Examples with EvaluationContext org.graylog.plugins.pipelineprocessor.EvaluationContext used on opensource projects

Search in sources :

Example 1 with EvaluationContext

use of org.graylog.plugins.pipelineprocessor.EvaluationContext in project graylog2-server by Graylog2.

the class FunctionsSnippetsTest method clonedMessageWithInvalidTimestamp.

@Test
public void clonedMessageWithInvalidTimestamp() {
    final Message message = new Message("test", "test", Tools.nowUTC());
    message.addField("timestamp", "foobar");
    final Rule rule = parser.parseRule(ruleForTest(), false);
    final EvaluationContext context = contextForRuleEval(rule, message);
    final Message origMessage = context.currentMessage();
    final Message clonedMessage = Iterables.get(context.createdMessages(), 0);
    assertThat(origMessage).isNotEqualTo(clonedMessage);
    assertThat(origMessage.getField("timestamp")).isInstanceOf(DateTime.class);
    assertThat(clonedMessage).isNotNull();
    assertThat(clonedMessage.getMessage()).isEqualTo(origMessage.getMessage());
    assertThat(clonedMessage.getSource()).isEqualTo(origMessage.getSource());
    assertThat(clonedMessage.getStreams()).isEqualTo(origMessage.getStreams());
    assertThat(clonedMessage.getTimestamp()).isNotNull();
    assertThat(clonedMessage.getTimestamp()).isEqualTo(origMessage.getTimestamp());
}
Also used : CreateMessage(org.graylog.plugins.pipelineprocessor.functions.messages.CreateMessage) CloneMessage(org.graylog.plugins.pipelineprocessor.functions.messages.CloneMessage) DropMessage(org.graylog.plugins.pipelineprocessor.functions.messages.DropMessage) Message(org.graylog2.plugin.Message) MockitoRule(org.mockito.junit.MockitoRule) Rule(org.graylog.plugins.pipelineprocessor.ast.Rule) EvaluationContext(org.graylog.plugins.pipelineprocessor.EvaluationContext) BaseParserTest(org.graylog.plugins.pipelineprocessor.BaseParserTest) Test(org.junit.Test)

Example 2 with EvaluationContext

use of org.graylog.plugins.pipelineprocessor.EvaluationContext in project graylog2-server by Graylog2.

the class FunctionsSnippetsTest method conversions.

@Test
public void conversions() {
    final Rule rule = parser.parseRule(ruleForTest(), false);
    final EvaluationContext context = contextForRuleEval(rule, new Message("test", "test", Tools.nowUTC()));
    assertThat(context.evaluationErrors()).isEmpty();
    final Message message = context.currentMessage();
    assertNotNull(message);
    assertThat(message.getField("string_1")).isEqualTo("1");
    assertThat(message.getField("string_2")).isEqualTo("2");
    // special case, Message doesn't allow adding fields with empty string values
    assertThat(message.hasField("string_3")).isFalse();
    assertThat(message.getField("string_4")).isEqualTo("default");
    assertThat(message.getField("string_5")).isEqualTo("false");
    assertThat(message.getField("string_6")).isEqualTo("42");
    assertThat(message.getField("string_7")).isEqualTo("23.42");
    assertThat(message.getField("long_1")).isEqualTo(1L);
    assertThat(message.getField("long_2")).isEqualTo(2L);
    assertThat(message.getField("long_3")).isEqualTo(0L);
    assertThat(message.getField("long_4")).isEqualTo(1L);
    assertThat(message.getField("long_5")).isEqualTo(23L);
    assertThat(message.getField("long_6")).isEqualTo(23L);
    assertThat(message.getField("long_7")).isEqualTo(1L);
    assertThat(message.getField("long_min1")).isEqualTo(Long.MIN_VALUE);
    assertThat(message.getField("long_min2")).isEqualTo(1L);
    assertThat(message.getField("long_max1")).isEqualTo(Long.MAX_VALUE);
    assertThat(message.getField("long_max2")).isEqualTo(1L);
    assertThat(message.getField("double_1")).isEqualTo(1d);
    assertThat(message.getField("double_2")).isEqualTo(2d);
    assertThat(message.getField("double_3")).isEqualTo(0d);
    assertThat(message.getField("double_4")).isEqualTo(1d);
    assertThat(message.getField("double_5")).isEqualTo(23d);
    assertThat(message.getField("double_6")).isEqualTo(23d);
    assertThat(message.getField("double_7")).isEqualTo(23.42d);
    assertThat(message.getField("double_min1")).isEqualTo(Double.MIN_VALUE);
    assertThat(message.getField("double_min2")).isEqualTo(0d);
    assertThat(message.getField("double_max1")).isEqualTo(Double.MAX_VALUE);
    assertThat(message.getField("double_inf1")).isEqualTo(Double.POSITIVE_INFINITY);
    assertThat(message.getField("double_inf2")).isEqualTo(Double.NEGATIVE_INFINITY);
    assertThat(message.getField("double_inf3")).isEqualTo(Double.POSITIVE_INFINITY);
    assertThat(message.getField("double_inf4")).isEqualTo(Double.NEGATIVE_INFINITY);
    assertThat(message.getField("bool_1")).isEqualTo(true);
    assertThat(message.getField("bool_2")).isEqualTo(false);
    assertThat(message.getField("bool_3")).isEqualTo(false);
    assertThat(message.getField("bool_4")).isEqualTo(true);
    // the is wrapped in our own class for safety in rules
    assertThat(message.getField("ip_1")).isEqualTo(new IpAddress(InetAddresses.forString("127.0.0.1")));
    assertThat(message.getField("ip_2")).isEqualTo(new IpAddress(InetAddresses.forString("127.0.0.1")));
    assertThat(message.getField("ip_3")).isEqualTo(new IpAddress(InetAddresses.forString("0.0.0.0")));
    assertThat(message.getField("ip_4")).isEqualTo(new IpAddress(InetAddresses.forString("::1")));
    assertThat(message.getField("map_1")).isEqualTo(Collections.singletonMap("foo", "bar"));
    assertThat(message.getField("map_2")).isEqualTo(Collections.emptyMap());
    assertThat(message.getField("map_3")).isEqualTo(Collections.emptyMap());
    assertThat(message.getField("map_4")).isEqualTo(Collections.emptyMap());
    assertThat(message.getField("map_5")).isEqualTo(Collections.emptyMap());
    assertThat(message.getField("map_6")).isEqualTo(Collections.emptyMap());
}
Also used : CreateMessage(org.graylog.plugins.pipelineprocessor.functions.messages.CreateMessage) CloneMessage(org.graylog.plugins.pipelineprocessor.functions.messages.CloneMessage) DropMessage(org.graylog.plugins.pipelineprocessor.functions.messages.DropMessage) Message(org.graylog2.plugin.Message) IpAddress(org.graylog.plugins.pipelineprocessor.functions.ips.IpAddress) MockitoRule(org.mockito.junit.MockitoRule) Rule(org.graylog.plugins.pipelineprocessor.ast.Rule) EvaluationContext(org.graylog.plugins.pipelineprocessor.EvaluationContext) BaseParserTest(org.graylog.plugins.pipelineprocessor.BaseParserTest) Test(org.junit.Test)

Example 3 with EvaluationContext

use of org.graylog.plugins.pipelineprocessor.EvaluationContext in project graylog2-server by Graylog2.

the class FunctionsSnippetsTest method newlyCreatedMessage.

@Test
public void newlyCreatedMessage() {
    final Message message = new Message("test", "test", Tools.nowUTC());
    message.addField("foo", "bar");
    message.addStream(mock(Stream.class));
    final Rule rule = parser.parseRule(ruleForTest(), false);
    final EvaluationContext context = contextForRuleEval(rule, message);
    final Message origMessage = context.currentMessage();
    final Message newMessage = Iterables.getOnlyElement(context.createdMessages());
    assertThat(origMessage).isNotSameAs(newMessage);
    assertThat(newMessage.getMessage()).isEqualTo("new");
    assertThat(newMessage.getSource()).isEqualTo("synthetic");
    assertThat(newMessage.getStreams()).isEmpty();
    assertThat(newMessage.hasField("removed_again")).isFalse();
    assertThat(newMessage.getFieldAs(Boolean.class, "has_source")).isTrue();
    assertThat(newMessage.getFieldAs(String.class, "only_in")).isEqualTo("new message");
    assertThat(newMessage.getFieldAs(String.class, "multi")).isEqualTo("new message");
    assertThat(newMessage.getFieldAs(String.class, "foo")).isNull();
}
Also used : CreateMessage(org.graylog.plugins.pipelineprocessor.functions.messages.CreateMessage) CloneMessage(org.graylog.plugins.pipelineprocessor.functions.messages.CloneMessage) DropMessage(org.graylog.plugins.pipelineprocessor.functions.messages.DropMessage) Message(org.graylog2.plugin.Message) RouteToStream(org.graylog.plugins.pipelineprocessor.functions.messages.RouteToStream) Stream(org.graylog2.plugin.streams.Stream) RemoveFromStream(org.graylog.plugins.pipelineprocessor.functions.messages.RemoveFromStream) MockitoRule(org.mockito.junit.MockitoRule) Rule(org.graylog.plugins.pipelineprocessor.ast.Rule) EvaluationContext(org.graylog.plugins.pipelineprocessor.EvaluationContext) BaseParserTest(org.graylog.plugins.pipelineprocessor.BaseParserTest) Test(org.junit.Test)

Example 4 with EvaluationContext

use of org.graylog.plugins.pipelineprocessor.EvaluationContext in project graylog2-server by Graylog2.

the class Join method evaluate.

@Override
public String evaluate(FunctionArgs args, EvaluationContext context) {
    final List elements = elementsParam.optional(args, context).orElse(Collections.emptyList());
    final int length = elements.size();
    final String delimiter = delimiterParam.required(args, context);
    final int startIndex = startIndexParam.optional(args, context).filter(idx -> idx >= 0).orElse(0);
    final int endIndex = endIndexParam.optional(args, context).filter(idx -> idx >= 0).orElse(length);
    return StringUtils.join(elements.subList(startIndex, endIndex), delimiter);
}
Also used : FunctionArgs(org.graylog.plugins.pipelineprocessor.ast.functions.FunctionArgs) FunctionDescriptor(org.graylog.plugins.pipelineprocessor.ast.functions.FunctionDescriptor) List(java.util.List) AbstractFunction(org.graylog.plugins.pipelineprocessor.ast.functions.AbstractFunction) ImmutableList(com.google.common.collect.ImmutableList) ParameterDescriptor(org.graylog.plugins.pipelineprocessor.ast.functions.ParameterDescriptor) Collection(java.util.Collection) TypeToken(com.google.common.reflect.TypeToken) Ints(com.google.common.primitives.Ints) StringUtils(org.apache.commons.lang3.StringUtils) Collections(java.util.Collections) EvaluationContext(org.graylog.plugins.pipelineprocessor.EvaluationContext) List(java.util.List) ImmutableList(com.google.common.collect.ImmutableList)

Example 5 with EvaluationContext

use of org.graylog.plugins.pipelineprocessor.EvaluationContext in project graylog2-server by Graylog2.

the class CEFParserFunctionTest method evaluate_returns_result_for_valid_CEF_string.

@Test
public void evaluate_returns_result_for_valid_CEF_string() throws Exception {
    final Map<String, Expression> arguments = ImmutableMap.of(CEFParserFunction.VALUE, new StringExpression(new CommonToken(0), "CEF:0|vendor|product|1.0|id|name|low|dvc=example.com msg=Foobar"), CEFParserFunction.USE_FULL_NAMES, new BooleanExpression(new CommonToken(0), false));
    final FunctionArgs functionArgs = new FunctionArgs(function, arguments);
    final Message message = new Message("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z"));
    final EvaluationContext evaluationContext = new EvaluationContext(message);
    final CEFParserResult result = function.evaluate(functionArgs, evaluationContext);
    assertNotNull(result);
    assertEquals(0, result.get("cef_version"));
    assertEquals("vendor", result.get("device_vendor"));
    assertEquals("product", result.get("device_product"));
    assertEquals("1.0", result.get("device_version"));
    assertEquals("id", result.get("device_event_class_id"));
    assertEquals("low", result.get("severity"));
    assertEquals("example.com", result.get("dvc"));
    assertEquals("Foobar", result.get("msg"));
}
Also used : BooleanExpression(org.graylog.plugins.pipelineprocessor.ast.expressions.BooleanExpression) Message(org.graylog2.plugin.Message) BooleanExpression(org.graylog.plugins.pipelineprocessor.ast.expressions.BooleanExpression) StringExpression(org.graylog.plugins.pipelineprocessor.ast.expressions.StringExpression) Expression(org.graylog.plugins.pipelineprocessor.ast.expressions.Expression) StringExpression(org.graylog.plugins.pipelineprocessor.ast.expressions.StringExpression) FunctionArgs(org.graylog.plugins.pipelineprocessor.ast.functions.FunctionArgs) EvaluationContext(org.graylog.plugins.pipelineprocessor.EvaluationContext) CommonToken(org.antlr.v4.runtime.CommonToken) Test(org.junit.Test)

Aggregations

EvaluationContext (org.graylog.plugins.pipelineprocessor.EvaluationContext)17 Message (org.graylog2.plugin.Message)15 Test (org.junit.Test)15 Rule (org.graylog.plugins.pipelineprocessor.ast.Rule)9 BaseParserTest (org.graylog.plugins.pipelineprocessor.BaseParserTest)8 FunctionArgs (org.graylog.plugins.pipelineprocessor.ast.functions.FunctionArgs)8 CloneMessage (org.graylog.plugins.pipelineprocessor.functions.messages.CloneMessage)8 CreateMessage (org.graylog.plugins.pipelineprocessor.functions.messages.CreateMessage)8 DropMessage (org.graylog.plugins.pipelineprocessor.functions.messages.DropMessage)8 MockitoRule (org.mockito.junit.MockitoRule)8 CommonToken (org.antlr.v4.runtime.CommonToken)6 BooleanExpression (org.graylog.plugins.pipelineprocessor.ast.expressions.BooleanExpression)6 Expression (org.graylog.plugins.pipelineprocessor.ast.expressions.Expression)6 StringExpression (org.graylog.plugins.pipelineprocessor.ast.expressions.StringExpression)6 RemoveFromStream (org.graylog.plugins.pipelineprocessor.functions.messages.RemoveFromStream)2 RouteToStream (org.graylog.plugins.pipelineprocessor.functions.messages.RouteToStream)2 Stream (org.graylog2.plugin.streams.Stream)2 MetricRegistry (com.codahale.metrics.MetricRegistry)1 ImmutableList (com.google.common.collect.ImmutableList)1 Ints (com.google.common.primitives.Ints)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial