pub enum Selector {
    Rule,
    Level,
    Event(Vec<String>),
    Match(String),
    Enrichment(Vec<String>),
    CorrelationGroupKey(String),
}

A parsed field selector over the EvaluationResult namespace.
Variants§
Rule
rule: the rule id, falling back to the rule title.
Level
level: the severity, lowercased.
Event(Vec<String>)
event.<path>: a dotted path into the retained event JSON.
Match(String)
match.<field>: a matched field value (detection only).
Enrichment(Vec<String>)
enrichment.<path>: a dotted path into header.enrichments.
CorrelationGroupKey(String)
correlation.group_key.<field>: a group-by value (correlation only).
Implementations§
impl Selector

pub fn parse(raw: &str) -> Result<Self, SelectorParseError>
Parse a selector string. Returns a SelectorParseError naming the
offending selector on an unknown namespace or an empty path.

pub fn as_str(&self) -> String
The canonical string form of this selector. Round-trips Selector::parse.

pub fn resolve(&self, result: &EvaluationResult) -> Option<Value>
Resolve this selector against a result. Returns None when the value
is absent (missing field, wrong result kind, or no retained event).
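The grammar and the three methods documented above, re-implemented as a stand-alone added example so the parse/as_str/resolve contract can be exercised offline. This is not the project's own code: the `Value` type is a minimal JSON stand-in, `EvaluationResult`, `ResultKind` and their field names are assumptions, the `selector` field on `SelectorParseError` is an assumption, and the detection result in `sample_detection` is constructed sample data. It also shows the two failure paths the docs name (empty path / unknown namespace on parse, wrong result kind or no retained event on resolve).

```rust
use std::collections::BTreeMap;
/// Minimal JSON stand-in (hypothetical; the real resolve returns a serde_json-style Value).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Value { Str(String), Obj(BTreeMap<String, Value>) }
impl Value {
    /// Follow a dotted path; None when a segment is missing or lands on a non-object.
    fn walk(&self, path: &[String]) -> Option<Value> {
        path.iter()
            .try_fold(self, |cur, key| match cur { Value::Obj(m) => m.get(key), Value::Str(_) => None })
            .cloned()
    }
}
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Selector {
    Rule, Level, Event(Vec<String>), Match(String), Enrichment(Vec<String>), CorrelationGroupKey(String),
}
/// Names the offending selector, as the documented error does (the field name is an assumption).
#[derive(Debug, PartialEq, Eq)]
pub struct SelectorParseError { pub selector: String }
/// Hypothetical stand-in for the crate's EvaluationResult; field names are assumptions.
pub enum ResultKind { Detection { matched: BTreeMap<String, Value> }, Correlation { group_key: BTreeMap<String, Value> } }
pub struct EvaluationResult {
    pub rule_id: Option<String>,
    pub rule_title: String,
    pub level: String,
    pub event: Option<Value>, // retained event JSON; None when the event was not retained
    pub enrichments: Value,   // header.enrichments
    pub kind: ResultKind,
}
impl Selector {
    pub fn parse(raw: &str) -> Result<Self, SelectorParseError> {
        let err = || SelectorParseError { selector: raw.to_string() };
        // Split "<namespace>.<rest>"; a bare namespace has no path.
        let (ns, rest) = match raw.split_once('.') { Some((n, r)) => (n, Some(r)), None => (raw, None) };
        // Dotted path: must be present, every segment non-empty ("event." and "event..a" are rejected).
        let path = |p: Option<&str>| -> Result<Vec<String>, SelectorParseError> {
            let segs: Vec<String> = p.ok_or_else(|| err())?.split('.').map(str::to_string).collect();
            if segs.iter().any(String::is_empty) { Err(err()) } else { Ok(segs) }
        };
        // Single field name: present and non-empty.
        let field = |p: Option<&str>| p.filter(|f| !f.is_empty()).map(str::to_string).ok_or_else(|| err());
        match (ns, rest) {
            ("rule", None) => Ok(Selector::Rule),
            ("level", None) => Ok(Selector::Level),
            ("event", p) => Ok(Selector::Event(path(p)?)),
            ("match", p) => Ok(Selector::Match(field(p)?)),
            ("enrichment", p) => Ok(Selector::Enrichment(path(p)?)),
            ("correlation", Some(p)) => match p.strip_prefix("group_key.") {
                Some(f) => Ok(Selector::CorrelationGroupKey(field(Some(f))?)),
                None => Err(err()),
            },
            _ => Err(err()), // unknown namespace, or a trailing path after rule/level
        }
    }
    /// Canonical form; parse(sel.as_str()) == Ok(sel).
    pub fn as_str(&self) -> String {
        match self {
            Selector::Rule => "rule".into(),
            Selector::Level => "level".into(),
            Selector::Event(p) => format!("event.{}", p.join(".")),
            Selector::Match(f) => format!("match.{f}"),
            Selector::Enrichment(p) => format!("enrichment.{}", p.join(".")),
            Selector::CorrelationGroupKey(f) => format!("correlation.group_key.{f}"),
        }
    }
    /// None for a missing field, the wrong result kind, or no retained event.
    pub fn resolve(&self, r: &EvaluationResult) -> Option<Value> {
        match (self, &r.kind) {
            (Selector::Rule, _) => Some(Value::Str(r.rule_id.clone().unwrap_or_else(|| r.rule_title.clone()))),
            (Selector::Level, _) => Some(Value::Str(r.level.to_lowercase())),
            (Selector::Event(p), _) => r.event.as_ref()?.walk(p),
            (Selector::Enrichment(p), _) => r.enrichments.walk(p),
            (Selector::Match(f), ResultKind::Detection { matched }) => matched.get(f).cloned(),
            (Selector::CorrelationGroupKey(f), ResultKind::Correlation { group_key }) => group_key.get(f).cloned(),
            _ => None, // match.* on a correlation result, or group_key.* on a detection
        }
    }
}
fn s(v: &str) -> Value { Value::Str(v.to_string()) }
fn obj(pairs: &[(&str, Value)]) -> Value {
    Value::Obj(pairs.iter().map(|(k, v)| (k.to_string(), v.clone())).collect())
}
/// A constructed detection result (sample data, not the output of any real evaluation).
pub fn sample_detection() -> EvaluationResult {
    EvaluationResult {
        rule_id: Some("proc-creation-001".into()),
        rule_title: "Suspicious credential dumping".into(),
        level: "High".into(),
        event: Some(obj(&[("process", obj(&[("name", s("mimikatz.exe")), ("pid", s("4242"))]))])),
        enrichments: obj(&[("geo", obj(&[("country", s("DE"))]))]),
        kind: ResultKind::Detection { matched: [("CommandLine".to_string(), s("mimikatz.exe sekurlsa::logonpasswords"))].into() },
    }
}
```

With `sample_detection()`, `Selector::parse("event.process.name")` resolves to `Str("mimikatz.exe")`, `level` resolves lowercased to `high`, `correlation.group_key.User` parses fine but resolves to `None` because the result is a detection, and `event.`, `event..a` or `payload.x` fail at parse time with the raw selector in the error. Rejecting empty path segments at parse time rather than at resolve time is the design choice worth copying: a selector that can never resolve should fail when the configuration is loaded, not silently yield `None` per event.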
Trait Implementations§
impl Eq for Selector
impl StructuralPartialEq for Selector
Auto Trait Implementations§
impl Freeze for Selector
impl RefUnwindSafe for Selector
impl Send for Selector
impl Sync for Selector
impl Unpin for Selector
impl UnsafeUnpin for Selector
impl UnwindSafe for Selector
Blanket Implementations§
impl<T> AnyExt for T
fn downcast_ref<T>(this: &Self) -> Option<&T> where T: Any
Attempts to downcast this to T behind reference
fn downcast_mut<T>(this: &mut Self) -> Option<&mut T> where T: Any
Attempts to downcast this to T behind mutable reference
fn downcast_rc<T>(this: Rc<Self>) -> Result<Rc<T>, Rc<Self>> where T: Any
Attempts to downcast this to T behind Rc pointer
fn downcast_arc<T>(this: Arc<Self>) -> Result<Arc<T>, Arc<Self>> where T: Any
Attempts to downcast this to T behind Arc pointer
impl<T> BorrowMut<T> for T where T: ?Sized
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value.
impl<T> CloneToUninit for T where T: Clone
impl<T, X> CoerceTo<T> for X where T: CoerceFrom<X> + ?Sized
fn coerce_rc_to(self: Rc<X>) -> Rc<T>
fn coerce_box_to(self: Box<X>) -> Box<T>
fn coerce_ref_to(&self) -> &T
fn coerce_mut_to(&mut self) -> &mut T
impl<Q, K> Equivalent<K> for Q
impl<Q, K> Equivalent<K> for Q
fn equivalent(&self, key: &K) -> bool
Compare self to key and return true if they are equal.
impl<Q, K> Equivalent<K> for Q
impl<T> Instrument for T
fn instrument(self, span: Span) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
impl<T> IntoEither for T
fn into_either(self, into_left: bool) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self> if into_left is true.
Converts self into a Right variant of Either<Self, Self> otherwise.
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self> otherwise.