
Commit 6c99633

committed
gis-8557 clean rule name inside query in splunk-spl-rule-yml
1 parent 4adffd5 commit 6c99633


1 file changed

+4
-0
lines changed

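--- a/uncoder-core/app/translator/platforms/base/spl/parsers/spl.py
+++ b/uncoder-core/app/translator/platforms/base/spl/parsers/spl.py
@@ -29,6 +29,7 @@
 
 class SplQueryParser(PlatformQueryParser):
 log_source_pattern = r"^___source_type___\s*=\s*(?:\"(?P<d_q_value>[%a-zA-Z_*:0-9\-/]+)\"|(?P<value>[%a-zA-Z_*:0-9\-/]+))(?:\s+(?:and|or)\s+|\s+)?" # noqa: E501
+rule_name_pattern = r"`(?P<name>(?:[:a-zA-Z*0-9=+%#\-_/,;`?~‘\'.<>$&^@!\]\[()\s])*)`"
 log_source_key_types = ("index", "source", "sourcetype", "sourcecategory")
 
 platform_functions: SplFunctions = None
@@ -53,6 +54,9 @@ def _parse_log_sources(self, query: str) -> tuple[dict[str, list[str]], str]:
 return log_sources, query
 
 def _parse_query(self, query: str) -> tuple[str, dict[str, list[str]], ParsedFunctions]:
+if re.match(self.rule_name_pattern, query):
+search = re.search(self.rule_name_pattern, query, flags=re.IGNORECASE)
+query = query[:search.start()] + query[search.end():]
 query = query.strip()
 log_sources, query = self._parse_log_sources(query)
 query, functions = self.platform_functions.parse(query)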
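Review bot: The character class in `rule_name_pattern` contains the backtick itself and the repetition is greedy, so the match runs from the opening backtick to the last backtick reachable through allowed characters, not to the first closing one. For a query that starts with a backticked name and later holds another backticked segment with only class characters in between (letters, spaces, `=`), the slice in `_parse_query` would also remove the search terms between them, and the translated detection would silently lose conditions. Dropping the backtick from the class, or making the repetition lazy with `*?`, keeps the match to the first segment. The `re.match` call omits `re.IGNORECASE` while `re.search` passes it, and because `re.match` already anchors at position 0 the second scan is redundant: `match = re.match(self.rule_name_pattern, query)` followed by `if match: query = query[match.end():]` does the same work. The check also runs before `query.strip()`, so a query with leading whitespace is not cleaned; the body of `_parse_query` continues past the end of the hunk.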
