@dougsyer
Created October 31, 2012 12:20
event dedup transform for win event logs v1
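def smart_truncate(text, max_length=128, suffix='...'):
    """Return `text` shortened to at most `max_length` characters.

    The cut is made at a whitespace boundary when one exists inside the
    allowed range, and `suffix` is appended to mark the truncation. Text
    that already fits is returned unchanged.

    The result is used as an event fingerprint, so the length bound has to
    hold for every input: an over-long fingerprint defeats the purpose of
    truncating, and distinct inputs that share the same truncated prefix
    will produce the same fingerprint.

    Args:
        text: String to shorten.
        max_length: Upper bound on the length of the returned string.
        suffix: Marker appended when the text was shortened.

    Returns:
        A string no longer than `max_length`.
    """
    if len(text) <= max_length:
        return text

    # Room left for the prefix once the suffix and the final \S are counted.
    budget = max_length - len(suffix) - 1
    if budget < 0:
        # The suffix alone does not fit; a plain cut still honours the bound.
        return text[:max(max_length, 0)]

    # DOTALL lets the prefix span line breaks, so multi-line text is cut
    # once instead of leaving everything after the first line in place.
    match = re.match(r'(.{0,%d}\S)\s' % budget, text, re.DOTALL)
    if match:
        return match.group(1) + suffix

    # No whitespace inside the allowed range (for example one long token):
    # fall back to a hard cut so the length bound is still met.
    return text[:max_length - len(suffix)] + suffix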
# Transform body: look up how often an event with the same fingerprint is
# already open, then set this event's severity from that count.
# NOTE(review): the listing carries no indentation; the nesting below is
# reconstructed from statement order - confirm against the deployed transform.

# Count of the already-open matching event; stays 0 when none is found.
existing_count = 0
# Prefix for fingerprint (dedupid).
dedupfields = [evt.device, evt.component, evt.eventClass]
if getattr(evt, 'eventKey', False):
    # NOTE(review): evt.dedupid is not assigned on this path, so the lookup
    # below uses whatever fingerprint the event already carries - confirm one
    # is always set before this transform runs. dedupfields is not read again.
    dedupfields += [evt.eventKey, evt.severity]
else:
    # The fingerprint is built from device, component and eventClass only,
    # capped by smart_truncate. Events that differ only in severity or summary
    # therefore share one fingerprint and one count.
    evt.dedupid = smart_truncate('|'.join(map(str, dedupfields))) # truncate event class key so transform will work for big event summaries
    # NOTE(review): appended after the fingerprint was built and not read
    # again in this snippet - confirm whether severity and summary were meant
    # to be part of the fingerprint.
    dedupfields += [evt.severity, evt.summary]
zep = getFacade('zep')
# Restrict the lookup to statuses 0, 1 and 2 with the same fingerprint
# (presumably New / Acknowledged / Suppressed in ZEP - confirm).
evt_filter = zep.createEventFilter(status=(0,1,2),fingerprint=evt.dedupid)
# presumably offset 0, limit 1: only the first matching summary is read
summaries = zep.getEventSummaries(0, 1, filter=evt_filter)
if summaries['total']:
    existing_count = list(summaries['events'])[0]['count']
# Severity 0 is left untouched. Every other event has its incoming severity
# overwritten: 2 while the existing count is below 3, 4 from then on
# (presumably Info / Error on the Zenoss scale - confirm).
# A single high-severity Windows event is therefore recorded at severity 2
# until it has repeated; event classes that must alert on first occurrence
# need to be kept out of this transform.
if not evt.severity == 0:
    if existing_count < 3:
        evt.severity = 2
    else:
        evt.severity = 4