# Source: github.com/crowdsecurity/crowdsec@v1.6.1/pkg/parser/tests/base-tree/base-grok.yaml
#
# Parser test fixture: two YAML documents exercising a node tree.
# Document 1 is a root node that runs a grok pattern and tags the event.
# Document 2 is a parent node whose child nodes branch on the value the
# root node extracted.

# --- Root node ---------------------------------------------------------
# Only events labelled type1 are handled here.
filter: "evt.Line.Labels.type == 'type1'"
# Per-node debug output; useful in a test fixture, noisy if copied into a
# production parser.
debug: true
name: tests/base-grok-root
# Local grok sub-pattern. ".*" accepts any run of characters; here it is
# bounded by the literal text and the ^...$ anchors of the pattern below.
# NOTE(review): for parsers fed attacker-influenced log lines, a narrower
# character class is the safer choice than ".*".
pattern_syntax:
  MYCAP4: ".*"
grok:
  # Single-quoted so the braces, "%" and "$" are always read as literal text.
  pattern: '^xxheader %{MYCAP4:extracted_value} trailing stuff$'
  # The pattern is matched against the raw log line.
  apply_on: Line.Raw
statics:
  # Marker consumed by the filter of the second document.
  - meta: state
    value: root-done
  # Copies the captured text into the event metadata. The value originates
  # from the log line, so downstream consumers should treat it as untrusted.
  - meta: state_sub
    expression: evt.Parsed.extracted_value
---
# --- Leaf dispatcher ---------------------------------------------------
# Runs only on type1 events that the root node already marked as done.
filter: "evt.Line.Labels.type == 'type1' && evt.Meta.state == 'root-done'"
debug: true
# A successful match hands the event on to the next stage.
onsuccess: next_stage
name: tests/base-grok-leafs
# Child nodes operate on the result produced by the root node: each one
# compares the extracted value against a fixed string and records which
# leaf matched.
nodes:
  - filter: "evt.Parsed.extracted_value == 'VALUE1'"
    debug: true
    statics:
      - meta: final_state
        value: leaf1
  - filter: "evt.Parsed.extracted_value == 'VALUE2'"
    debug: true
    statics:
      - meta: final_state
        value: leaf2