From 7ce682ba9ebf2f64968b2876f284ef4c5a49c6f3 Mon Sep 17 00:00:00 2001
From: Thomas Labarussias
Date: Fri, 23 Feb 2024 13:16:19 +0100
Subject: [PATCH] fix the empty result when the value of an output field contains a dash/slash + trim prefix with the timestamp and priority for the output
Signed-off-by: Thomas Labarussias
---
 internal/api/api.go | 2 ++
 internal/database/redis/index.go | 1 +
 internal/database/redis/set.go | 7 +++++++
 internal/utils/utils.go | 16 +++++++++++++---
 4 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/internal/api/api.go b/internal/api/api.go
index c0d0d08..e466d0f 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -62,6 +62,8 @@ func AddEvent(c echo.Context) error {
 models.GetOutputs().Update(payload.Outputs)
+ payload.Event.Output = utils.TrimPrefix(payload.Event.Output)
+
 if err := events.Add(&payload.Event); err != nil {
 return err
 }
diff --git a/internal/database/redis/index.go b/internal/database/redis/index.go
index d12ecce..e5e787c 100644
--- a/internal/database/redis/index.go
+++ b/internal/database/redis/index.go
@@ -44,6 +44,7 @@ func CreateIndex(client *redisearch.Client) {
 AddField(redisearch.NewTextField("hostname")).
 AddField(redisearch.NewTextField("source")).
 AddField(redisearch.NewTextField("tags")).
+ AddField(redisearch.NewTextField("outputfields")).
 AddField(redisearch.NewNumericField("timestamp")).
 AddField(redisearch.NewTextField("json"))
diff --git a/internal/database/redis/set.go b/internal/database/redis/set.go
index acae1a9..06b28c4 100644
--- a/internal/database/redis/set.go
+++ b/internal/database/redis/set.go
@@ -30,6 +30,12 @@ func SetKey(client *redisearch.Client, event *models.Event) error {
 jsonString, _ := json.Marshal(event)
+ of := make([]string, 0, len(event.OutputFields))
+
+ for _, i := range event.OutputFields {
+ of = append(of, fmt.Sprintf("%v", i))
+ }
+
 doc := redisearch.NewDocument(fmt.Sprintf("event:%v", event.UUID), 1.0).
 Set("rule", event.Rule).
 Set("priority", event.Priority).
@@ -38,6 +44,7 @@ func SetKey(client *redisearch.Client, event *models.Event) error {
 Set("timestamp", event.Time.UnixNano()/1e3).
 Set("tags", utils.Escape(strings.Join(event.Tags, ","))).
 Set("json", string(jsonString)).
+ Set("outputfields", utils.Escape(strings.Join(of, ","))).
 Set("uuid", event.UUID).
 SetTTL(c.TTL)
 if event.Hostname != "" {
diff --git a/internal/utils/utils.go b/internal/utils/utils.go
index ddf154d..f85f5b2 100644
--- a/internal/utils/utils.go
+++ b/internal/utils/utils.go
@@ -29,6 +29,7 @@ import (
 const (
 extractNumber = "^[0-9]+"
 extractUnity = "[a-z-A-Z]+$"
+ trimPrefix = "(?i)^\\d{2}:\\d{2}:\\d{2}\\.\\d{9}\\:\\ (Debug|Info|Informational|Notice|Warning|Error|Critical|Alert|Emergency)"
 )
 const (
@@ -39,11 +40,12 @@ const (
 fatalLog
 )
-var regExtractNumber, regExtractUnity *regexp.Regexp
+var regExtractNumber, regExtractUnity, regTrimPrefix *regexp.Regexp
 func init() {
 regExtractNumber, _ = regexp.Compile(extractNumber)
 regExtractUnity, _ = regexp.Compile(extractUnity)
+ regTrimPrefix, _ = regexp.Compile(trimPrefix)
 }
 func CheckErr(e error) {
@@ -164,9 +166,17 @@ func GetPriortiyInt(prio string) int {
 }
 func Escape(s string) string {
- return strings.ReplaceAll(s, "-", `\-`)
+ s = strings.ReplaceAll(s, "-", `\-`)
+ s = strings.ReplaceAll(s, "/", "\\/")
+ return s
 }
 func UnEscape(s string) string {
- return strings.ReplaceAll(s, `\-`, "-")
+ s = strings.ReplaceAll(s, `\-`, "-")
+ s = strings.ReplaceAll(s, `\\/`, "/")
+ return s
+}
+
+func TrimPrefix(s string) string {
+ return regTrimPrefix.ReplaceAllString(s, "")
 }
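Review bot: The values collected into `of` in the first SetKey hunk are indexed in the second hunk after `utils.Escape`, which per the utils.go hunk escapes only `-` and `/`. Output field values typically carry strings chosen by the monitored workload (command lines, file names), so a value holding a comma or another character the search tokenizer splits on would, as far as this diff shows, still be broken apart or merged with its neighbour once joined with `","`. Escaping each value before the join, and widening `Escape` to the full separator set the index uses, would keep one field value one searchable term. The loop variable `i` holds a value rather than an index; `for _, v := range event.OutputFields` reads more clearly. SetKey's body starts and ends outside both hunks.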
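Review bot: The alternation in `trimPrefix` lists `Info` before `Informational`, and Go's regexp picks the first alternative that matches, so a line with priority `Informational` has only `Info` removed and the stored output begins with `rmational`. Put the longer name first or anchor the end of the word, e.g. `(Debug|Informational|Info|Notice|Warning|Error|Critical|Alert|Emergency)\\b`. The pattern also stops before the space that follows the priority, so the trimmed output keeps a leading space unless the pattern ends with `\\s*`. The backslashes before `:` and the space are not needed.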
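Review bot: The compile error for the new pattern is discarded in `init`, so a future edit that breaks `trimPrefix` leaves `regTrimPrefix` nil and the first `TrimPrefix` call from `AddEvent` panics on the request path instead of failing at start-up. For a constant pattern the usual form is `regTrimPrefix = regexp.MustCompile(trimPrefix)`, which fails loudly at load time. The two existing lines in `init` follow the same pattern and could be converted together.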
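Review bot: `UnEscape` does not undo the new slash escaping: `Escape` writes the interpreted string `"\\/"` (one backslash plus slash), while `UnEscape` searches for the raw string with two backslashes plus slash, which `Escape` never produces. Values read back from the index therefore keep the backslash before every slash. The line should be `s = strings.ReplaceAll(s, "\\/", "/")`, or both functions should use the same literal form. A round-trip test asserting `UnEscape(Escape("a-b/c")) == "a-b/c"` would catch this. Neither function handles a backslash already present in the input, so the pair is not strictly invertible for such values.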