groupby Value Empty about elsa HOT 3 OPEN

If you take off the archive:0 or archive:1 and do a search that isn't a
groupby, do you get results?

On Wed, May 4, 2016 at 9:18 AM, Milian Reichardt [email protected]
wrote:

Hey,
I created a custom Class and patternDB for our Sophos Firewall.
Everything works correctly, but when I try to groupby: e.g. srcip, ELSA
shows only 1 graph and without Value. The Count looks right but added all
srcip's together.
I only created one new Field (fwrule(int)).

Also, if I don't add the "archive:0/1" it shows no result at all.
[image: auto generated inline image 1]
https://cloud.githubusercontent.com/assets/18323490/15016514/ce1d381c-1211-11e6-83a5-a08f6bb65a8b.jpg

Output of web.log during Query:

• TRACE [2016/05/04 14:44:49] /usr/local/elsa/web/lib/SyncMysql.pm (29) SyncMysql::query 7489 [undef]
  query: SELECT id, program FROM programs WHERE id IN (?)
  values:
  • ERROR [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Query/SQL.pm (652) Query::SQL::ANON 7489 [undef]
    Did not get extra field value rows though we had values: $VAR1 = {
    '' => undef
    };
• WARN [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Fields.pm (646) Fields::resolve_value 7489 [undef]
  No field_order found for col
• TRACE [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Query/SQL.pm (572) Query::SQL::_format_records_groupby 7489 [undef]
  field_order: key
• WARN [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Fields.pm (646) Fields::resolve_value 7489 [undef]
  No field_order found for col
• TRACE [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Query/SQL.pm (572) Query::SQL::_format_records_groupby 7489 [undef]
  field_order: key
• WARN [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Fields.pm (646) Fields::resolve_value 7489 [undef]
  No field_order found for col
• TRACE [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Query/SQL.pm (572) Query::SQL::_format_records_groupby 7489 [undef]
  field_order: key
• WARN [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Fields.pm (646) Fields::resolve_value 7489 [undef]
  No field_order found for col
• TRACE [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Query/SQL.pm (572) Query::SQL::_format_records_groupby 7489 [undef]
  field_order: key
• WARN [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Fields.pm (646) Fields::resolve_value 7489 [undef]
  No field_order found for col
• TRACE [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Query/SQL.pm (572) Query::SQL::_format_records_groupby 7489 [undef]
  field_order: key
• WARN [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Fields.pm (646) Fields::resolve_value 7489 [undef]
  No field_order found for col
• TRACE [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Query/SQL.pm (572) Query::SQL::_format_records_groupby 7489 [undef]
  field_order: key
• WARN [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Fields.pm (646) Fields::resolve_value 7489 [undef]
  No field_order found for col
• TRACE [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Query/SQL.pm (572) Query::SQL::_format_records_groupby 7489 [undef]
  field_order: key
• WARN [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Fields.pm (646) Fields::resolve_value 7489 [undef]
  No field_order found for col
• TRACE [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Query/SQL.pm (572) Query::SQL::_format_records_groupby 7489 [undef]
  field_order: key
• WARN [2016/05/04 14:44:49] /usr/local/elsa/web/lib/Fields.pm (646) Fields::resolve_value 7489 [undef]
  No field_order found for col

MySQL Query:

USE syslog;

INSERT INTO classes (id, class, parent_id) VALUES(10001, "SOPHOS_FIREWALL", 0);

INSERT INTO fields (field, field_type, pattern_type) VALUES ("fwrule","int", "NUMBER");

INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SOPHOS_FIREWALL"), (SELECT id FROM fields WHERE field="fwrule"), 5);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SOPHOS_FIREWALL"), (SELECT id FROM fields WHERE field="srcip"), 6);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SOPHOS_FIREWALL"), (SELECT id FROM fields WHERE field="dstip"), 7);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SOPHOS_FIREWALL"), (SELECT id FROM fields WHERE field="srcport"), 8);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SOPHOS_FIREWALL"), (SELECT id FROM fields WHERE field="dstport"), 9);
INSERT INTO fields_classes_map (class_id, field_id, field_order) VALUES ((SELECT id FROM classes WHERE class="SOPHOS_FIREWALL"), (SELECT id FROM fields WHERE field="action"), 11);

The Fields look good and have all the right value:
[image: 2016-05-04 16_09_10-elsa]
https://cloud.githubusercontent.com/assets/18323490/15016871/6a2e46b4-1213-11e6-98a9-7000982d4827.png

I just noticed, if I groupby host, I get value.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub
#35

from elsa.

Hey,
no I don't. Without the archive option I don't get results, No matter which Query I use.

from elsa.

I just tried it on a CentOS 7 (currently using Debian 8.4 ) Machine with a complete fresh install and only injecting the fields.
Still the same result. No Data without the archive option and only a count for groupby.

EDIT: I just tried it again on my productive server. And the Groupby works now! i havn't changed any setting neither did I update something. I still have to use the archive option.

from elsa.