Module selector

Field-selector namespace shared by the post-engine sink layers.

A Selector resolves a single value out of an EvaluationResult, reading from one of six namespaces. It is consumed by both the alert pipeline (fingerprints, group-by, matchers) and the risk layer (risk-object extraction), so both layers reason about a result in the same way:

  • rule — the rule id, falling back to the rule title.
  • level — the severity, lowercased (high, critical, …).
  • event.<path> — a dotted path into the retained event JSON. Resolves to nothing unless the event was retained (--include-event or per-rule rsigma.include_event).
  • match.<field> — the value of a matched field (detection results only).
  • enrichment.<path> — a dotted path into header.enrichments.
  • correlation.group_key.<field> — a group-by value (correlation results only).

A selector that resolves to nothing yields None. The fingerprint treats that None as an explicit null marker, so a missing value still contributes a stable component rather than being silently skipped; entity extraction contributes nothing for it.
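As an added, stand-alone illustration of the namespace rules above (example code, not this crate's own Selector implementation): a minimal parser and resolver covering all six namespaces, plus a toy fingerprint that writes the explicit null marker for a selector that resolved to nothing. The Value type, the EvalResult field names, the "<null>" marker text, the rule that a path ending on a nested object (rather than a scalar) resolves to nothing, and the sample detection result are all assumptions made for this example.

```rust
use std::collections::BTreeMap;

/// Minimal JSON-like value standing in for the retained event and header.enrichments
/// (an assumption for this example; the crate's real value type is not shown here).
#[derive(Debug, Clone, PartialEq)]
pub enum Value { Str(String), Num(i64), Obj(BTreeMap<String, Value>) }

/// Hypothetical EvaluationResult reduced to what the six namespaces read.
/// Field names are assumptions, not the crate's.
pub struct EvalResult {
    pub rule_id: Option<String>,
    pub rule_title: String,
    pub level: String,
    pub event: Option<Value>,                        // None unless the event was retained
    pub matched: BTreeMap<String, String>,           // detection results only
    pub enrichments: Value,                          // header.enrichments
    pub group_key: Option<BTreeMap<String, String>>, // correlation results only
}

#[derive(Debug, Clone, PartialEq)]
pub enum Selector {
    Rule, Level, Event(Vec<String>), Match(String), Enrichment(Vec<String>), CorrelationGroupKey(String),
}

/// Carries the offending selector so config validation can point at the exact string.
#[derive(Debug, Clone, PartialEq)]
pub struct SelectorParseError { pub selector: String }

pub fn parse_selector(s: &str) -> Result<Selector, SelectorParseError> {
    let err = || SelectorParseError { selector: s.to_string() };
    if s == "rule" { return Ok(Selector::Rule); }
    if s == "level" { return Ok(Selector::Level); }
    // Every other namespace needs a non-empty dotted remainder with no empty segment.
    let (ns, rest) = s.split_once('.').ok_or_else(|| err())?;
    if rest.is_empty() || rest.split('.').any(str::is_empty) { return Err(err()); }
    let path = || rest.split('.').map(str::to_string).collect::<Vec<_>>();
    match ns {
        "event" => Ok(Selector::Event(path())),
        "enrichment" => Ok(Selector::Enrichment(path())),
        "match" if !rest.contains('.') => Ok(Selector::Match(rest.to_string())), // one field, not a path
        "correlation" => match rest.strip_prefix("group_key.") {
            Some(f) if !f.is_empty() && !f.contains('.') => Ok(Selector::CorrelationGroupKey(f.to_string())),
            _ => Err(err()),
        },
        _ => Err(err()),
    }
}

/// Walks a dotted path through nested objects; any missing key yields None.
fn walk<'a>(v: &'a Value, path: &[String]) -> Option<&'a Value> {
    path.iter().try_fold(v, |cur, key| match cur { Value::Obj(m) => m.get(key), _ => None })
}

/// Only scalars become selector values; a path that ends on an object resolves to nothing.
fn scalar(v: &Value) -> Option<String> {
    match v { Value::Str(s) => Some(s.clone()), Value::Num(n) => Some(n.to_string()), Value::Obj(_) => None }
}

pub fn resolve(sel: &Selector, r: &EvalResult) -> Option<String> {
    match sel {
        Selector::Rule => Some(r.rule_id.clone().unwrap_or_else(|| r.rule_title.clone())),
        Selector::Level => Some(r.level.to_lowercase()),
        Selector::Event(path) => r.event.as_ref().and_then(|e| walk(e, path)).and_then(scalar),
        Selector::Match(field) => r.matched.get(field).cloned(),
        Selector::Enrichment(path) => walk(&r.enrichments, path).and_then(scalar),
        Selector::CorrelationGroupKey(field) => r.group_key.as_ref().and_then(|g| g.get(field).cloned()),
    }
}

/// Illustrative fingerprint: a value that resolved to nothing is written as an explicit
/// marker so "missing" and "empty string" never collide (the marker text is an assumption).
pub fn fingerprint(sels: &[Selector], r: &EvalResult) -> String {
    sels.iter().map(|s| resolve(s, r).unwrap_or_else(|| "<null>".to_string())).collect::<Vec<_>>().join("|")
}

fn obj(pairs: &[(&str, Value)]) -> Value {
    Value::Obj(pairs.iter().map(|(k, v)| (k.to_string(), v.clone())).collect())
}

/// Constructed sample detection result (not real data).
pub fn sample_detection(retain_event: bool) -> EvalResult {
    let event = obj(&[("process", obj(&[("name", Value::Str("cmd.exe".into())), ("pid", Value::Num(4242))]))]);
    EvalResult {
        rule_id: Some("sample-rule".into()),
        rule_title: "Sample rule".into(),
        level: "High".into(),
        event: retain_event.then_some(event),
        matched: BTreeMap::from([("Image".to_string(), "cmd.exe".to_string())]),
        enrichments: obj(&[("geo", obj(&[("country", Value::Str("DE".into()))]))]),
        group_key: None, // detection result, so correlation.* resolves to nothing
    }
}

fn main() {
    let r = sample_detection(true);
    for s in ["rule", "level", "event.process.name", "match.Image", "enrichment.geo.country",
              "correlation.group_key.user", "match.a.b"] {
        match parse_selector(s) {
            Ok(sel) => println!("{s:<28} -> {:?}", resolve(&sel, &r)),
            Err(e) => println!("{s:<28} -> parse error in selector {:?}", e.selector),
        }
    }
    let fp = fingerprint(&[Selector::Rule, Selector::Level, Selector::CorrelationGroupKey("user".into())], &r);
    println!("fingerprint = {fp}");
}
```

The parse step is where operator typos get caught: match.a.b and correlation.user are rejected with the full selector string attached, which is what a config validator needs to point at the offending line. The same detection result resolved with the event not retained shows the event.* namespace going to None rather than erroring.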

Structs

SelectorParseError
A selector string that failed to parse, naming the offending selector so config validation can point the operator at the exact line.

Enums

Selector
A parsed field selector over the EvaluationResult namespace.