crowdsec/pkg/parser/tests/base-tree/base-grok.yaml

#Here we are testing the trees within the node
filter: "evt.Line.Labels.type == 'type1'"
debug: true
name: tests/base-grok-root
pattern_syntax:
  MYCAP4: ".*"
grok:
  pattern: ^xxheader %{MYCAP4:extracted_value} trailing stuff$
  apply_on: Line.Raw
statics:
  - meta: state
    value: root-done
  - meta: state_sub
    expression: evt.Parsed.extracted_value
---
filter: "evt.Line.Labels.type == 'type1' && evt.Meta.state == 'root-done'"
debug: true
onsuccess: next_stage
name: tests/base-grok-leafs
#the sub-nodes will process the result of the master node
nodes:
  - filter: "evt.Parsed.extracted_value == 'VALUE1'"
    debug: true
    statics:
      - meta: final_state
        value: leaf1
  - filter: "evt.Parsed.extracted_value == 'VALUE2'"
    debug: true
    statics:
      - meta: final_state
        value: leaf2
initial import 2020-05-15 09:39:16 +00:00			`#Here we are testing the trees within the node`
			`filter: "evt.Line.Labels.type == 'type1'"`
			`debug: true`
			`name: tests/base-grok-root`
			`pattern_syntax:`
unique pattern names 2020-05-24 10:44:33 +00:00			`MYCAP4: ".*"`
initial import 2020-05-15 09:39:16 +00:00			`grok:`
unique pattern names 2020-05-24 10:44:33 +00:00			`pattern: ^xxheader %{MYCAP4:extracted_value} trailing stuff$`
initial import 2020-05-15 09:39:16 +00:00			`apply_on: Line.Raw`
			`statics:`
			`- meta: state`
			`value: root-done`
			`- meta: state_sub`
			`expression: evt.Parsed.extracted_value`
			`---`
			`filter: "evt.Line.Labels.type == 'type1' && evt.Meta.state == 'root-done'"`
			`debug: true`
			`onsuccess: next_stage`
			`name: tests/base-grok-leafs`
			`#the sub-nodes will process the result of the master node`
			`nodes:`
			`- filter: "evt.Parsed.extracted_value == 'VALUE1'"`
			`debug: true`
			`statics:`
			`- meta: final_state`
			`value: leaf1`
			`- filter: "evt.Parsed.extracted_value == 'VALUE2'"`
			`debug: true`
			`statics:`
			`- meta: final_state`
			`value: leaf2`