_window": "5",
-            "description": "Basic deadman"
+            "time_window_type": "minutes"
        },
        {
+            "description": "Sample Alert 2",
            "search_query": "anotherterm",
            "time_window": "20",
-            "description": "Another deadman"
+            "time_window_type": "hours"
        }
    ]
 }
--- a/alerts/deadman_generic.py
+++ b/alerts/deadman_generic.py
@ -15,7 +15,6 @@ class AlertDeadman_Generic(AlertTask):

    def main(self):
        self._config = self.parse_json_alert_config('deadman_generic.json')
-
        for alert_cfg in self._config['alerts']:
            try:
                self.process_alert(alert_cfg)
@ -27,7 +26,9 @@ class AlertDeadman_Generic(AlertTask):

    def process_alert(self, alert_config):
        self.current_alert_time_window = int(alert_config['time_window'])
-        search_query = SearchQuery(minutes=self.current_alert_time_window)
+        self.current_alert_time_type = alert_config['time_window_type']
+        search_query_time_window = {self.current_alert_time_type: self.current_alert_time_window}
+        search_query = SearchQuery(**search_query_time_window)
        search_query.add_must(QueryStringMatch(str(alert_config['search_query'])))
        self.filtersManual(search_query)
        self.searchEventsSimple()
@ -40,5 +41,9 @@ class AlertDeadman_Generic(AlertTask):
        tags = ['deadman']
        severity = 'ERROR'

-        summary = "Deadman check failed for '{0}' the past {1} minutes".format(description, self.current_alert_time_window)
+        summary = "Deadman check failed for '{0}' the past {1} {2}".format(
+            description,
+            self.current_alert_time_window,
+            self.current_alert_time_type
+        )
        return self.createAlertDict(summary, category, tags, [], severity=severity)
--- a/tests/alerts/test_deadman_generic.py
+++ b/tests/alerts/test_deadman_generic.py
@ -32,7 +32,7 @@ class TestDeadman_Generic(AlertTestSuite):
        "category": "deadman",
        "tags": ['deadman'],
        "severity": "ERROR",
-        "summary": 'Deadman check failed for \'Basic deadman\' the past 5 minutes',
+        "summary": 'Deadman check failed for \'Sample Alert 1\' the past 5 minutes',
    }
    test_cases.append(
        PositiveAlertTestCase(
@ -51,7 +51,7 @@ class TestDeadman_Generic(AlertTestSuite):
        "category": "deadman",
        "tags": ['deadman'],
        "severity": "ERROR",
-        "summary": 'Deadman check failed for \'Another deadman\' the past 20 minutes',
+        "summary": 'Deadman check failed for \'Sample Alert 2\' the past 20 hours',
    }
    test_cases.append(
        PositiveAlertTestCase(
@ -86,8 +86,8 @@ class TestDeadman_Generic(AlertTestSuite):
        AlertTestSuite.create_event(matched_event_first),
        AlertTestSuite.create_event(matched_event_second)
    ]
-    events[1]['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 21})
-    events[1]['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'minutes': 21})
+    events[1]['_source']['utctimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'hours': 21})
+    events[1]['_source']['receivedtimestamp'] = AlertTestSuite.subtract_from_timestamp_lambda(date_timedelta={'hours': 21})
    test_cases.append(
        PositiveAlertTestCase(
            description="Positive test case with events matching second alert configuration but are old",