crowdsec/pkg/parser/grok_pattern.go

package parser

import (
	"time"

	"github.com/antonmedv/expr/vm"

	"github.com/crowdsecurity/grokky"
)

// Used mostly for statics
type ExtraField struct {
	//if the target is indicated by name Struct.Field etc,
	TargetByName string `yaml:"target,omitempty"`
	//if the target field is in Event map
	Parsed string `yaml:"parsed,omitempty"`
	//if the target field is in Meta map
	Meta string `yaml:"meta,omitempty"`
	//if the target field is in Enriched map
	Enriched string `yaml:"enriched,omitempty"`
	//the source is a static value
	Value string `yaml:"value,omitempty"`
	//or the result of an Expression
	ExpValue     string      `yaml:"expression,omitempty"`
	RunTimeValue *vm.Program `json:"-"` //the actual compiled filter
	//or an enrichment method
	Method string `yaml:"method,omitempty"`
}

type GrokPattern struct {
	//the field to which regexp is going to apply
	TargetField string `yaml:"apply_on,omitempty"`
	//the grok/regexp by name (loaded from patterns/*)
	RegexpName string `yaml:"name,omitempty"`
	//a proper grok pattern
	RegexpValue string `yaml:"pattern,omitempty"`
	//the runtime form of regexpname / regexpvalue
	RunTimeRegexp grokky.Pattern `json:"-"` //the actual regexp
	//the output of the expression is going to be the source for regexp
	ExpValue     string      `yaml:"expression,omitempty"`
	RunTimeValue *vm.Program `json:"-"` //the actual compiled filter
	//a grok can contain statics that apply if pattern is successful
	Statics []ExtraField `yaml:"statics,omitempty"`
}

type DataCapture struct {
	Name            string        `yaml:"name,omitempty"`
	Key             string        `yaml:"key,omitempty"`
	KeyExpression   *vm.Program   `yaml:"-"`
	Value           string        `yaml:"value,omitempty"`
	ValueExpression *vm.Program   `yaml:"-"`
	TTL             string        `yaml:"ttl,omitempty"`
	TTLVal          time.Duration `yaml:"-"`
	MaxMapSize      int           `yaml:"size,omitempty"`
	Strategy        string        `yaml:"strategy,omitempty"`
}
Move grok_pattern.go away from pkg/types to trim bouncer dependencies (#2269) 2023-06-08 13:07:30 +00:00			`package parser`
initial import 2020-05-15 09:39:16 +00:00
			`import (`
Allow parsers to capture data for future enrichment (#1969) * Allow parsers to capture data in a cache, that can be later accessed via expr helpers (fake multi-line support) 2023-01-11 14:01:02 +00:00			`"time"`

initial import 2020-05-15 09:39:16 +00:00			`"github.com/antonmedv/expr/vm"`
light pkg/parser cleanup (#2279) * pkg/parser: clean up imports * remove duplicate import * simplify boolean expression * don't check length before range * if..else if.. -> switch/case * errors.Wrap -> fmt.Errorf * typo, lint * redundant break 2023-06-13 11:16:13 +00:00
use our fork of grokky (#953) 2021-09-09 12:46:16 +00:00			`"github.com/crowdsecurity/grokky"`
initial import 2020-05-15 09:39:16 +00:00			`)`

Allow parsers to capture data for future enrichment (#1969) * Allow parsers to capture data in a cache, that can be later accessed via expr helpers (fake multi-line support) 2023-01-11 14:01:02 +00:00			`// Used mostly for statics`
initial import 2020-05-15 09:39:16 +00:00			`type ExtraField struct {`
			`//if the target is indicated by name Struct.Field etc,`
			TargetByName string `yaml:"target,omitempty"`
			`//if the target field is in Event map`
			Parsed string `yaml:"parsed,omitempty"`
			`//if the target field is in Meta map`
			Meta string `yaml:"meta,omitempty"`
			`//if the target field is in Enriched map`
			Enriched string `yaml:"enriched,omitempty"`
			`//the source is a static value`
			Value string `yaml:"value,omitempty"`
			`//or the result of an Expression`
			ExpValue string `yaml:"expression,omitempty"`
			RunTimeValue *vm.Program `json:"-"` //the actual compiled filter
			`//or an enrichment method`
			Method string `yaml:"method,omitempty"`
			`}`

			`type GrokPattern struct {`
			`//the field to which regexp is going to apply`
			TargetField string `yaml:"apply_on,omitempty"`
			`//the grok/regexp by name (loaded from patterns/*)`
			RegexpName string `yaml:"name,omitempty"`
			`//a proper grok pattern`
			RegexpValue string `yaml:"pattern,omitempty"`
			`//the runtime form of regexpname / regexpvalue`
Add experimental support for re2 (#2138) 2023-03-28 14:26:47 +00:00			RunTimeRegexp grokky.Pattern `json:"-"` //the actual regexp
add support for 'expression' (fix #822) in grok patterns (#830) * add support for 'expression' (fix #822) in grok patterns * add tests 2021-06-21 07:07:33 +00:00			`//the output of the expression is going to be the source for regexp`
			ExpValue string `yaml:"expression,omitempty"`
			RunTimeValue *vm.Program `json:"-"` //the actual compiled filter
typos (#1453) 2022-04-19 09:25:27 +00:00			`//a grok can contain statics that apply if pattern is successful`
initial import 2020-05-15 09:39:16 +00:00			Statics []ExtraField `yaml:"statics,omitempty"`
			`}`
Allow parsers to capture data for future enrichment (#1969) * Allow parsers to capture data in a cache, that can be later accessed via expr helpers (fake multi-line support) 2023-01-11 14:01:02 +00:00
			`type DataCapture struct {`
			Name string `yaml:"name,omitempty"`
			Key string `yaml:"key,omitempty"`
			KeyExpression *vm.Program `yaml:"-"`
			Value string `yaml:"value,omitempty"`
			ValueExpression *vm.Program `yaml:"-"`
			TTL string `yaml:"ttl,omitempty"`
			TTLVal time.Duration `yaml:"-"`
			MaxMapSize int `yaml:"size,omitempty"`
allow user to specify stash's cache strategy (#2037) 2023-02-06 14:42:55 +00:00			Strategy string `yaml:"strategy,omitempty"`
Allow parsers to capture data for future enrichment (#1969) * Allow parsers to capture data in a cache, that can be later accessed via expr helpers (fake multi-line support) 2023-01-11 14:01:02 +00:00			`}`