ql

package
v1.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 31, 2023 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	Illegal token = iota
	WS
	EOF

	Field      // ps.name
	BoundField // $evt1.file.name
	Str        // 'cmd.exe'
	Badstr
	Badesc
	Ident
	Decimal  // 123.3
	Integer  // 123
	Duration // 13h
	IP       // 192.168.1.23
	BadIP    // 192.156.300.12
	True     // true
	False    // false

	And         // and
	Or          // or
	In          // in
	IIn         // iin
	Not         // not
	Contains    // contains
	IContains   // icontains
	IStartswith // istartswith
	Startswith  // startswith
	Endswith    // endswith
	IEndswith   // iendswith
	Matches     // matches
	IMatches    // imatches
	Fuzzy       // fuzzy
	IFuzzy      // ifuzzy
	Fuzzynorm   // fuzzynorm
	IFuzzynorm  // ifuzzynorm
	Eq          // =
	IEq         // ~=
	Neq         // !=
	Lt          // <
	Lte         // <=
	Gt          // >
	Gte         // >=

	Lparen // (
	Rparen // )
	Comma  // ,
	Dot    // .
	Pipe   // |

	Seq     // SEQUENCE
	MaxSpan // MAXSPAN
	By      // BY
	As      // AS
)

Variables

View Source 
var (
	// ErrArgumentTypeMismatch signals an invalid argument type
	ErrArgumentTypeMismatch = func(i int, keyword string, fn functions.Fn, types []functions.ArgType) error {
		argTypes := make([]string, len(types))
		for i, typ := range types {
			argTypes[i] = typ.String()
		}
		return fmt.Errorf("argument #%d (%s) in function %s should be one of: %v", i+1, keyword, fn, strings.Join(argTypes, "|"))
	}
	// ErrUndefinedFunction is thrown when an unknown function is supplied
	ErrUndefinedFunction = func(name string) error {
		return fmt.Errorf("%s function is undefined. Did you mean one of %s%s", name, strings.Join(functionNames(), "|"), "?")
	}
	// ErrFunctionSignature is thrown when the function signature is not satisfied
	ErrFunctionSignature = func(desc functions.FunctionDesc, givenArguments int) error {
		return fmt.Errorf("%s function requires %d argument(s) but %d argument(s) given", desc.Name, desc.RequiredArgs(), givenArguments)
	}
)
View Source 
var ErrInvalidDuration = errors.New("invalid duration")

ErrInvalidDuration is returned when parsing a malformed duration.

Functions

func Eval 

func Eval(expr Expr, m map[string]interface{}, useFuncValuer bool) bool

Eval evaluates expr against a map that contains the field values.

func ScanString 

func ScanString(r io.RuneScanner) (string, error)

ScanString reads a quoted string from a rune reader.

func Walk 

func Walk(v Visitor, node Node)

Walk traverses a node hierarchy in depth-first order.

func WalkFunc 

func WalkFunc(node Node, fn func(Node))

WalkFunc traverses a node hierarchy in depth-first order.

Types

type BinaryExpr 

type BinaryExpr struct {
	Op  token
	LHS Expr
	RHS Expr
}

BinaryExpr represents an operation between two expressions.

func (*BinaryExpr) String 

func (e *BinaryExpr) String() string

String returns a string representation of the binary expression.

type BoolLiteral 

type BoolLiteral struct {
	Value bool
}

BoolLiteral represents the logical true/false literal.

func (BoolLiteral) String 

func (b BoolLiteral) String() string

type BoundFieldLiteral added in v1.10.0 

type BoundFieldLiteral struct {
	Value string
}

func (BoundFieldLiteral) Alias added in v1.10.0 

func (b BoundFieldLiteral) Alias() string

func (BoundFieldLiteral) Field added in v1.10.0 

func (b BoundFieldLiteral) Field() fields.Field

func (BoundFieldLiteral) String added in v1.10.0 

func (b BoundFieldLiteral) String() string

type CallValuer 

type CallValuer interface {
	Valuer

	// Call is invoked to evaluate a function call (if possible).
	Call(name string, args []interface{}) (interface{}, bool)
}

CallValuer implements the Call method for evaluating function calls.

type DecimalLiteral 

type DecimalLiteral struct {
	Value float64
}

DecimalLiteral represents an floating point number literal.

func (DecimalLiteral) String 

func (d DecimalLiteral) String() string

type Expr 

type Expr interface {
	Node
}

Expr represents an expression that can be evaluated to a value.

type FieldLiteral 

type FieldLiteral struct {
	Value string
}

FieldLiteral represents a field literal.

func (FieldLiteral) String 

func (f FieldLiteral) String() string

type Function 

type Function struct {
	Name string
	Args []Expr
}

Function represents a function call.

func (*Function) ArgsSlice added in v1.5.0 

func (f *Function) ArgsSlice() []string

ArgsSlice returns arguments as a slice of strings.

func (*Function) String 

func (f *Function) String() string

String returns a string representation of the call.

type FunctionDef 

type FunctionDef interface {
	// Call is the main function method that contains the implementation logic.
	Call(args []interface{}) (interface{}, bool)
	// Desc returns the function descriptor.
	Desc() functions.FunctionDesc
	// Name returns the function name.
	Name() functions.Fn
}

FunctionDef is the interface that all function definitions have to satisfy.

type FunctionValuer 

type FunctionValuer struct {
	// contains filtered or unexported fields
}

FunctionValuer implements the CallValuer interface and delegates the evaluation of function calls to the corresponding functions.

func (FunctionValuer) Call 

func (FunctionValuer) Call(name string, args []interface{}) (interface{}, bool)

func (FunctionValuer) Value 

func (f FunctionValuer) Value(key string) (interface{}, bool)

type IPLiteral 

type IPLiteral struct {
	Value net.IP
}

IPLiteral represents an IP literal.

func (IPLiteral) String 

func (i IPLiteral) String() string

type IntegerLiteral 

type IntegerLiteral struct {
	Value int64
}

IntegerLiteral represents a signed number literal.

func (IntegerLiteral) String 

func (i IntegerLiteral) String() string

type ListLiteral 

type ListLiteral struct {
	Values []string
}

ListLiteral represents a list of tag key literals.

func (*ListLiteral) String 

func (s *ListLiteral) String() string

String returns a string representation of the literal.

type MapValuer 

type MapValuer map[string]interface{}

MapValuer is a valuer that substitutes values for the mapped interface.

func (MapValuer) Value 

func (m MapValuer) Value(key string) (interface{}, bool)

Value returns the value for a key in the MapValuer.

type Node 

type Node interface {
	String() string
}

Node represents a node in the abstract syntax tree.

type NotExpr 

type NotExpr struct {
	Expr Expr
}

NotExpr represents an unary not expression.

func (*NotExpr) String 

func (e *NotExpr) String() string

String returns a string representation of the not expression.

type ParenExpr 

type ParenExpr struct {
	Expr Expr
}

ParenExpr represents a parenthesized expression.

func (*ParenExpr) String 

func (e *ParenExpr) String() string

String returns a string representation of the parenthesized expression.

type ParseError 

type ParseError struct {
	Expr     string
	Message  string
	Found    string
	Expected []string
	Pos      int
}

ParseError represents an error that occurred during parsing.

func (*ParseError) Error 

func (e *ParseError) Error() string

Error returns the string representation of the error.

type Parser 

type Parser struct {
	// contains filtered or unexported fields
}

Parser builds the binary expression tree from the filter string.

func NewParser 

func NewParser(expr string) *Parser

NewParser builds a new parser instance from the expression string.

func NewParserWithConfig added in v1.8.0 

func NewParserWithConfig(expr string, config *config.Filters) *Parser

NewParserWithConfig builds a new parser instance with filters config.

func (*Parser) IsSequence added in v1.10.0 

func (p *Parser) IsSequence() bool

IsSequence checks whether the expression given to the parser is a sequence.

func (*Parser) ParseExpr 

func (p *Parser) ParseExpr() (Expr, error)

ParseExpr parses an expression by building the binary expression tree.

func (*Parser) ParseSequence added in v1.10.0 

func (p *Parser) ParseSequence() (*Sequence, error)

ParseSequence parses the collection of binary expressions with possible join statements and time frame constraints. This method assumes the SEQUENCE token has already been consumed.

type Sequence added in v1.10.0 

type Sequence struct {
	MaxSpan     time.Duration
	By          fields.Field
	Expressions []SequenceExpr
}

Sequence is a collection of two or more sequence expressions.

func (Sequence) IsConstrained added in v1.10.0 

func (s Sequence) IsConstrained() bool

IsConstrained determines if the sequence has the global or per-expression `BY` statement.

type SequenceExpr added in v1.10.0 

type SequenceExpr struct {
	Expr        Expr
	By          fields.Field
	BoundFields []*BoundFieldLiteral
	Alias       string
	// contains filtered or unexported fields
}

SequenceExpr represents a single binary expression within the sequence.

func (*SequenceExpr) HasBoundFields added in v1.10.0 

func (e *SequenceExpr) HasBoundFields() bool

HasBoundFields determines if this sequence expression references any bound field.

func (*SequenceExpr) IsEvaluable added in v1.10.0 

func (e *SequenceExpr) IsEvaluable(kevt *kevent.Kevent) bool

IsEvaluable determines if the expression should be evaluated by inspecting the event type filter fields defined in the expression. We permit the expression to be evaluated when the incoming event type or category pertains to the one defined in the field literal.

type StringLiteral 

type StringLiteral struct {
	Value string
}

StringLiteral represents a string literal.

func (StringLiteral) String 

func (s StringLiteral) String() string

type UnsignedLiteral 

type UnsignedLiteral struct {
	Value uint64
}

UnsignedLiteral represents an unsigned number literal.

func (UnsignedLiteral) String 

func (u UnsignedLiteral) String() string

type Valuer 

type Valuer interface {
	// Value returns the value and existence flag for a given key.
	Value(key string) (interface{}, bool)
}

Valuer is the interface that wraps the Value() method.

func MultiValuer 

func MultiValuer(valuers ...Valuer) Valuer

MultiValuer returns a Valuer that iterates over multiple Valuer instances to find a match.

type ValuerEval 

type ValuerEval struct {
	Valuer Valuer

	// IntegerFloatDivision will set the eval system to treat
	// a division between two integers as a floating point division.
	IntegerFloatDivision bool
}

ValuerEval will evaluate an expression using the Valuer.

func (*ValuerEval) Eval 

func (v *ValuerEval) Eval(expr Expr) interface{}

Eval evaluates an expression and returns a value.

type Visitor 

type Visitor interface {
	Visit(Node) Visitor
}

Visitor can be called by Walk to traverse an AST hierarchy. The Visit() function is called once per node.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.