github.com/crowdsecurity/crowdsec@v1.6.1/pkg/parser/tests/base-grok-stash/base-grok-stash.yaml (about)

     #  Parser test fixture: correlates two log lines through a stash (a named cache).
     #  A "start" line records pid -> program; a later "forbidden thing" line looks
     #  the program back up by pid. Both the stored value and the lookup key are
     #  captured from the raw log line, so the derived meta is untrusted log content.
     #
     #  Only events labelled type 'testlog' enter this node.
     1  filter: "evt.Line.Labels.type == 'testlog'"
     #  Per-node debug output; appropriate for a test fixture, not something to
     #  carry over into a production parser.
     2  debug: true
     3  onsuccess: next_stage  # a successful parse hands the event to the next stage
     4  name: tests/base-grok-stash
     #  Grok patterns local to this node. DATA is a loose capture, so `program` is
     #  whatever text sits between "start " and " thing with pid" in the line.
     5  pattern_syntax:
     6    TEST_START: start %{DATA:program} thing with pid %{NUMBER:pid}
     7    TEST_CONTINUED: pid %{NUMBER:pid} did a forbidden thing
     #  Two child nodes: the first fills the stash, the second reads from it.
     8  nodes:
     9    - #name: tests/base-grok-stash-sub-start
    10      grok:
    11        name: "TEST_START"
    12        apply_on: Line.Raw
    13        statics:
    14          - meta: log_type
    15            value: test_start
     #  Store program under pid in the stash named test_program_pid_assoc.
    16      stash:
    17        - name: test_program_pid_assoc
     #  NOTE(review): the key is the PID alone. If lines from several sources, or a
     #  reused PID, reach this stash within the TTL, a lookup can return another
     #  process's program. A production parser would want a source-scoped key.
    18          key: evt.Parsed.pid
    19          value: evt.Parsed.program
    20          ttl: 30s  # entry lifetime; a continuation line arriving later finds nothing
     #  Capacity of this stash. Presumably entries beyond 10 are evicted; the
     #  eviction policy is not visible here - TODO confirm.
    21          size: 10
    22    - #name: tests/base-grok-stash-sub-cont
    23      grok:
    24        name: "TEST_CONTINUED"
    25        apply_on: Line.Raw
    26        statics:
    27          - meta: log_type
    28            value: test_continue
     #  Look the program up by pid in the stash filled by the first child node.
     #  NOTE(review): what GetFromStash yields on a miss (expired, evicted, never
     #  stored) is not shown here; consumers of associated_prog_name should handle
     #  a missing or empty value rather than assume the association exists.
    29          - meta: associated_prog_name
    30            expression: GetFromStash("test_program_pid_assoc", evt.Parsed.pid)
    31