Implement a K/V container

[alexkornitzer]

We currently support a single container type for Chainsaw rules used when hunting which is JSON. Currently the way containers work is a tad confusing, there is room for improvement but that is not in scope for now.

Since it is not documented anywhere i'll list how it currently works:

- name:               # Friendly name for extracted field 
  container:
    field: example    # The field containing the embedded data
    format: json      # How to extract the embedded data
  to: foo             # The field to map to within the embedded data
  from: example.foo   # The name of the field in the filter to map from

The plan is to add a new container that will extract key value pairs from a string given a delimiter and a separator. To elaborate:

key1:value1 key2:value2

With separator : and delimiter we would get:

key1: value1
key2: value2

[alexkornitzer]

Here is an example:

{
  "timestamp": "1990-01-01T00:00:00Z",
  "name": "foo",
  "embedded": "flip:flop\r\nflap:flap"
}

---
title: Container Example
group: Example
description: Showcase containers
authors: [alexkornitzer]
kind: json
level: info
status: stable
timestamp: timestamp

fields:
  - name: Name
    to: name
  - name: Embedded
    container:
      field: embedded
      format: kv
      delimiter: "\r\n"
      separator: ':'
    to: flip
    from: embedded.flip

filter:
  name: foo
  embedded.flip: flop

[+] Group: Example
┌───────────────────────────┬─────────────────────┬──────┬──────────┐
│         timestamp         │     detections      │ Name │ Embedded │
├───────────────────────────┼─────────────────────┼──────┼──────────┤
│ 1990-01-01 00:00:00+00:00 │ ‣ Container Example │ foo  │ flop     │
└───────────────────────────┴─────────────────────┴──────┴──────────┘