Struct FieldMatch 

pub struct FieldMatch {
    pub field: String,
    pub value: Value,
    pub selection: Option<String>,
    pub matcher: Option<MatcherKind>,
    pub pattern: Option<String>,
    pub case_sensitive: Option<bool>,
    pub negated: bool,
}

A specific field match within a detection.

The field and value keys are always present and preserve the historical wire shape. The remaining keys are populated only when the engine runs above MatchDetailLevel::Off and are skipped on serialization when empty, so the default output is byte-identical to pre-enrichment releases.

Fields

field: String

The field name that matched ("keyword" for keyword matches).

value: Value

The event value that triggered the match (null for absence matches).

selection: Option<String>

The selection (named detection) the match came from.

matcher: Option<MatcherKind>

The matcher kind that fired.

pattern: Option<String>

The pattern the matcher tested against (Full level only, truncated).

case_sensitive: Option<bool>

Whether the match was case-sensitive, when meaningful for the matcher.

negated: bool

Whether the matcher was negated (|not / inverted).

Implementations

impl FieldMatch

pub fn new(field: impl Into<String>, value: Value) -> Self

Construct a bare match with only field and value set, matching the historical (MatchDetailLevel::Off) shape.

Trait Implementations

impl Clone for FieldMatch

fn clone(&self) -> FieldMatch

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for FieldMatch

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for FieldMatch

fn default() -> FieldMatch

Returns the “default value” for a type.

impl Serialize for FieldMatch

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.