def test_whitelist_dont_ignore_nulls():
    """With ``ignore_null`` off, events lacking the compare key are matched too.

    Five events arrive in timestamp order; two carry whitelisted ``term``
    values, two carry non-whitelisted ones, and the last has no ``term`` at
    all. All three non-whitelisted events are expected in ``rule.matches``.
    """
    # (timestamp, field, value) -- one row per event, in arrival order
    rows = [
        ('2014-09-26T12:34:56Z', 'term', 'good'),
        ('2014-09-26T12:34:57Z', 'term', 'bad'),
        ('2014-09-26T12:34:58Z', 'term', 'also good'),
        ('2014-09-26T12:34:59Z', 'term', 'really bad'),
        ('2014-09-26T12:35:00Z', 'no_term', 'bad'),
    ]
    events = [{'@timestamp': ts_to_dt(ts), field: value} for ts, field, value in rows]
    # ignore_null is False here: a missing compare key must count as a match
    rules = {
        'whitelist': ['good', 'also good'],
        'compare_key': 'term',
        'ignore_null': False,
        'timestamp_field': '@timestamp',
    }
    rule = WhitelistRule(rules)
    rule.add_data(events)
    expected = [('term', 'bad'), ('term', 'really bad'), ('no_term', 'bad')]
    assert_matches_have(rule.matches, expected)
def test_whitelist():
    """Only events whose ``term`` is outside the whitelist are matched.

    ``ignore_null`` is on, so the final event (which has no ``term`` key)
    must not appear in ``rule.matches``.
    """
    def _event(ts, **fields):
        # Build one event dict with a parsed timestamp plus the given payload.
        event = {'@timestamp': ts_to_dt(ts)}
        event.update(fields)
        return event

    events = [
        _event('2014-09-26T12:34:56Z', term='good'),
        _event('2014-09-26T12:34:57Z', term='bad'),
        _event('2014-09-26T12:34:58Z', term='also good'),
        _event('2014-09-26T12:34:59Z', term='really bad'),
        _event('2014-09-26T12:35:00Z', no_term='bad'),
    ]
    rules = {
        'whitelist': ['good', 'also good'],
        'compare_key': 'term',
        'ignore_null': True,
        'timestamp_field': '@timestamp',
    }
    rule = WhitelistRule(rules)
    rule.add_data(events)
    assert_matches_have(rule.matches, [('term', 'bad'), ('term', 'really bad')])
ファイル: rules_test.py プロジェクト: mesozoic/elastalert
def test_whitelist():
    """Only events whose ``term`` is outside the whitelist are matched.

    ``ignore_null`` is on, so the final event (which has no ``term`` key)
    must not appear in ``rule.matches``.
    """
    timestamps = [
        "2014-09-26T12:34:56Z",
        "2014-09-26T12:34:57Z",
        "2014-09-26T12:34:58Z",
        "2014-09-26T12:34:59Z",
        "2014-09-26T12:35:00Z",
    ]
    # Payloads line up with timestamps by position; the last one lacks "term".
    payloads = [
        {"term": "good"},
        {"term": "bad"},
        {"term": "also good"},
        {"term": "really bad"},
        {"no_term": "bad"},
    ]
    events = []
    for ts, payload in zip(timestamps, payloads):
        event = {"@timestamp": ts_to_dt(ts)}
        event.update(payload)
        events.append(event)
    rules = {
        "whitelist": ["good", "also good"],
        "compare_key": "term",
        "ignore_null": True,
        "timestamp_field": "@timestamp",
    }
    rule = WhitelistRule(rules)
    rule.add_data(events)
    expected = [("term", "bad"), ("term", "really bad")]
    assert_matches_have(rule.matches, expected)