v0.1 Mick Marc merged

2026-06-09 12:57:13 +00:00 · 2026-05-20 23:44:53 +02:00
commit 79efb6bf7d
50 changed files with 5190 additions and 0 deletions
@@ -0,0 +1,77 @@
+#!/usr/bin/env python3
+"""Probe what PowerQuery syntax this SDL tenant accepts."""
+import json, time, urllib.request, urllib.error, sys
+import os
+
+def _load_sdl_cfg():
+    import json as _j, os as _o, sys as _s
+    here = _o.path.dirname(_o.path.abspath(__file__))
+    candidates = [
+        _o.environ.get("SDL_CONFIG"),
+        _o.path.join(here, "sdl_config.json"),
+        _o.path.join(here, "..", "sdl_config.json"),
+    ]
+    for p in candidates:
+        if p and _o.path.exists(p):
+            with open(p) as fh:
+                return _j.load(fh)
+    _s.stderr.write(
+        "ERROR: no SDL config found. Set $SDL_CONFIG or create sdl_config.json "
+        "(see sdl_config.example.json)\n")
+    _s.exit(2)
+
+
+CFG = _load_sdl_cfg()
+URL = CFG['base_url'].rstrip('/') + '/api/powerQuery'
+END_MS = int(time.time() * 1000)
+START_MS = END_MS - 3600 * 1000  # last hour
+
+
+def run(label: str, query: str):
+    body = json.dumps({
+        "token":     CFG['log_read_key'],
+        "query":     query,
+        "startTime": START_MS,
+        "endTime":   END_MS,
+        "maxCount":  5,
+    }).encode()
+    req = urllib.request.Request(URL, data=body, headers={"Content-Type": "application/json"})
+    try:
+        resp = urllib.request.urlopen(req, timeout=30).read()
+        d = json.loads(resp)
+        st = d.get('status', '?')
+        cols = d.get('columns') or []
+        vals = d.get('values') or d.get('matches') or []
+        print(f"[OK ] {label:<40} status={st} cols={len(cols)} rows={len(vals)}")
+        if vals:
+            print(f"      sample={str(vals[0])[:160]}")
+    except urllib.error.HTTPError as e:
+        body = e.read().decode()
+        try:
+            j = json.loads(body)
+            msg = j.get('message', body)[:200]
+        except Exception:
+            msg = body[:200]
+        print(f"[ERR] {label:<40} HTTP {e.code}: {msg}")
+    except Exception as e:
+        print(f"[ERR] {label:<40} {type(e).__name__}: {str(e)[:160]}")
+
+
+CASES = [
+    ("leading-pipe single-stage",  "| group total=count()"),
+    ("no-pipe single-stage",       "group total=count()"),
+    ("leading-pipe multi-stage",   "| group events=count() by dataSource.name | sort -events | limit 5"),
+    ("no-pipe multi-stage",        "group events=count() by dataSource.name | sort -events | limit 5"),
+    ("no-pipe trim sort",          "group events=count() by dataSource.name | limit 5"),
+    ("filter then group",          "dataSource.name=='SentinelOne' | group events=count()"),
+    ("filter (modern keyword)",    "filter dataSource.name=='SentinelOne' | group events=count()"),
+    ("dataset-style with sort",    "group events=count() by dataSource.name | sort events desc | limit 5"),
+    ("count() as alias",           "| count() as events"),
+    ("group by event.type",        "group events=count() by event.type | limit 5"),
+]
+
+print(f"URL: {URL}")
+print(f"Window: last 1h ({START_MS}..{END_MS} ms)")
+print()
+for label, q in CASES:
+    run(label, q)