fix(transforms): Fix matching boolean values for Datadog search s… (#…

…21624) * fix(datadog_search): Fix matching boolean values for Datadog search syntax * added suggested changes + changelog * add author in changelog * format
vectordotdev · Oct 28, 2024 · 4c3aa35 · 4c3aa35
1 parent d90a95c
commit 4c3aa35
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 5 deletions.
diff --git a/changelog.d/fix_matching_boolean_fields_in_datadog_search.fix.md b/changelog.d/fix_matching_boolean_fields_in_datadog_search.fix.md
@@ -0,0 +1,3 @@
+Fix bug in implementation of Datadog search syntax which causes queries based on attributes with boolean values to be ignored.
+
+authors: ArunPiduguDD
diff --git a/src/conditions/datadog_search.rs b/src/conditions/datadog_search.rs
@@ -141,7 +141,7 @@ impl Filter<LogEvent> for EventFilter {
             Field::Attribute(field) => {
                 let to_match = to_match.to_owned();
 
-                string_or_numeric_match(field, move |value| value == to_match)
+                simple_scalar_match(field, move |value| value == to_match)
             }
         })
     }
@@ -303,9 +303,9 @@ impl Filter<LogEvent> for EventFilter {
     }
 }
 
-/// Returns a `Matcher` that returns true if the log event resolves to a string or
-/// numeric which matches the provided `func`.
-fn string_or_numeric_match<S, F>(field: S, func: F) -> Box<dyn Matcher<LogEvent>>
+/// Returns a `Matcher` that returns true if the field resolves to a string,
+/// numeric, or boolean which matches the provided `func`.
+fn simple_scalar_match<S, F>(field: S, func: F) -> Box<dyn Matcher<LogEvent>>
 where
     S: Into<String>,
     F: Fn(Cow<str>) -> bool + Send + Sync + Clone + 'static,
@@ -314,6 +314,7 @@ where
 
     Run::boxed(move |log: &LogEvent| {
         match log.parse_path_and_get_value(field.as_str()).ok().flatten() {
+            Some(Value::Boolean(v)) => func(v.to_string().into()),
             Some(Value::Bytes(v)) => func(String::from_utf8_lossy(v)),
             Some(Value::Integer(v)) => func(v.to_string().into()),
             Some(Value::Float(v)) => func(v.to_string().into()),
@@ -322,7 +323,7 @@ where
     })
 }
 
-/// Returns a `Matcher` that returns true if the log event resolves to a string which
+/// Returns a `Matcher` that returns true if the field resolves to a string which
 /// matches the provided `func`.
 fn string_match<S, F>(field: S, func: F) -> Box<dyn Matcher<LogEvent>>
 where
@@ -621,6 +622,14 @@ mod test {
                 log_event!["a" => "bla"],
                 log_event!["tags" => vec!["a:bla"]],
             ),
+            // Boolean attribute match.
+            ("@a:true", log_event!["a" => true], log_event!["a" => false]),
+            // Boolean attribute match (negate).
+            (
+                "NOT @a:false",
+                log_event!["a" => true],
+                log_event!["a" => false],
+            ),
             // String attribute match.
             (
                 "@a:bla",
@@ -1172,6 +1181,12 @@ mod test {
                 log_event!["field" => "value1"],
                 log_event!["field" => "value"],
             ),
+            // negate AND of bool and string
+            (
+                "NOT (@field:true AND @field2:value2)",
+                log_event!["field" => false, "field2" => "value2"],
+                log_event!["field" => true, "field2" => "value2"],
+            ),
         ]
     }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		Fix bug in implementation of Datadog search syntax which causes queries based on attributes with boolean values to be ignored.

		authors: ArunPiduguDD