Skip to main content

CompiledMatcher

rsigma_eval::matcher

Enum CompiledMatcher 

Source 
pub enum CompiledMatcher {

Show 23 variants    Exact {
        value: String,
        case_insensitive: bool,
    },
    Contains {
        value: String,
        case_insensitive: bool,
    },
    StartsWith {
        value: String,
        case_insensitive: bool,
    },
    EndsWith {
        value: String,
        case_insensitive: bool,
    },
    Regex(Regex),
    AhoCorasickSet {
        automaton: AhoCorasick,
        case_insensitive: bool,
        needles: Vec<String>,
    },
    RegexSetMatch {
        set: RegexSet,
        mode: GroupMode,
    },
    Cidr(IpNet),
    NumericEq(f64),
    NumericGt(f64),
    NumericGte(f64),
    NumericLt(f64),
    NumericLte(f64),
    Exists(bool),
    FieldRef {
        field: String,
        case_insensitive: bool,
    },
    Null,
    BoolEq(bool),
    Expand {
        template: Vec<ExpandPart>,
        case_insensitive: bool,
    },
    TimestampPart {
        part: TimePart,
        inner: Box<CompiledMatcher>,
    },
    Not(Box<CompiledMatcher>),
    AnyOf(Vec<CompiledMatcher>),
    AllOf(Vec<CompiledMatcher>),
    CaseInsensitiveGroup {
        children: Vec<CompiledMatcher>,
        mode: GroupMode,
    },

}
Expand description

A pre-compiled matcher for a single value comparison.

All string matchers store their values in the form needed for comparison (Unicode-lowercased for case-insensitive). The case_insensitive flag controls whether the input is lowercased before comparison.

Variants§

§

Exact

Exact string equality.

Fields

§value: String
§case_insensitive: bool
§

Contains

Substring containment.

Fields

§value: String
§case_insensitive: bool
§

StartsWith

String starts with prefix.

Fields

§value: String
§case_insensitive: bool
§

EndsWith

String ends with suffix.

Fields

§value: String
§case_insensitive: bool
§

Regex(Regex)

Compiled regex pattern (flags baked in at compile time).

§

AhoCorasickSet

Multi-pattern substring match via Aho-Corasick automaton.

Built by the optimizer when an AnyOf group contains AHO_CORASICK_THRESHOLD or more plain Contains matchers with the same case sensitivity. Replaces the sequential O(N * haystack_len) scan of AnyOf([Contains, ...]) with a single linear pass.

Invariant: this variant only encodes AnyOf (OR) semantics. AllOf(Contains) (|all modifier) MUST NOT be collapsed into this variant - the optimizer enforces this.

Case insensitivity: when case_insensitive is true, needles are stored pre-lowered (matching the Contains invariant) and the hot path lowers the haystack via ascii_lowercase_cow before searching. The AhoCorasick automaton itself is built case-sensitively.

Fields

§automaton: AhoCorasick
§case_insensitive: bool
§needles: Vec<String>

Pre-lowered needles in the same order they were fed to AhoCorasick::new. Retained so downstream consumers (e.g. the engine’s per-field bloom builder) can recover the pattern set without parsing the automaton’s internal state.

§

RegexSetMatch

Multi-pattern regex match via regex::RegexSet.

Built by the optimizer when an AnyOf group contains REGEX_SET_THRESHOLD or more individual Regex matchers. Compiles every pattern into a single combined DFA so one traversal of the haystack tests all patterns at once.

Pattern reconstruction: the optimizer rebuilds the set from each matcher’s Regex::as_str, which preserves any inline flags the compiler inlined (e.g. (?i), (?ims)). This relies on the eval crate’s regex builder always inlining flags into the pattern string rather than configuring them via RegexBuilder. A unit test guards against future drift in that contract.

Fields

§set: RegexSet
§mode: GroupMode
§

Cidr(IpNet)

CIDR network match for IP addresses.

§

NumericEq(f64)

Numeric equality.

§

NumericGt(f64)

Numeric greater-than.

§

NumericGte(f64)

Numeric greater-than-or-equal.

§

NumericLt(f64)

Numeric less-than.

§

NumericLte(f64)

Numeric less-than-or-equal.

§

Exists(bool)

Field existence check. true = field must exist, false = must not exist.

§

FieldRef

Compare against another field’s value.

Fields

§field: String
§case_insensitive: bool
§

Null

Match null / missing values.

§

BoolEq(bool)

Boolean equality.

§

Expand

Placeholder expansion: %fieldname% is resolved from the event at match time.

Fields

§template: Vec<ExpandPart>
§case_insensitive: bool
§

TimestampPart

Extract a time component from a timestamp field value and match it.

Fields

§part: TimePart
§inner: Box<CompiledMatcher>
§

Not(Box<CompiledMatcher>)

Negated matcher: matches if the inner matcher does NOT match.

§

AnyOf(Vec<CompiledMatcher>)

Match if ANY child matches (OR).

§

AllOf(Vec<CompiledMatcher>)

Match if ALL children match (AND).

§

CaseInsensitiveGroup

A composite of case-insensitive string matchers that lowers the haystack once before dispatching to children.

Built by the optimizer when an AnyOf or AllOf group is composed entirely of case-insensitive string matchers (Contains, StartsWith, EndsWith, Exact, AhoCorasickSet, plus regexes that carry the (?i) flag, plus Not / nested AnyOf / AllOf whose every leaf satisfies these rules).

Invariant: every child must be pre-lowerable. The optimizer’s is_pre_lowerable validator enforces this; matches_pre_lowered debug_assert!s on violation.

Why this exists: a mixed AnyOf([Contains, StartsWith, EndsWith]) previously called s.to_lowercase() once per child. Pre-lowering the haystack a single time and dispatching to a CI-aware match path eliminates the redundant allocations.

Fields

§children: Vec<CompiledMatcher>
§mode: GroupMode

Implementations§

Source§

impl CompiledMatcher

Source

pub fn matches(&self, value: &EventValue<'_>, event: &impl Event) -> bool

Check if this matcher matches an EventValue from an event.

The event parameter is needed for FieldRef to access other fields.

Source§

impl CompiledMatcher

Source

pub fn matches_keyword(&self, event: &impl Event) -> bool

Check if this matcher matches any string value in the event. Used for keyword detection (field-less matching).

Avoids allocating a Vec of all strings and a String per value by using matches_str with a short-circuiting traversal.

Trait Implementations§

Source§

impl Clone for CompiledMatcher

Source§

fn clone(&self) -> CompiledMatcher

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for CompiledMatcher

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.