From 2271f43730e0c8d5e3b3143aa0efaf99bdac9f8c Mon Sep 17 00:00:00 2001 From: KalmanMeth Date: Thu, 16 Feb 2023 15:36:21 +0200 Subject: [PATCH] added addField option to transform filter (#390) --- docs/api.md | 3 +- pkg/api/transform_filter.go | 3 +- pkg/pipeline/transform/transform_filter.go | 4 ++ .../transform/transform_filter_test.go | 38 +++++++++++++++++++ 4 files changed, 46 insertions(+), 2 deletions(-) diff --git a/docs/api.md b/docs/api.md index ccc5a2390..7ce2fa85d 100644 --- a/docs/api.md +++ b/docs/api.md @@ -130,9 +130,10 @@ Following is the supported API format for filter transformations: type: (enum) one of the following: remove_field: removes the field from the entry remove_entry_if_exists: removes the entry if the field exists - remove_entry_if_doesnt_exist: removes the entry if the field doesnt exist + remove_entry_if_doesnt_exist: removes the entry if the field does not exist remove_entry_if_equal: removes the entry if the field value equals specified value remove_entry_if_not_equal: removes the entry if the field value does not equal specified value + add_field_if_doesnt_exist: adds a field to the entry if the field does not exist value: specified value of input field: ## Transform Network API diff --git a/pkg/api/transform_filter.go b/pkg/api/transform_filter.go index 87124a1f1..254944afb 100644 --- a/pkg/api/transform_filter.go +++ b/pkg/api/transform_filter.go @@ -24,9 +24,10 @@ type TransformFilter struct { type TransformFilterOperationEnum struct { RemoveField string `yaml:"remove_field" json:"remove_field" doc:"removes the field from the entry"` RemoveEntryIfExists string `yaml:"remove_entry_if_exists" json:"remove_entry_if_exists" doc:"removes the entry if the field exists"` - RemoveEntryIfDoesntExist string `yaml:"remove_entry_if_doesnt_exist" json:"remove_entry_if_doesnt_exist" doc:"removes the entry if the field doesnt exist"` + RemoveEntryIfDoesntExist string `yaml:"remove_entry_if_doesnt_exist" json:"remove_entry_if_doesnt_exist" doc:"removes the entry if the field does not exist"` RemoveEntryIfEqual string `yaml:"remove_entry_if_equal" json:"remove_entry_if_equal" doc:"removes the entry if the field value equals specified value"` RemoveEntryIfNotEqual string `yaml:"remove_entry_if_not_equal" json:"remove_entry_if_not_equal" doc:"removes the entry if the field value does not equal specified value"` + AddFieldIfDoesntExist string `yaml:"add_field_if_doesnt_exist" json:"add_field_if_doesnt_exist" doc:"adds a field to the entry if the field does not exist"` } func TransformFilterOperationName(operation string) string { diff --git a/pkg/pipeline/transform/transform_filter.go b/pkg/pipeline/transform/transform_filter.go index 9db5de2a0..51c7f10b7 100644 --- a/pkg/pipeline/transform/transform_filter.go +++ b/pkg/pipeline/transform/transform_filter.go @@ -58,6 +58,10 @@ func (f *Filter) Transform(entry config.GenericMap) (config.GenericMap, bool) { return nil, false } } + case api.TransformFilterOperationName("AddFieldIfDoesntExist"): + if _, ok := entry[rule.Input]; !ok { + outputEntry[rule.Input] = rule.Value + } default: tlog.Panicf("unknown type %s for transform.Filter rule: %v", rule.Type, rule) } diff --git a/pkg/pipeline/transform/transform_filter_test.go b/pkg/pipeline/transform/transform_filter_test.go index 7343f9025..bbaf85666 100644 --- a/pkg/pipeline/transform/transform_filter_test.go +++ b/pkg/pipeline/transform/transform_filter_test.go @@ -101,6 +101,24 @@ parameters: value: "test message" ` +const testConfigTransformFilterAddField = `--- +log-level: debug +pipeline: + - name: filter1 +parameters: + - name: filter1 + transform: + type: filter + filter: + rules: + - input: dstPort + type: add_field_if_doesnt_exist + value: dummy_value + - input: dummy_field + type: add_field_if_doesnt_exist + value: dummy_value +` + func getFilterExpectedOutput() config.GenericMap { return config.GenericMap{ "srcIP": "10.0.0.1", @@ -183,6 +201,26 @@ func TestNewTransformFilterRemoveEntryIfNotEqual(t *testing.T) { require.False(t, ok) } +func TestNewTransformFilterAddField(t *testing.T) { + newTransform := InitNewTransformFilter(t, testConfigTransformFilterAddField) + transformFilter := newTransform.(*Filter) + require.Len(t, transformFilter.Rules, 2) + + input := test.GetIngestMockEntry(false) + output, ok := transformFilter.Transform(input) + require.True(t, ok) + require.Equal(t, 22, output["dstPort"]) + require.Equal(t, "dummy_value", output["dummy_field"]) + + input = test.GetIngestMockEntry(false) + input["dstPort"] = 3490 + input["dummy_field"] = 1 + output, ok = transformFilter.Transform(input) + require.True(t, ok) + require.Equal(t, 3490, output["dstPort"]) + require.Equal(t, 1, output["dummy_field"]) +} + func InitNewTransformFilter(t *testing.T, configFile string) Transformer { v, cfg := test.InitConfig(t, configFile) require.NotNil(t, v)