/**
 * A CEF line whose extension block carries no {@code msg=} key must parse into
 * the seven header fields plus that single extension, and the parser must NOT
 * synthesize a {@code message} entry for it.
 *
 * Runs with {@code USE_FULL_NAMES=false}, so the extension is reported under its
 * short CEF key ({@code dvc}); the full-names test covers the long-form key.
 */
@Test
public void evaluate_returns_result_without_message_field() throws Exception {
    // Well-formed CEF:0 header (7 pipe-separated fields) followed by one extension.
    final String cefLine = "CEF:0|vendor|product|1.0|id|name|low|dvc=example.com";
    final Expression valueArg = new StringExpression(new CommonToken(0), cefLine);
    final Expression useFullNamesArg = new BooleanExpression(new CommonToken(0), false);
    final Map<String, Expression> arguments = ImmutableMap.of(
            CEFParserFunction.VALUE, valueArg,
            CEFParserFunction.USE_FULL_NAMES, useFullNamesArg);

    // The message is only a placeholder context: the CEF text comes from the VALUE
    // argument above, not from the message body (which is "__dummy").
    final Message dummy = new Message("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z"));
    final CEFParserResult result = function.evaluate(
            new FunctionArgs(function, arguments), new EvaluationContext(dummy));

    assertNotNull(result);
    // Header fields, in CEF order.
    assertEquals(0, result.get("cef_version"));
    assertEquals("vendor", result.get("device_vendor"));
    assertEquals("product", result.get("device_product"));
    assertEquals("1.0", result.get("device_version"));
    assertEquals("id", result.get("device_event_class_id"));
    assertEquals("low", result.get("severity"));
    // Extension under its short name, and no message key was invented.
    assertEquals("example.com", result.get("dvc"));
    assertFalse(result.containsKey("message"));
}
/**
 * With {@code USE_FULL_NAMES=true} a valid CEF line must expose extension keys
 * under their long CEF names: {@code dvc} becomes {@code deviceAddress} and
 * {@code msg} becomes {@code message}. The header fields keep the same keys as
 * in the short-name test.
 */
@Test
public void evaluate_returns_result_for_valid_CEF_string_with_full_names() throws Exception {
    // NOTE(review): the sibling tests use a class-level `function` fixture; this
    // local instance looks redundant with it — confirm before consolidating.
    final CEFParserFunction function = new CEFParserFunction(new MetricRegistry());

    // Same header as the short-name test, plus a msg= extension.
    final String cefLine = "CEF:0|vendor|product|1.0|id|name|low|dvc=example.com msg=Foobar";
    final Map<String, Expression> arguments = ImmutableMap.of(
            CEFParserFunction.VALUE, new StringExpression(new CommonToken(0), cefLine),
            CEFParserFunction.USE_FULL_NAMES, new BooleanExpression(new CommonToken(0), true));

    // Placeholder message; the CEF text is taken from the VALUE argument, not from it.
    final Message dummy = new Message("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z"));
    final EvaluationContext context = new EvaluationContext(dummy);
    final CEFParserResult result = function.evaluate(new FunctionArgs(function, arguments), context);

    assertNotNull(result);
    // Header fields, in CEF order.
    assertEquals(0, result.get("cef_version"));
    assertEquals("vendor", result.get("device_vendor"));
    assertEquals("product", result.get("device_product"));
    assertEquals("1.0", result.get("device_version"));
    assertEquals("id", result.get("device_event_class_id"));
    assertEquals("low", result.get("severity"));
    // Extensions under their long names.
    assertEquals("example.com", result.get("deviceAddress"));
    assertEquals("Foobar", result.get("message"));
}
/**
 * An empty VALUE string must make the function return {@code null} rather than
 * a result object or an exception.
 *
 * Only VALUE is supplied; {@code USE_FULL_NAMES} is omitted, so this also
 * exercises whatever default the function applies when that argument is absent.
 *
 * TODO(review): this is the only non-happy-path case here; consider companion
 * tests for a truncated header (fewer than 7 pipe fields) and for a line that
 * does not start with {@code CEF:}, to pin down that malformed input yields
 * {@code null} rather than an exception.
 */
@Test
public void evaluate_returns_null_for_empty_CEF_string() throws Exception {
    final Expression emptyValue = new StringExpression(new CommonToken(0), "");
    final Map<String, Expression> arguments =
            Collections.singletonMap(CEFParserFunction.VALUE, emptyValue);
    final FunctionArgs args = new FunctionArgs(function, arguments);

    // Placeholder message; the (empty) CEF text is taken from the VALUE argument.
    final Message dummy = new Message("__dummy", "__dummy", DateTime.parse("2010-07-30T16:03:25Z"));
    final CEFParserResult result = function.evaluate(args, new EvaluationContext(dummy));

    assertNull(result);
}