hub / github.com/crowdsecurity/crowdsec / processGrok

Method processGrok

pkg/parser/node.go:168–243  ·  view source on GitHub ↗
(p *pipeline.Event, cachedExprEnv map[string]any)

Source from the content-addressed store, hash-verified

166}
167
168func (n *Node) processGrok(p *pipeline.Event, cachedExprEnv map[string]any) (bool, bool, error) {
169 // Process grok if present, should be exclusive with nodes :)
170 var nodeHasOKGrok bool
171
172 clog := n.Logger
173 gstr := ""
174
175 if n.RuntimeGrok.RunTimeRegexp == nil {
176 clog.Tracef("! No grok pattern: %p", n.RuntimeGrok.RunTimeRegexp)
177 return true, false, nil
178 }
179
180 clog.Tracef("Processing grok pattern: %s: %p", n.Grok.RegexpName, n.RuntimeGrok.RunTimeRegexp)
181 // for unparsed, parsed etc. set sensible defaults to reduce user hassle
182 if n.Grok.TargetField != "" {
183 // it's a hack to avoid using real reflect
184 if n.Grok.TargetField == "Line.Raw" {
185 gstr = p.Line.Raw
186 } else if val, ok := p.Parsed[n.Grok.TargetField]; ok {
187 gstr = val
188 } else {
189 clog.Debugf("(%s) target field %q doesn't exist in %v", n.rn, n.Grok.TargetField, p.Parsed)
190 return false, false, nil
191 }
192 } else if n.RuntimeGrok.RunTimeValue != nil {
193 output, err := exprhelpers.Run(n.RuntimeGrok.RunTimeValue, cachedExprEnv, clog, n.Debug)
194 if err != nil {
195 clog.Warningf("failed to run RunTimeValue: %v", err)
196 return false, false, nil
197 }
198
199 switch out := output.(type) {
200 case string:
201 gstr = out
202 case int:
203 gstr = strconv.Itoa(out)
204 case float64, float32:
205 gstr = fmt.Sprintf("%f", out)
206 default:
207 clog.Errorf("unexpected return type for RunTimeValue: %T", output)
208 }
209 }
210
211 var groklabel string
212 if n.Grok.RegexpName == "" {
213 groklabel = fmt.Sprintf("%5.5s...", n.Grok.RegexpValue)
214 } else {
215 groklabel = n.Grok.RegexpName
216 }
217
218 grok := n.RuntimeGrok.RunTimeRegexp.Parse(gstr)
219
220 if len(grok) == 0 {
221 // grok failed, node failed
222 clog.Debugf("+ Grok %q didn't return data on %q", groklabel, gstr)
223 return false, false, nil
224 }
225

Callers 1

processMethod · 0.95

Calls 4

RunFunction · 0.92
TracefMethod · 0.80
ParseMethod · 0.45
ProcessStaticsMethod · 0.45

Tested by

no test coverage detected