Fixed new bug with unary not. Other minor syntax corrections. Other m…

…inor syntax enhancements. Brought query success rate up to 64% and command success rate up to 87%.
rearc · Oct 2, 2024 · e63776f · e63776f
1 parent 90ce8d2
commit e63776f
Show file tree

Hide file tree

Showing 4 changed files with 203 additions and 30 deletions.
diff --git a/src/commands/cmd_search/spl.rs b/src/commands/cmd_search/spl.rs
@@ -429,4 +429,71 @@ mod tests {
             ))
         );
     }
+
+    #[test]
+    fn test_search_10() {
+        let query = r#"
+        eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security
+        EventCode=5137 OR (
+            EventCode=5136
+            AttributeValue!="New Group Policy Object" AND
+            (
+                AttributeLDAPDisplayName=displayName OR
+                AttributeLDAPDisplayName=gPCFileSysPath
+            )
+        )
+        ObjectClass=groupPolicyContainer"#;
+
+        assert_eq!(
+            SearchParser::parse(query),
+            Ok((
+                "",
+                SearchCommand {
+                    expr: _and(
+                        _and(
+                            _or(
+                                _eq(
+                                    ast::Field::from("eventtype"),
+                                    ast::Field::from("wineventlog_security")
+                                ),
+                                _or(
+                                    _eq(ast::Field::from("Channel"), ast::Field::from("security")),
+                                    _eq(
+                                        ast::Field::from("source"),
+                                        ast::Field::from("XmlWinEventLog:Security")
+                                    ),
+                                ),
+                            ),
+                            _or(
+                                _eq(ast::Field::from("EventCode"), ast::IntValue::from(5137)),
+                                _and(
+                                    _eq(ast::Field::from("EventCode"), ast::IntValue::from(5136)),
+                                    _and(
+                                        _neq(
+                                            ast::Field::from("AttributeValue"),
+                                            ast::StrValue::from("New Group Policy Object")
+                                        ),
+                                        _or(
+                                            _eq(
+                                                ast::Field::from("AttributeLDAPDisplayName"),
+                                                ast::Field::from("displayName")
+                                            ),
+                                            _eq(
+                                                ast::Field::from("AttributeLDAPDisplayName"),
+                                                ast::Field::from("gPCFileSysPath")
+                                            )
+                                        )
+                                    )
+                                )
+                            ),
+                        ),
+                        _eq(
+                            ast::Field::from("ObjectClass"),
+                            ast::Field::from("groupPolicyContainer")
+                        )
+                    ),
+                }
+            ))
+        );
+    }
 }
diff --git a/src/commands/cmd_t_stats/spl.rs b/src/commands/cmd_t_stats/spl.rs
@@ -312,7 +312,7 @@ mod tests {
                 where (Processes.process_name=wmic.exe OR Processes.original_file_name=wmic.exe) Processes.process = "*os get*" Processes.process="*/format:*" Processes.process = "*.xsl*"
                 by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user"#;
         assert_eq!(
-            all_consuming(TStatsParser::parse)(query),
+            TStatsParser::parse(query),
             Ok((
                 "",
                 TStatsCommand {
@@ -915,4 +915,70 @@ mod tests {
             ))
         );
     }
+
+    #[test]
+    fn test_tstats_10() {
+        let query = r#"tstats
+        summariesonly=false allow_old_summaries=true fillnull_value=null
+        count min(_time) as firstTime max(_time) as lastTime
+        from datamodel=Endpoint.Processes
+        where (Processes.process_name=sc.exe OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\* AND Processes.process=*start*)
+        by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id"#;
+
+        assert_eq!(
+            TStatsParser::parse(query),
+            Ok((
+                "",
+                TStatsCommand {
+                    prestats: false,
+                    local: false,
+                    append: false,
+                    summaries_only: false,
+                    include_reduced_buckets: false,
+                    allow_old_summaries: true,
+                    chunk_size: 10000000,
+                    fillnull_value: Some("null".into()),
+                    exprs: vec![
+                        _call!(count()).into(),
+                        _alias("firstTime", _call!(min(ast::Field::from("_time")))).into(),
+                        _alias("lastTime", _call!(max(ast::Field::from("_time")))).into(),
+                    ],
+                    datamodel: Some("Endpoint.Processes".into()),
+                    nodename: None,
+                    where_condition: Some(_and(
+                        _or(
+                            _eq(
+                                ast::Field::from("Processes.process_name"),
+                                ast::StrValue::from("sc.exe")
+                            ),
+                            _eq(
+                                ast::Field::from("Processes.original_file_name"),
+                                ast::StrValue::from("sc.exe")
+                            ),
+                        ),
+                        _and(
+                            _eq(
+                                ast::Field::from("Processes.process"),
+                                ast::Wildcard::from(r#"*\\\\*"#)
+                            ),
+                            _eq(
+                                ast::Field::from("Processes.process"),
+                                ast::Wildcard::from(r#"*start*"#)
+                            ),
+                        )
+                    )),
+                    by_fields: Some(vec![
+                        ast::Field::from("Processes.dest").into(),
+                        ast::Field::from("Processes.user").into(),
+                        ast::Field::from("Processes.parent_process_name").into(),
+                        ast::Field::from("Processes.process_name").into(),
+                        ast::Field::from("Processes.process").into(),
+                        ast::Field::from("Processes.process_id").into(),
+                        ast::Field::from("Processes.parent_process_id").into(),
+                    ]),
+                    by_prefix: None,
+                }
+            ))
+        );
+    }
 }
diff --git a/src/pyspark/mod.rs b/src/pyspark/mod.rs
@@ -1088,4 +1088,12 @@ mod tests {
     fn test_tail_1() {
         generates(r#"tail 5"#, r#"spark.table("main").tail(5)"#);
     }
+
+    #[test]
+    fn test_neq_wildcard_1() {
+        generates(
+            r#"search note!=ESCU*"#,
+            r#"spark.table("main").where(~F.col("note").like("ESCU%"))"#,
+        )
+    }
 }