Struct RuleFieldSet 

pub struct RuleFieldSet { /* private fields */ }

Set of field names referenced by a loaded SigmaCollection, optionally after applying processing pipelines.

Built via RuleFieldSet::collect and queried via contains, iter, and len. Cheap to clone for sharing across threads behind an Arc.

Implementations

impl RuleFieldSet

pub fn collect(collection: &SigmaCollection, pipelines: &[Pipeline], include_filters: bool) -> Self

Walk a rule collection (and any pipelines) and return the resulting field set. When pipelines is non-empty, each rule is cloned and transformed before its fields are collected so the recorded names match what the engine evaluates against. Rules whose pipeline application fails fall back to the untransformed names so the set stays observable even when a pipeline misfires on one rule.

include_filters controls whether filter-rule detection blocks contribute to the set; mirrors the existing --no-filters flag on rsigma rule fields.
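
The fallback and filter behaviour described for collect, as a std-only model added here (not rsigma's code). Rule, the Pipeline function type, ecs_mapping and the sample rules are constructed stand-ins, and a pipeline that fails on an unmapped field is an assumption.

```rust
use std::collections::BTreeSet;

// Constructed stand-ins for illustration; these are NOT rsigma's types.
struct Rule { fields: Vec<&'static str>, is_filter: bool }
type Pipeline = fn(&str) -> Result<String, String>;

// Hypothetical field mapping that errors on a name it does not know (assumption).
fn ecs_mapping(field: &str) -> Result<String, String> {
    match field {
        "CommandLine" => Ok("process.command_line".to_string()),
        "Image" => Ok("process.executable".to_string()),
        "User" => Ok("user.name".to_string()),
        other => Err(format!("no mapping for {}", other)),
    }
}

fn collect_fields(rules: &[Rule], pipelines: &[Pipeline], include_filters: bool) -> BTreeSet<String> {
    let mut set = BTreeSet::new();
    for rule in rules {
        if rule.is_filter && !include_filters {
            continue; // filter rules contribute only when asked for
        }
        // Transform a copy of the names; one failure rejects the whole rule's transform.
        let transformed: Result<Vec<String>, String> = rule.fields.iter()
            .map(|f| pipelines.iter().try_fold(f.to_string(), |name, p| p(name.as_str())))
            .collect();
        match transformed {
            Ok(names) => set.extend(names),
            // Fallback: record the untransformed names so the rule stays visible.
            Err(_) => set.extend(rule.fields.iter().map(|f| f.to_string())),
        }
    }
    set
}

fn sample_rules() -> Vec<Rule> {
    vec![
        Rule { fields: vec!["CommandLine", "Image"], is_filter: false },
        Rule { fields: vec!["Image", "ParentImage"], is_filter: false }, // ParentImage is unmapped
        Rule { fields: vec!["User"], is_filter: true },
    ]
}

fn main() {
    let set = collect_fields(&sample_rules(), &[ecs_mapping as Pipeline], true);
    for name in &set {
        println!("{}", name); // sorted; mixes mapped and raw names after the misfire
    }
}
```

In this model, a set that holds both Image and process.executable is the visible sign that the pipeline failed on at least one rule.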

pub fn contains(&self, field: &str) -> bool

True if any rule references this field name.

pub fn origin(&self, field: &str) -> Option<&FieldOrigin>

Look up provenance for a single field name.

pub fn iter(&self) -> impl Iterator<Item = (&str, &FieldOrigin)>

Iterate field names and their provenance in sorted order.

pub fn names(&self) -> impl Iterator<Item = &str>

Iterate just the field names in sorted order.

pub fn len(&self) -> usize

Number of distinct fields in the set.

pub fn is_empty(&self) -> bool

True when no fields were collected.

Trait Implementations

impl Clone for RuleFieldSet

fn clone(&self) -> RuleFieldSet

Returns a duplicate of the value.

1.0.0 (const: unstable)

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for RuleFieldSet

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for RuleFieldSet

fn default() -> RuleFieldSet

Returns the “default value” for a type.

impl PartialEq for RuleFieldSet

fn eq(&self, other: &RuleFieldSet) -> bool

Tests for self and other values to be equal, and is used by ==.

1.0.0 (const: unstable)

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for RuleFieldSet

impl StructuralPartialEq for RuleFieldSet

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬 This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.