chore: add unit test

vectordotdev · Oct 17, 2024 · db0d29c · db0d29c
1 parent 20a8da9
commit db0d29c
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/src/datadog/grok/parse_grok.rs b/src/datadog/grok/parse_grok.rs
@@ -420,6 +420,24 @@ mod tests {
         assert_eq!(error, Error::NoMatch);
     }
 
+    #[test]
+    fn fails_on_too_many_match_retries() {
+        let rules = parse_grok_rules(
+            // patterns
+            &[
+                "%{DATA}\\s+%{word}\\s+%{notSpace}:\\s+DL=(\\[%{date(\"dd/MMM/yyyy:HH:mm:ss.SSS\"):haproxy.response_time}\\],<%{number:haproxy.pid}>,<%{number:haproxy.request.counter}>,<%{DATA:http.request.id}>,<%{number:haproxy.cpu_calls}>,<%{number:haproxy.cpu_ns_tot}>,<%{number:haproxy.cpu_ns_avg}>,<%{number:haproxy.lat_ns_tot}>,<%{number:haproxy.lat_ns_avg}>,<%{number:haproxy.frontend.log_counter}>,<%{DATA:haproxy.config.file.path}>,<%{DATA:haproxy.config.file.number}>,<%{ip:source.ip}>,<%{port:source.port}>,<%{DATA:destination.ip}>,<%{DATA:destination.port}>,<%{DATA:haproxy.frontend_name}>,<%{DATA:haproxy.frontend_name_tls}>,<%{DATA:haproxy.health.backend.name}>,<%{DATA:destination.nat.ip}>,<%{DATA:destination.nat.port}>,<%{number:haproxy.bytes_read}>,<%{number:haproxy.bytes_uploaded}>,<%{DATA:haproxy.termination_state}>,<%{DATA:haproxy.cache.hit}>,<%{DATA:haproxy.compression}>|\\[%{date(\"dd/MMM/yyyy:HH:mm:ss.SSS\"):haproxy.response_time}\\],<%{number:haproxy.pid}>,<%{number:haproxy.request.counter}>,<%{DATA:http.request.id}>,<%{number:haproxy.cpu_calls}>,<%{number:haproxy.cpu_ns_tot}>,<%{number:haproxy.cpu_ns_avg}>,<%{number:haproxy.lat_ns_tot}>,<%{number:haproxy.lat_ns_avg}>,<%{number:haproxy.frontend.log_counter}>,<%{DATA:haproxy.config.file.path}>,<%{DATA:haproxy.config.file.number}>,<%{ip:source.ip}>,<%{port:source.port}>,<%{DATA:destination.ip}>,<%{DATA:destination.port}>,<%{DATA:haproxy.frontend_name}>,<%{DATA:haproxy.frontend_name_tls}>,<%{DATA:haproxy.health.backend.name}>,<%{ip:destination.nat.ip}>,<%{port:destination.nat.port}>,<%{number:haproxy.bytes_read}>,<%{number:haproxy.bytes_uploaded}>,<%{DATA:haproxy.termination_state}>,<%{DATA:haproxy.cache.hit}>,<%{DATA:haproxy.compression}>),TML=%{DATA},QL=%{DATA:queues_log},CONNL=%{DATA},TL=<%{DATA:trace.id}>,<%{DATA:span_id}>,<%{DATA:aero.app.id}>,<%{DATA:trace.device_id}>,<%{DATA:trace.ibe_proxy}>,<%{DATA:trace.test}>,<%{DATA:trace.test2}>,<%{boolean:recaptcha.tracking_id}>,<%{DATA:fingerprint}>,<%{DATA:test}>,<%{DATA:suspicious_client}>,<%{DATA:crawler_status}>,<%{DATA:recaptcha.score}>,<%{DATA:recaptcha.cookie}>,HL=%{DATA},AL=%{DATA},PL=%{DATA},SL=%{DATA},DDL=%{DATA},RLL=%{DATA},WL=%{DATA},MML=<%{DATA:maxmind.geo.city_name}>,<%{DATA:maxmind.geo.location.lat}>,<%{DATA:maxmind.geo.location.lon}>,<%{DATA:maxmind.geo.timezone}>,<%{DATA:maxmind.test}>,<%{DATA:maxmind.geo.country_name}>,<%{DATA:maxmind.geo.country_code}>,<%{DATA:maxmind.geo.continent_name}>,<%{DATA:maxmind.geo.continent_code}>,<%{DATA:maxmind.bar}>,<%{DATA:maxmind.foo}>,<%{DATA:maxmind.geo.region_name}>,<%{DATA:maxmind.geo.region_code}>,<%{DATA:maxmind.geo.request.limit}>,<%{DATA:maxmind.geo.request.hits}>,<%{DATA:maxmind.geo.request.action}>,<%{DATA:maxmind.geo.peak_hour_start}>,<%{DATA:maxmind.geo.peak_hour_end}>,PCL=%{DATA},BOT=<%{DATA:botmgmt.country_block_score}>,<%{DATA:botmgmt.country_recaptcha_score}>,<%{DATA:botmgmt.score}>,<%{DATA:botmgmt.crawler}>,<%{DATA:botmgmt.label}>,<%{DATA:botmgmt.verified_bot}>,<%{DATA:botmgmt.DATA_tag}>,<%{DATA:botmgmt.triggers}>,<%{DATA:botmgmt.magic}>,<%{DATA:botmgmt.magic_score}>,<%{DATA:botmgmt.ext}>,<%{DATA:botmgmt.magic_label}>,<%{DATA:botmgmt.triggers_hc}>,<%{DATA:botmgmt.verified_bot_category}>,<%{DATA:botmgmt.triggers_hc_http_req_cnt_cur}>,<%{DATA:botmgmt.triggers_hc_http_req_cnt_max}>,SPOE=%{DATA},CL=%{DATA}".to_string()
+            ],
+            BTreeMap::new()
+        ).expect("couldn't parse rules");
+
+        let parsed = parse_grok(
+            r#"Oct  1 03:55:13 test test-lb[1234567]: DL=[01/Oct/2024:03:55:12.764],<1234567>,<12345678>,<00-12312312312312312312312312312312-abc123abc123ab-01>,<1>,<1>,<1>,<1234>,<123>,<1234567>,<->,<->,<123.123.123.123>,<12345>,<123.12.1.12>,<123>,<test>,<test~>,<test>,<123.12.12.12>,<1234>,<+1234>,<1>,<--VN>,<1>,<1>,TML=<+123>,<+123>,<1>,<12>,<+123>,<1>,<1>,<1>,<123>,<0>,<01/Oct/2024:03:55:12.779>,<->,QL=<1>,<1>,<1>,CONNL=<12>,<1234>,<123>,<12>,<12>,<123>,<12>,<1>,<12>,<12>,<1>,TL=<aBc123AbC123aBc123AbC123aBc123AbC123aBc123AbC123aBc123AbC123aBc123AbC123aBc123AbC123aBc123AbC123aBc123AbC123aBc123AbC123aBc123Ab>,<aBc123AbC123aBc1>,<->,<>,<->,<->,<->,<false>,<a-abc1233--a-a-a-abcd1234-abcd1234-abcd1234-abcd1234-abcd1234-a-b-1.2-a-a-a-a-a>,<1>,<NC>,<NDC>,<->,<->,HL=<0>,<Success>,<->,<POST>,<HTTP/1.1>,<https://test.test.com/test/test/test>,<123>,<aBc123AbC123aBc1aBc123AbC123aBc1>,<\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/123.12 (KHTML, like Gecko) Chrome/12.1.1234.123 Safari/123.45\">,AL=<->,<ABC1234>,<->,<ABC1234567>,<\"\">,<\"\">,<->,<->,<->,<->,<->,<->,<->,PL=<->,<->,<->,<->,<->,<OTA_AirPriceRQ>,<->,<->,<->,SL=<TLSv1.3>,<TLS_AES_256_GCM_SHA384>,<test.test.com>,<1>,<->,DDL=<1>/<12>,<12>/<123>,<->,<12>/<123>,<1>/<123>,RLL=<123>,<12>,WL=<->,MML=<Greenwich>,<12.123456>,<0.123456>,<Europe/London>,<12>,<United Kingdom>,<GB>,<Europe>,<EU>,<1234>,<Test Test Test>,<England>,<ENG>,<->,<->,<->,<->,<->,PCL=<->,<JSESSIONID=abcd1234~ABC123ABC123ABC123ABC123ABC123.abc123>,BOT=<12>,<12>,<12>,<->,<bot>,<->,<2024-09-19T15-11-21.123456>,<aBc123AbC123aBc1:12;aBc123AbC123aBc1:12;aBc123AbC123aBc1:12>,<12121212121212121212121212121212121212121212121212>,<12>,<aBc123AbC12+aBc123AbC1/aBc123aBc123aBc123aBc123aBc123aBc123aBc+aBc123AbC123aBc123AbC123aBc123AbC123aBc123AbC123aBc123AbC123aBc123AbC123aBc123/aB1/aB1/aB1/aB1/aB1/aB1/aB1/aB1/aB1/aB1/aB1/aBc123AbC12/abc12>,<suspicious>,<abc123abc123abc123abc123abc123abc123abc123abc123>,<->,<->,<->,SPOE=<->,<true>,<->,PAYL=<->,<->,<->,<->,<->,<->,<->,<->,<->,<->,<->,<->,<->,<->,CL=<\"test.test.com\">,<1234>,<\"text/xml\">,<\"\">,<\"https://test.test.com/test/test/test\">,<->,<->,<TLSv1.3>,<->,<\"text/xml;charset=UTF-8\">,<\"immutabl\">,<AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc123ABc123abC123AbC123aBc12=>,<https://test.test.com/test/test/test>,<->,<true>,<abcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdefgabcdef"#,
+            &rules,
+        );
+
+        assert_eq!(parsed.unwrap_err(), Error::FailedToMatch("Regex search error, try simplifying your regex to decrease the amount of match retries".to_string()))
+    }
+
     #[test]
     fn appends_to_the_same_field() {
         let rules = parse_grok_rules(