Use parsed event detection in data lake as coverage signal

- sync-sources now runs a parallel PowerQuery checking for event.type population per source; count stored in new active_sources.parser_detected - Coverage map marks a source as covered if parser_detected > 0, even without a matching local parser file (handles built-in/cloud parsers) - UI parser cell shows "Parsed (N typed events detected)" for data-lake- detected parsers vs named local parser files - Runtime ALTER TABLE migration adds parser_detected column to existing DBs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-09 21:07:15 +00:00 · 2026-05-19 13:06:29 -04:00
parent 81e3656c46
commit 1b07a59991
4 changed files with 49 additions and 10 deletions
@@ -5,6 +5,14 @@ from routers import coverage, ingest, settings, quality

 Base.metadata.create_all(bind=engine)

+# Runtime migration: add columns that didn't exist in earlier schema versions
+from sqlalchemy import text
+with engine.connect() as _conn:
+    _conn.execute(text(
+        "ALTER TABLE active_sources ADD COLUMN IF NOT EXISTS parser_detected INTEGER DEFAULT 0"
+    ))
+    _conn.commit()
+
 app = FastAPI(title="SIEM Toolkit", version="1.0.0")

 app.add_middleware(