TerribleDev/TimberWinR
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

(feat): Adds mutate:remove filter to remove fields.

Browse Source
This commit is contained in:
gediminasgu
2014-11-28 16:38:43 +02:00
parent c67ff21859
commit 9761b38fdb
3 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
TimberWinR/Filters/MutateFilter.cs
View File

@@ -19,6 +19,7 @@ namespace TimberWinR.Parser
new JProperty("condition", Condition), new JProperty("condition", Condition),
new JProperty("splits", Split), new JProperty("splits", Split),
new JProperty("type", Type), new JProperty("type", Type),
new JProperty("remove", Remove),
new JProperty("rename", Rename), new JProperty("rename", Rename),
new JProperty("replace", Replace) new JProperty("replace", Replace)
))); )));
@@ -42,11 +43,24 @@ namespace TimberWinR.Parser
} }
ApplySplits(json); ApplySplits(json);
ApplyRemoves(json);
ApplyRenames(json); ApplyRenames(json);
ApplyReplace(json); ApplyReplace(json);
return true; return true;
} }
private void ApplyRemoves(JObject json)
{
if (Remove != null && Remove.Length > 0)
{
for (int i = 0; i < Remove.Length; i += 1)
{
string name = ExpandField(Remove[i], json);
RemoveProperty(json, name);
}
}
}
private void ApplyRenames(JObject json) private void ApplyRenames(JObject json)
{ {
if (Rename != null && Rename.Length > 0) if (Rename != null && Rename.Length > 0)

12
TimberWinR/Parser.cs
View File

@@ -27,6 +27,15 @@ namespace TimberWinR.Parser
{ {
public abstract bool Apply(JObject json); public abstract bool Apply(JObject json);
protected void RemoveProperty(JObject json, string name)
{
JToken token = json[name];
if (token != null)
{
json.Remove(name);
}
}
protected void RenameProperty(JObject json, string oldName, string newName) protected void RenameProperty(JObject json, string oldName, string newName)
{ {
JToken token = json[oldName]; JToken token = json[oldName];
@@ -633,6 +642,9 @@ namespace TimberWinR.Parser
[JsonProperty("condition")] [JsonProperty("condition")]
public string Condition { get; set; } public string Condition { get; set; }
[JsonProperty("remove")]
public string[] Remove { get; set; }
[JsonProperty("rename")] [JsonProperty("rename")]
public string[] Rename { get; set; } public string[] Rename { get; set; }

14
TimberWinR/mdocs/MutateFilter.md
View File

@@ -8,6 +8,7 @@ The following operations are allowed when mutating a field.
| Operation | Type | Description | Operation | Type | Description
| :-----------|:----------------|:-----------------------------------------------------------------------| | :-----------|:----------------|:-----------------------------------------------------------------------|
| *condition* | property:string |C# Expression | *condition* | property:string |C# Expression
| *remove* | property:array |Remove one or more fields
| *rename* | property:array |Rename one or more fields | *rename* | property:array |Rename one or more fields
| *replace* | property:array |Replace a field with a new value. The new value can include %{foo} strings to help you build a new value from other parts of the event. | *replace* | property:array |Replace a field with a new value. The new value can include %{foo} strings to help you build a new value from other parts of the event.
| *split* | property:array |Separator between values of the "Strings" field. | *split* | property:array |Separator between values of the "Strings" field.
@@ -30,6 +31,19 @@ then the operation(s) will be executed in order.
``` ```
The above example will rename ComputerName to Host only for Win32-EventLog types. The above example will rename ComputerName to Host only for Win32-EventLog types.
### remove ["name", ...]
Removes field.
```json
"Filters": [
{
"mutate": {
"remove": [
"ComputerName", "Username"
]
}
}
]
```
### rename ["oldname", "newname", ...] ### rename ["oldname", "newname", ...]
The fields must be in pairs with oldname first and newname second. The fields must be in pairs with oldname first and newname second.
```json ```json