New module to calculate the ratio

[maxbruso]

Hello,

I created a new AccessRatioRule.py module in the previous version of elasticalert to calculate the ratio .

def add_data (self, data):
    count = 0.0

    for document on date:
        if document ['field1'] == 0 and document ['field2'] == 200 and document ['field3'] == GET ":
            count = count + 1
    size = len (date)
    self.alert_ratio = (count / size) * 100
    if self.alert_ratio> = self.rules ["alert_ratio"]:
        for document on date:
            if document ['field1'] == 0 and document ['field2'] == 200 and document ['field3'] == "GET":
                self.add_match (document)

def get_match_str (self, match):
     site = self.rules ["monitor_site"]
     return "Client:% s \ nRatio found =% d \ n"% (site, self.alert_ratio)

---

# example_ratio.yaml
# 
# Elasticsearch host
es_host: 127.0.0.1

# (Optional)
# Elasticsearch port
es_port: 9200

# (Required)
# Rule name, must be unique
name: Event ratio

# (Required)
# Type of alert.
type: "elastalert_modules.AccessRatioRule.AccessRatioRule"

# (Required)
# Index to search, wildcard supported
index: testfile-*

#  search all >= 5 %
alert_ratio: 5

timeframe:
  hours: 6

query_key: "clientip.keyword"

Now I wish I could handle the equivalent of sql "group_by" clientip, to calculate the ratio for each ip that has field1 = 0 and field2 = 200 and field3 = GET.
Using query_key it is calculated the ratio between all requests with field1 == 0 AND field2 == 200 AND field3 == GET and those made by clientip aggregated.

How can the ratio be calculated for each individual client?
Could anyone help me?

[maxbruso]

Hello ,
I found the solution.
My example_ratio.yml file is :
example_ratio.txt

The AccessRateRule.py file is :
AccessRateRule.txt