rsigma_runtime/input/
json.rs

1//! JSON / NDJSON / GELF input adapter.
2//!
3//! GELF is just JSON with conventions (`version`, `host`, `short_message`,
4//! underscore-prefixed custom fields) — no special parser needed.
5
6use rsigma_eval::JsonEvent;
7
8use super::EventInputDecoded;
9
10/// Parse a line as JSON. Returns `None` on parse failure.
11pub fn parse_json(line: &str) -> Option<EventInputDecoded> {
12    let value: serde_json::Value = serde_json::from_str(line).ok()?;
13    Some(EventInputDecoded::Json(JsonEvent::owned(value)))
14}
15
16#[cfg(test)]
17mod tests {
18    use super::*;
19    use rsigma_eval::Event;
20
21    #[test]
22    fn valid_json_object() {
23        let decoded = parse_json(r#"{"EventID": 1, "host": "web01"}"#).unwrap();
24        assert!(decoded.get_field("EventID").is_some());
25        assert!(decoded.get_field("host").is_some());
26    }
27
28    #[test]
29    fn invalid_json_returns_none() {
30        assert!(parse_json("not json").is_none());
31    }
32
33    #[test]
34    fn gelf_message() {
35        let gelf = r#"{"version":"1.1","host":"example.org","short_message":"A short message","_user_id":"9001"}"#;
36        let decoded = parse_json(gelf).unwrap();
37        assert!(decoded.get_field("version").is_some());
38        assert!(decoded.get_field("_user_id").is_some());
39    }
40
41    #[test]
42    fn empty_string_returns_none() {
43        assert!(parse_json("").is_none());
44    }
45}
rsigma_runtime/input/json.rs

rsigma_runtime/input/
json.rs
