tellaro-query-language 0.2.8__py3-none-any.whl → 0.2.10__py3-none-any.whl

{tellaro_query_language-0.2.8.dist-info → tellaro_query_language-0.2.10.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: tellaro-query-language
-Version: 0.2.8
+Version: 0.2.10
 Summary: A flexible, human-friendly query language for searching and filtering structured data
 License: Proprietary
 License-File: LICENSE

{tellaro_query_language-0.2.8.dist-info → tellaro_query_language-0.2.10.dist-info}/RECORD

@@ -9,7 +9,7 @@ tql/core.py,sha256=_OlFGTrvJ8cBz3OliRxSz-IbD6e1t_nYC5YZFVkOAfc,58413
 tql/core_components/README.md,sha256=Rm7w4UHdQ0vPBEFybE5b62IOvSA5Nzq2GRvtBHOapmc,3068
 tql/core_components/__init__.py,sha256=v8BBybPlqV7dkVY9mw1mblvqyAFJZ7Pf_bEc-jAL7FI,643
 tql/core_components/file_operations.py,sha256=Jr0kkxz_OP2KHOAsIr7KMtYe_lbu8LuBUySt2LQbjJw,3925
-tql/core_components/opensearch_operations.py,sha256=zgxGiDpXyPW0ZUX-StpZXxf84s8eLxSymAGM5UUJimk,55253
+tql/core_components/opensearch_operations.py,sha256=gj5u_WG0PIfIBcxat4VaTViHJbL5AGJq4rgIxaES8hg,55307
 tql/core_components/stats_operations.py,sha256=aqTGAqIFvR6EkSbJEd0qft8Ldy8uiTrK2XI9o5bZUOs,8014
 tql/core_components/validation_operations.py,sha256=_VPXh0HABBjsXF99jFT7B6-5QAPsADOCy6poinGrxeE,22454
 tql/evaluator.py,sha256=6BtC0njH_aR_lXiU6GU5vM5MRhQeSoxL7F95xh-2-ho,17903
@@ -24,7 +24,7 @@ tql/geoip_normalizer.py,sha256=tvie-5xevJEeLp2KmjoXDjYdND8AvyVE7lCO8qgUzGY,10486
 tql/mutator_analyzer.py,sha256=OWx3k5lK5aFHWU9Ez6DaIhenEZDxj9CbB0vM71xqUTw,55670
 tql/mutators/__init__.py,sha256=eTK8sRw4KXXnTZTn5ETIqwcaIek5rSUIVyZsxTwNNHA,6966
 tql/mutators/base.py,sha256=4Ze_x1sTO11OILXfcF2XN7ttyHcZ4gwn96UXFMMaC6M,2523
-tql/mutators/dns.py,sha256=1IKgHolFLRMR4TOgK0AiLjz5vDtFiqO328mVF4Vzk3s,14428
+tql/mutators/dns.py,sha256=E4JmEyfZJO7OKpMsCb_jM-79xcQRcuEjzQSMBpRuNXo,15987
 tql/mutators/encoding.py,sha256=yt12BJrHAIJfBesP8VOSfVlvJqB1yOmEeT_8QDPvNN8,7985
 tql/mutators/geo.py,sha256=H-_5oDvuYaAG8Re17RkGjzCc6Z07YHd7Cr95g6JbnyE,16188
 tql/mutators/list.py,sha256=949ZrKKhL4INkH2Od8bq7Ey80kFX_23PEfRKueG82cU,7084
@@ -52,8 +52,8 @@ tql/stats_evaluator.py,sha256=2qnjeH5Qx14qpHDS_YJn9jRPeoPUfkeiYJabBagdfRs,36126
 tql/stats_transformer.py,sha256=MT-4rDWZSySgn4Fuq9H0c-mvwFYLM6FqWpPv2rHX-rE,7588
 tql/streaming_file_processor.py,sha256=cftWhYcvUo984P3ALf2CO3FoCQPJPe_2s2HLcXTp5UQ,12437
 tql/validators.py,sha256=e9MlX-zQ_O3M8YP8vXyMjKU8iiJMTh6mMK0iv0_4gTY,3771
-tellaro_query_language-0.2.8.dist-info/METADATA,sha256=NwgXSoSzBB6oDL-aBxAnjwB46BWYiwbi_D16TMoBjE8,21891
-tellaro_query_language-0.2.8.dist-info/WHEEL,sha256=3ny-bZhpXrU6vSQ1UPG34FoxZBp3lVcvK0LkgUz6VLk,88
-tellaro_query_language-0.2.8.dist-info/entry_points.txt,sha256=D0lbIGUYuDyfcYeqju1rWcMBFzft4sZtfIlw5uPNx5g,181
-tellaro_query_language-0.2.8.dist-info/licenses/LICENSE,sha256=eWf8lkuXlVX_8WiDpUgQvzxc1cxCeVne_e6P-pVJpwM,3038
-tellaro_query_language-0.2.8.dist-info/RECORD,,
+tellaro_query_language-0.2.10.dist-info/METADATA,sha256=4hZ9XRUa0FjMZi6URvcfy5Iapazvj8Mn17o-q-UspM4,21892
+tellaro_query_language-0.2.10.dist-info/WHEEL,sha256=3ny-bZhpXrU6vSQ1UPG34FoxZBp3lVcvK0LkgUz6VLk,88
+tellaro_query_language-0.2.10.dist-info/entry_points.txt,sha256=D0lbIGUYuDyfcYeqju1rWcMBFzft4sZtfIlw5uPNx5g,181
+tellaro_query_language-0.2.10.dist-info/licenses/LICENSE,sha256=eWf8lkuXlVX_8WiDpUgQvzxc1cxCeVne_e6P-pVJpwM,3038
+tellaro_query_language-0.2.10.dist-info/RECORD,,

tql/core_components/opensearch_operations.py

@@ -813,10 +813,10 @@ class OpenSearchOperations:
             # scan_all mode with post-processing - process all results
             processor = QueryPostProcessor()
 
-            # Extract all documents from hits
+            # Extract all documents from initial_hits (which contains all scrolled results)
             documents = []
             hit_metadata = []
-            for hit in hits:
+            for hit in initial_hits:
                 documents.append(hit["_source"])
                 hit_metadata.append(
                     {

tql/mutators/dns.py

@@ -246,20 +246,53 @@ class NSLookupMutator(BaseMutator):
 
         # Save enrichment if requested
         if save_enrichment:
-            # Always store ECS data directly, never use IP addresses as field names
+            # Determine the DNS data field (for full ECS structure)
+            # If append_field is like "destination.domain", dns_field is "destination.dns"
+            if append_field.endswith(".domain"):
+                dns_field = append_field.rsplit(".domain", 1)[0] + ".dns"
+            elif append_field == "domain":
+                dns_field = "dns"
+            else:
+                dns_field = append_field + "_dns"
+
             if len(queries) == 1 and queries[0] in resolved_results:
-                # Single query: store the ECS data directly
-                append_to_result(record, append_field, resolved_results[queries[0]])
+                # Single query: extract domain names for the domain field
+                dns_data = resolved_results[queries[0]]
+                answers = dns_data.get("answers", [])
+
+                # Store domain name(s) in the domain field (string or list of strings)
+                if len(answers) == 1:
+                    append_to_result(record, append_field, answers[0])
+                elif len(answers) > 1:
+                    append_to_result(record, append_field, answers)
+                # If no answers, don't set the domain field (leave it unset)
+
+                # Store full ECS data in the dns field
+                append_to_result(record, dns_field, dns_data)
+
             elif len(queries) > 1:
-                # Multiple queries: store as array of ECS results
+                # Multiple queries: collect all domain names and ECS results
+                all_domains = []
                 results_array = []
                 for query in queries:
                     if query in resolved_results:
-                        results_array.append(resolved_results[query])
-                append_to_result(record, append_field, results_array)
-            else:
-                # No results
-                append_to_result(record, append_field, None)
+                        dns_data = resolved_results[query]
+                        results_array.append(dns_data)
+                        answers = dns_data.get("answers", [])
+                        all_domains.extend(answers)
+
+                # Store unique domain names in the domain field
+                if all_domains:
+                    unique_domains = list(dict.fromkeys(all_domains))  # Preserve order, remove dupes
+                    if len(unique_domains) == 1:
+                        append_to_result(record, append_field, unique_domains[0])
+                    else:
+                        append_to_result(record, append_field, unique_domains)
+
+                # Store full ECS data array in the dns field
+                if results_array:
+                    append_to_result(record, dns_field, results_array)
+            # If no results, don't set any fields
 
         # For enrichment mutators, return data for comparison
         # The full enrichment data is stored via append_to_result above