
feat(convert): add LynxDB backend #62

Merged
mostafa merged 1 commit into main from feat/lynxdb-backend on May 2, 2026

Conversation

@mostafa (Member) commented May 2, 2026

Summary

  • Add a new rsigma-convert backend targeting the LynxDB log analytics engine, generating SPL2-compatible FROM <index> | search <predicates> queries
  • Handle LynxDB-specific semantics: glob wildcards (*), deferred | where clauses for regex/CIDR/single-char wildcards, CASE() for case-sensitive matching, and explicit AND-group parenthesization for LynxDB's non-standard boolean precedence (NOT > OR > AND)
  • Register backend in CLI (-t lynxdb), add unit tests (30+ cases covering all value types, modifiers, boolean logic, deferred expressions, output formats), golden tests for 9 representative Sigma rules, and documentation in both crate and root READMEs

What's included

Backend (crates/rsigma-convert/src/backends/lynxdb/mod.rs)

  • LYNXDB_CONFIG (TextQueryConfig) with LynxDB-specific tokens, operators, wildcards, quoting, and expression templates
  • LynxDbBackend implementing the Backend trait with overrides for:
    • convert_condition_and / convert_condition_or: filter empty strings from deferred items and parenthesize AND groups
    • convert_field_eq_re / convert_field_eq_cidr: return ConvertResult::Deferred for | where pipeline stages
    • finish_query: apply pipeline state (e.g. custom index) before defaults
    • finalize_query: support default and minimal output formats

Tests

  • 30+ in-module unit tests covering equality, wildcards, modifiers (contains/startswith/endswith/cased), regex, CIDR, numeric comparisons, boolean logic, field existence/null, keywords, deferred expressions, output formats, and index override
  • 9 golden tests with committed .yml + .expected pairs: simple_eq, and_or_not, wildcards, regex, cidr, keywords, exists_null_bool, numeric_compare, brute_force

CLI & docs

  • Registered lynxdb target in get_backend() and cmd_list_targets()
  • Updated CLI snapshot tests
  • Updated crates/rsigma-convert/README.md with usage examples, output formats, index selection, modifier mapping table, precedence and deferred expression documentation
  • Updated root README.md with CLI examples and architecture diagram

Test plan

  • cargo fmt --all -- --check passes
  • cargo clippy --workspace --all-targets --all-features -- -D warnings passes
  • cargo test --workspace passes (all existing + new tests)
  • Golden tests produce expected LynxDB query output
  • CI passes on all matrix targets (ubuntu, macOS, windows)

@OrlovEvgeny Please test and provide feedback.

Add a new conversion backend targeting the LynxDB log analytics engine.
The backend generates `FROM <index> | search <predicates>` queries with
glob wildcards, deferred `| where` clauses for regex and CIDR matching,
CASE() for case-sensitive values, and explicit AND-group parenthesization
to handle LynxDB's non-standard boolean precedence (NOT > OR > AND).

Includes unit tests, golden tests for 9 representative Sigma rules,
CLI registration, and README documentation for both the crate and root.
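The two rules the description calls out, parenthesizing AND groups because the target binds OR tighter than AND, and dropping deferred regex predicates out of the inline `search` into a trailing `| where` stage, are illustrated below in a stand-alone emitter. This is added example code, not rsigma's backend; the double-quote value quoting and the `match(field, pattern)` predicate used for the deferred stage are assumptions, not LynxDB syntax taken from the page.

```rust
// Minimal predicate tree; Eq and Not are emitted inline, Regex is deferred.
pub enum Pred {
    Eq { field: String, value: String, cased: bool },
    Regex { field: String, pattern: String },
    And(Vec<Pred>),
    Or(Vec<Pred>),
    Not(Box<Pred>),
}

// Assumed quoting convention: double quotes, inner quotes backslash-escaped.
fn quote(v: &str) -> String {
    format!("\"{}\"", v.replace('"', "\\\""))
}

// Returns the inline fragment for `search` ("" when the node is fully deferred)
// and pushes any deferred predicates onto `deferred` for later `| where` stages.
fn emit(p: &Pred, deferred: &mut Vec<String>) -> String {
    match p {
        Pred::Eq { field, value, cased } => {
            let v = quote(value);
            // CASE() wraps the literal when the Sigma modifier asked for case-sensitive matching.
            if *cased { format!("{field}=CASE({v})") } else { format!("{field}={v}") }
        }
        Pred::Regex { field, pattern } => {
            // Assumed `| where` predicate form; the real backend uses its own template.
            deferred.push(format!("match({field}, {})", quote(pattern)));
            String::new()
        }
        Pred::Not(inner) => {
            let s = emit(inner, deferred);
            if s.is_empty() { s } else { format!("NOT ({s})") }
        }
        Pred::And(items) | Pred::Or(items) => {
            let is_and = matches!(p, Pred::And(_));
            // Children that were deferred leave an empty string behind; filter them out.
            let parts: Vec<String> = items.iter().map(|i| emit(i, deferred)).filter(|s| !s.is_empty()).collect();
            let joined = parts.join(if is_and { " AND " } else { " OR " });
            // Target precedence is NOT > OR > AND, so OR binds tighter than AND: without the
            // parentheses a sibling OR would capture the AND group's last operand.
            if is_and && parts.len() > 1 { format!("({joined})") } else { joined }
        }
    }
}

// Assemble `FROM <index> | search <inline> | where <deferred>...`.
pub fn convert(index: &str, p: &Pred) -> String {
    let mut deferred = Vec::new();
    let search = emit(p, &mut deferred);
    let mut q = format!("FROM {index}");
    if !search.is_empty() { q.push_str(&format!(" | search {search}")); }
    for w in deferred { q.push_str(&format!(" | where {w}")); }
    q
}
```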
@mostafa mostafa merged commit c72030c into main May 2, 2026
8 checks passed
@mostafa mostafa deleted the feat/lynxdb-backend branch May 2, 2026 10:27