Replay support for Enterprise event Search Filters (#18029)

* Backend: Add support for event search replay filters

* Add missing license header

* Fix forbidden API warning

* fix: Add search-filters to the query

---------

Co-authored-by: Ezequiel Lopez <[email protected]>
Co-authored-by: Zack King <[email protected]>

graylog2-server/src/main/java/org/graylog/events/event/EventReplayInfo.java

@@ -20,8 +20,11 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.google.auto.value.AutoValue;
+import org.graylog.plugins.views.search.searchfilters.model.UsedSearchFilter;
 import org.joda.time.DateTime;
 
+import java.util.Collections;
+import java.util.List;
 import java.util.Set;
 
 /**
@@ -35,6 +38,7 @@ public abstract class EventReplayInfo {
     public static final String FIELD_TIMERANGE_END = "timerange_end";
     public static final String FIELD_QUERY = "query";
     public static final String FIELD_STREAMS = "streams";
+    public static final String FIELD_FILTERS = "filters";
 
     @JsonProperty(FIELD_TIMERANGE_START)
     public abstract DateTime timerangeStart();
@@ -48,8 +52,12 @@ public abstract class EventReplayInfo {
     @JsonProperty(FIELD_STREAMS)
     public abstract Set<String> streams();
 
+    @JsonProperty(FIELD_FILTERS)
+    public abstract List<UsedSearchFilter> filters();
+
     public static Builder builder() {
-        return new AutoValue_EventReplayInfo.Builder();
+        return new AutoValue_EventReplayInfo.Builder()
+                .filters(Collections.emptyList());
     }
 
     public abstract Builder toBuilder();
@@ -68,11 +76,14 @@ public static abstract class Builder {
         @JsonProperty(FIELD_STREAMS)
         public abstract Builder streams(Set<String> streams);
 
+        @JsonProperty(FIELD_FILTERS)
+        public abstract Builder filters(List<UsedSearchFilter> filters);
+
         public abstract EventReplayInfo build();
 
         @JsonCreator
         public static Builder create() {
-            return new AutoValue_EventReplayInfo.Builder();
+            return builder();
         }
     }
 }

graylog2-server/src/main/java/org/graylog/events/processor/aggregation/AggregationEventProcessor.java

@@ -248,6 +248,7 @@ private void filterSearch(EventFactory eventFactory, AggregationEventProcessorPa
                         .timerangeEnd(parameters.timerange().getTo())
                         .query(config.query())
                         .streams(event.getSourceStreams())
+                        .filters(config.filters())
                         .build());
 
                 eventsWithContext.add(EventWithContext.create(event, msg));
@@ -341,6 +342,7 @@ ImmutableList<EventWithContext> eventsFromAggregationResult(EventFactory eventFa
                     .timerangeEnd(event.getTimerangeEnd())
                     .query(config.query())
                     .streams(sourceStreams)
+                    .filters(config.filters())
                     .build());
             sourceStreams.forEach(event::addSourceStream);
 

graylog2-server/src/test/java/org/graylog/events/event/EventReplayInfoTest.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog.events.event;
+
+import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import java.util.Collections;
+
+class EventReplayInfoTest {
+
+    @Test
+    public void testCreateNoFilters() {
+        // Backwards-compatibility test for events that previously did not have filters.
+        final DateTime now = DateTime.now(DateTimeZone.UTC);
+        final EventReplayInfo info = EventReplayInfo.builder()
+                .query("*")
+                .streams(Collections.singleton("stream"))
+                .timerangeStart(now.minusMinutes(1))
+                .timerangeEnd(now).build();
+        Assertions.assertNotNull(info.filters());
+        Assertions.assertTrue(info.filters().isEmpty());
+    }
+}

graylog2-web-interface/src/views/logic/views/UseCreateViewForEvent.ts

@@ -190,8 +190,7 @@ export const ViewGenerator = async ({
   groupBy: Array<string>,
   queryParameters: Array<ParameterJson>,
   searchFilters?: Array<SearchFilter>,
-},
-) => {
+}) => {
   const query = QueryGenerator(streams, undefined, timeRange, queryString, (searchFilters || []));
   const search = Search.create().toBuilder().queries([query]).parameters(queryParameters.map((param) => Parameter.fromJSON(param)))
     .build();
@@ -228,8 +227,10 @@ export const UseCreateViewForEvent = (
 
   const groupBy = eventDefinition?.config?.group_by ?? [];
 
+  const searchFilters = eventDefinition.config?.filters;
+
   return useMemo(
-    () => ViewGenerator({ streams, timeRange, queryString, aggregations, groupBy, queryParameters }),
+    () => ViewGenerator({ streams, timeRange, queryString, aggregations, groupBy, queryParameters, searchFilters }),
     // eslint-disable-next-line react-hooks/exhaustive-deps
     [],
   );