add support for Sagan (#14070)

* add sagan instance fetch function

* add sagan discovery

* add sagan poller

* add sagan graphs

* add graph sources

* add sagan to apps page

* remove alert

* more app graph work

* polling fix

* re-order keys and add alert key

* correct field key usage

* add alert and fix a missing unit

* more unit fixes

* add alert status

* add alert rules for sagan

* fix a missing : after S while I am here in the json stat tool helper... also add tests

* now add the tests

* add docs

* point php-cs-fixer at two files

* remove-unneeded sagan instance fetch function

* convert to use app_data

* style fix

* apply bennet-esyoil's suggestions here as well

* update for the new app model

* convert poller to the new method

* convert the sagan device app page

* convert sagan

* doc cleanup

doc/Extensions/Applications.md

@@ -2183,6 +2183,74 @@ extend supervisord /etc/snmp/supervisord.py
 systemctl restart snmpd
 ```
 
+## Sagan
+
+For metrics the stats are migrated as below from the stats JSON.
+
+`f_drop_percent` and `drop_percent` are computed based on the found data.
+
+| Instance Key       | Stats JSON Key                     |
+|--------------------|------------------------------------|
+| uptime             | .stats.uptime                      |
+| total              | .stats.captured.total              |
+| drop               | .stats.captured.drop               |
+| ignore             | .stats.captured.ignore             |
+| threshold          | .stats.captured.theshold           |
+| after              | .stats.captured.after              |
+| match              | .stats.captured.match              |
+| bytes              | .stats.captured.bytes_total        |
+| bytes_ignored      | .stats.captured.bytes_ignored      |
+| max_bytes_log_line | .stats.captured.max_bytes_log_line |
+| eps                | .stats.captured.eps                |
+| f_total            | .stats.flow.total                  |
+| f_dropped          | .stats.flow.dropped                |
+
+Those keys are appended with the name of the instance running with `_`
+between the instance name and instance metric key. So `uptime` for
+`ids` would be `ids_uptime`.
+
+The default is named 'ids' unless otherwise specified via the extend.
+
+There is a special instance name of `.total` which is the total of all
+the instances. So if you want the total eps, the metric would be
+`.total_eps`. Also worth noting that the alert value is the highest
+one found among all the instances.
+
+### SNMP Extend
+
+1. Install the extend.
+```
+cpanm Sagan::Monitoring
+```
+
+2. Setup cron. Below is a example.
+```
+*/5 * * * * /usr/local/bin/sagan_stat_check > /dev/null
+```
+
+3. Configure snmpd.conf
+```
+extend sagan-stats /usr/bin/env PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin sagan_stat_check -c
+```
+
+4. Restart snmpd on your system.
+
+You will want to make sure that sagan is setup to with the values set
+below for stats-json processor, for a single instance setup..
+
+```
+enabled: yes
+time: 300
+subtract_old_values: true
+filename: "$LOG_PATH/stats.json"
+```
+
+Any configuration of sagan_stat_check should be done in the cron
+setup. If the default does not work, check the docs for it at
+[MetaCPAN for
+sagan_stat_check](https://metacpan.org/dist/Sagan-Monitoring/view/bin/sagan_stat_check)
+
+
 ## Suricata
 
 ### SNMP Extend