diff --git a/src/afterfact.rs b/src/afterfact.rs
index 7ef1678b8..c0412a0b4 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -411,6 +411,7 @@ fn emit_csv(
 jsonl_output_flag,
 GEOIP_DB_PARSER.read().unwrap().is_some(),
 remove_duplicate_data_flag,
+ detect_info.is_condition,
 &[&detect_info.details_convert_map, &prev_details_convert_map],
 );
 prev_message = result.1;
@@ -425,6 +426,7 @@ fn emit_csv(
 jsonl_output_flag,
 GEOIP_DB_PARSER.read().unwrap().is_some(),
 remove_duplicate_data_flag,
+ detect_info.is_condition,
 &[&detect_info.details_convert_map, &prev_details_convert_map],
 );
 prev_message = result.1;
@@ -1431,6 +1433,7 @@ pub fn output_json_str(
 jsonl_output_flag: bool,
 is_included_geo_ip: bool,
 remove_duplicate_flag: bool,
+ is_condition: bool,
 details_infos: &[&HashMap>],
 ) -> (String, HashMap) {
 let mut target: Vec = vec![];
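Review bot: The new `is_condition: bool` parameter of `output_json_str` is undocumented, and the signature now carries four adjacent positional bools, so a caller such as the search.rs one (`false, false, false,`) no longer tells the reader which flag is which. A doc comment on the parameter would help, e.g. `/// is_condition: when true, the Details/AllFieldInfo/ExtraFieldInfo value is emitted as a single value rather than being split into key/value pairs.` Longer term a small flags struct or an enum would make the call sites self-describing. The body of `output_json_str` continues past the hunk.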
@@ -1538,19 +1541,47 @@ pub fn output_json_str(
 }
 Profile::Details(_) | Profile::AllFieldInfo(_) | Profile::ExtraFieldInfo(_) => {
 let mut output_stock: Vec = vec![];
- output_stock.push(format!(" \"{key}\": {{"));
 let details_key = match profile {
 Profile::Details(_) => "Details",
 Profile::AllFieldInfo(_) => "AllFieldInfo",
 Profile::ExtraFieldInfo(_) => "ExtraFieldInfo",
 _ => "",
 };
- // 個々の段階でDetails, AllFieldInfo, ExtraFieldInfoの要素はdetails_infosに格納されているのでunwrapする
 let details_target_stocks =
 details_infos[0].get(&CompactString::from(format!("#{details_key}")));
 if details_target_stocks.is_none() {
 continue;
 }
+ // aggregation conditionの場合は分解せずにそのまま出力する
+ if is_condition {
+ let agg_result = &details_target_stocks.unwrap();
+ if agg_result.is_empty() {
+ output_stock.push(format!(
+ "{}",
+ _create_json_output_format(
+ &key,
+ "-",
+ key.starts_with('\"'),
+ false,
+ 4
+ )
+ ));
+ } else {
+ output_stock.push(format!(
+ "{}",
+ _create_json_output_format(
+ &key,
+ agg_result[0].as_str(),
+ key.starts_with('\"'),
+ agg_result[0].starts_with('\"'),
+ 4
+ )
+ ));
+ }
+ continue;
+ } else {
+ output_stock.push(format!(" \"{key}\": {{"));
+ };
 let details_stocks = details_target_stocks.unwrap();
 for (idx, contents) in details_stocks.iter().enumerate() {
 let (key, value) = contents.split_once(": ").unwrap_or_default();
diff --git a/src/detections/message.rs b/src/detections/message.rs
index bc2e0b851..76b98f958 100644
--- a/src/detections/message.rs
+++ b/src/detections/message.rs
@@ -125,6 +125,8 @@ pub fn insert(
 ),
 ) {
 let mut record_details_info_map = HashMap::new();
+ println!("dbg timestamp: {:?}", time);
+ println!("dbg output: {:?}", &output);
 if !is_agg {
 //ここの段階でdetailsの内容でaliasを置き換えた内容と各種、key,valueの組み合わせのmapを取得する
 let (removed_sp_parsed_detail, details_in_record) = parse_message(
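Review bot: In the new `is_condition` branch the two `output_stock.push(format!("{}", _create_json_output_format(...)))` calls differ only in the value and its quoting flag, and `format!("{}", x)` is a redundant allocation if `_create_json_output_format` already returns a `String` (clippy `useless_format`); computing the value once and pushing a single call removes the duplication, and the `};` that closes the `if`/`else` on the last added line is a stray semicolon. Only `agg_result[0]` is emitted, so if an aggregation entry ever holds more than one element the rest is dropped silently — if that is by design, a comment saying so would help. Whether `agg_result[0]` is escaped for JSON depends on `_create_json_output_format`, which is outside this hunk; since the value originates from event data, it is worth confirming that quotes or control characters in it cannot break the emitted JSON. The enclosing match arm continues past the hunk.
```rust
if is_condition {
    let agg_result = details_target_stocks.unwrap();
    // An aggregation result is emitted as one value; only the first entry is used.
    let (value, value_is_quoted) = match agg_result.first() {
        Some(v) => (v.as_str(), v.starts_with('\"')),
        None => ("-", false),
    };
    // keep the format!("{}", ..) wrapper if _create_json_output_format does not return String
    output_stock.push(_create_json_output_format(
        &key,
        value,
        key.starts_with('\"'),
        value_is_quoted,
        4,
    ));
    continue;
}
output_stock.push(format!(" \"{key}\": {{"));
// … unchanged: per-entry split of details_stocks …
```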
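Review bot: The two `println!("dbg timestamp: {:?}", time);` / `println!("dbg output: {:?}", &output);` lines added after `let mut record_details_info_map = HashMap::new();` look like leftover debugging and should be removed before merge: they print every inserted record's timestamp and output text to stdout, which floods the console and, when results are themselves written to stdout, interleaves unrelated lines into the output stream. If a trace is wanted, route it through whatever logging facility the crate uses at debug level rather than `println!`. `insert` continues past the hunk.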
@@ -182,7 +184,7 @@ pub fn insert(
 } else {
 replaced_profiles
 .push((key.to_owned(), Details(detect_info.detail.clone().into())));
- detect_info.details_convert_map.insert(
+ record_details_info_map.insert(
 "#Details".into(),
 detect_info.detail.split(" ¦ ").map(|x| x.into()).collect(),
 );
diff --git a/src/timeline/search.rs b/src/timeline/search.rs
index 893293c41..ae3300e2e 100644
--- a/src/timeline/search.rs
+++ b/src/timeline/search.rs
@@ -465,6 +465,7 @@ pub fn search_result_dsp_msg(
 jsonl_output,
 false,
 false,
+ false,
 &[&HashMap::default(), &HashMap::default()],
 );
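Review bot: `"#Details"` is now inserted into the local `record_details_info_map` instead of `detect_info.details_convert_map`, but nothing in this hunk shows the local map being stored back into `detect_info`; if that assignment does not happen further down in `insert` (outside the hunk), `output_json_str` will not find `#Details` in `details_infos[0]` and will skip the Details output through its `continue`. A short comment at the insert, `// collected into record_details_info_map and attached to detect_info below`, would make the data flow explicit — assuming that is what happens. `insert` starts and ends outside this hunk.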