def test_blacklist():
    """Feed a small batch of events through BlacklistRule and check the matches.

    Two events carry a ``term`` value that is listed verbatim in the rule's
    blacklist and are expected to be reported; the other events either carry
    a ``term`` that is not listed or lack the compare key entirely.
    """
    # (timestamp, field name, field value) for each synthetic event, in arrival order.
    samples = [
        ('2014-09-26T12:34:56Z', 'term', 'good'),
        ('2014-09-26T12:34:57Z', 'term', 'bad'),
        ('2014-09-26T12:34:58Z', 'term', 'also good'),
        ('2014-09-26T12:34:59Z', 'term', 'really bad'),
        # Deliberately stored under a different key: the rule's compare_key is absent here.
        ('2014-09-26T12:35:00Z', 'no_term', 'bad'),
    ]
    events = [
        {'@timestamp': ts_to_dt(stamp), field: value}
        for stamp, field, value in samples
    ]
    rules = {
        'blacklist': ['bad', 'really bad'],
        'compare_key': 'term',
        'timestamp_field': '@timestamp',
    }
    rule = BlacklistRule(rules)
    rule.add_data(events)
    expected = [('term', listed) for listed in ('bad', 'really bad')]
    assert_matches_have(rule.matches, expected)
def test_blacklist():
    """Verify that BlacklistRule reports events whose compare_key value is blacklisted.

    The batch mixes listed values ('bad', 'really bad'), an unlisted value
    ('good', 'also good') and one event without the compare key at all; only
    the listed ones are expected among the matches.
    """
    def make_event(stamp, **fields):
        # '@timestamp' is always the first key, followed by the supplied field.
        return {'@timestamp': ts_to_dt(stamp), **fields}

    events = [
        make_event('2014-09-26T12:34:56Z', term='good'),
        make_event('2014-09-26T12:34:57Z', term='bad'),
        make_event('2014-09-26T12:34:58Z', term='also good'),
        make_event('2014-09-26T12:34:59Z', term='really bad'),
        # No 'term' key here, so the rule has nothing to compare for this event.
        make_event('2014-09-26T12:35:00Z', no_term='bad'),
    ]
    rules = dict(
        blacklist=['bad', 'really bad'],
        compare_key='term',
        timestamp_field='@timestamp',
    )
    rule = BlacklistRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [('term', 'bad'), ('term', 'really bad')])
def test_blacklist():
    """Check BlacklistRule against events with listed, unlisted and missing terms.

    Four consecutive events carry a "term" field; the fifth stores its value
    under a different key so the rule's compare_key is missing. Only the two
    events whose "term" is exactly a blacklist entry are expected as matches.
    """
    stamps = [
        "2014-09-26T12:34:56Z",
        "2014-09-26T12:34:57Z",
        "2014-09-26T12:34:58Z",
        "2014-09-26T12:34:59Z",
    ]
    terms = ["good", "bad", "also good", "really bad"]
    events = []
    for stamp, term in zip(stamps, terms):
        events.append({"@timestamp": ts_to_dt(stamp), "term": term})
    # Final event lacks the compare key entirely; its value is irrelevant to the rule.
    events.append({"@timestamp": ts_to_dt("2014-09-26T12:35:00Z"), "no_term": "bad"})

    rules = {
        "blacklist": ["bad", "really bad"],
        "compare_key": "term",
        "timestamp_field": "@timestamp",
    }
    rule = BlacklistRule(rules)
    rule.add_data(events)
    expected_matches = [("term", "bad"), ("term", "really bad")]
    assert_matches_have(rule.matches, expected_matches)