From 7f9c2fade016c92875b723fd012301186d0dd942 Mon Sep 17 00:00:00 2001
From: jimzz <jimzz@live.com>
Date: Thu, 30 Sep 2021 11:09:23 -0400
Subject: [PATCH] Add support for Graylog 4.1+

Changes for StreamLookupFunction.java
    1) Added required elasticsearch import for SortOrder import
    org.elasticsearch.search.sort.SortOrder;

    2) Remove asElastic() as this method is no longer used

    3) Switch timeRange builder to implement the new method introduced in Graylog 4.1 with the optional from/to
       relative range See https://github.com/Graylog2/graylog2-server/pull/9899/files

Changes for pom.xml
    1) Added Elasticsearch 7.7 dependencies

    2) Change Graylog version from 2.3.2 to 4.1.0

    3) Change graylog-plugin-slookup-function to version 4.1.0 to indicate that it's for 4.1.x Graylog
---
 pom.xml                                         | 16 ++++++++++------
 .../plugins/slookup/StreamLookupFunction.java   | 17 +++++++++++++----
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/pom.xml b/pom.xml
index 6f21190..57f520f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -9,7 +9,7 @@
 
     <groupId>org.graylog.plugins</groupId>
     <artifactId>graylog-plugin-slookup-function</artifactId>
-    <version>2.0.0</version>
+    <version>4.1.0</version>
     <packaging>jar</packaging>
 
     <name>${project.artifactId}</name>
@@ -34,7 +34,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
-        <graylog.version>2.3.2</graylog.version>
+        <graylog.version>4.1.0</graylog.version>
         <graylog.plugin-dir>/usr/share/graylog-server/plugin</graylog.plugin-dir>
     </properties>
 
@@ -46,10 +46,14 @@
             <scope>provided</scope>
         </dependency>
         <dependency>
-            <groupId>org.graylog.plugins</groupId>
-            <artifactId>graylog-plugin-pipeline-processor</artifactId>
-            <version>1.1.1</version>
-            <scope>provided</scope>
+            <groupId>org.elasticsearch.client</groupId>
+            <artifactId>elasticsearch-rest-high-level-client</artifactId>
+            <version>7.7.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.elasticsearch</groupId>
+            <artifactId>elasticsearch</artifactId>
+            <version>7.7.0</version>
         </dependency>
     </dependencies>
 
diff --git a/src/main/java/org/graylog/plugins/slookup/StreamLookupFunction.java b/src/main/java/org/graylog/plugins/slookup/StreamLookupFunction.java
index b58b3a9..db0b7df 100644
--- a/src/main/java/org/graylog/plugins/slookup/StreamLookupFunction.java
+++ b/src/main/java/org/graylog/plugins/slookup/StreamLookupFunction.java
@@ -1,6 +1,8 @@
 package org.graylog.plugins.slookup;
 
 import org.elasticsearch.action.search.SearchPhaseExecutionException;
+import org.elasticsearch.search.sort.SortOrder;
+
 import org.graylog2.indexer.results.ResultMessage;
 import org.graylog2.indexer.results.SearchResult;
 import org.graylog2.indexer.searches.SearchesConfig;
@@ -12,6 +14,7 @@
 import org.graylog.plugins.pipelineprocessor.EvaluationContext;
 import org.graylog.plugins.pipelineprocessor.ast.expressions.Expression;
 import org.graylog.plugins.pipelineprocessor.ast.functions.*;
+
 import static com.google.common.collect.ImmutableList.of;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -88,7 +91,13 @@ public List<String> evaluate(FunctionArgs functionArgs, EvaluationContext evalua
             blankList.add("No match found");
         }
 
-        this.timeRange = RelativeRange.builder().type("relative").range(timeRange).build();
+        //this.timeRange = RelativeRange.builder().type("relative").range(timeRange).build();
+	//this was changed in Graylog 4.1 to include an optional from/to instead of just range
+        try {
+            this.timeRange = RelativeRange.create(timeRange.intValue());
+        } catch (Exception e) {
+            LOG.info(e.getMessage());
+        }	 
 
         String srcFieldValue = evaluationContext.currentMessage().getField(srcField).toString();
         String escapeChars ="[\\\\+\\-\\!\\(\\)\\:\\^\\]\\{\\}\\~\\*\\?]";
@@ -103,12 +112,12 @@ public List<String> evaluate(FunctionArgs functionArgs, EvaluationContext evalua
 
         if (sortField.equals("asc")) {
             this.sortType = new Sorting("timestamp", Sorting.Direction.ASC);
-            LOG.debug("This sortType  - field: {}, order: {}", this.sortType.getField().toString(), this.sortType.asElastic().toString());
+            LOG.debug("This sortType  - field: {}, order: {}", this.sortType.getField().toString(), this.sortType.toString());
         }
         else
         {
             this.sortType = new Sorting("timestamp", Sorting.Direction.DESC);
-            LOG.debug("This sortType  - field: {}, order: {}", this.sortType.getField().toString(), this.sortType.asElastic().toString());
+            LOG.debug("This sortType  - field: {}, order: {}", this.sortType.getField().toString(), this.sortType.toString());
         }
 
         final SearchesConfig searchesConfig = SearchesConfig.builder()
@@ -123,7 +132,7 @@ public List<String> evaluate(FunctionArgs functionArgs, EvaluationContext evalua
 
         try {
             SearchResult response = this.searches.search(searchesConfig);
-            LOG.debug("Search config - field: {}, order: {}", searchesConfig.sorting().getField().toString(), searchesConfig.sorting().asElastic().toString());
+            LOG.debug("Search config - field: {}, order: {}", searchesConfig.sorting().getField().toString(), searchesConfig.sorting().toString());
             if (response.getResults().size() == 0) {
                 LOG.debug("No Search Results observed.");
                 return blankList;