filter

package
v1.10.0

This package is not in the latest version of its module.

Published: Mar 31, 2023 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation


Constants

This section is empty.

Variables

var (
	// ErrInvalidFilter wraps a rule parsing error with the rule name and the group it belongs to
	ErrInvalidFilter = func(rule, group string, err error) error {
		return fmt.Errorf("syntax error in rule %q located in %q group: \n%v", rule, group, err)
	}
)
var (
	// ErrNoFields signals an error that happens when the filter is declared without any fields
	ErrNoFields = errors.New("expected at least one field or operator but zero found")
)
var (
	// ErrPsNil indicates the process state associated with the event is not initialized
	ErrPsNil = errors.New("process state is nil")
)

Functions

func InitFuncs added in v1.8.0

func InitFuncs(funcMap template.FuncMap)

InitFuncs assigns late-bound functions to the func map.

func InterpolateFields added in v1.8.0

func InterpolateFields(s string, evts []*kevent.Kevent) string

InterpolateFields replaces all occurrences of field modifiers in the given string with values extracted from the events. A field modifier may carry a leading ordinal that refers to the event at a particular sequence stage. Otherwise, the modifier is a well-known field name prefixed with the `%` symbol.
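A stand-alone sketch of the substitution described above, added here as an example; it is not the package's own code. The `Event` map (a stand-in for `*kevent.Kevent`), the `Interpolate` name, the `%N.field` syntax with 1-based ordinals, reading ordinal-less modifiers from the first event, and leaving unresolved modifiers untouched are all assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Event is a hypothetical stand-in for *kevent.Kevent: field name -> value.
type Event map[string]string

// modifier matches %field or %N.field (assumed syntax), e.g. %ps.name, %2.file.name.
var modifier = regexp.MustCompile(`%(?:([0-9]+)\.)?([a-z_]+(?:\.[a-z_]+)*)`)

// Interpolate expands field modifiers in s with values from evts.
// Modifiers that cannot be resolved (unknown field, ordinal out of range)
// are left as written, so a broken template shows up in the alert text
// instead of being silently blanked.
func Interpolate(s string, evts []Event) string {
	// ReplaceAllStringFunc inserts the returned value literally, so event
	// data containing `$1` or backslashes is never re-expanded.
	return modifier.ReplaceAllStringFunc(s, func(m string) string {
		sub := modifier.FindStringSubmatch(m)
		idx := 0 // assumption: no ordinal means the first event
		if sub[1] != "" {
			n, err := strconv.Atoi(sub[1])
			if err != nil || n < 1 {
				return m
			}
			idx = n - 1
		}
		if idx >= len(evts) {
			return m
		}
		if v, ok := evts[idx][sub[2]]; ok {
			return v
		}
		return m
	})
}

func main() {
	// Constructed sample events for a two-stage sequence.
	evts := []Event{
		{"ps.name": "winword.exe", "ps.pid": "4120"},
		{"ps.name": "powershell.exe", "file.name": `C:\Users\Public\a.ps1`},
	}
	fmt.Println(Interpolate("%1.ps.name spawned %2.ps.name reading %2.file.name", evts))
	fmt.Println(Interpolate("pid=%ps.pid missing=%3.ps.name", evts))
}
```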

func NewFuncMap added in v1.8.0

func NewFuncMap() template.FuncMap

NewFuncMap returns the template func map populated with some useful template functions that can be used in rule actions.

Types

type Filter

type Filter interface {
	// Compile compiles the filter by parsing the sequence/expression.
	Compile() error
	// Run runs a filter with a single expression. The return value decides
	// if the incoming event has successfully matched the filter expression.
	Run(kevt *kevent.Kevent) bool
	// RunSequence runs a filter with sequence expressions. Sequence rules depend
	// on the state machine transitions and partial matches to decide whether the
	// rule is fired.
	RunSequence(kevt *kevent.Kevent, seqID uint16, partials map[uint16][]*kevent.Kevent) bool
	// GetStringFields returns field names mapped to their string values.
	GetStringFields() map[fields.Field][]string
	// GetFields returns all fields used in the filter expression.
	GetFields() []fields.Field
	// GetSequence returns the sequence descriptor or nil if this filter is not a sequence.
	GetSequence() *ql.Sequence
	// IsSequence determines if this filter is a sequence.
	IsSequence() bool
}

Filter is the main interface for filter engine implementors. A filter is either a single expression composed of subexpressions connected by operators, or a sequence of expressions.

type Rules added in v1.4.0

type Rules struct {
	// contains filtered or unexported fields
}

Rules stores the compiled filter groups. For each incoming event, it applies the corresponding filtering policies, dropping the event or passing it accordingly. If the filter rule has an action, the action is executed when the rule fires.

func NewRules added in v1.4.0

func NewRules(psnap ps.Snapshotter, c *config.Config) Rules

NewRules produces a fresh rules instance.

func (*Rules) Compile added in v1.4.0

func (r *Rules) Compile() error

Compile loads macros and rule groups from all indicated resources and creates the rules for each filter group. It also sets up the state machine transitions for sequence rule group policies.

func (*Rules) Fire added in v1.4.0

func (r *Rules) Fire(kevt *kevent.Kevent) bool

Directories

Path Synopsis
ql
