Skip to content

Squash merge temp into temp-parser #658

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ishree-dev wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Squash merge temp into temp-parser #658

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@
> **Note:** At this time, only response integration and playbook content is supported via this contribution
> workflow. We expect to expand support to other critical content types in the near future.



👋 Hello and welcome!

This repository is the central hub for a wide array of community-contributed content intended to
Expand Down
84 changes: 84 additions & 0 deletions content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/dummy_logtype.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
filter {
mutate {
replace => {
"event_data" => ""
"productlogid" => ""
"kv_msg" => ""
"msg" => ""
"deviceCustomDate1" => ""
"rt" => ""
}
Comment on lines +4 to +10
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The fields productlogid, deviceCustomDate1, and rt are initialized but never used or populated in the parser logic. Removing unused initializations improves code clarity and maintainability.

      "event_data" => ""
      "kv_msg" => ""
      "msg" => ""
    }
References
  1. The style guide emphasizes readability and maintainability, which includes avoiding redundant or unused code. (link)

}

grok {
match => {
"message" => [
"%{GREEDYDATA:event_data} \\| %{GREEDYDATA:kv_msg}"
]
}
overwrite => ["event_data" ,"msg" ,"kv_msg"]
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The field msg is included in the overwrite list for the grok filter, but it is not defined as a capture group in the match pattern. It should be removed from the overwrite list. Additionally, the spacing in the array should be corrected for consistency.

    overwrite => ["event_data", "kv_msg"]
References
  1. The style guide emphasizes readability and maintainability, which includes avoiding redundant or inconsistent code formatting. (link)

on_error => "grok_failure"
}

mutate {
gsub => ["kv_msg", " ([a-zA-Z0-9]+=)","#$1"]
}

kv {
source => "kv_msg"
field_split => "#"
value_split => "="
on_error => "kv_failure"
}

mutate {
replace => {
"event_type" => "GENERIC_EVENT"
}
}

if [msg] != "" {
mutate {
replace => {
"msg_label.value.string_value" => "%{msg}"
}
on_error => "msg_empty"
}
if ![msg_empty] {
mutate {
replace => {
"msg_label.key" => "msg"
}
}
mutate {
merge => {
"event.idm.read_only_udm.additional.fields" => "msg_label"
}
on_error => "msg_label_empty"
}
}
}

if [event_data] != "" {
mutate {
replace => {
"event.idm.read_only_udm.metadata.description" => "%{event_data}"
}
on_error => "event_data_empty"
}
}

mutate {
rename => {
"event_type" => "event.idm.read_only_udm.metadata.event_type"
}
}

mutate {
merge => {
"@output" => "event"
}
}

}

7 changes: 7 additions & 0 deletions content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"product": "DUMMY Product",
"vendor": "Test Vendor",
"description": "Some sort of product from this vendorr.",
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

There is a typo in the description: 'vendorr' should be 'vendor'.

Suggested change
"description": "Some sort of product from this vendorr.",
"description": "Some sort of product from this vendor.",

"log_type": "DUMMY_LOGTYPE",
"verified": true
}
38 changes: 38 additions & 0 deletions ...parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/expected_events/test_events.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
{
"events": [
{
"event" : {
"timestamp": "2021-03-23T08:20:27.863384Z",
"idm": {
"read_only_udm": {
"metadata": {
"event_timestamp": "2021-03-23T08:20:27.863384Z",
"event_type": "GENERIC_EVENT",
"description": "No New Ingestion Activity"
},
"additional": {
"msg": "No reports have been ingested since MAR 23 2021 00:18:31."
}
}
}
}
},
{
"event" : {
"timestamp": "2021-03-23T08:20:27.863384Z",
"idm": {
"read_only_udm": {
"metadata": {
"event_timestamp": "2021-03-23T08:20:27.863384Z",
"event_type": "GENERIC_EVENT",
"description": "No New Ingestion Activity"
},
"additional": {
"msg": "No reports have been ingested since MAR 23 2021 00:18:32."
}
}
}
}
}
]
}
38 changes: 38 additions & 0 deletions ...ers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/expected_events/usecase1_events.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
{
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This test file is identical to test_events.json. Redundant test cases should be removed or updated to cover different log scenarios to ensure better test coverage without duplication.

"events": [
{
"event" : {
"timestamp": "2021-03-23T08:20:27.863384Z",
"idm": {
"read_only_udm": {
"metadata": {
"event_timestamp": "2021-03-23T08:20:27.863384Z",
"event_type": "GENERIC_EVENT",
"description": "No New Ingestion Activity"
},
"additional": {
"msg": "No reports have been ingested since MAR 23 2021 00:18:31."
}
}
}
}
},
{
"event" : {
"timestamp": "2021-03-23T08:20:27.863384Z",
"idm": {
"read_only_udm": {
"metadata": {
"event_timestamp": "2021-03-23T08:20:27.863384Z",
"event_type": "GENERIC_EVENT",
"description": "No New Ingestion Activity"
},
"additional": {
"msg": "No reports have been ingested since MAR 23 2021 00:18:32."
}
}
}
}
}
]
}
6 changes: 6 additions & 0 deletions content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/raw_logs/test_log.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
"raw_logs": [
"No New Ingestion Activity | msg=No reports have been ingested since MAR 23 2021 00:18:31.",
"No New Ingestion Activity | msg=No reports have been ingested since MAR 23 2021 00:18:32."
]
}
6 changes: 6 additions & 0 deletions content/parsers/third_party/community/DUMMY_LOGTYPE/cbn/testdata/raw_logs/usecase1_log.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This raw log file is identical to test_log.json. Redundant test data should be removed or modified to represent a different use case.

"raw_logs": [
"No New Ingestion Activity | msg=No reports have been ingested since MAR 23 2021 00:18:31.",
"No New Ingestion Activity | msg=No reports have been ingested since MAR 23 2021 00:18:32."
]
}
2 changes: 2 additions & 0 deletions docs/contributing.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,8 @@ with your changes to the main repository's main branch.

### Code Reviews



All submissions, including submissions by project members, require review. We
use [GitHub pull requests](https://docs.github.com/articles/about-pull-requests)
for this purpose.
Expand Down
Loading