Change generated LogQL queries to be case insensitive by default #53
String values in Sigma rules must be interpreted as case insensitive, but when checking equality with strings in LogQL, those values are treated as case sensitive. To work around this and ensure broad compatibility, any such string values must be converted into regular expressions that have the case insensitive flag `(?i)` at the start.

However, such LogQL queries will inherently be slower than the same queries using string equality, and hence I have added a `case_insensitive` flag (default: True) in the backend, which can be used to toggle back to the previous behaviour. This should only be used when the rule converter is confident that the Sigma rule's string values will have the same case as the data they are querying over.

Note: at this point, Loki has an open issue grafana/loki#9294 around its handling of case-insensitive field equality - so this PR should not be merged into main until it is resolved.
Closes #50.
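
The conversion described above, as an added illustration that is not code from this pull request or from the backend. The helper names (`re2_escape`, `logql_quote`, `field_equals`, `would_match`) and the sample values are assumptions made up for this example, and Python's `re` module stands in for Loki's regex engine.

```python
import re

# Characters with special meaning in RE2-style regular expressions.
_RE2_META = set(r"\.+*?()|[]{}^$")


def re2_escape(value: str) -> str:
    """Backslash-escape regex metacharacters so the value matches literally."""
    return "".join("\\" + ch if ch in _RE2_META else ch for ch in value)


def logql_quote(text: str) -> str:
    """Render text as a double-quoted LogQL string literal."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def field_equals(field: str, value: str, case_insensitive: bool = True) -> str:
    """Build a LogQL label filter for field == value (hypothetical helper)."""
    if not case_insensitive:
        # Previous behaviour: plain string equality, fast but case sensitive.
        return f"{field}={logql_quote(value)}"
    # Sigma semantics: a regex with the (?i) flag at the start. The value is
    # escaped first, otherwise "." in "cmd.exe" would match any character.
    return f"{field}=~{logql_quote('(?i)' + re2_escape(value))}"


def would_match(value: str, candidate: str, case_insensitive: bool = True) -> bool:
    """Approximate the filter's result; fullmatch models an anchored regex."""
    if not case_insensitive:
        return value == candidate
    return re.fullmatch("(?i)" + re2_escape(value), candidate) is not None


if __name__ == "__main__":
    # Constructed sample: rule value in lower case, log data in upper case.
    rule_value, logged = "cmd.exe", "CMD.EXE"
    for flag in (True, False):
        print(field_equals("Image", rule_value, flag),
              "->", would_match(rule_value, logged, flag))
```

With the flag off, the upper-case sample value is missed, which is the detection gap the default avoids.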