perf(rule_engine,filter): Improve bound sequences

Refactor bound sequence evaluation logic
to speed it up, most notably, by deferring
the field hash calculation only when the
event matches. Furthermore, the accessor
is tied to the bound field avoiding iteration
across filter's registered accessors.

Author: rabbitstack

pkg/filter/accessor.go

@@ -153,7 +153,7 @@ func (*evtAccessor) Get(f Field, evt *event.Event) (params.Value, error) {
 // referenced in the bound field.
 func (f *filter) narrowAccessors() {
 	var (
-		removeKevtAccessor       = true
+		removeEvtAccessor        = true
 		removePsAccessor         = true
 		removeThreadAccessor     = true
 		removeImageAccessor      = true
@@ -169,8 +169,8 @@ func (f *filter) narrowAccessors() {
 
 	for _, field := range f.fields {
 		switch {
-		case field.Name.IsKevtField():
-			removeKevtAccessor = false
+		case field.Name.IsKevtField(), field.Name.IsEvtField():
+			removeEvtAccessor = false
 		case field.Name.IsPsField():
 			removePsAccessor = false
 		case field.Name.IsThreadField():
@@ -196,7 +196,7 @@ func (f *filter) narrowAccessors() {
 		}
 	}
 
-	if removeKevtAccessor {
+	if removeEvtAccessor {
 		f.removeAccessor(&evtAccessor{})
 	}
 	if removePsAccessor {

pkg/filter/fields/fields_windows.go

@@ -619,7 +619,8 @@ func (f Field) String() string { return string(f) }
 func (f Field) Type() params.Type { return fields[f].Type }
 
 func (f Field) IsPsField() bool         { return strings.HasPrefix(string(f), "ps.") }
-func (f Field) IsKevtField() bool       { return strings.HasPrefix(string(f), "evt.") }
+func (f Field) IsKevtField() bool       { return strings.HasPrefix(string(f), "kevt.") }
+func (f Field) IsEvtField() bool        { return strings.HasPrefix(string(f), "evt.") }
 func (f Field) IsThreadField() bool     { return strings.HasPrefix(string(f), "thread.") }
 func (f Field) IsImageField() bool      { return strings.HasPrefix(string(f), "image.") }
 func (f Field) IsFileField() bool       { return strings.HasPrefix(string(f), "file.") }