0ct0pu5/crowdsec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

update parser and scenari doc (#116)

Browse source 
Co-authored-by: AlteredCoder <AlteredCoder>
This commit is contained in:
AlteredCoder 2020-07-02 11:46:16 +02:00 committed by GitHub
parent eef1847873
commit 672785ba17
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
docs/references/parsers.md
View file

@ -151,10 +151,14 @@ It is meant to help understanding parser node behaviour by providing contextual
filter: expression
```
`filter` must be a valid {{expr.htmlname}} expression that will be evaluated against the {{event.name}}.
`filter` must be a valid {{expr.htmlname}} expression that will be evaluated against the {{event.htmlname}}.
If `filter` evaluation returns true or is absent, node will be processed.
If `filter` returns `false` or a non-boolean, node won't be processed.
Here is the [expr documentation](https://github.com/antonmedv/expr/tree/master/docs).
Examples :
- `filter: "evt.Meta.foo == 'test'"`

8
docs/references/scenarios.md
View file

@ -87,12 +87,16 @@ The name must be unique (and will define the scenario's name in the hub), and th
### filter
```yaml
filter: evt.Meta.log_type == 'telnet_new_session'
filter: expression
```
`filter` must be a valid {{expr.htmlname}} expression that will be evaluated against the {{event.htmlname}}.
an {{expr.htmlname}} that must return true if the event is eligible for the bucket.
If `filter` evaluation returns true or is absent, event will be pour in the bucket.
If `filter` returns `false` or a non-boolean, the event will be skip for this bucket.
Here is the [expr documentation](https://github.com/antonmedv/expr/tree/master/docs).
Examples :