From: Jason Ish Date: Tue, 7 May 2024 16:42:54 +0000 (-0600) Subject: readme: add example for __find X-Git-Tag: suricata-6.0.20~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fe8542b54faaae8cdfc9e6f9926aa501d5c3166;p=thirdparty%2Fsuricata-verify.git readme: add example for __find __find can be used to search for a substring in a json field. --- diff --git a/README.md b/README.md index f0a9d61cd..a6d4ce99d 100644 --- a/README.md +++ b/README.md @@ -151,6 +151,14 @@ checks: # Check that a field does not exist: not-has-key: flow + - filter: + # Use a filename other than eve.json + filename: suricata.json + count: 1 + match: + # Find a substring in a field + engine.message.__find: script failed + - shell: # A simple shell check. If the command exits with a non-0 exit code the # check will fail. The script is run in the output directory of the
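Review bot: the added `filter` example mixes two unrelated features, a non-default `filename: suricata.json` and the new `engine.message.__find` substring match, so a reader copying it to use `__find` against the default eve.json picks up an unneeded `filename` key. Suggest dropping `filename` from this bullet (or giving it its own bullet) and expanding the `# Find a substring in a field` comment to say that `__find` is appended to the dotted field path and the check passes when the field's value contains the given text; since this README entry is the only place `__find` is documented, that one sentence would spare users a trip to the source.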