OpenSearch return results based on field in multiple indices - opensearch

I have an index containing vulnerable dependencies, and their status in repositories.
I don't want to remove the alerts when they are resolved, as I also want to log that the vulnerability has been patched.
However, this means that I end up with some data that I'm not sure what would be the best way to deal with.
Here is a simplified example of what my data looks like:
_id  alert_id  repository       alert_name  action
1    1         car_repository   jwt         created
2    2         car_repository   express     created
3    2         car_repository   express     resolved
4    5         boat_repository  express     created
5    3         car_repository   log4j       resolved
6    3         car_repository   log4j       created
7    4         boat_repository  log4j       created
In total, 5 vulnerability warnings have been created. 2 of them have been resolved.
Now - what I want to do is show the current status. We have 3 active vulnerabilities still. How would I go about only showing the 3 relevant rows? (1, 4 and 7)
Keep in mind that I am still pretty new to using ELK/OpenStack, so I don't know if this is best solved using queries or filters, or if it would help dividing into multiple indices.

I'd say the easiest way would be to maintain 2 indices: one for actions with what you have in the table above and one with vulnerabilities and current status. So whenever you're creating a "created" action you would also create a vulnerability doc with status == "created", and when you create an action which is not "created" you'll update_by_query that doc to set status = "resolved". Then your query would become super simple.
An alternative would be to use collapse, but in my experience its behavior is quite confusing when you try to paginate or aggregate the results.
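To make the two-index design concrete, here is an added example (not code from the question or the answer above) that reduces the append-only action log to the set of open alerts and builds the OpenSearch request bodies the answer describes: the status document written on a "created" action, the `_update_by_query` body used on "resolved", the one-term query against the status index, and the `collapse` alternative. The index names `alert-actions` and `alert-status`, the `status` field, and the `@timestamp` sort field used by the collapse query are assumptions; the sample documents are the seven rows from the question.

```python
"""Reduce an append-only alert-action log to its current state, and build the
OpenSearch request bodies for a two-index design (actions log + current status).
Added example; index names, field names and document shapes are assumptions."""
import json

# Constructed sample data: the seven action documents from the question's table.
ACTIONS = [
    {"_id": 1, "alert_id": 1, "repository": "car_repository", "alert_name": "jwt", "action": "created"},
    {"_id": 2, "alert_id": 2, "repository": "car_repository", "alert_name": "express", "action": "created"},
    {"_id": 3, "alert_id": 2, "repository": "car_repository", "alert_name": "express", "action": "resolved"},
    {"_id": 4, "alert_id": 5, "repository": "boat_repository", "alert_name": "express", "action": "created"},
    {"_id": 5, "alert_id": 3, "repository": "car_repository", "alert_name": "log4j", "action": "resolved"},
    {"_id": 6, "alert_id": 3, "repository": "car_repository", "alert_name": "log4j", "action": "created"},
    {"_id": 7, "alert_id": 4, "repository": "boat_repository", "alert_name": "log4j", "action": "created"},
]

ACTIONS_INDEX = "alert-actions"  # assumed name: the append-only log above
STATUS_INDEX = "alert-status"    # assumed name: one doc per alert_id, _id == alert_id


def active_alerts(actions):
    """Return the 'created' rows of alerts that have no 'resolved' action at all.

    Note: in the sample, alert_id 3 has its 'resolved' row (_id 5) before its
    'created' row (_id 6), so 'latest action wins' would wrongly keep it open.
    The question counts it as resolved, so 'resolved' is treated as terminal.
    """
    resolved = {a["alert_id"] for a in actions if a["action"] == "resolved"}
    return [a for a in actions
            if a["action"] == "created" and a["alert_id"] not in resolved]


def status_doc_for(action):
    """Body of the status document written when a 'created' action arrives."""
    return {
        "alert_id": action["alert_id"],
        "repository": action["repository"],
        "alert_name": action["alert_name"],
        "status": "created",
    }


def status_bulk_body(created_actions):
    """NDJSON for POST /_bulk: one index op per open alert; _id = alert_id so a
    re-run overwrites instead of duplicating."""
    lines = []
    for a in created_actions:
        lines.append(json.dumps({"index": {"_index": STATUS_INDEX, "_id": a["alert_id"]}}))
        lines.append(json.dumps(status_doc_for(a)))
    return "\n".join(lines) + "\n"


def resolve_status_request(alert_id):
    """POST /alert-status/_update_by_query body that marks one alert resolved."""
    return {
        "query": {"term": {"alert_id": alert_id}},
        "script": {"source": "ctx._source.status = 'resolved'", "lang": "painless"},
    }


def active_status_query():
    """The 'super simple' query against the status index: only open alerts."""
    return {"query": {"term": {"status": "created"}}}


def collapse_query():
    """The collapse alternative on the actions index: one hit per alert_id, the
    most recent action first. Assumes an @timestamp field on each action (the
    question's table has none). The caller must still discard every group whose
    top hit is 'resolved', which is part of why collapse is awkward here."""
    return {
        "query": {"match_all": {}},
        "collapse": {"field": "alert_id"},
        "sort": [{"@timestamp": {"order": "desc"}}],
    }
```

`active_alerts(ACTIONS)` yields rows 1, 4 and 7, matching the expected answer; `json.dumps(resolve_status_request(2))` is the body to send for alert 2. Because the trim happens in the status index, a dashboard only ever needs `active_status_query()`, and the actions index keeps the full audit trail the question wants to preserve.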

Related

How to segregate large real time data in MongoDB

Let me explain the problem.
We get real-time data which is as big as 0.2 million records per day.
Some of these records are of special significance. The attributes
that shall mark them as significant are pushed in a reference collection. Let us say each row in the Master Database has the following attributes:
a. ID b. Type c. Event 1 d. Event 2 e. Event 3 f. Event 4
For the special markers, we identify them as
Marker1 -- Event 1 -- Value1
Marker2 -- Event 3 -- Value1
Marker3 -- Event 1 -- Value2
and so on. We can add 10000 such markers.
Further, the attribute Type can be Image, Video, Text, Others. Hence the idea is to segregate data based on Type, which means that we create 4 collections out of the Master Collection. This is because we have to run searches on collections based on Type and also run some processing. The marker data should show in a different tab on the search screen.
We shall also be running a search on the Master Collection through a wild search.
We are running crons to do these processes as
I. Dumping Data in Master Collection - Cron 1
II. Assigning Markers - Cron 2
III. Segregating Data based on Type - Cron 3
which run as a module: Cron 1 - Cron 2 - Cron 3.
But assigning targets and segregation takes a very long time. We are using Python as the scripting language.
In fact, the crons don't seem to work at all. The cron works from the command prompt, but scheduling these in crontab does not work. We are giving absolute paths to the files. The crons are scheduled 3 minutes apart.
Can someone help?
Yes, I also faced this problem but then I tried by moving small chunks of the data. Sharding is not the better way as per my experience regarding this kind of problem. Same thing for the replica set.

Satellite 6 Job Invocation search query : using facts (faster)

I'm using Satellite 6 to manage EL 5, 6 and 7.x hosts.
I've been trying to perform a Job Invocation (via Monitor -> Jobs -> Run Jobs) on a host of servers, based on a custom fact that I wrote (the fact is called ad_domain and basically tells you whether it's Active Directory joined or not).
However, I can't figure out how to do this... is this even possible?
I'm a Satellite newbie... I don't even know what parameters I can use in the Search Query to do this. Can anyone help enlighten? Is it possible to specify a factor/facter value(s) in the Search Query so that it will resolve only to hosts that match that value(s)?
Appreciate your help in advance,
Sue
You can try
facts.ad_domain = value

Register a LUA script to be triggered when a specified (redis-key, op) event occurs

Can I make a Lua script act as a TRIGGER, as used in relational databases?
E.g., after every append or rpush to the list with key 'TIMELIST', a Lua script is triggered to do some work on the list?
I had a quick look at the Lua scripting section in the Redis documentation and found that it seems the script can only be explicitly evaluated. Is my idea impossible?
EXT:
If the above idea is impossible, what should I do to address such a problem? I have a sorted list to store daily quotas. I use
> ZADD 'TIMELIST' <TS> <QUOTA>
to add a new quota with its date as the weight. I want the sorted list to act as a bounded list which only maintains the last 7 days' quotas. I don't use LTRIM on a normal Redis list because the quotas may have gaps in the timeline. A hash isn't suitable either since, for some reason, I must make the TRUNCATION op invisible to the application that accesses Redis.
I'm a newbie to Redis. Any suggestions? Thanks!
No, that isn't doable. What you can easily do, however, is use a script to both perform the operation (LPUSH, ZADD, etc) as well as any additional trigger-like logic.
You can use ZREMRANGEBYRANK to remove the old elements.
redis> ZADD myzset 1 "one"
(integer) 1
redis> ZADD myzset 2 "two"
(integer) 1
redis> ZADD myzset 3 "three"
(integer) 1
redis> ZREMRANGEBYRANK myzset 0 1
(integer) 2
redis> ZRANGE myzset 0 -1 WITHSCORES
1) "three"
2) "3"
redis>
There has been an interesting development with Redis regarding this kind of "trigger". You could accomplish what you want with:
Redis Key Space Notifications (get notified when an event happens - for example adding a key to your set/zset) and run an internal Redis Module (new in Version 5)
that will perform a ZREM from the set under some conditions - effectively having a Redis "trigger".
You could technically just use the Key Space Notifications option that sends a pub/sub event (in Redis) - but you might miss events if you have no subscribers to that event (pub/sub events in Redis are not durable).
The downside is that you will have to write that module in C/C++ code and validate that it works properly.

Store Google Form Responses in 3 different spreadsheets depending on form choices

I have created a form in which students have to tell if they've formed a group of 4, 5 or 6 members and correspondingly fill out the email IDs of all members in the group.
Right now, all the responses land in a single document, like this
I want that, depending on the group size, 3 different spreadsheets be created. That is, all group-of-4 responses in one spreadsheet, all group-of-5 responses in one spreadsheet and all group-of-6 responses in one spreadsheet. So 3 spreadsheets for the 3 group options.
I was going through the web and I see it's possible via Apps Script, but I couldn't figure out how. Any leads on this?
No need to use a script for this, which is not trivial to do while handling all possible errors.
Instead, simply use a combination of importRange and filter/query in the other spreadsheets from the master responses.
By using spreadsheet formulas your spreadsheets will always update correctly and instantly.
The easiest way would be to use an installable trigger on the form which is called on form submission. Rather than using the default functionality of adding all responses to a "Form Responses" sheet, your script would then take the raw form data and add it to the appropriate sheet based on the group size.

Microsoft Dynamics CRM: find cases that have been close within 2 days

I'm trying to generate a list of all cases in a system that have been closed within 2 days, but don't know the best way to do it, apart from running through all the cases and comparing the created-on date with the resolved-by date. Are there any other ways to do it? Are there built-in functions to solve such a trivial task?
Thank you
When a Case/Incident is resolved, a new record is created: Case Resolution.
This is a semi-hidden CRM record type.
You can use Advanced Find to create a view of this:
This will allow you to create a view. Unfortunately, you can't then include this view in your list of Incident Views (along with Active Cases, Resolved Cases, etc.)