Fix all alerts page. Fix require attention results.

httpdocs/misc/db_schema_clickhouse.sql

@@ -517,23 +517,23 @@ ALTER TABLE `system_alerts` ADD COLUMN IF NOT EXISTS alert_category UInt8;
 DROP VIEW IF EXISTS `all_alerts_view`;
 @
 CREATE VIEW IF NOT EXISTS `all_alerts_view` AS
-SELECT 8 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `active_monitoring_alerts`
+SELECT 8 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `active_monitoring_alerts`
 UNION ALL
-SELECT 4 entity_id, INTERFACE_ID AS interface_id, STATUS AS alert_id, ALERT_STATUS AS alert_status, FIRST_SEEN AS tstamp, LAST_SEEN AS tstamp_end, SEVERITY AS severity, SCORE AS score, ALERT_CATEGORY AS alert_category FROM `flows` WHERE (STATUS != 0 AND IS_ALERT_DELETED != 1)
+SELECT 4 entity_id, INTERFACE_ID AS interface_id, STATUS AS alert_id, ALERT_STATUS AS alert_status, REQUIRE_ATTENTION AS require_attention, FIRST_SEEN AS tstamp, LAST_SEEN AS tstamp_end, SEVERITY AS severity, SCORE AS score, ALERT_CATEGORY AS alert_category FROM `flows` WHERE (STATUS != 0 AND IS_ALERT_DELETED != 1)
 UNION ALL
-SELECT 1 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `host_alerts`
+SELECT 1 entity_id, interface_id, alert_id, alert_status, require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `host_alerts`
 UNION ALL
-SELECT 5 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `mac_alerts`
+SELECT 5 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `mac_alerts`
 UNION ALL
-SELECT 3 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `snmp_alerts`
+SELECT 3 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `snmp_alerts`
 UNION ALL
-SELECT 2 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `network_alerts`
+SELECT 2 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `network_alerts`
 UNION ALL
-SELECT 0 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `interface_alerts`
+SELECT 0 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `interface_alerts`
 UNION ALL
-SELECT 7 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `user_alerts`
+SELECT 7 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `user_alerts`
 UNION ALL
-SELECT 9 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `system_alerts`
+SELECT 9 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `system_alerts`
 ;
 
 @

httpdocs/misc/db_schema_clickhouse_cluster.sql

@@ -516,23 +516,23 @@ ALTER TABLE `system_alerts` ON CLUSTER '$CLUSTER' ADD COLUMN IF NOT EXISTS alert
 DROP VIEW IF EXISTS `all_alerts_view` ON CLUSTER '$CLUSTER';
 @
 CREATE VIEW IF NOT EXISTS `all_alerts_view` ON CLUSTER '$CLUSTER' AS
-SELECT 8 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `active_monitoring_alerts`
+SELECT 8 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `active_monitoring_alerts`
 UNION ALL
-SELECT 4 entity_id, INTERFACE_ID AS interface_id, STATUS AS alert_id, 0 AS alert_status, FIRST_SEEN AS tstamp, LAST_SEEN AS tstamp_end, SEVERITY AS severity, SCORE AS score, ALERT_CATEGORY AS alert_category FROM `flows` WHERE (STATUS != 0 AND IS_ALERT_DELETED != 1)
+SELECT 4 entity_id, INTERFACE_ID AS interface_id, STATUS AS alert_id, 0 AS alert_status, REQUIRE_ATTENTION AS require_attention, FIRST_SEEN AS tstamp, LAST_SEEN AS tstamp_end, SEVERITY AS severity, SCORE AS score, ALERT_CATEGORY AS alert_category FROM `flows` WHERE (STATUS != 0 AND IS_ALERT_DELETED != 1)
 UNION ALL
-SELECT 1 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `host_alerts`
+SELECT 1 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `host_alerts`
 UNION ALL
-SELECT 5 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `mac_alerts`
+SELECT 5 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `mac_alerts`
 UNION ALL
-SELECT 3 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `snmp_alerts`
+SELECT 3 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `snmp_alerts`
 UNION ALL
-SELECT 2 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `network_alerts`
+SELECT 2 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `network_alerts`
 UNION ALL
-SELECT 0 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `interface_alerts`
+SELECT 0 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `interface_alerts`
 UNION ALL
-SELECT 7 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `user_alerts`
+SELECT 7 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `user_alerts`
 UNION ALL
-SELECT 9 entity_id, interface_id, alert_id, alert_status, tstamp, tstamp_end, severity, score, alert_category FROM `system_alerts`
+SELECT 9 entity_id, interface_id, alert_id, alert_status, true AS require_attention, tstamp, tstamp_end, severity, score, alert_category FROM `system_alerts`
 ;
 
 @

scripts/locales/en.lua

@@ -2264,6 +2264,7 @@ local lang = {
             ["pre_nat_ipv4_src_addr"] = "Pre-NAT IPv4 Src IP",
             ["pre_nat_src_port"] = "Pre-NAT Src Port",
             ["probe_ip"] = "Flow Exporter",
+            ["require_attention"] = "Require Attention",
             ["retransmissions"] = "Packets Retransmissions",
             ["role"] = "Role",
             ["role_cli_srv"] = "Client/Server",

scripts/lua/modules/alert_consts.lua

@@ -90,7 +90,7 @@ alert_consts.alert_status = {
       on_db = true
    },
    ["any"] = {
-      -- This status is not actually stored in the database (any = historical | acknowledged)
+      -- This status is not actually stored in the database (any = historical | acknowledged | engaged)
       alert_status_id = 3,
       i18n_title = "db_search.alert_status.any",
       on_db = false

scripts/lua/modules/alert_store/alert_store.lua

@@ -185,36 +185,33 @@ end
 -- ##############################################
 
 function alert_store:_build_alert_status_condition(status, is_write)
-    local field = 'alert_status'
+    local status_field = 'alert_status'
+    local require_attention_field = 'require_attention'
 
-    field = self:get_column_name(field, is_write)
+    status_field = self:get_column_name(status_field, is_write)
+    require_attention_field = self:get_column_name(require_attention_field, is_write)
 
     if status == "any" then
-        -- This condition has been removed as was hiding engaged alerts since the introduction
-        -- of the in-memory table for engaged alerts (was it really required?)
-        -- return string.format(" ((%s = %u) OR (%s = %u)) ",
-        --     field, alert_consts.alert_status.historical.alert_status_id,
-        --     field, alert_consts.alert_status.acknowledged.alert_status_id)
         return nil
     elseif status == 'historical' then -- 'Require Attention' alerts - also include engaged
         -- Note: alert_status for engaged is always engaged, acknowledged (historical) is hidden in that case
-        return string.format(" ((%s = %u) OR (%s = %u)) ",
-            field, alert_consts.alert_status.historical.alert_status_id,
-            field, alert_consts.alert_status.engaged.alert_status_id)
+        return string.format(" (%s = 1 AND NOT %s = %u) ",
+            require_attention_field,
+            status_field, alert_consts.alert_status.acknowledged.alert_status_id)
     else
-        return string.format(" %s = %u ", field, alert_consts.alert_status[status].alert_status_id)
+        return string.format(" %s = %u ", status_field, alert_consts.alert_status[status].alert_status_id)
     end
 end
 
 -- ##############################################
 
--- @brief Add filters on status (any, engaged, historical, or acknowledged)
+-- @brief Add filters on status/tab (any, engaged, historical, or acknowledged)
 -- @param status A status key (one of those enumerated in `alert_consts.alert_status`)
 -- @return True if set is successful, false otherwise
 function alert_store:add_status_filter(status, is_write)
     if not self._status then
         if not status then
-            status = "historical"
+            status = "historical" -- "require attention" by default
         end
 
         if alert_consts.alert_status[status] then
@@ -2032,6 +2029,7 @@ end
 -- @brief Add filters according to what is specified inside the REST API
 function alert_store:add_request_filters(is_write)
     local ifid = self:get_ifid()
+    local status = _GET["status"] -- Tab: engaged, require-attention (hitorical), all (any)
     local epoch_begin = tonumber(_GET["epoch_begin"])
     local epoch_end = tonumber(_GET["epoch_end"])
     local alert_id = _GET["alert_id"] or _GET["alert_type"] --[[ compatibility ]] --
@@ -2041,7 +2039,6 @@ function alert_store:add_request_filters(is_write)
     local score = _GET["score"]
     local rowid = _GET["row_id"]
     local tstamp = _GET["tstamp"]
-    local status = _GET["status"]
     local info = _GET["info"]
     local description = _GET["description"]
 

scripts/lua/modules/alert_store/flow_alert_store.lua

@@ -124,8 +124,8 @@ function flow_alert_store:get_column_name(field, is_write, value)
 	       col = 'IPV4_DST_ADDR'
 	    end
 	 end
-      else
 
+      else
 	 -- Convert columns to tags for those who differ
 	 if field == 'proto' then
 	    field = 'l4proto'

scripts/lua/modules/historical_flow_utils.lua

@@ -1166,6 +1166,7 @@ local flow_columns = {
 
    -- Alert data
    ['ALERT_STATUS'] =         { tag = "alert_status" },
+   ['REQUIRE_ATTENTION'] =    { tag = "require_attention" },
    ['USER_LABEL'] =           { tag = "user_label" },
    ['USER_LABEL_TSTAMP'] =    { tag = "user_label_tstamp" },
 }

scripts/lua/modules/tag_utils.lua

@@ -284,6 +284,11 @@ tag_utils.defined_tags = {
         i18n_label = i18n('db_search.tags.alert_status'),
         operators = { 'eq', 'neq' }
     },
+    require_attention = {
+        value_type = 'boolean',
+        i18n_label = i18n('db_search.tags.require_attention'),
+        operators = { 'eq', 'neq' }
+    },
     severity = {
         type = tag_utils.input_types.select,
         value_type = 'severity',