aws/event-ruler

Prefix support combined with equals-ignore-case

Closed this issue · 7 comments

awsree commented

What is your idea?

Prefix works great for exact string matches on fields, but a customer needs the ability to combine it with "equals-ignore-case" to be able to match complex custom event patterns where string values can come up in mixed case combinations.

An example could be:

{
    "query_text": [{
            "prefix": "ALTER DATABASE"
        },
        {
            "equals-ignore-case": "ALTER DATABASE"
        }
    ]
}

Would you be willing to make the change?

Yes

Additional context

The above change will reduce a lot of complex matching patterns when there is a string that can come up in multiple case combinations from user/custom events, for instance a DB query text like the one above. The elaborate way that works currently is to do this:

{
    "$or": [{
            "query_text": [{
                "prefix": "ALTER DATABASE"
            }]
        },
        {
            "query_text": [{
                "prefix": "ALTER database"
            }]
        },
        {
            "query_text": [{
                "prefix": "alter database"
            }]
        },
        {
            "query_text": [{
                "prefix": "alter DATABASE"
            }]
        }
    ]
}

This is a neat way to add two matchers @awsree but I'm worried that there will be ordering implications for anyone writing a rule.

{
    "query_text": [{
            "prefix": "ALTER DATABASE"
        },
        {
            "equals-ignore-case": "ALTER DATABASE"
        }
    ]
}

Do you have any opinions on using nesting instead, like

{
    "query_text": [{
        "prefix": {
            "equals-ignore-case": "ALTER DATABASE"
        }
    }]
}

This would be in line with how anything-but & equals-ignore-case works, as shown in the last example within https://github.com/aws/event-ruler#anything-but-matching.

awsree commented

Yes! I am good with the approach; that is in line with anything-but and equals-ignore-case.
But currently that format gives an error, as prefix only supports strings at this point.

And as long as we can enhance and define a format for allowing equals-ignore-case to work with prefix, that would be great!

You would need to implement a change similar to this commit to make it work: 3b6202d.

Btw, another option here would be to implement ignore case with wildcards https://github.com/aws/event-ruler#wildcard-matching. This would allow for case-insensitive matching for prefix, suffix, and any other sub-strings. It's more powerful.

Either way, if you plan to start on it, I'd like to first understand the use case more and see if it makes sense to change the library to support it.

awsree commented

Yes, I tried checking that wildcard too. If we can combine that with prefix and suffix to allow for case-insensitive matching, that works too. And I am not sure if I can start the implementation, as I have less expertise in this repo, but if it entails us releasing this faster, I will sync up with you.

Resolving this issue, since it has been implemented by the related PR.
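
The three pattern shapes from this thread, compared on constructed query texts, as an added example that is not event-ruler code and not part of the original discussion. It is a small standalone model that treats a field's matcher array as alternatives and assumes the nested form means "case-insensitive prefix"; the helper names and sample events are hypothetical.

```python
# Standalone model of the pattern forms discussed in this thread (not event-ruler code).

def match_value(value, matcher):
    """Evaluate one matcher object against a single string value."""
    if not isinstance(value, str):
        return False
    if "equals-ignore-case" in matcher:
        return value.casefold() == matcher["equals-ignore-case"].casefold()
    if "prefix" in matcher:
        p = matcher["prefix"]
        if isinstance(p, dict):
            # Nested form proposed in the thread; semantics assumed here.
            return value.casefold().startswith(p["equals-ignore-case"].casefold())
        return value.startswith(p)  # plain prefix is case-sensitive
    raise ValueError(f"unsupported matcher: {matcher}")

def match_rule(event, rule):
    """$or tries each sub-rule; otherwise every field needs one matching matcher."""
    if "$or" in rule:
        return any(match_rule(event, r) for r in rule["$or"])
    return all(any(match_value(event.get(f), m) for m in ms)
               for f, ms in rule.items())

def matched(rule, events):
    return [e["query_text"] for e in events if match_rule(e, rule)]

# Constructed sample events: four ALTER DATABASE statements in different casing.
EVENTS = [{"query_text": q} for q in (
    "ALTER DATABASE prod SET READ_ONLY",
    "alter database prod set read_only",
    "Alter Database prod Set Read_Only",
    "AlTeR dAtAbAsE prod",
    "SELECT 1",
)]

# The $or workaround from the issue: four hand-written case variants.
WORKAROUND = {"$or": [{"query_text": [{"prefix": p}]} for p in (
    "ALTER DATABASE", "ALTER database", "alter database", "alter DATABASE")]}
# The first proposal: two matchers in one array, evaluated as alternatives.
ARRAY_FORM = {"query_text": [{"prefix": "ALTER DATABASE"},
                             {"equals-ignore-case": "ALTER DATABASE"}]}
# The nested proposal.
NESTED = {"query_text": [{"prefix": {"equals-ignore-case": "ALTER DATABASE"}}]}

if __name__ == "__main__":
    for name, rule in (("$or workaround", WORKAROUND),
                       ("array form", ARRAY_FORM), ("nested form", NESTED)):
        print(f"{name}: {len(matched(rule, EVENTS))} of 4 ALTER DATABASE events")
```

In this model the four-variant workaround still misses the title-case and alternating-case statements, and the array form only adds an exact-length, case-insensitive match, which is the detection gap the nested form closes.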