Skip to main content

rsigma_eval/event/
kv.rs

1use std::borrow::Cow;
2
3use serde_json::Value;
4
5use super::{Event, EventValue};
6
7/// Flat key-value event (e.g., from logfmt, syslog structured data).
8///
9/// No nested access (no dot-notation traversal), no arrays.
10/// All values are strings.
11#[derive(Debug, Clone)]
12pub struct KvEvent {
13    fields: Vec<(String, String)>,
14}
15
16impl KvEvent {
17    pub fn new(fields: Vec<(String, String)>) -> Self {
18        Self { fields }
19    }
20
21    pub fn fields(&self) -> &[(String, String)] {
22        &self.fields
23    }
24}
25
26impl Event for KvEvent {
27    fn get_field(&self, path: &str) -> Option<EventValue<'_>> {
28        self.fields
29            .iter()
30            .find(|(k, _)| k == path)
31            .map(|(_, v)| EventValue::Str(Cow::Borrowed(v.as_str())))
32    }
33
34    fn any_string_value(&self, pred: &dyn Fn(&str) -> bool) -> bool {
35        self.fields.iter().any(|(_, v)| pred(v.as_str()))
36    }
37
38    fn all_string_values(&self) -> Vec<Cow<'_, str>> {
39        self.fields
40            .iter()
41            .map(|(_, v)| Cow::Borrowed(v.as_str()))
42            .collect()
43    }
44
45    fn to_json(&self) -> Value {
46        let map: serde_json::Map<String, Value> = self
47            .fields
48            .iter()
49            .map(|(k, v)| (k.clone(), Value::String(v.clone())))
50            .collect();
51        Value::Object(map)
52    }
53
54    fn field_keys(&self) -> Vec<Cow<'_, str>> {
55        self.fields
56            .iter()
57            .map(|(k, _)| Cow::Borrowed(k.as_str()))
58            .collect()
59    }
60}
61
62#[cfg(test)]
63mod tests {
64    use super::*;
65    use serde_json::json;
66
67    #[test]
68    fn kv_get_field() {
69        let event = KvEvent::new(vec![
70            ("host".into(), "web01".into()),
71            ("status".into(), "200".into()),
72        ]);
73        assert_eq!(
74            event.get_field("host"),
75            Some(EventValue::Str(Cow::Borrowed("web01")))
76        );
77        assert_eq!(event.get_field("missing"), None);
78    }
79
80    #[test]
81    fn kv_all_string_values() {
82        let event = KvEvent::new(vec![("a".into(), "one".into()), ("b".into(), "two".into())]);
83        let vals = event.all_string_values();
84        assert_eq!(vals.len(), 2);
85    }
86
87    #[test]
88    fn kv_to_json() {
89        let event = KvEvent::new(vec![("key".into(), "val".into())]);
90        let j = event.to_json();
91        assert_eq!(j, json!({"key": "val"}));
92    }
93
94    #[test]
95    fn kv_field_keys() {
96        let event = KvEvent::new(vec![
97            ("host".into(), "web01".into()),
98            ("status".into(), "200".into()),
99        ]);
100        let keys: Vec<String> = event.field_keys().iter().map(|c| c.to_string()).collect();
101        assert_eq!(keys, vec!["host", "status"]);
102    }
103}