Create aggregation field in event definition - #170

VincentD06 · VincentD06 · commit eed28c3b00d2 · 2025-12-10T10:36:19.000+01:00
diff --git a/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/business/EventDefinitionService.java b/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/business/EventDefinitionService.java
@@ -20,7 +20,11 @@
 import com.airbus_cyber_security.graylog.wizard.config.rest.AlertWizardConfig;
 import com.airbus_cyber_security.graylog.wizard.config.rest.AlertWizardConfigurationService;
 import com.airbus_cyber_security.graylog.wizard.config.rest.DefaultValues;
+import com.airbus_cyber_security.graylog.wizard.fields.AggregationFieldValueProvider;
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import org.graylog.events.fields.EventFieldSpec;
+import org.graylog.events.fields.FieldValueType;
 import org.graylog.events.notifications.EventNotificationHandler;
 import org.graylog.events.notifications.EventNotificationSettings;
 import org.graylog.events.processor.DBEventDefinitionService;
@@ -35,10 +39,10 @@
 import jakarta.inject.Inject;
 import java.util.Optional;
 
-// TODO I am not sure to like this name EventDefinitionHandler? EventDefinitionBusiness? EventDefinitionOperations?
 public class EventDefinitionService {
 
     private static final Logger LOG = LoggerFactory.getLogger(EventDefinitionService.class);
+    private static final String AGGREGATION_TIME_RANGE_FIELD_NAME = "aggregation_id";
 
     private final EventDefinitionHandler eventDefinitionHandler;
 
@@ -77,13 +81,20 @@ public String createEvent(String alertTitle, String description, Integer priorit
 
         AlertWizardConfig pluginConfiguration = this.configurationService.getConfiguration();
         DefaultValues defaultValues = pluginConfiguration.accessDefaultValues();
+        EventFieldSpec aggregationFieldSpec = EventFieldSpec.builder()
+                .dataType(FieldValueType.STRING)
+                .providers(ImmutableList.of(AggregationFieldValueProvider.Config.builder()
+                        .aggregationTimeRange(defaultValues.getAggregationTime())
+                        .build()))
+                .build();
         EventDefinitionDto eventDefinition = EventDefinitionDto.builder()
                 .title(alertTitle)
                 .description(description)
                 .config(configuration)
                 .alert(true)
                 .priority(priority)
                 .keySpec(ImmutableList.of())
+                .fieldSpec(ImmutableMap.of(AGGREGATION_TIME_RANGE_FIELD_NAME, aggregationFieldSpec))
                 .notifications(ImmutableList.<EventNotificationHandler.Config>builder().add(notificationConfiguration).build())
                 .notificationSettings(EventNotificationSettings.builder()
                         .gracePeriodMs(0L)
diff --git a/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/business/NotificationService.java b/src/main/java/com/airbus_cyber_security/graylog/wizard/alert/business/NotificationService.java
@@ -69,17 +69,10 @@ private String getDefaultLogBody() {
         return generalConfig.accessLogBody();
     }
 
-    private int getDefaultTime() {
-        LoggingAlertConfig configuration = this.clusterConfigService.getOrDefault(LoggingAlertConfig.class,
-                LoggingAlertConfig.createDefault());
-        return configuration.accessAggregationTime();
-    }
-
     public String createNotification(String alertTitle, UserContext userContext) {
         LoggingNotificationConfig loggingNotificationConfig = LoggingNotificationConfig.builder()
                 .singleMessage(false)
                 .logBody(this.getDefaultLogBody())
-                .aggregationTime(this.getDefaultTime())
                 .build();
         NotificationDto notification = NotificationDto.builder()
                 .config(loggingNotificationConfig)
@@ -94,7 +87,7 @@ public void updateNotification(String title, String notificationIdentifier) {
                 .orElseThrow(() -> new jakarta.ws.rs.NotFoundException("Notification " + notificationIdentifier + " doesn't exist"));
         LoggingNotificationConfig loggingNotificationConfig = (LoggingNotificationConfig) notification.config();
         if (!notification.title().equals(title)) {
-            LOG.debug("Update Notification " + title);
+            LOG.debug("Update Notification {}", title);
             notification = NotificationDto.builder()
                     .id(notification.id())
                     .config(loggingNotificationConfig)
