output not found field to n/a (#531)

* changed no found placeholder output to n/a #528 * added n/a output to details when not found placeholder * added v1.3.0 changelog describe and #528 enhance * fixed typo and fixed markdown format * fixed test * readme, changelog, version update Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
2022-05-23 00:20:08 +09:00
parent 684c8a9688
commit 995aa1d75b
6 changed files with 39 additions and 9 deletions
--- a/src/detections/print.rs
+++ b/src/detections/print.rs
@@ -161,22 +161,22 @@ impl Message {
                };

            let split: Vec<&str> = array_str.split('.').collect();
-            let mut is_exist_event_key = false;
            let mut tmp_event_record: &Value = event_record;
            for s in &split {
                if let Some(record) = tmp_event_record.get(s) {
-                    is_exist_event_key = true;
                    tmp_event_record = record;
                }
            }
-            if is_exist_event_key {
-                let hash_value = get_serde_number_to_string(tmp_event_record);
+            let hash_value = get_serde_number_to_string(tmp_event_record);
+            if hash_value.is_some() {
                if let Some(hash_value) = hash_value {
                    // UnicodeのWhitespace characterをそのままCSVに出力すると見難いので、スペースに変換する。なお、先頭と最後のWhitespace characterは単に削除される。
                    let hash_value: Vec<&str> = hash_value.split_whitespace().collect();
                    let hash_value = hash_value.join(" ");
                    hash_map.insert(full_target_str.to_string(), hash_value);
                }
+            } else {
+                hash_map.insert(full_target_str.to_string(), "n/a".to_string());
            }
        }

@@ -492,7 +492,7 @@ mod tests {
        }
    "##;
        let event_record: Value = serde_json::from_str(json_str).unwrap();
-        let expected = "NoExistAlias:%NoAliasNoHit%";
+        let expected = "NoExistAlias:n/a";
        assert_eq!(
            message.parse_message(&event_record, "NoExistAlias:%NoAliasNoHit%".to_owned()),
            expected,
@@ -517,7 +517,7 @@ mod tests {
        }
    "##;
        let event_record: Value = serde_json::from_str(json_str).unwrap();
-        let expected = "commandline:parsetest3 computername:%ComputerName%";
+        let expected = "commandline:parsetest3 computername:n/a";
        assert_eq!(
            message.parse_message(
                &event_record,