
rsigma_runtime/input/
plain.rs

1//! Plain text input adapter.
2//!
3//! One event per line. Only keyword matching works against plain events
4//! (`get_field` always returns `None`).
5
6use rsigma_eval::PlainEvent;
7
8use super::EventInputDecoded;
9
/// Decode one line of plain text input into an [`EventInputDecoded::Plain`] event.
///
/// The line is copied verbatim into an owned `String`; nothing here trims,
/// splits or otherwise parses it.
///
/// Per the module documentation, `get_field` always returns `None` for plain
/// events, so only keyword matching applies. Detections that rely on named
/// fields presumably need a structured input format instead; confirm against
/// the rule set before routing a source through this adapter.
pub fn parse_plain(line: &str) -> EventInputDecoded {
    let owned = String::from(line);
    let event = PlainEvent::new(owned);
    EventInputDecoded::Plain(event)
}
14
#[cfg(test)]
mod tests {
    use super::*;
    use rsigma_eval::Event;

    /// A substring of the raw line is visible to string-value (keyword) matching.
    #[test]
    fn plain_keyword_match() {
        let event = parse_plain("ERROR: disk full on /dev/sda1");
        let has_keyword = event.any_string_value(&|text| text.contains("disk full"));
        assert!(has_keyword);
    }

    /// Field lookups on a plain event yield nothing: the line is not split into fields.
    #[test]
    fn plain_no_fields() {
        let event = parse_plain("some log line");
        let lookup = event.get_field("anything");
        assert!(lookup.is_none());
    }
}