Project

General

Custom queries

Profile

Actions
Copy link

Feature #5262

open

run.py: should tell which fields are mismatching

Added by Shivani Bhardwaj about 3 years ago. Updated over 1 year ago.

Status:
Assigned
Priority:
Normal
Assignee:
Shivani Bhardwaj
Target version:
QA
Effort:
Difficulty:
Label:
Python

Description

Something like

Sub task 1
----------
        email.to[0]: <recipient@example.com>
        event_type: smtp
        pcap_cnt: 89                                 <---- Mismatch
        proto: TCP 
        smtp.helo: client-1016363.example.int
        tx_id: 0

would be nice since it'll help us see which fields exactly to look at unless the entire event is missing.

Idea proposed by: Victor Julien

Actions
Copy link
 #1

Updated by Shivani Bhardwaj about 3 years ago

  • Description updated (diff)
Actions
Copy link
 #2

Updated by Victor Julien almost 3 years ago

  • Assignee changed from Community Ticket to Shivani Bhardwaj
Actions
Copy link
 #3

Updated by Shivani Bhardwaj over 1 year ago

This turned out harder than expected bc the match object does not carry the context.
The way we go about it is:
1. Go over each event and try to match against a filter, return immediately in case of a mismatch.
2. If there was a match, increment the match count.
3. Check if the match count is the expected count in the test.

Actions
Copy link

Also available in: Atom PDF