in geneve/events_emitter_eql.py [0:0]
def cc_in_set(node: eql.ast.InSet, negate: bool, max_branches: int) -> Root:
if not isinstance(node.expression, eql.ast.Field):
raise NotImplementedError(f"Unsupported expression type: {type(node.expression)}")
branches = []
if negate:
field = node.expression.render()
doc = Document()
for term in node.container:
doc.append_constraint(field, "!=", term.value)
branches.append(Branch([doc]))
else:
for term in node.container:
branches.extend(cc_field(node.expression, term.value, negate, max_branches))
return Root(branches)