Cleaning up

fkie-cad · Dec 19, 2024 · faa40d5 · faa40d5
1 parent 5559f69
commit faa40d5
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 33 deletions.
diff --git a/doc/source/development/notebooks/processor_examples/regex.ipynb b/doc/source/development/notebooks/processor_examples/regex.ipynb
@@ -135,7 +135,16 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 78,
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "## Das ist meiner nach falsch und sollte nur mit \"\\/logs\\/\" funktionieren"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 79,
    "metadata": {},
    "outputs": [
     {
@@ -150,7 +159,7 @@
      "output_type": "stream",
      "text": [
       "before: {'data_stream': {'dataset': 'windows', 'namespace': 'devopslab', 'type': '/logs/'}, '_op_type': 'create'}\n",
-      "after: {'data_stream': {'dataset': 'windows', 'namespace': 'devopslab', 'type': '/logs/'}, '_op_type': 'create'}\n",
+      "after: {'data_stream': {'dataset': 'windows', 'namespace': 'devopslab', 'type': '/logs/'}, '_op_type': 'create', '_index': '/logs/-windows-devopslab'}\n",
       "False\n"
      ]
     }
@@ -213,8 +222,44 @@
    ]
   },
   {
+   "metadata": {},
    "cell_type": "code",
-   "execution_count": 71,
+   "outputs": [],
+   "execution_count": null,
+   "source": "### Fehlerwarnung mit nur einem Escape."
+  },
+  {
+   "metadata": {},
+   "cell_type": "code",
+   "outputs": [],
+   "execution_count": null,
+   "source": [
+    "rule_yaml = \"\"\"---\n",
+    "filter: 'data_stream.type: /\\/lo.*/'    \n",
+    "                           \n",
+    "concatenator:\n",
+    "  source_fields:\n",
+    "    - data_stream.type\n",
+    "    - data_stream.dataset\n",
+    "    - data_stream.namespace\n",
+    "  target_field: _index\n",
+    "  separator: \"-\"\n",
+    "  overwrite_target: false\n",
+    "  delete_source_fields: false\n",
+    "\"\"\"\n",
+    "concat_with_rule(rule_yaml)"
+   ]
+  },
+  {
+   "metadata": {},
+   "cell_type": "code",
+   "outputs": [],
+   "execution_count": null,
+   "source": "### Zweimal Escapen ist richtig und funktioniert. Würde sich allerdings nicht eins zu eins in Opensearch kopieren lassen. "
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 87,
    "metadata": {},
    "outputs": [
     {
@@ -229,7 +274,7 @@
    ],
    "source": [
     "rule_yaml = \"\"\"---\n",
-    "filter: 'data_stream.type: /\\\\/.*lo.*/'    \n",
+    "filter: 'data_stream.type: /\\\\/lo.*/'    \n",
     "                           \n",
     "concatenator:\n",
     "  source_fields:\n",
@@ -244,13 +289,6 @@
     "concat_with_rule(rule_yaml)"
    ]
   },
-  {
-   "cell_type": "code",
-   "execution_count": null,
-   "metadata": {},
-   "outputs": [],
-   "source": []
-  },
   {
    "cell_type": "code",
    "execution_count": null,

diff --git a/tests/unit/filter/test_lucene_filter.py b/tests/unit/filter/test_lucene_filter.py
@@ -480,38 +480,24 @@ def test_new_lucene_compliance(self):
 
         assert lucene_filter == RegExFilterExpression(["regex_key_one"], ".*value.*")
 
-    def test_creates_lucene_compliance_filter_one_matching_one_missmatch_regex_key_of_two2(self):
+    def test_creates_lucene_compliance_filter_one_matching_one_missmatch_regex_key_of_two(self):
         lucene_filter = LuceneFilter.create(
             'regex_key_one:/.*value.*/ AND key_two: "/.*value.*/"',
         )
 
         assert lucene_filter == And(RegExFilterExpression(["regex_key_one"], ".*value.*"),
                                     StringFilterExpression(["key_two"], "/.*value.*/"))
 
-    def test_new_lucene_compliance2(self):
-        lucene_filter = LuceneFilter.create(
-            'regex_key_one:/\/.*value.*/'
-        )
-
+    def test_new_lucene_compliance_double_escape(self):
         lucene_filter = LuceneFilter.create(
             'regex_key_one:/\\/.*value.*/'
         )
 
-        # lucene_filter = LuceneFilter.create(
-        #     'regex_key_one: "\/.*value.*"',
-        #     special_fields={"regex_fields": ["regex_key_one"]},
-        # )
-
-        # in opensearch mit lucene ausprobiert:  /\/value/  um  /value zu finden
-        # opensearch lucene regex ohne escapen funktioniert nicht. also //value// geht nicht, so wie es im notebook
-        # mit dem regex_field ist.
-
-        # so wie es hier ist funktioniert (mti /\/ ebenso wie mit /\\/ weil im Code sowieso beides auf /\\/ gesetzt wird)
-        # im Notebook mit yaml doc muss allerdings mit \\/ escaped werden, dass es funktioniert.
-        # Das waere noch gut, wenn man das nicht muesste.
-
-
+        assert lucene_filter == RegExFilterExpression(["regex_key_one"], "\/.*value.*")
 
+    def test_new_lucene_compliance_single_escape(self):
+        lucene_filter = LuceneFilter.create(
+            'regex_key_one:/\/.*value.*/'
+        )
 
-        assert lucene_filter == RegExFilterExpression(["regex_key_one"], "\/.*value.*")
-        #assert lucene_filter == RegExFilterExpression(["regex_key_one"], "/.*value.*")
+        assert lucene_filter == RegExFilterExpression(["regex_key_one"], "\/.*value.*")