Added LogPoint aggregation

Added generateAggregation function for LogPoint
2024-11-07 09:48:58 +00:00 · 2017-06-19 15:21:29 +02:00 · 2017-06-19 15:21:29 +02:00 · 43c4486de0
commit 43c4486de0
parent d1f1bd59da
1 changed files with 8 additions and 0 deletions
--- a/tools/backends.py
+++ b/tools/backends.py
@ -185,6 +185,14 @@ class LogPointBackend(SingleTextQueryBackend):
    mapListsSpecialHandling = True
    mapListValueExpression = "%s IN %s"
    
+    def generateAggregation(self, agg):
+        if agg == None:
+            return ""
+        if agg.groupfield == None:
+            return " | chart %s(%s) as val | search val %s %s" % (agg.aggfunc_notrans, agg.aggfield, agg.cond_op, agg.condition)
+        else:
+            return " | chart %s(%s) as val by %s | search val %s %s" % (agg.aggfunc_notrans, agg.aggfield, agg.groupfield, agg.cond_op, agg.condition)
+    
 class SplunkBackend(SingleTextQueryBackend):
    """Converts Sigma rule into Splunk Search Processing Language (SPL)."""
    identifier = "splunk"