Filtering tables before database dump in CloudQuery for large datasets

devoted-oryx · August 30, 2024, 2:02pm

Hi, as CloudQuery has evolved over the last time I was playing around with it, is it now possible to filter tables before they get dumped into the database? My use case involves many millions of rows, but I’m interested in a very small subset.

ben · August 30, 2024, 2:21pm

Hi @devoted-oryx,

There are a couple of ways to filter data prior to insertion in the destination. What tables are you interested in using?

devoted-oryx · August 30, 2024, 2:23pm

say AWS Security Hub

I want to ingest only active findings for the specific service.

ben · August 30, 2024, 2:30pm

For aws_securityhub_findings, you can now override the parameters for the API call to AWS so you can only sync the exact findings that you are interested in.

devoted-oryx · August 30, 2024, 2:45pm

how this could be accomplished?

ben · August 30, 2024, 2:50pm

If you can, please share an example finding that you would like the filter to match. I can help create the config.

devoted-oryx · August 30, 2024, 2:59pm

Let’s say findings generated by Config, which are in Active state.

I think I found what you were referencing to - CloudQuery AWS Configuration and the table options.

So basically, considering I want to sync just a subset, let’s say 10k rows out of 10m findings in total, would I be billed for the 10k rows?

ben · August 30, 2024, 9:18pm

Exactly! You get both a performance and cost benefit in that you only get the data that is most impactful to your org. Here is an example of how to use the table_options functionality to grab active findings generated by Config:

kind: source
spec:
  name: aws_xxxxxx
  path: cloudquery/aws
  version: "v27.17.0"
  tables: ["aws_securityhub_findings"]
  destinations: ["postgresql"]
  spec:
    table_options:
      aws_securityhub_findings:
        get_findings:
          - filters:
              WorkflowStatus:
                - Value: "ACTIVE"
                  Comparison: "EQUALS"
              ProductFields:
                - Key: "aws/securityhub/ProductName"
                  Value: "Config"
                  Comparison: "EQUALS"

devoted-oryx · September 5, 2024, 7:34pm

Would it be possible to filter to the findings that have been updated within the last 7 days?

ben · September 5, 2024, 7:37pm

Looking at the GetFindings API, it looks like this should work:

kind: source
spec:
  name: aws_xxxxxx
  path: cloudquery/aws
  version: "v27.17.0"
  tables: ["aws_securityhub_findings"]
  destinations: ["postgresql"]
  spec:
    table_options:
      aws_securityhub_findings:
        get_findings:
          - filters:
              UpdatedAt:
                DateRange:
                  Unit: DAYS
                  Value: 7
              WorkflowStatus:
                - Value: "ACTIVE"
                  Comparison: "EQUALS"
              ProductFields:
                - Key: "aws/securityhub/ProductName"
                  Value: "Config"
                  Comparison: "EQUALS"

devoted-oryx · September 5, 2024, 7:50pm

that’s nice, thanks Ben!

ben · September 5, 2024, 7:54pm

Your welcome! Let me know if you run into any issues with this or have other questions!

Topic		Replies	Views
Filtering out collected resources in CloudQuery to reduce collection time CloudQuery Plugins	4	1	February 6, 2024
Filter aws_securityhub_findings by active record_state and created_at conditions CloudQuery Plugins	3	2	October 10, 2023
Request to filter archived GuardDuty findings to reduce noise and storage usage CloudQuery Plugins	2	4	April 19, 2024
CloudQuery table_options deprecation and alternative for syncing record subsets CloudQuery Plugins	2	6	December 5, 2023
Simplifying table selection for CloudQuery sync process CloudQuery Plugins	1	2	August 15, 2023

Filtering tables before database dump in CloudQuery for large datasets

Related topics