Struct JsonEvent 

pub struct JsonEvent<'a> { /* private fields */ }

Zero-copy event backed by serde_json::Value.

Supports both borrowed (&Value) and owned (Value) backing via Cow. This is the primary implementation for JSON/NDJSON input.

Flat keys are checked first: "actor.id" as a single key takes precedence over {"actor": {"id": ...}} nested traversal.

Implementations

impl<'a> JsonEvent<'a>

pub fn borrow(v: &'a Value) -> Self

Wrap a borrowed JSON value as an event.

pub fn owned(v: Value) -> Self

Wrap an owned JSON value as an event.

Trait Implementations

impl<'a> Debug for JsonEvent<'a>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'a> Event for JsonEvent<'a>

fn get_field(&self, path: &str) -> Option<EventValue<'_>>

Get a field value by name, supporting dot-notation for nested access.

Checks for a flat key first (exact match), then falls back to dot-separated traversal. When a path segment crosses an array, every element is followed and all terminal values are collected: a single hit is returned as-is, multiple hits are returned as an EventValue::Array so the matcher applies any-member semantics (rather than only testing the first element).

fn any_string_value(&self, pred: &dyn Fn(&str) -> bool) -> bool

Check if any string value in the event satisfies a predicate.

Short-circuits on the first match, avoiding the allocation of collecting all string values into a Vec.

fn all_string_values(&self) -> Vec<Cow<'_, str>>

Iterate over all string values in the event (for keyword detection).

Recursively walks the entire event object and yields every string value found, including inside nested objects and arrays. Traversal is capped at 64 levels of nesting to prevent stack overflow.

fn field_keys(&self) -> Vec<Cow<'_, str>>

Walk every leaf field in the event and yield dot-joined paths. Intermediate object names (actor for {"actor":{"id":"x"}}) are NOT emitted; only the leaves (actor.id) appear. This matches typical Sigma rules, which reference nested values via dot-notation; emitting the intermediate name would falsely flag every parent object as “unknown” in the gap signal even when the rule references a child path. Top-level scalar fields ({"actor":"alice"}) emit actor because they ARE leaves. Arrays contribute their parent path once; per-index suffixes are not emitted.

fn to_json(&self) -> Value

Materialize the event as a serde_json::Value.

impl<'a> From<&'a Value> for JsonEvent<'a>

fn from(v: &'a Value) -> Self

Converts to this type from the input type.

impl From<Value> for JsonEvent<'static>

fn from(v: Value) -> Self

Converts to this type from the input type.