refact pkg/parser: extract RuntimeGrokPattern (#3916)

mmetc · web-flow · commit 5476977ee14c · 2025-09-26T12:10:25.000+02:00
diff --git a/.golangci.yml b/.golangci.yml
@@ -236,8 +236,8 @@ linters:
         - name: function-length
           arguments:
             # lower this after refactoring
-            - 87
-            - 198
+            - 86
+            - 174
         - name: get-return
           disabled: true
         - name: increment-decrement
diff --git a/cmd/crowdsec-cli/clilapi/context.go b/cmd/crowdsec-cli/clilapi/context.go
@@ -306,8 +306,8 @@ func detectStaticField(grokStatics []parser.Static) []string {
 func detectNode(node parser.Node, parserCTX parser.UnixParserCtx) []string {
 	ret := make([]string, 0)
 
-	if node.Grok.RunTimeRegexp != nil {
-		for _, capturedField := range node.Grok.RunTimeRegexp.Names() {
+	if node.RuntimeGrok.RunTimeRegexp != nil {
+		for _, capturedField := range node.RuntimeGrok.RunTimeRegexp.Names() {
 			fieldName := "evt.Parsed." + capturedField
 			if !slices.Contains(ret, fieldName) {
 				ret = append(ret, fieldName)
@@ -353,8 +353,8 @@ func detectSubNode(node parser.Node, parserCTX parser.UnixParserCtx) []string {
 	ret := make([]string, 0)
 
 	for _, subnode := range node.LeavesNodes {
-		if subnode.Grok.RunTimeRegexp != nil {
-			for _, capturedField := range subnode.Grok.RunTimeRegexp.Names() {
+		if subnode.RuntimeGrok.RunTimeRegexp != nil {
+			for _, capturedField := range subnode.RuntimeGrok.RunTimeRegexp.Names() {
 				fieldName := "evt.Parsed." + capturedField
 				if !slices.Contains(ret, fieldName) {
 					ret = append(ret, fieldName)
diff --git a/pkg/parser/grok.go b/pkg/parser/grok.go
@@ -3,6 +3,7 @@ package parser
 import (
 	"errors"
 	"fmt"
+	"strings"
 	"time"
 
 	"github.com/expr-lang/expr"
@@ -27,13 +28,13 @@ type Static struct {
 	// the source is a static value
 	Value string `yaml:"value,omitempty"`
 	// or the result of an Expression
-	ExpValue     string      `yaml:"expression,omitempty"`
+	ExpValue string `yaml:"expression,omitempty"`
 	// or an enrichment method
 	Method string `yaml:"method,omitempty"`
 }
 
 type RuntimeStatic struct {
-	Config *Static
+	Config       *Static
 	RunTimeValue *vm.Program
 }
 
@@ -84,14 +85,77 @@ type GrokPattern struct {
 	RegexpName string `yaml:"name,omitempty"`
 	// a proper grok pattern
 	RegexpValue string `yaml:"pattern,omitempty"`
-	// the runtime form of regexpname / regexpvalue
-	RunTimeRegexp grokky.Pattern `yaml:"-"` // the actual regexp
 	// the output of the expression is going to be the source for regexp
-	ExpValue     string      `yaml:"expression,omitempty"`
-	RunTimeValue *vm.Program `yaml:"-"` // the actual compiled filter
+	ExpValue string `yaml:"expression,omitempty"`
 	// a grok can contain statics that apply if pattern is successful
 	Statics []Static `yaml:"statics,omitempty"`
-	RuntimeStatics []RuntimeStatic `yaml:"-"`
+}
+
+type RuntimeGrokPattern struct {
+	Config *GrokPattern
+
+	RunTimeRegexp  grokky.Pattern // the actual regexp
+	RunTimeValue   *vm.Program    // the actual compiled filter
+	RuntimeStatics []RuntimeStatic
+}
+
+func (g *GrokPattern) Compile(pctx *UnixParserCtx, logger *log.Entry) (*RuntimeGrokPattern, error) {
+	var err error
+
+	rg := &RuntimeGrokPattern{}
+	/* load grok by name or compile in-place */
+	if g.RegexpName != "" {
+		logger.Tracef("+ Regexp Compilation %q", g.RegexpName)
+
+		rg.RunTimeRegexp, err = pctx.Grok.Get(g.RegexpName)
+		if err != nil {
+			return nil, fmt.Errorf("unable to find grok %q: %v", g.RegexpName, err)
+		}
+
+		if rg.RunTimeRegexp == nil {
+			return nil, fmt.Errorf("empty grok %q", g.RegexpName)
+		}
+
+		logger.Tracef("%s regexp: %s", g.RegexpName, rg.RunTimeRegexp.String())
+	} else if g.RegexpValue != "" {
+		if strings.HasSuffix(g.RegexpValue, "\n") {
+			logger.Debugf("Beware, pattern ends with \\n: %q", g.RegexpValue)
+		}
+
+		rg.RunTimeRegexp, err = pctx.Grok.Compile(g.RegexpValue)
+		if err != nil {
+			return nil, fmt.Errorf("failed to compile grok %q: %v", g.RegexpValue, err)
+		}
+
+		if rg.RunTimeRegexp == nil {
+			// We shouldn't be here because compilation succeeded, so regexp shouldn't be nil
+			return nil, fmt.Errorf("grok compilation failure: %s", g.RegexpValue)
+		}
+
+		logger.Tracef("%s regexp: %s", g.RegexpValue, rg.RunTimeRegexp.String())
+	}
+
+	// if grok source is an expression
+	if g.ExpValue != "" {
+		rg.RunTimeValue, err = expr.Compile(g.ExpValue,
+			exprhelpers.GetExprOptions(map[string]any{"evt": &types.Event{}})...)
+		if err != nil {
+			return nil, fmt.Errorf("while compiling grok's expression: %w", err)
+		}
+	}
+
+	/* load grok statics */
+	// compile expr statics if present
+	for _, static := range g.Statics {
+		compiled, err := static.Compile()
+		if err != nil {
+			return nil, err
+		}
+
+		rg.RuntimeStatics = append(rg.RuntimeStatics, *compiled)
+	}
+
+	return rg, nil
 }
 
 type DataCapture struct {
diff --git a/pkg/parser/node.go b/pkg/parser/node.go
@@ -57,9 +57,10 @@ type Node struct {
 	SubGroks yaml.MapSlice `yaml:"pattern_syntax,omitempty"`
 
 	// Holds a grok pattern
-	Grok GrokPattern `yaml:"grok,omitempty"`
+	Grok        GrokPattern        `yaml:"grok,omitempty"`
+	RuntimeGrok RuntimeGrokPattern `yaml:"-"`
 	// Statics can be present in any type of node and is executed last
-	Statics []Static `yaml:"statics,omitempty"`
+	Statics        []Static        `yaml:"statics,omitempty"`
 	RuntimeStatics []RuntimeStatic `yaml:"-"`
 	// Stash allows to capture data from the log line and store it in an accessible cache
 	Stash []DataCapture `yaml:"stash,omitempty"`
@@ -83,7 +84,7 @@ func (n *Node) validate(ectx EnricherCtx) error {
 		return fmt.Errorf("non-empty filter %q was not compiled", n.Filter)
 	}
 
-	if n.Grok.RunTimeRegexp != nil || n.Grok.TargetField != "" {
+	if n.RuntimeGrok.RunTimeRegexp != nil || n.Grok.TargetField != "" {
 		if n.Grok.TargetField == "" && n.Grok.ExpValue == "" {
 			return errors.New("grok requires 'expression' or 'apply_on'")
 		}
@@ -202,12 +203,12 @@ func (n *Node) processGrok(p *types.Event, cachedExprEnv map[string]any) (bool,
 	clog := n.Logger
 	gstr := ""
 
-	if n.Grok.RunTimeRegexp == nil {
-		clog.Tracef("! No grok pattern: %p", n.Grok.RunTimeRegexp)
+	if n.RuntimeGrok.RunTimeRegexp == nil {
+		clog.Tracef("! No grok pattern: %p", n.RuntimeGrok.RunTimeRegexp)
 		return true, false, nil
 	}
 
-	clog.Tracef("Processing grok pattern: %s: %p", n.Grok.RegexpName, n.Grok.RunTimeRegexp)
+	clog.Tracef("Processing grok pattern: %s: %p", n.Grok.RegexpName, n.RuntimeGrok.RunTimeRegexp)
 	// for unparsed, parsed etc. set sensible defaults to reduce user hassle
 	if n.Grok.TargetField != "" {
 		// it's a hack to avoid using real reflect
@@ -219,8 +220,8 @@ func (n *Node) processGrok(p *types.Event, cachedExprEnv map[string]any) (bool,
 			clog.Debugf("(%s) target field %q doesn't exist in %v", n.rn, n.Grok.TargetField, p.Parsed)
 			return false, false, nil
 		}
-	} else if n.Grok.RunTimeValue != nil {
-		output, err := exprhelpers.Run(n.Grok.RunTimeValue, cachedExprEnv, clog, n.Debug)
+	} else if n.RuntimeGrok.RunTimeValue != nil {
+		output, err := exprhelpers.Run(n.RuntimeGrok.RunTimeValue, cachedExprEnv, clog, n.Debug)
 		if err != nil {
 			clog.Warningf("failed to run RunTimeValue: %v", err)
 			return false, false, nil
@@ -245,7 +246,7 @@ func (n *Node) processGrok(p *types.Event, cachedExprEnv map[string]any) (bool,
 		groklabel = n.Grok.RegexpName
 	}
 
-	grok := n.Grok.RunTimeRegexp.Parse(gstr)
+	grok := n.RuntimeGrok.RunTimeRegexp.Parse(gstr)
 
 	if len(grok) == 0 {
 		// grok failed, node failed
@@ -263,7 +264,7 @@ func (n *Node) processGrok(p *types.Event, cachedExprEnv map[string]any) (bool,
 		p.Parsed[k] = v
 	}
 	// if the grok succeed, process associated statics
-	err := n.ProcessStatics(n.Grok.RuntimeStatics, p)
+	err := n.RuntimeGrok.ProcessStatics(p, n.EnrichFunctions, clog, n.Debug)
 	if err != nil {
 		clog.Errorf("(%s) Failed to process statics: %v", n.rn, err)
 		return false, false, err
@@ -340,6 +341,7 @@ func (n *Node) processLeaves(
 		if err != nil {
 			n.Logger.Tracef("\tNode (%s) failed: %v", child.rn, err)
 			n.Logger.Debugf("Event leaving node: ko")
+
 			return false, err
 		}
 
@@ -395,7 +397,7 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 	}
 
 	// Process the stash (data collection) if: a grok was present and succeeded, or if there is no grok
-	if nodeHasOKGrok || n.Grok.RunTimeRegexp == nil {
+	if nodeHasOKGrok || n.RuntimeGrok.RunTimeRegexp == nil {
 		if err := n.processStash(p, cachedExprEnv, clog); err != nil {
 			return false, err
 		}
@@ -435,7 +437,7 @@ func (n *Node) process(p *types.Event, ctx UnixParserCtx, expressionEnv map[stri
 	if len(n.Statics) > 0 && (isWhitelisted || !n.ContainsWLs()) {
 		clog.Debugf("+ Processing %d statics", len(n.Statics))
 		// if all else is good in whitelist, process node's statics
-		err := n.ProcessStatics(n.RuntimeStatics, p)
+		err := n.ProcessStatics(p)
 		if err != nil {
 			clog.Errorf("Failed to process statics: %v", err)
 			return false, err
@@ -523,61 +525,13 @@ func (n *Node) compile(pctx *UnixParserCtx, ectx EnricherCtx) error {
 		}
 	}
 
-	/* load grok by name or compile in-place */
-	if n.Grok.RegexpName != "" {
-		n.Logger.Tracef("+ Regexp Compilation %q", n.Grok.RegexpName)
-
-		n.Grok.RunTimeRegexp, err = pctx.Grok.Get(n.Grok.RegexpName)
-		if err != nil {
-			return fmt.Errorf("unable to find grok %q: %v", n.Grok.RegexpName, err)
-		}
-
-		if n.Grok.RunTimeRegexp == nil {
-			return fmt.Errorf("empty grok %q", n.Grok.RegexpName)
-		}
-
-		n.Logger.Tracef("%s regexp: %s", n.Grok.RegexpName, n.Grok.RunTimeRegexp.String())
-
-		valid = true
-	} else if n.Grok.RegexpValue != "" {
-		if strings.HasSuffix(n.Grok.RegexpValue, "\n") {
-			n.Logger.Debugf("Beware, pattern ends with \\n: %q", n.Grok.RegexpValue)
-		}
-
-		n.Grok.RunTimeRegexp, err = pctx.Grok.Compile(n.Grok.RegexpValue)
-		if err != nil {
-			return fmt.Errorf("failed to compile grok %q: %v", n.Grok.RegexpValue, err)
-		}
-
-		if n.Grok.RunTimeRegexp == nil {
-			// We shouldn't be here because compilation succeeded, so regexp shouldn't be nil
-			return fmt.Errorf("grok compilation failure: %s", n.Grok.RegexpValue)
-		}
-
-		n.Logger.Tracef("%s regexp: %s", n.Grok.RegexpValue, n.Grok.RunTimeRegexp.String())
-
-		valid = true
-	}
-
-	// if grok source is an expression
-	if n.Grok.ExpValue != "" {
-		n.Grok.RunTimeValue, err = expr.Compile(n.Grok.ExpValue,
-			exprhelpers.GetExprOptions(map[string]any{"evt": &types.Event{}})...)
-		if err != nil {
-			return fmt.Errorf("while compiling grok's expression: %w", err)
-		}
-	}
-
-	/* load grok statics */
-	// compile expr statics if present
-	for _, static := range n.Grok.Statics {
-		compiled, err := static.Compile()
+	if n.Grok.RegexpName != "" || n.Grok.RegexpValue != "" || n.Grok.ExpValue != "" {
+		rg, err := n.Grok.Compile(pctx, n.Logger)
 		if err != nil {
 			return err
 		}
 
-		n.Grok.RuntimeStatics = append(n.Grok.RuntimeStatics, *compiled)
-
+		n.RuntimeGrok = *rg
 		valid = true
 	}
 
diff --git a/pkg/parser/runtime.go b/pkg/parser/runtime.go
@@ -212,10 +212,20 @@ func (rs *RuntimeStatic) Apply(event *types.Event, enrichFunctions EnricherCtx,
 	return nil
 }
 
-func (n *Node) ProcessStatics(statics []RuntimeStatic, event *types.Event) error {
-	for _, rs := range statics {
+func (n *Node) ProcessStatics(event *types.Event) error {
+	for _, rs := range n.RuntimeStatics {
 		if err := rs.Apply(event, n.EnrichFunctions, n.Logger, n.Debug); err != nil {
-			return fmt.Errorf("applying static %s: %w", rs.Config.targetExpr(), err)
+			return fmt.Errorf("applying %s: %w", rs.Config.targetExpr(), err)
+		}
+	}
+
+	return nil
+}
+
+func (rg *RuntimeGrokPattern) ProcessStatics(event *types.Event, ectx EnricherCtx, logger *log.Entry, debug bool) error {
+	for _, rs := range rg.RuntimeStatics {
+		if err := rs.Apply(event, ectx, logger, debug); err != nil {
+			return fmt.Errorf("applying %s: %w", rs.Config.targetExpr(), err)
 		}
 	}
 
@@ -301,6 +311,7 @@ func Parse(ctx UnixParserCtx, xp types.Event, nodes []Node) (types.Event, error)
 		if event.Stage != stage {
 			log.Debugf("Event not parsed, expected stage '%s' got '%s', abort", stage, event.Stage)
 			event.Process = false
+
 			return event, nil
 		}
 
@@ -340,6 +351,7 @@ func Parse(ctx UnixParserCtx, xp types.Event, nodes []Node) (types.Event, error)
 
 				// ensure the stage map exists
 				StageParseMutex.Lock()
+
 				stageMap, ok := StageParseCache[stage]
 				if !ok {
 					stageMap = make(map[string][]dumps.ParserResult)
@@ -381,6 +393,7 @@ func Parse(ctx UnixParserCtx, xp types.Event, nodes []Node) (types.Event, error)
 		if !isStageOK {
 			log.Debugf("Log didn't finish stage %s", event.Stage)
 			event.Process = false
+
 			return event, nil
 		}
 	}
