def test_search_fields_join_prettyprint_table(self):
    # Two indexes joined on `handle`, then rendered by `prettyprint format=table`.
    # The first expected row carries the field names and appears to be the header.
    # NOTE(review): the column padding inside these expected strings looks
    # whitespace-collapsed in this copy of the file — confirm against the real
    # table output before relying on the exact spacing.
    expected = [
        'index ip handle event ',
        "['ip_rdap', 'rdap'] 7 handle1 4 ",
        "['ip_rdap', 'rdap'] 10 handle2 5 ",
        "['ip_rdap', 'rdap'] [15, 19, 21] handle3 6 "
    ]
    actual = list(
        search.query(
            'search index=ip_rdap OR index=rdap | fields index ip handle event | join BY handle | prettyprint format=table',
            self.wh))
    self.assertEqual(expected, actual)
def test_search_le_expression(self):
    """A ``<=`` comparison on ``ip`` keeps the geoip events with ip at or below 10."""
    query = 'search index=geoip ip<=10'
    got = list(search.query(query, self.wh))
    want = [
        {'event': 1, 'k': 'v', 'ip': 7, 'index': 'geoip'},
        {'event': 2, 'k': 'v', 'ip': 10, 'index': 'geoip'},
    ]
    self.assertListEqual(want, got)
def test_search_not(self):
    """``NOT ip=10`` removes exactly the event whose ip is 10."""
    query = 'search index=geoip NOT ip=10'
    got = list(search.query(query, self.wh))
    want = [
        {'event': 1, 'k': 'v', 'ip': 7, 'index': 'geoip'},
        {'event': 3, 'k': 'v', 'ip': 15, 'index': 'geoip'},
    ]
    self.assertListEqual(want, got)
def test_search_fields(self):
    """``fields event ip`` projects each result down to just those two keys."""
    query = 'search index=geoip | fields event ip'
    got = list(search.query(query, self.wh))
    want = [
        {'event': 1, 'ip': 7},
        {'event': 2, 'ip': 10},
        {'event': 3, 'ip': 15},
    ]
    self.assertListEqual(want, got)
def test_search_disjunction(self):
    """``ip=10 OR ip=15`` matches both events and nothing else."""
    query = 'search index=geoip ip=10 OR ip=15'
    got = list(search.query(query, self.wh))
    want = [
        {'event': 2, 'k': 'v', 'ip': 10, 'index': 'geoip'},
        {'event': 3, 'k': 'v', 'ip': 15, 'index': 'geoip'},
    ]
    self.assertListEqual(want, got)
def test_search_asterisk(self):
    """``ip=*`` matches every geoip event that has an ``ip`` field."""
    query = 'search index=geoip ip=*'
    got = list(search.query(query, self.wh))
    want = [
        {'event': 1, 'k': 'v', 'ip': 7, 'index': 'geoip'},
        {'event': 2, 'k': 'v', 'ip': 10, 'index': 'geoip'},
        {'event': 3, 'k': 'v', 'ip': 15, 'index': 'geoip'},
    ]
    self.assertListEqual(want, got)
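def input_loop(self):
    """
    Loop and accept input for querying the data.

    Reads one line at a time from stdin. ``search <query>`` runs the query
    against ``self.warehouse`` and prints every result; ``exit`` / ``quit``,
    Ctrl-C or end-of-input (Ctrl-D) leave the loop; an empty line is ignored.
    A query the grammar rejects is reported as ``Parse error`` and the loop
    continues.
    """
    running = True
    while running:
        try:
            print()
            line = input('> ')
            # Split on the first single space only: the remainder is handed to
            # the search verbatim, so repeated spaces inside a query survive.
            command, _, query = line.partition(' ')
            if command == 'search':
                if not query:
                    print('No query!')
                    continue
                try:
                    results = search.query('search ' + query,
                                           self.warehouse,
                                           verbose=self.args.verbose)
                    print('results:')
                    for result in results:
                        print(result)
                except lark.exceptions.LarkError:
                    # LarkError is the common base of ParseError and the lexer
                    # errors (e.g. UnexpectedCharacters); catching only
                    # ParseError let a query containing characters unknown to
                    # the grammar unwind the whole loop with a traceback.
                    print('Parse error')
                    continue
            elif command in ('exit', 'quit'):
                running = False
            elif command == '':
                continue
            else:
                print(f'Unknown command: {command}')
                continue
        except (KeyboardInterrupt, EOFError):
            # Ctrl-C, or Ctrl-D at the prompt (EOFError from input()), ends the
            # session cleanly instead of crashing out of the loop.
            running = False
            print()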
def test_search_fields_join_prettyprint_json(self):
    # Same join as the table variant, rendered by `prettyprint format=json`:
    # one multi-line JSON document per joined record, fields in the order
    # given to `fields`.
    # NOTE(review): the indentation inside these expected strings looks
    # whitespace-collapsed in this copy of the file — confirm the exact
    # leading spaces against the real json output.
    expected = [
        '{\n'
        ' "index": [\n'
        ' "ip_rdap",\n'
        ' "rdap"\n'
        ' ],\n'
        ' "ip": 7,\n'
        ' "handle": "handle1",\n'
        ' "event": 4\n'
        '}',
        '{\n'
        ' "index": [\n'
        ' "ip_rdap",\n'
        ' "rdap"\n'
        ' ],\n'
        ' "ip": 10,\n'
        ' "handle": "handle2",\n'
        ' "event": 5\n'
        '}',
        '{\n'
        ' "index": [\n'
        ' "ip_rdap",\n'
        ' "rdap"\n'
        ' ],\n'
        ' "ip": [\n'
        ' 15,\n'
        ' 19,\n'
        ' 21\n'
        ' ],\n'
        ' "handle": "handle3",\n'
        ' "event": 6\n'
        '}'
    ]
    actual = list(
        search.query(
            'search index=ip_rdap OR index=rdap | fields index ip handle event | join BY handle | prettyprint format=json',
            self.wh))
    self.assertEqual(expected, actual)
def test_search_fields_join(self):
    """``join BY handle`` merges records from three indexes that share a handle.

    Only ``ip_rdap``/``rdap`` appear in the joined ``index`` lists; values that
    differ between the joined records (``ip`` for handle3) are collected into a
    list.
    """
    query = ('search index=ip_rdap OR index=rdap OR index=geoip '
             '| fields index ip handle event | join BY handle')
    got = list(search.query(query, self.wh))
    want = [
        {'handle': 'handle1', 'index': ['ip_rdap', 'rdap'], 'event': 4, 'ip': 7},
        {'handle': 'handle2', 'index': ['ip_rdap', 'rdap'], 'event': 5, 'ip': 10},
        {'handle': 'handle3', 'index': ['ip_rdap', 'rdap'], 'event': 6, 'ip': [15, 19, 21]},
    ]
    self.assertListEqual(want, got)
def test_search_no_matches(self):
    """A value no event carries yields an empty result list, not an error."""
    got = list(search.query('search index=geoip ip=2', self.wh))
    self.assertListEqual([], got)
def test_search_field_dne(self):
    """Filtering on a field that does not exist matches nothing."""
    got = list(search.query('search index=geoip derp=herp', self.wh))
    self.assertListEqual([], got)
def test_search_gt_expression(self):
    """A ``>`` comparison on ``ip`` keeps only the geoip event with ip above 10."""
    query = 'search index=geoip ip>10'
    got = list(search.query(query, self.wh))
    want = [
        {'event': 3, 'k': 'v', 'ip': 15, 'index': 'geoip'},
    ]
    self.assertListEqual(want, got)