diff --git a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/BaseEqlSpecTestCase.java b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/BaseEqlSpecTestCase.java
index d774539ec03..798eb868659 100644
--- a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/BaseEqlSpecTestCase.java
+++ b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/BaseEqlSpecTestCase.java
@@ -32,7 +32,7 @@ import static java.util.stream.Collectors.toList;
public abstract class BaseEqlSpecTestCase extends ESRestTestCase {
- protected static final String PARAM_FORMATTING = "%1$s.test -> %2$s";
+ protected static final String PARAM_FORMATTING = "%2$s";
private RestHighLevelClient highLevelClient;
diff --git a/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml b/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml
index 2ffc81eed9c..6647eb13ea3 100644
--- a/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml
+++ b/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml
@@ -5,14 +5,14 @@
name = "betweenAdditional1"
expected_event_ids = [95]
query = '''
-file where between(file_path, "dev", ".json", false) == "\\TestLogs\\something"
+file where between(file_path, "dev", ".json", false) : "\\TestLogs\\something"
'''
[[queries]]
name = "betweenAdditional2"
expected_event_ids = [95]
query = '''
-file where between(file_path, "dev", ".json", true) == "\\TestLogs\\something"
+file where between(file_path, "dev", ".json", true) : "\\TestLogs\\something"
'''
[[queries]]
@@ -26,7 +26,7 @@ network where cidrMatch(source_address, "10.6.48.157/8") == true
name = "stringCidrMatch2"
expected_event_ids = [75304, 75305]
query = '''
-network where string(cidrMatch(source_address, "10.6.48.157/8")) == "true"
+network where string(cidrMatch(source_address, "10.6.48.157/8")) : "true"
'''
[[queries]]
@@ -62,14 +62,14 @@ network where cidrMatch(source_address, "0.0.0.0/0") == true
name = "concatEquals1"
description = "test string concatenation. update test to avoid case-sensitivity issues"
query = '''
-process where concat(serial_event_id, "::", process_name, "::", opcode) == "5::wininit.exe::3"
+process where concat(serial_event_id, "::", process_name, "::", opcode) : "5::wininit.exe::3"
'''
expected_event_ids = [5]
[[queries]]
name = "concatEquals2"
-query = 'process where concat(serial_event_id) == "1"'
+query = 'process where concat(serial_event_id) : "1"'
expected_event_ids = [1]
[[queries]]
@@ -98,7 +98,7 @@ expected_event_ids = [1, 2, 3, 4]
[[queries]]
name = "numberStringConversion1"
-query = 'process where string(serial_event_id) == "1"'
+query = 'process where string(serial_event_id) : "1"'
expected_event_ids = [1]
diff --git a/x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml b/x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml
index c57ffb9dfe5..86c7da35654 100644
--- a/x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml
+++ b/x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml
@@ -31,7 +31,7 @@ query = 'process where bad_field == null | head 5'
[[queries]]
name = "processNameInexistent"
query = '''
-process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
+process where process_name : "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
'''
expected_event_ids = [4]
@@ -253,7 +253,7 @@ expected_event_ids = [1, 2]
name = "processWithStringEqualityCaseInsensitive1"
case_insensitive = true
query = '''
-process where process_name == "VMACTHLP.exe" and unique_pid == 12
+process where process_name : "VMACTHLP.exe" and unique_pid == 12
| filter true
'''
expected_event_ids = [12]
@@ -351,47 +351,47 @@ name = "lengthCaseInsensitive1"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"
+registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] : "EN"
'''
[[queries]]
name = "keyPathWildcard"
query = '''
-registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"
+registry where key_path : "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"
'''
expected_event_ids = [79]
[[queries]]
name = "processPathWildcardAndIN"
query = '''
-process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)
+process where process_path : "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)
'''
expected_event_ids = [84, 85]
[[queries]]
name = "descendant1"
query = '''
-file where file_name == "csrss.exe" and opcode==0
- and descendant of [process where opcode in (1,3) and process_name=="cmd.exe"]
+file where file_name : "csrss.exe" and opcode==0
+ and descendant of [process where opcode in (1,3) and process_name:"cmd.exe"]
'''
expected_event_ids = [72]
[[queries]]
name = "descendant2"
query = '''
-process where opcode==1 and process_name == "csrss.exe"
- and descendant of [file where file_name == "csrss.exe" and opcode==0]
+process where opcode==1 and process_name : "csrss.exe"
+ and descendant of [file where file_name : "csrss.exe" and opcode==0]
'''
expected_event_ids = [73]
[[queries]]
name = "descendant3"
query = '''
-process where opcode==1 and process_name == "smss.exe"
+process where opcode==1 and process_name : "smss.exe"
and descendant of [
- file where file_name == "csrss.exe" and opcode==0
+ file where file_name : "csrss.exe" and opcode==0
and descendant of [
- process where opcode in(1,3) and process_name=="cmd.exe"
+ process where opcode in(1,3) and process_name:"cmd.exe"
]
]
'''
@@ -400,24 +400,24 @@ expected_event_ids = [78]
[[queries]]
name = "wildcardAndMultipleConditions1"
query = '''
-file where file_path=="*\\red_ttp\\winin*.*"
- and opcode in (0,1,2) and user_name=="vagrant"
+file where file_path:"*\\red_ttp\\winin*.*"
+ and opcode in (0,1,2) and user_name:"vagrant"
'''
expected_event_ids = [83, 86]
[[queries]]
name = "wildcardAndMultipleConditions2"
query = '''
-file where file_path=="*\\red_ttp\\winin*.*"
- and opcode not in (0,1,2) and user_name=="vagrant"
+file where file_path:"*\\red_ttp\\winin*.*"
+ and opcode not in (0,1,2) and user_name:"vagrant"
'''
expected_event_ids = []
[[queries]]
name = "wildcardAndMultipleConditions3"
query = '''
-file where file_path=="*\\red_ttp\\winin*.*"
- and opcode not in (3, 4, 5, 6 ,7) and user_name=="vagrant"
+file where file_path:"*\\red_ttp\\winin*.*"
+ and opcode not in (3, 4, 5, 6 ,7) and user_name:"vagrant"
'''
expected_event_ids = [83, 86]
@@ -762,7 +762,7 @@ expected_event_ids = [1, 2,
name = "sequencesOnDifferentEventTypes1"
query = '''
sequence by unique_pid
- [process where opcode==1 and process_name == "MSBuild.exe"]
+ [process where opcode==1 and process_name : "MSBuild.exe"]
[network where true]
'''
expected_event_ids = [75273, 75304]
@@ -773,10 +773,10 @@ description = "test that process sequences are working correctly"
name = "sequencesOnDifferentEventTypes2"
query = '''
sequence
- [file where event_subtype_full == "file_create_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@@ -787,10 +787,10 @@ expected_event_ids = [67, 68, 69, 70,
name = "sequencesOnDifferentEventTypes3"
query = '''
sequence with maxspan=1d
- [file where event_subtype_full == "file_create_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@@ -801,10 +801,10 @@ expected_event_ids = [67, 68, 69, 70,
name = "sequencesOnDifferentEventTypes4"
query = '''
sequence with maxspan=1h
- [file where event_subtype_full == "file_create_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@@ -815,10 +815,10 @@ expected_event_ids = [67, 68, 69, 70,
name = "sequencesOnDifferentEventTypes5"
query = '''
sequence with maxspan=1m
- [file where event_subtype_full == "file_create_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@@ -829,10 +829,10 @@ expected_event_ids = [67, 68, 69, 70,
name = "sequencesOnDifferentEventTypes6"
query = '''
sequence with maxspan=10s
- [file where event_subtype_full == "file_create_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@@ -843,10 +843,10 @@ expected_event_ids = [67, 68, 69, 70,
name = "sequencesOnDifferentEventTypes7"
query = '''
sequence with maxspan=500ms
- [file where event_subtype_full == "file_create_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@@ -867,7 +867,7 @@ expected_event_ids = [1, 2,
name = "sequencesOnDifferentEventTypesWithBy"
query = '''
sequence
- [file where opcode==0 and file_name=="svchost.exe"] by unique_pid
+ [file where opcode==0 and file_name:"svchost.exe"] by unique_pid
[process where opcode == 1] by unique_ppid
'''
expected_event_ids = [55, 56]
@@ -896,8 +896,8 @@ expected_event_ids = [87, 92]
name = "doubleSameSequenceWithByUntilAndHead1"
query = '''
sequence
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
+ [file where opcode==0 and file_name:"*.exe"] by unique_pid
+ [file where opcode==0 and file_name:"*.exe"] by unique_pid
until [process where opcode==5000] by unique_ppid
| head 1
'''
@@ -907,8 +907,8 @@ expected_event_ids = [55, 61]
name = "doubleSameSequenceWithByUntilAndHead2"
query = '''
sequence
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
+ [file where opcode==0 and file_name:"*.exe"] by unique_pid
+ [file where opcode==0 and file_name:"*.exe"] by unique_pid
until [process where opcode==1] by unique_ppid
| head 1
'''
@@ -918,8 +918,8 @@ expected_event_ids = []
name = "doubleJoinWithByUntilAndHead"
query = '''
join
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
- [file where opcode==2 and file_name=="*.exe"] by unique_pid
+ [file where opcode==0 and file_name:"*.exe"] by unique_pid
+ [file where opcode==2 and file_name:"*.exe"] by unique_pid
until [process where opcode==1] by unique_ppid
| head 1
'''
@@ -929,8 +929,8 @@ expected_event_ids = [61, 59]
name = "twoJoins1"
query = '''
join by user_name
- [process where opcode in (1,3) and process_name=="smss.exe"]
- [process where opcode in (1,3) and process_name == "python.exe"]
+ [process where opcode in (1,3) and process_name:"smss.exe"]
+ [process where opcode in (1,3) and process_name : "python.exe"]
'''
expected_event_ids = [78, 48]
@@ -939,8 +939,8 @@ name = "threeJoins1"
query = '''
join by unique_pid
[process where opcode==1]
- [file where opcode==0 and file_name=="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"]
+ [file where opcode==0 and file_name:"svchost.exe"]
+ [file where opcode == 0 and file_name : "lsass.exe"]
'''
expected_event_ids = [54, 55, 61]
@@ -949,8 +949,8 @@ name = "threeJoins2"
query = '''
join by string(unique_pid)
[process where opcode==1]
- [file where opcode==0 and file_name=="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"]
+ [file where opcode==0 and file_name:"svchost.exe"]
+ [file where opcode == 0 and file_name : "lsass.exe"]
'''
expected_event_ids = [54, 55, 61]
@@ -959,8 +959,8 @@ name = "threeJoinsWithUntil1"
query = '''
join by unique_pid
[process where opcode==1]
- [file where opcode==0 and file_name=="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"]
+ [file where opcode==0 and file_name:"svchost.exe"]
+ [file where opcode == 0 and file_name : "lsass.exe"]
until [file where opcode == 2]
'''
expected_event_ids = []
@@ -970,8 +970,8 @@ name = "threeJoinsWithUntil2"
query = '''
join by string(unique_pid), unique_pid, unique_pid * 2
[process where opcode==1]
- [file where opcode==0 and file_name=="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"]
+ [file where opcode==0 and file_name:"svchost.exe"]
+ [file where opcode == 0 and file_name : "lsass.exe"]
until [file where opcode == 2]
'''
expected_event_ids = []
@@ -980,7 +980,7 @@ expected_event_ids = []
name = "twoJoins2"
query = '''
join
- [file where opcode==0 and file_name=="svchost.exe"] by unique_pid
+ [file where opcode==0 and file_name:"svchost.exe"] by unique_pid
[process where opcode == 1] by unique_ppid
'''
expected_event_ids = [55, 56]
@@ -989,8 +989,8 @@ expected_event_ids = [55, 56]
name = "twoJoins3"
query = '''
join by unique_pid
- [process where opcode in (1,3) and process_name=="python.exe"]
- [file where file_name == "*.exe"]
+ [process where opcode in (1,3) and process_name:"python.exe"]
+ [file where file_name : "*.exe"]
'''
expected_event_ids = [54, 55]
@@ -998,8 +998,8 @@ expected_event_ids = [54, 55]
name = "twoJoins4"
query = '''
join by user_name
- [process where opcode in (1,3) and process_name=="python.exe"]
- [process where opcode in (1,3) and process_name == "smss.exe"]
+ [process where opcode in (1,3) and process_name:"python.exe"]
+ [process where opcode in (1,3) and process_name : "smss.exe"]
'''
expected_event_ids = [48, 78]
@@ -1007,8 +1007,8 @@ expected_event_ids = [48, 78]
name = "twoJoins5"
query = '''
join
- [process where opcode in (1,3) and process_name=="python.exe"]
- [process where opcode in (1,3) and process_name == "smss.exe"]
+ [process where opcode in (1,3) and process_name:"python.exe"]
+ [process where opcode in (1,3) and process_name : "smss.exe"]
'''
expected_event_ids = [48, 3, 50, 78]
@@ -1016,7 +1016,7 @@ expected_event_ids = [48, 3, 50, 78]
name = "fakeField"
expected_event_ids = []
query = '''
-process where fake_field == "*"
+process where fake_field : "*"
'''
[[queries]]
@@ -1033,7 +1033,7 @@ expected_event_ids = []
[[queries]]
name = "fakeFieldWithHead2"
query = '''
-process where not (fake_field == "*")
+process where not (fake_field : "*")
| head 4
'''
# no longer valid, since this returns `null`, and `not null` is still null
@@ -1059,9 +1059,9 @@ name = "multipleConditions2"
query = '''
process where opcode == 1
and process_name in ("net.exe", "net1.exe")
- and not (parent_process_name == "net.exe"
- and process_name == "net1.exe")
- and command_line == "*group *admin*" and command_line != "* /add*"
+ and not (parent_process_name : "net.exe"
+ and process_name : "net1.exe")
+ and command_line : "*group *admin*" and command_line != "* /add*"
'''
expected_event_ids = [97]
@@ -1077,7 +1077,7 @@ any where true
name = "multipleConditionsWithDescendant1"
query = '''
process where opcode==1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
- and descendant of [process where process_name == "cmd.exe" ]
+ and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [62, 68, 78]
@@ -1085,7 +1085,7 @@ expected_event_ids = [62, 68, 78]
name = "INWithDescendant"
query = '''
process where process_name in ("services.exe", "smss.exe", "lsass.exe")
- and descendant of [process where process_name == "cmd.exe" ]
+ and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [62, 64, 68, 69, 78, 80]
@@ -1093,23 +1093,23 @@ expected_event_ids = [62, 64, 68, 69, 78, 80]
name = "multipleConditionsWithDescendant2"
query = '''
process where opcode==2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
- and descendant of [process where process_name == "cmd.exe" ]
+ and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [64, 69, 80]
[[queries]]
name = "childOf1"
query = '''
-process where process_name=="svchost.exe"
- and child of [file where file_name=="svchost.exe" and opcode==0]
+process where process_name:"svchost.exe"
+ and child of [file where file_name:"svchost.exe" and opcode==0]
'''
expected_event_ids = [56, 58]
[[queries]]
name = "childOf2"
query = '''
-process where process_name=="svchost.exe"
- and not child of [file where file_name=="svchost.exe" and opcode==0]
+process where process_name:"svchost.exe"
+ and not child of [file where file_name:"svchost.exe" and opcode==0]
| head 3
'''
expected_event_ids = [11, 13, 15]
@@ -1117,10 +1117,10 @@ expected_event_ids = [11, 13, 15]
[[queries]]
name = "nestedChildOf1"
query = '''
-process where process_name=="lsass.exe"
+process where process_name:"lsass.exe"
and child of [
- process where process_name=="python.exe"
- and child of [process where process_name=="cmd.exe"]
+ process where process_name:"python.exe"
+ and child of [process where process_name:"cmd.exe"]
]
'''
expected_event_ids = [62, 64]
@@ -1130,7 +1130,7 @@ name = "nestedChildOf2"
query = '''
file where child of [
process where child of [
- process where child of [process where process_name=="*wsmprovhost.exe"]
+ process where child of [process where process_name:"*wsmprovhost.exe"]
]
]
| tail 1
@@ -1140,7 +1140,7 @@ expected_event_ids = [91]
[[queries]]
name = "fileByUniquePid1"
query = '''
-file where process_name == "python.exe"
+file where process_name : "python.exe"
| unique unique_pid
'''
expected_event_ids = [55, 95]
@@ -1148,7 +1148,7 @@ expected_event_ids = [55, 95]
[[queries]]
name = "fileByUniquePid2"
query = '''
-file where event of [process where process_name == "python.exe" ]
+file where event of [process where process_name : "python.exe" ]
| unique unique_pid
'''
expected_event_ids = [55, 95]
@@ -1156,20 +1156,20 @@ expected_event_ids = [55, 95]
[[queries]]
name = "simpleStringEquality"
query = '''
-process where process_name == "python.exe"
+process where process_name : "python.exe"
'''
expected_event_ids = [48, 50, 51, 54, 93]
[[queries]]
name = "eventOfProcess"
-query = 'process where event of [process where process_name == "python.exe" ]'
+query = 'process where event of [process where process_name : "python.exe" ]'
expected_event_ids = [48, 50, 51, 54, 93]
[[queries]]
name = "twoSequencesWithKeys2"
query = '''
sequence
- [file where file_name=="lsass.exe"] by file_path,process_path
+ [file where file_name:"lsass.exe"] by file_path,process_path
[process where true] by process_path,parent_process_path
'''
expected_event_ids = [61, 62]
@@ -1178,7 +1178,7 @@ expected_event_ids = [61, 62]
name = "twoSequencesWithKeys3"
query = '''
sequence by user_name
- [file where file_name=="lsass.exe"] by file_path, process_path
+ [file where file_name:"lsass.exe"] by file_path, process_path
[process where true] by process_path, parent_process_path
'''
expected_event_ids = [61, 62]
@@ -1187,7 +1187,7 @@ expected_event_ids = [61, 62]
name = "twoSequencesWithKeys4"
query = '''
sequence by pid
- [file where file_name=="lsass.exe"] by file_path,process_path
+ [file where file_name:"lsass.exe"] by file_path,process_path
[process where true] by process_path,parent_process_path
'''
expected_event_ids = []
@@ -1263,21 +1263,21 @@ expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73]
[[queries]]
name = "wildcard1"
query = '''
-process where command_line == "*%*"
+process where command_line : "*%*"
'''
expected_event_ids = [4, 6, 28]
[[queries]]
name = "wildcard2"
query = '''
-process where command_line == "*%*%*"
+process where command_line : "*%*%*"
'''
expected_event_ids = [4, 6, 28]
[[queries]]
name = "wildcard3"
query = '''
-process where command_line == "%*%*"
+process where command_line : "%*%*"
'''
expected_event_ids = [4, 6, 28]
@@ -1285,7 +1285,7 @@ expected_event_ids = [4, 6, 28]
name = "uniqueCount1"
expected_event_ids = [11, 60, 63]
query = '''
-any where process_name == "svchost.exe"
+any where process_name : "svchost.exe"
| unique_count event_type_full process_name
'''
@@ -1293,7 +1293,7 @@ any where process_name == "svchost.exe"
name = "uniqueCount2"
expected_event_ids = [63, 60, 11]
query = '''
-any where process_name == "svchost.exe"
+any where process_name : "svchost.exe"
| sort event_type_full serial_event_id
| unique_count event_type_full process_name
'''
@@ -1302,7 +1302,7 @@ any where process_name == "svchost.exe"
name = "uniqueCount3"
expected_event_ids = [60]
query = '''
-any where process_name == "svchost.exe"
+any where process_name : "svchost.exe"
| unique_count event_type_full opcode
| filter count == 7
'''
@@ -1311,7 +1311,7 @@ any where process_name == "svchost.exe"
name = "uniqueCountAndFilter"
expected_event_ids = [11]
query = '''
-any where process_name == "svchost.exe"
+any where process_name : "svchost.exe"
| unique_count event_type_full opcode
| filter percent >= .5
'''
@@ -1338,7 +1338,7 @@ name = "lengthCaseInsensitive2"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == "EN-us"
+registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] : "EN-us"
'''
[[queries]]
@@ -1346,7 +1346,7 @@ name = "arrayCaseInsensitive1"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where bytes_written_string_list[0] == "EN-us"
+registry where bytes_written_string_list[0] : "EN-us"
'''
[[queries]]
@@ -1354,7 +1354,7 @@ name = "arrayCaseInsensitive2"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where bytes_written_string_list[1] == "EN"
+registry where bytes_written_string_list[1] : "EN"
'''
@@ -1379,21 +1379,21 @@ name = "arrayCaseInsensitive3"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == "en-US"
+registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] : "en-US"
'''
[[queries]]
name = "arrayEquality1"
expected_event_ids = [57]
query = '''
-registry where bytes_written_string_list[0] == "en-US"
+registry where bytes_written_string_list[0] : "en-US"
'''
[[queries]]
name = "arrayEquality2"
expected_event_ids = [57]
query = '''
-registry where bytes_written_string_list[1] == "en"
+registry where bytes_written_string_list[1] : "en"
'''
[[queries]]
@@ -1436,7 +1436,7 @@ name = "stringEqualsCaseInsensitive1"
case_insensitive = true
query = '''
process where "net.EXE" == original_file_name
-| filter process_name=="net*.exe"
+| filter process_name:"net*.exe"
'''
expected_event_ids = [97]
note = "check that case insensitive comparisons are performed even for lhs strings."
@@ -1445,7 +1445,7 @@ note = "check that case insensitive comparisons are performed even for lhs strin
name = "stringEqualsCaseInsensitive2"
case_insensitive = true
query = '''
-process where process_name == original_file_name and process_name=="net*.exe"
+process where process_name == original_file_name and process_name:"net*.exe"
'''
expected_event_ids = [97, 98]
note = "check that case insensitive comparisons are performed for fields."
@@ -1649,7 +1649,7 @@ description = "check substring ranges"
name = "substring1"
case_insensitive = true
query = '''
-file where serial_event_id==88 and substring(file_name, 0, 4) == "expl"
+file where serial_event_id==88 and substring(file_name, 0, 4) : "expl"
'''
expected_event_ids = [88]
description = "check substring ranges"
@@ -1667,7 +1667,7 @@ description = "check substring ranges"
name = "substring3"
case_insensitive = true
query = '''
-file where substring(file_name, 1, 3) == "xp"
+file where substring(file_name, 1, 3) : "xp"
'''
expected_event_ids = [88, 91, 92]
description = "check substring ranges"
@@ -1675,7 +1675,7 @@ description = "check substring ranges"
[[queries]]
name = "substring4"
query = '''
-file where substring(file_name, -4) == ".exe"
+file where substring(file_name, -4) : ".exe"
'''
expected_event_ids = [55, 59, 61, 65, 67, 70, 72, 75, 76, 81, 83, 86, 88, 91]
description = "check substring ranges"
@@ -1683,7 +1683,7 @@ description = "check substring ranges"
[[queries]]
name = "substring5"
query = '''
-file where substring(file_name, -4, -1) == ".ex"
+file where substring(file_name, -4, -1) : ".ex"
'''
expected_event_ids = [55, 59, 61, 65, 67, 70, 72, 75, 76, 81, 83, 86, 88, 91]
description = "check substring ranges"
@@ -1747,7 +1747,7 @@ process where serial_event_id == number("32", 16)
[[queries]]
name = "concat1"
query = '''
-process where concat(serial_event_id, ":", process_name, opcode) == "5:wininit.exe3"
+process where concat(serial_event_id, ":", process_name, opcode) : "5:wininit.exe3"
'''
expected_event_ids = [5]
description = "test string concatenation"
@@ -1756,7 +1756,7 @@ description = "test string concatenation"
name = "concatCaseInsensitive"
case_insensitive = true
query = '''
-process where concat(serial_event_id, ":", process_name, opcode) == "5:winINIT.exe3"
+process where concat(serial_event_id, ":", process_name, opcode) : "5:winINIT.exe3"
'''
expected_event_ids = [5]
description = "test string concatenation"
@@ -1776,7 +1776,7 @@ name = "arraySearch1"
expected_event_ids = [57]
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
-registry where arraySearch(bytes_written_string_list, a, a == "en-US")
+registry where arraySearch(bytes_written_string_list, a, a : "en-US")
'''
[[queries]]
@@ -1785,7 +1785,7 @@ case_sensitive = true
expected_event_ids = []
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
-registry where arraySearch(bytes_written_string_list, a, a == "EN-US")
+registry where arraySearch(bytes_written_string_list, a, a : "EN-US")
'''
[[queries]]
@@ -1794,7 +1794,7 @@ case_insensitive = true
expected_event_ids = [57]
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
-registry where arraySearch(bytes_written_string_list, a, a == "en-us")
+registry where arraySearch(bytes_written_string_list, a, a : "en-us")
'''
[[queries]]
@@ -1828,7 +1828,7 @@ name = "arraySearchWithMysteriousField3"
expected_event_ids = [75305]
description = "test arraySearch - conditional"
query = '''
-network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == "s0-*")
+network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a : "s0-*")
'''
[[queries]]
@@ -1846,7 +1846,7 @@ description = "test arraySearch - nested"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
- arraySearch(sub1.c, nested, nested.x.y == "*"))
+ arraySearch(sub1.c, nested, nested.x.y : "*"))
'''
[[queries]]
@@ -1856,7 +1856,7 @@ description = "test arraySearch - nested with cross-check pass"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
- sub1.a == "s0-a" and arraySearch(sub1.c, nested, nested.z == "s0-c1-x-z"))
+ sub1.a : "s0-a" and arraySearch(sub1.c, nested, nested.z : "s0-c1-x-z"))
'''
[[queries]]
@@ -1866,7 +1866,7 @@ description = "test arraySearch - nested with cross-check pass"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
- sub1.a == "s0-a" and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
+ sub1.a : "s0-a" and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
'''
[[queries]]
@@ -1901,7 +1901,7 @@ name = "arrayCount1"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where arrayCount(bytes_written_string_list, s, s == "*-us") == 1
+registry where arrayCount(bytes_written_string_list, s, s : "*-us") == 1
'''
[[queries]]
@@ -1909,7 +1909,7 @@ name = "arrayCount2"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where arrayCount(bytes_written_string_list, s, s == "*en*") == 2
+registry where arrayCount(bytes_written_string_list, s, s : "*en*") == 2
'''
[[queries]]
@@ -1955,7 +1955,7 @@ name = "betweenCaseInsensitive1"
case_insensitive = true
expected_event_ids = [1, 2]
query = '''
-process where between(process_name, "s", "e") == "yst"
+process where between(process_name, "s", "e") : "yst"
'''
[[queries]]
@@ -1963,7 +1963,7 @@ name = "betweenCaseInsensitive2"
case_insensitive = true
expected_event_ids = [1, 2]
query = '''
-process where between(process_name, "s", "e", false) == "yst"
+process where between(process_name, "s", "e", false) : "yst"
'''
[[queries]]
@@ -1971,14 +1971,14 @@ name = "betweenCaseSensitive"
case_sensitive = true
expected_event_ids = [1, 2, 42]
query = '''
-process where between(process_name, "s", "e", false) == "t"
+process where between(process_name, "s", "e", false) : "t"
'''
[[queries]]
name = "between1"
expected_event_ids = [1]
query = '''
-process where between(process_name, "S", "e", true) == "ystem Idle Proc"
+process where between(process_name, "S", "e", true) : "ystem Idle Proc"
'''
[[queries]]
@@ -1986,21 +1986,21 @@ name = "betweenCaseInsensitive3"
case_insensitive = true
expected_event_ids = [1]
query = '''
-process where between(process_name, "s", "e", true) == "ystem Idle Proc"
+process where between(process_name, "s", "e", true) : "ystem Idle Proc"
'''
[[queries]]
name = "between2"
expected_event_ids = [95]
query = '''
-file where between(file_path, "dev", ".json", false) == "\\TestLogs\\something"
+file where between(file_path, "dev", ".json", false) : "\\TestLogs\\something"
'''
[[queries]]
name = "between3"
expected_event_ids = [95]
query = '''
-file where between(file_path, "dev", ".json", true) == "\\TestLogs\\something"
+file where between(file_path, "dev", ".json", true) : "\\TestLogs\\something"
'''
diff --git a/x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml b/x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml
index e9fef03a995..012d424a140 100644
--- a/x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml
+++ b/x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml
@@ -134,7 +134,7 @@ expected_event_ids = [1, 2]
name = "processWithStringEqualityCaseInsensitive1"
case_insensitive = true
query = '''
-process where process_name == "VMACTHLP.exe" and unique_pid == 12
+process where process_name : "VMACTHLP.exe" and unique_pid == 12
| filter true
'''
expected_event_ids = [12]
@@ -232,33 +232,33 @@ name = "lengthCaseInsensitive"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"
+registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] : "EN"
'''
[[queries]]
name = "descendant1"
query = '''
-file where file_name == "csrss.exe" and opcode==0
- and descendant of [process where opcode in (1,3) and process_name=="cmd.exe"]
+file where file_name : "csrss.exe" and opcode==0
+ and descendant of [process where opcode in (1,3) and process_name:"cmd.exe"]
'''
expected_event_ids = [72]
[[queries]]
name = "descendant2"
query = '''
-process where opcode==1 and process_name == "csrss.exe"
- and descendant of [file where file_name == "csrss.exe" and opcode==0]
+process where opcode==1 and process_name : "csrss.exe"
+ and descendant of [file where file_name : "csrss.exe" and opcode==0]
'''
expected_event_ids = [73]
[[queries]]
name = "descendant3"
query = '''
-process where opcode==1 and process_name == "smss.exe"
+process where opcode==1 and process_name : "smss.exe"
and descendant of [
- file where file_name == "csrss.exe" and opcode==0
+ file where file_name : "csrss.exe" and opcode==0
and descendant of [
- process where opcode in(1,3) and process_name=="cmd.exe"
+ process where opcode in(1,3) and process_name:"cmd.exe"
]
]
'''
@@ -359,8 +359,8 @@ expected_event_ids = [87, 92]
name = "doubleSameSequenceWithByUntilAndHead2"
query = '''
join
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
- [file where opcode==2 and file_name=="*.exe"] by unique_pid
+ [file where opcode==0 and file_name:"*.exe"] by unique_pid
+ [file where opcode==2 and file_name:"*.exe"] by unique_pid
until [process where opcode==1] by unique_ppid
| head 1
'''
@@ -370,8 +370,8 @@ expected_event_ids = [61, 59]
name = "twoJoins1"
query = '''
join by user_name
- [process where opcode in (1,3) and process_name=="smss.exe"]
- [process where opcode in (1,3) and process_name == "python.exe"]
+ [process where opcode in (1,3) and process_name:"smss.exe"]
+ [process where opcode in (1,3) and process_name : "python.exe"]
'''
expected_event_ids = [78, 48]
@@ -380,8 +380,8 @@ name = "threeJoins1"
query = '''
join by unique_pid
[process where opcode==1]
- [file where opcode==0 and file_name=="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"]
+ [file where opcode==0 and file_name:"svchost.exe"]
+ [file where opcode == 0 and file_name : "lsass.exe"]
'''
expected_event_ids = [54, 55, 61]
@@ -390,8 +390,8 @@ name = "threeJoins2"
query = '''
join by string(unique_pid)
[process where opcode==1]
- [file where opcode==0 and file_name=="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"]
+ [file where opcode==0 and file_name:"svchost.exe"]
+ [file where opcode == 0 and file_name : "lsass.exe"]
'''
expected_event_ids = [54, 55, 61]
@@ -400,8 +400,8 @@ name = "threeJoinsWithUntil1"
query = '''
join by unique_pid
[process where opcode==1]
- [file where opcode==0 and file_name=="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"]
+ [file where opcode==0 and file_name:"svchost.exe"]
+ [file where opcode == 0 and file_name : "lsass.exe"]
until [file where opcode == 2]
'''
expected_event_ids = []
@@ -411,8 +411,8 @@ name = "threeJoinsWithUntil1"
query = '''
join by string(unique_pid), unique_pid, unique_pid * 2
[process where opcode==1]
- [file where opcode==0 and file_name=="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"]
+ [file where opcode==0 and file_name:"svchost.exe"]
+ [file where opcode == 0 and file_name : "lsass.exe"]
until [file where opcode == 2]
'''
expected_event_ids = []
@@ -421,7 +421,7 @@ expected_event_ids = []
name = "twoJoins2"
query = '''
join
- [file where opcode==0 and file_name=="svchost.exe"] by unique_pid
+ [file where opcode==0 and file_name:"svchost.exe"] by unique_pid
[process where opcode == 1] by unique_ppid
'''
expected_event_ids = [55, 56]
@@ -430,8 +430,8 @@ expected_event_ids = [55, 56]
name = "twoJoins3"
query = '''
join by unique_pid
- [process where opcode in (1,3) and process_name=="python.exe"]
- [file where file_name == "*.exe"]
+ [process where opcode in (1,3) and process_name:"python.exe"]
+ [file where file_name : "*.exe"]
'''
expected_event_ids = [54, 55]
@@ -439,8 +439,8 @@ expected_event_ids = [54, 55]
name = "twoJoins4"
query = '''
join by user_name
- [process where opcode in (1,3) and process_name=="python.exe"]
- [process where opcode in (1,3) and process_name == "smss.exe"]
+ [process where opcode in (1,3) and process_name:"python.exe"]
+ [process where opcode in (1,3) and process_name : "smss.exe"]
'''
expected_event_ids = [48, 78]
@@ -448,8 +448,8 @@ expected_event_ids = [48, 78]
name = "twoJoins5"
query = '''
join
- [process where opcode in (1,3) and process_name=="python.exe"]
- [process where opcode in (1,3) and process_name == "smss.exe"]
+ [process where opcode in (1,3) and process_name:"python.exe"]
+ [process where opcode in (1,3) and process_name : "smss.exe"]
'''
expected_event_ids = [48, 3, 50, 78]
@@ -457,7 +457,7 @@ expected_event_ids = [48, 3, 50, 78]
name = "fakeField"
expected_event_ids = []
query = '''
-process where fake_field == "*"
+process where fake_field : "*"
'''
[[queries]]
@@ -476,7 +476,7 @@ name = "fakeFieldWithHead2"
# expected_event_ids = [1, 2, 3, 4]
expected_event_ids = []
query = '''
-process where not (fake_field == "*")
+process where not (fake_field : "*")
| head 4
'''
@@ -569,7 +569,7 @@ any where true
name = "multipleConditionsWithDescendant1"
query = '''
process where opcode==1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
- and descendant of [process where process_name == "cmd.exe" ]
+ and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [62, 68, 78]
@@ -577,7 +577,7 @@ expected_event_ids = [62, 68, 78]
name = "INWithDescendant"
query = '''
process where process_name in ("services.exe", "smss.exe", "lsass.exe")
- and descendant of [process where process_name == "cmd.exe" ]
+ and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [62, 64, 68, 69, 78, 80]
@@ -585,23 +585,23 @@ expected_event_ids = [62, 64, 68, 69, 78, 80]
name = "multipleConditionsWithDescendant2"
query = '''
process where opcode==2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
- and descendant of [process where process_name == "cmd.exe" ]
+ and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [64, 69, 80]
[[queries]]
name = "childOf1"
query = '''
-process where process_name=="svchost.exe"
- and child of [file where file_name=="svchost.exe" and opcode==0]
+process where process_name:"svchost.exe"
+ and child of [file where file_name:"svchost.exe" and opcode==0]
'''
expected_event_ids = [56, 58]
[[queries]]
name = "childOf2"
query = '''
-process where process_name=="svchost.exe"
- and not child of [file where file_name=="svchost.exe" and opcode==0]
+process where process_name:"svchost.exe"
+ and not child of [file where file_name:"svchost.exe" and opcode==0]
| head 3
'''
expected_event_ids = [11, 13, 15]
@@ -609,10 +609,10 @@ expected_event_ids = [11, 13, 15]
[[queries]]
name = "nestedChildOf1"
query = '''
-process where process_name=="lsass.exe"
+process where process_name:"lsass.exe"
and child of [
- process where process_name=="python.exe"
- and child of [process where process_name=="cmd.exe"]
+ process where process_name:"python.exe"
+ and child of [process where process_name:"cmd.exe"]
]
'''
expected_event_ids = [62, 64]
@@ -622,7 +622,7 @@ name = "nestedChildOf2"
query = '''
file where child of [
process where child of [
- process where child of [process where process_name=="*wsmprovhost.exe"]
+ process where child of [process where process_name:"*wsmprovhost.exe"]
]
]
| tail 1
@@ -632,7 +632,7 @@ expected_event_ids = [91]
[[queries]]
name = "fileByUniquePid1"
query = '''
-file where process_name == "python.exe"
+file where process_name : "python.exe"
| unique unique_pid
'''
expected_event_ids = [55, 95]
@@ -640,7 +640,7 @@ expected_event_ids = [55, 95]
[[queries]]
name = "fileByUniquePid2"
query = '''
-file where event of [process where process_name == "python.exe" ]
+file where event of [process where process_name : "python.exe" ]
| unique unique_pid
'''
expected_event_ids = [55, 95]
@@ -648,13 +648,13 @@ expected_event_ids = [55, 95]
[[queries]]
name = "simpleStringEquality"
query = '''
-process where process_name == "python.exe"
+process where process_name : "python.exe"
'''
expected_event_ids = [48, 50, 51, 54, 93]
[[queries]]
name = "eventOfProcess"
-query = 'process where event of [process where process_name == "python.exe" ]'
+query = 'process where event of [process where process_name : "python.exe" ]'
expected_event_ids = [48, 50, 51, 54, 93]
[[queries]]
@@ -682,7 +682,7 @@ expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73]
name = "uniqueCount1"
expected_event_ids = [11, 60, 63]
query = '''
-any where process_name == "svchost.exe"
+any where process_name : "svchost.exe"
| unique_count event_type_full process_name
'''
@@ -690,7 +690,7 @@ any where process_name == "svchost.exe"
name = "uniqueCount2"
expected_event_ids = [63, 60, 11]
query = '''
-any where process_name == "svchost.exe"
+any where process_name : "svchost.exe"
| sort event_type_full serial_event_id
| unique_count event_type_full process_name
'''
@@ -699,7 +699,7 @@ any where process_name == "svchost.exe"
name = "uniqueCount3"
expected_event_ids = [60]
query = '''
-any where process_name == "svchost.exe"
+any where process_name : "svchost.exe"
| unique_count event_type_full opcode
| filter count == 7
'''
@@ -708,7 +708,7 @@ any where process_name == "svchost.exe"
name = "uniqueCountAndFilter"
expected_event_ids = [11]
query = '''
-any where process_name == "svchost.exe"
+any where process_name : "svchost.exe"
| unique_count event_type_full opcode
| filter percent >= .5
'''
@@ -735,7 +735,7 @@ name = "lengthCaseInsensitive"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == "EN-us"
+registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] : "EN-us"
'''
[[queries]]
@@ -743,7 +743,7 @@ name = "arrayCaseInsensitive1"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where bytes_written_string_list[0] == "EN-us"
+registry where bytes_written_string_list[0] : "EN-us"
'''
[[queries]]
@@ -751,7 +751,7 @@ name = "arrayCaseInsensitive2"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where bytes_written_string_list[1] == "EN"
+registry where bytes_written_string_list[1] : "EN"
'''
@@ -776,21 +776,21 @@ name = "arrayCaseInsensitive3"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == "en-US"
+registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] : "en-US"
'''
[[queries]]
name = "arrayEquality1"
expected_event_ids = [57]
query = '''
-registry where bytes_written_string_list[0] == "en-US"
+registry where bytes_written_string_list[0] : "en-US"
'''
[[queries]]
name = "arrayEquality2"
expected_event_ids = [57]
query = '''
-registry where bytes_written_string_list[1] == "en"
+registry where bytes_written_string_list[1] : "en"
'''
# character classes aren't supported. custom tests made in test_queries_supported.toml
@@ -834,7 +834,7 @@ name = "stringEqualsCaseInsensitive1"
case_insensitive = true
query = '''
process where "net.EXE" == original_file_name
-| filter process_name=="net*.exe"
+| filter process_name:"net*.exe"
'''
expected_event_ids = [97]
note = "check that case insensitive comparisons are performed even for lhs strings."
@@ -843,7 +843,7 @@ note = "check that case insensitive comparisons are performed even for lhs strin
name = "stringEqualsCaseInsensitive2"
case_insensitive = true
query = '''
-process where process_name == original_file_name and process_name=="net*.exe"
+process where process_name == original_file_name and process_name:"net*.exe"
'''
expected_event_ids = [97, 98]
note = "check that case insensitive comparisons are performed for fields."
@@ -861,7 +861,7 @@ description = "check that case insensitive comparisons are performed for fields.
name = "substring3"
case_insensitive = true
query = '''
-file where substring(file_name, 1, 3) == "xp"
+file where substring(file_name, 1, 3) : "xp"
'''
expected_event_ids = [88, 91, 92]
description = "check substring ranges"
@@ -878,7 +878,7 @@ description = "test built-in math functions"
name = "concatCaseInsensitive"
case_insensitive = true
query = '''
-process where concat(serial_event_id, ":", process_name, opcode) == "5:winINIT.exe3"
+process where concat(serial_event_id, ":", process_name, opcode) : "5:winINIT.exe3"
'''
expected_event_ids = [5]
description = "test string concatenation"
@@ -898,7 +898,7 @@ name = "arraySearch1"
expected_event_ids = [57]
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
-registry where arraySearch(bytes_written_string_list, a, a == "en-US")
+registry where arraySearch(bytes_written_string_list, a, a : "en-US")
'''
[[queries]]
@@ -907,7 +907,7 @@ case_sensitive = true
expected_event_ids = []
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
-registry where arraySearch(bytes_written_string_list, a, a == "EN-US")
+registry where arraySearch(bytes_written_string_list, a, a : "EN-US")
'''
[[queries]]
@@ -916,7 +916,7 @@ case_insensitive = true
expected_event_ids = [57]
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
-registry where arraySearch(bytes_written_string_list, a, a == "en-us")
+registry where arraySearch(bytes_written_string_list, a, a : "en-us")
'''
[[queries]]
@@ -950,7 +950,7 @@ name = "arraySearchWithMysteriousField3"
expected_event_ids = [75305]
description = "test arraySearch - conditional"
query = '''
-network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == "s0-*")
+network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a : "s0-*")
'''
[[queries]]
@@ -968,7 +968,7 @@ description = "test arraySearch - nested"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
- arraySearch(sub1.c, nested, nested.x.y == "*"))
+ arraySearch(sub1.c, nested, nested.x.y : "*"))
'''
[[queries]]
@@ -978,7 +978,7 @@ description = "test arraySearch - nested with cross-check pass"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
- sub1.a == "s0-a" and arraySearch(sub1.c, nested, nested.z == "s0-c1-x-z"))
+ sub1.a : "s0-a" and arraySearch(sub1.c, nested, nested.z : "s0-c1-x-z"))
'''
[[queries]]
@@ -988,7 +988,7 @@ description = "test arraySearch - nested with cross-check pass"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
- sub1.a == "s0-a" and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
+ sub1.a : "s0-a" and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
'''
[[queries]]
@@ -1023,7 +1023,7 @@ name = "arrayCount1"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where arrayCount(bytes_written_string_list, s, s == "*-us") == 1
+registry where arrayCount(bytes_written_string_list, s, s : "*-us") == 1
'''
[[queries]]
@@ -1031,7 +1031,7 @@ name = "arrayCount2"
case_insensitive = true
expected_event_ids = [57]
query = '''
-registry where arrayCount(bytes_written_string_list, s, s == "*en*") == 2
+registry where arrayCount(bytes_written_string_list, s, s : "*en*") == 2
'''
[[queries]]
@@ -1072,7 +1072,7 @@ name = "betweenCaseSensitive"
case_sensitive = true
expected_event_ids = [1, 2, 42]
query = '''
-process where between(process_name, "s", "e", false) == "t"
+process where between(process_name, "s", "e", false) : "t"
'''
# TODO: add toggles to this function so it's not always insensitive
diff --git a/x-pack/plugin/eql/src/main/antlr/EqlBase.g4 b/x-pack/plugin/eql/src/main/antlr/EqlBase.g4
index c24e748c032..5c6d59cbb1f 100644
--- a/x-pack/plugin/eql/src/main/antlr/EqlBase.g4
+++ b/x-pack/plugin/eql/src/main/antlr/EqlBase.g4
@@ -65,7 +65,7 @@ subquery
eventQuery
: eventFilter
;
-
+
eventFilter
: (ANY | event=identifier) WHERE expression
;
@@ -121,7 +121,7 @@ constant
;
comparisonOperator
- : EQ | NEQ | LT | LTE | GT | GTE
+ : SEQ | EQ | NEQ | LT | LTE | GT | GTE
;
booleanValue
@@ -168,6 +168,9 @@ WHERE: 'where';
WITH: 'with';
// Operators
+// dedicated string equality - case-insensitive and supporting * operator
+SEQ : ':';
+// regular operators
ASGN : '=';
EQ : '==';
NEQ : '!=';
diff --git a/x-pack/plugin/eql/src/main/antlr/EqlBase.tokens b/x-pack/plugin/eql/src/main/antlr/EqlBase.tokens
index a1bde64e87e..fcbe45b3615 100644
--- a/x-pack/plugin/eql/src/main/antlr/EqlBase.tokens
+++ b/x-pack/plugin/eql/src/main/antlr/EqlBase.tokens
@@ -14,33 +14,34 @@ TRUE=13
UNTIL=14
WHERE=15
WITH=16
-ASGN=17
-EQ=18
-NEQ=19
-LT=20
-LTE=21
-GT=22
-GTE=23
-PLUS=24
-MINUS=25
-ASTERISK=26
-SLASH=27
-PERCENT=28
-DOT=29
-COMMA=30
-LB=31
-RB=32
-LP=33
-RP=34
-PIPE=35
-ESCAPED_IDENTIFIER=36
-STRING=37
-INTEGER_VALUE=38
-DECIMAL_VALUE=39
-IDENTIFIER=40
-LINE_COMMENT=41
-BRACKETED_COMMENT=42
-WS=43
+SEQ=17
+ASGN=18
+EQ=19
+NEQ=20
+LT=21
+LTE=22
+GT=23
+GTE=24
+PLUS=25
+MINUS=26
+ASTERISK=27
+SLASH=28
+PERCENT=29
+DOT=30
+COMMA=31
+LB=32
+RB=33
+LP=34
+RP=35
+PIPE=36
+ESCAPED_IDENTIFIER=37
+STRING=38
+INTEGER_VALUE=39
+DECIMAL_VALUE=40
+IDENTIFIER=41
+LINE_COMMENT=42
+BRACKETED_COMMENT=43
+WS=44
'and'=1
'any'=2
'by'=3
@@ -57,22 +58,23 @@ WS=43
'until'=14
'where'=15
'with'=16
-'='=17
-'=='=18
-'!='=19
-'<'=20
-'<='=21
-'>'=22
-'>='=23
-'+'=24
-'-'=25
-'*'=26
-'/'=27
-'%'=28
-'.'=29
-','=30
-'['=31
-']'=32
-'('=33
-')'=34
-'|'=35
+':'=17
+'='=18
+'=='=19
+'!='=20
+'<'=21
+'<='=22
+'>'=23
+'>='=24
+'+'=25
+'-'=26
+'*'=27
+'/'=28
+'%'=29
+'.'=30
+','=31
+'['=32
+']'=33
+'('=34
+')'=35
+'|'=36
diff --git a/x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens b/x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens
index a1bde64e87e..fcbe45b3615 100644
--- a/x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens
+++ b/x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens
@@ -14,33 +14,34 @@ TRUE=13
UNTIL=14
WHERE=15
WITH=16
-ASGN=17
-EQ=18
-NEQ=19
-LT=20
-LTE=21
-GT=22
-GTE=23
-PLUS=24
-MINUS=25
-ASTERISK=26
-SLASH=27
-PERCENT=28
-DOT=29
-COMMA=30
-LB=31
-RB=32
-LP=33
-RP=34
-PIPE=35
-ESCAPED_IDENTIFIER=36
-STRING=37
-INTEGER_VALUE=38
-DECIMAL_VALUE=39
-IDENTIFIER=40
-LINE_COMMENT=41
-BRACKETED_COMMENT=42
-WS=43
+SEQ=17
+ASGN=18
+EQ=19
+NEQ=20
+LT=21
+LTE=22
+GT=23
+GTE=24
+PLUS=25
+MINUS=26
+ASTERISK=27
+SLASH=28
+PERCENT=29
+DOT=30
+COMMA=31
+LB=32
+RB=33
+LP=34
+RP=35
+PIPE=36
+ESCAPED_IDENTIFIER=37
+STRING=38
+INTEGER_VALUE=39
+DECIMAL_VALUE=40
+IDENTIFIER=41
+LINE_COMMENT=42
+BRACKETED_COMMENT=43
+WS=44
'and'=1
'any'=2
'by'=3
@@ -57,22 +58,23 @@ WS=43
'until'=14
'where'=15
'with'=16
-'='=17
-'=='=18
-'!='=19
-'<'=20
-'<='=21
-'>'=22
-'>='=23
-'+'=24
-'-'=25
-'*'=26
-'/'=27
-'%'=28
-'.'=29
-','=30
-'['=31
-']'=32
-'('=33
-')'=34
-'|'=35
+':'=17
+'='=18
+'=='=19
+'!='=20
+'<'=21
+'<='=22
+'>'=23
+'>='=24
+'+'=25
+'-'=26
+'*'=27
+'/'=28
+'%'=29
+'.'=30
+','=31
+'['=32
+']'=33
+'('=34
+')'=35
+'|'=36
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/scalar/whitelist/InternalEqlScriptUtils.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/scalar/whitelist/InternalEqlScriptUtils.java
index 9443fde3784..c0cf355ab52 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/scalar/whitelist/InternalEqlScriptUtils.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/scalar/whitelist/InternalEqlScriptUtils.java
@@ -6,6 +6,7 @@
package org.elasticsearch.xpack.eql.expression.function.scalar.whitelist;
+import org.elasticsearch.xpack.eql.expression.function.scalar.math.ToNumberFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.BetweenFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.CIDRMatchFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.ConcatFunctionProcessor;
@@ -14,12 +15,13 @@ import org.elasticsearch.xpack.eql.expression.function.scalar.string.IndexOfFunc
import org.elasticsearch.xpack.eql.expression.function.scalar.string.LengthFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.StringContainsFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.SubstringFunctionProcessor;
-import org.elasticsearch.xpack.eql.expression.function.scalar.math.ToNumberFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.ToStringFunctionProcessor;
import org.elasticsearch.xpack.ql.expression.function.scalar.whitelist.InternalQlScriptUtils;
import java.util.List;
+import static org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation;
+
/*
* Whitelisted class for EQL scripts.
* Acts as a registry of the various static methods used internally by the scalar functions
@@ -29,6 +31,14 @@ public class InternalEqlScriptUtils extends InternalQlScriptUtils {
InternalEqlScriptUtils() {}
+ public static Boolean seq(Object left, Object right) {
+ return InsensitiveBinaryComparisonOperation.SEQ.apply(left, right);
+ }
+
+ public static Boolean sneq(Object left, Object right) {
+ return InsensitiveBinaryComparisonOperation.SNEQ.apply(left, right);
+ }
+
public static String between(String s, String left, String right, Boolean greedy, Boolean caseSensitive) {
return (String) BetweenFunctionProcessor.doProcess(s, left, right, greedy, caseSensitive);
}
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparison.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparison.java
new file mode 100644
index 00000000000..4de323d7294
--- /dev/null
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparison.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
+
+import org.elasticsearch.common.logging.LoggerMessageFormat;
+import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation;
+import org.elasticsearch.xpack.ql.expression.Expression;
+import org.elasticsearch.xpack.ql.expression.Expressions;
+import org.elasticsearch.xpack.ql.expression.Expressions.ParamOrdinal;
+import org.elasticsearch.xpack.ql.expression.TypeResolutions;
+import org.elasticsearch.xpack.ql.expression.gen.pipeline.Pipe;
+import org.elasticsearch.xpack.ql.expression.predicate.BinaryOperator;
+import org.elasticsearch.xpack.ql.tree.Source;
+import org.elasticsearch.xpack.ql.type.DataType;
+import org.elasticsearch.xpack.ql.type.DataTypes;
+
+import java.time.ZoneId;
+
+// marker class to indicate operations that rely on values
+public abstract class InsensitiveBinaryComparison extends BinaryOperator {
+
+ private final ZoneId zoneId;
+
+ protected InsensitiveBinaryComparison(Source source, Expression left, Expression right, InsensitiveBinaryComparisonOperation operation,
+ ZoneId zoneId) {
+ super(source, left, right, operation);
+ this.zoneId = zoneId;
+ }
+
+ public ZoneId zoneId() {
+ return zoneId;
+ }
+
+ @Override
+ protected TypeResolution resolveInputType(Expression e, ParamOrdinal paramOrdinal) {
+ String op = function().symbol();
+ TypeResolution resolution = TypeResolutions.isString(e, op, paramOrdinal);
+ if (resolution.unresolved()) {
+ String message = LoggerMessageFormat.format(null, "{}; consider using [{}] instead", resolution.message(),
+ regularOperatorSymbol());
+ resolution = new TypeResolution(message);
+ }
+ return resolution;
+ }
+
+ /**
+ * Symbol of the regular
+ */
+ protected abstract String regularOperatorSymbol();
+
+ @Override
+ protected Expression canonicalize() {
+ return left().hashCode() > right().hashCode() ? swapLeftAndRight() : this;
+ }
+
+ @Override
+ public DataType dataType() {
+ return DataTypes.BOOLEAN;
+ }
+
+ @Override
+ protected Pipe makePipe() {
+ return new InsensitiveBinaryComparisonPipe(source(), this, Expressions.pipe(left()), Expressions.pipe(right()), function());
+ }
+}
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonPipe.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonPipe.java
new file mode 100644
index 00000000000..47a5bbf538b
--- /dev/null
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonPipe.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
+
+import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation;
+import org.elasticsearch.xpack.ql.expression.Expression;
+import org.elasticsearch.xpack.ql.expression.gen.pipeline.BinaryPipe;
+import org.elasticsearch.xpack.ql.expression.gen.pipeline.Pipe;
+import org.elasticsearch.xpack.ql.tree.NodeInfo;
+import org.elasticsearch.xpack.ql.tree.Source;
+
+import java.util.Objects;
+
+public class InsensitiveBinaryComparisonPipe extends BinaryPipe {
+
+ private final InsensitiveBinaryComparisonOperation operation;
+
+ public InsensitiveBinaryComparisonPipe(Source source, Expression expression, Pipe left, Pipe right,
+ InsensitiveBinaryComparisonOperation operation) {
+ super(source, expression, left, right);
+ this.operation = operation;
+ }
+
+ @Override
+ protected NodeInfo info() {
+ return NodeInfo.create(this, InsensitiveBinaryComparisonPipe::new, expression(), left(), right(), operation);
+ }
+
+ @Override
+ protected InsensitiveBinaryComparisonPipe replaceChildren(Pipe left, Pipe right) {
+ return new InsensitiveBinaryComparisonPipe(source(), expression(), left, right, operation);
+ }
+
+ @Override
+ public InsensitiveBinaryComparisonProcessor asProcessor() {
+ return new InsensitiveBinaryComparisonProcessor(left().asProcessor(), right().asProcessor(), operation);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(super.hashCode(), operation);
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (super.equals(obj)) {
+ InsensitiveBinaryComparisonPipe other = (InsensitiveBinaryComparisonPipe) obj;
+ return Objects.equals(operation, other.operation);
+ }
+ return false;
+ }
+}
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonProcessor.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonProcessor.java
new file mode 100644
index 00000000000..35c4a3a1eca
--- /dev/null
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonProcessor.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
+
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.xpack.ql.expression.gen.processor.FunctionalEnumBinaryProcessor;
+import org.elasticsearch.xpack.ql.expression.gen.processor.Processor;
+import org.elasticsearch.xpack.ql.expression.predicate.PredicateBiFunction;
+
+import java.io.IOException;
+import java.util.function.BiFunction;
+
+public class InsensitiveBinaryComparisonProcessor extends
+ FunctionalEnumBinaryProcessor {
+
+ public enum InsensitiveBinaryComparisonOperation implements PredicateBiFunction {
+
+ SEQ(StringComparisons::insensitiveEquals, ":"),
+ SNEQ(StringComparisons::insensitiveNotEquals, "!:");
+
+ private final BiFunction process;
+ private final String symbol;
+
+ InsensitiveBinaryComparisonOperation(BiFunction process, String symbol) {
+ this.process = process;
+ this.symbol = symbol;
+ }
+
+ @Override
+ public String symbol() {
+ return symbol;
+ }
+
+ @Override
+ public Boolean apply(Object left, Object right) {
+ return doApply(left, right);
+ }
+
+ @Override
+ public final Boolean doApply(Object left, Object right) {
+ return process.apply(left, right);
+ }
+
+ @Override
+ public String toString() {
+ return symbol;
+ }
+ }
+
+ public static final String NAME = "cscb";
+
+ public InsensitiveBinaryComparisonProcessor(Processor left, Processor right, InsensitiveBinaryComparisonOperation operation) {
+ super(left, right, operation);
+ }
+
+ public InsensitiveBinaryComparisonProcessor(StreamInput in) throws IOException {
+ super(in, i -> i.readEnum(InsensitiveBinaryComparisonOperation.class));
+ }
+
+ @Override
+ public String getWriteableName() {
+ return NAME;
+ }
+
+ @Override
+ public Object process(Object input) {
+ return doProcess(left().process(input), right().process(input));
+ }
+}
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveEquals.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveEquals.java
new file mode 100644
index 00000000000..2d233bf5e22
--- /dev/null
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveEquals.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
+
+import org.elasticsearch.xpack.ql.expression.Expression;
+import org.elasticsearch.xpack.ql.expression.predicate.Negatable;
+import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.BinaryComparisonProcessor.BinaryComparisonOperation;
+import org.elasticsearch.xpack.ql.tree.NodeInfo;
+import org.elasticsearch.xpack.ql.tree.Source;
+
+import java.time.ZoneId;
+
+public class InsensitiveEquals extends InsensitiveBinaryComparison implements Negatable {
+
+ public InsensitiveEquals(Source source, Expression left, Expression right) {
+ this(source, left, right, null);
+ }
+
+ public InsensitiveEquals(Source source, Expression left, Expression right, ZoneId zoneId) {
+ super(source, left, right, InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation.SEQ, zoneId);
+ }
+
+ @Override
+ protected NodeInfo info() {
+ return NodeInfo.create(this, InsensitiveEquals::new, left(), right(), zoneId());
+ }
+
+ @Override
+ protected InsensitiveEquals replaceChildren(Expression newLeft, Expression newRight) {
+ return new InsensitiveEquals(source(), newLeft, newRight, zoneId());
+ }
+
+ @Override
+ public InsensitiveEquals swapLeftAndRight() {
+ return new InsensitiveEquals(source(), right(), left(), zoneId());
+ }
+
+ @Override
+ public InsensitiveBinaryComparison negate() {
+ return new InsensitiveNotEquals(source(), left(), right(), zoneId());
+ }
+
+ @Override
+ protected String regularOperatorSymbol() {
+ return BinaryComparisonOperation.EQ.symbol();
+ }
+}
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveNotEquals.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveNotEquals.java
new file mode 100644
index 00000000000..192e2a91be4
--- /dev/null
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveNotEquals.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
+
+import org.elasticsearch.xpack.ql.expression.Expression;
+import org.elasticsearch.xpack.ql.expression.predicate.Negatable;
+import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.BinaryComparisonProcessor.BinaryComparisonOperation;
+import org.elasticsearch.xpack.ql.tree.NodeInfo;
+import org.elasticsearch.xpack.ql.tree.Source;
+
+import java.time.ZoneId;
+
+;
+
+public class InsensitiveNotEquals extends InsensitiveBinaryComparison implements Negatable {
+
+ public InsensitiveNotEquals(Source source, Expression left, Expression right, ZoneId zoneId) {
+ super(source, left, right, InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation.SNEQ, zoneId);
+ }
+
+ @Override
+ protected NodeInfo info() {
+ return NodeInfo.create(this, InsensitiveNotEquals::new, left(), right(), zoneId());
+ }
+
+ @Override
+ protected InsensitiveNotEquals replaceChildren(Expression newLeft, Expression newRight) {
+ return new InsensitiveNotEquals(source(), newLeft, newRight, zoneId());
+ }
+
+ @Override
+ public InsensitiveNotEquals swapLeftAndRight() {
+ return new InsensitiveNotEquals(source(), right(), left(), zoneId());
+ }
+
+ @Override
+ public InsensitiveBinaryComparison negate() {
+ return new InsensitiveEquals(source(), left(), right(), zoneId());
+ }
+
+ @Override
+ protected String regularOperatorSymbol() {
+ return BinaryComparisonOperation.NEQ.symbol();
+ }
+}
+
+
+
+
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/StringComparisons.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/StringComparisons.java
new file mode 100644
index 00000000000..fe0923407db
--- /dev/null
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/StringComparisons.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
+
+import org.elasticsearch.xpack.eql.EqlIllegalArgumentException;
+
+/**
+ * EQL specific string comparison utilities.
+ */
+public final class StringComparisons {
+
+ private StringComparisons() {}
+
+ static Boolean insensitiveEquals(Object l, Object r) {
+ if (l instanceof String && r instanceof String) {
+ return ((String)l).compareToIgnoreCase((String) r) == 0;
+ }
+ if (l == null || r == null) {
+ return null;
+ }
+ throw new EqlIllegalArgumentException("Insensitive comparison can be applied only on strings");
+ }
+
+ static Boolean insensitiveNotEquals(Object l, Object r) {
+ Boolean equal = insensitiveEquals(l, r);
+ return equal == null ? null : (equal == Boolean.TRUE ? Boolean.FALSE : Boolean.TRUE);
+ }
+}
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/optimizer/Optimizer.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/optimizer/Optimizer.java
index f6a51254fc5..fdce2498a1c 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/optimizer/Optimizer.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/optimizer/Optimizer.java
@@ -7,6 +7,8 @@
package org.elasticsearch.xpack.eql.optimizer;
import org.elasticsearch.xpack.eql.EqlIllegalArgumentException;
+import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveBinaryComparison;
+import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveNotEquals;
import org.elasticsearch.xpack.eql.plan.logical.Join;
import org.elasticsearch.xpack.eql.plan.logical.KeyedFilter;
import org.elasticsearch.xpack.eql.plan.logical.LimitWithOffset;
@@ -38,8 +40,8 @@ import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.ConstantFolding;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.OptimizerRule;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.PropagateEquals;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.PruneLiteralsInOrderBy;
-import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.ReplaceSurrogateFunction;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.ReplaceMatchAll;
+import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.ReplaceSurrogateFunction;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.SetAsOptimized;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.TransformDirection;
import org.elasticsearch.xpack.ql.plan.logical.Filter;
@@ -54,6 +56,7 @@ import org.elasticsearch.xpack.ql.type.DataTypes;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
+import java.util.Objects;
import static java.util.Collections.singletonList;
import static java.util.stream.Collectors.toList;
@@ -67,11 +70,9 @@ public class Optimizer extends RuleExecutor {
@Override
protected Iterable.Batch> batches() {
Batch substitutions = new Batch("Substitution", Limiter.ONCE,
- // needed for replace wildcards
- new BooleanLiteralsOnTheRight(),
- new ReplaceWildcards(),
- new ReplaceSurrogateFunction(),
- new ReplaceMatchAll());
+ new ReplaceWildcards(),
+ new ReplaceSurrogateFunction(),
+ new ReplaceMatchAll());
Batch operators = new Batch("Operator Optimization",
new ConstantFolding(),
@@ -109,26 +110,29 @@ public class Optimizer extends RuleExecutor {
private static class ReplaceWildcards extends OptimizerRule {
- private static boolean isWildcard(Expression expr) {
- if (expr instanceof Literal) {
- Object value = expr.fold();
- return value instanceof String && value.toString().contains("*");
- }
- return false;
- }
-
@Override
protected LogicalPlan rule(Filter filter) {
return filter.transformExpressionsUp(e -> {
- // expr == "wildcard*phrase" || expr != "wildcard*phrase"
- if (e instanceof Equals || e instanceof NotEquals) {
- BinaryComparison cmp = (BinaryComparison) e;
+ // expr : "wildcard*phrase" || expr !: "wildcard*phrase"
+ if (e instanceof InsensitiveBinaryComparison) {
+ InsensitiveBinaryComparison cmp = (InsensitiveBinaryComparison) e;
- if (isWildcard(cmp.right())) {
- String wcString = cmp.right().fold().toString();
- Expression like = new Like(e.source(), cmp.left(), StringUtils.toLikePattern(wcString));
+ Expression target = null;
+ String wildString = null;
- if (e instanceof NotEquals) {
+ // check either side since the literals can be on both sides
+ // "a" : "*" is the same as "*" : "a"
+ if (isWildcard(cmp.left())) {
+ wildString = (String) cmp.left().fold();
+ target = cmp.right();
+ } else if (isWildcard(cmp.right())) {
+ wildString = (String) cmp.right().fold();
+ target = cmp.left();
+ }
+
+ if (target != null) {
+ Expression like = new Like(e.source(), target, StringUtils.toLikePattern(wildString));
+ if (e instanceof InsensitiveNotEquals) {
like = new Not(e.source(), like);
}
@@ -139,6 +143,14 @@ public class Optimizer extends RuleExecutor {
return e;
});
}
+
+ private static boolean isWildcard(Expression expr) {
+ if (expr instanceof Literal) {
+ Object value = expr.fold();
+ return value instanceof String && ((String) value).contains("*");
+ }
+ return false;
+ }
}
private static class ReplaceNullChecks extends OptimizerRule {
@@ -275,7 +287,7 @@ public class Optimizer extends RuleExecutor {
*/
static class PropagateJoinKeyConstraints extends OptimizerRule {
- class Constraint {
+ static class Constraint {
private final Expression condition;
private final KeyedFilter keyedFilter;
private final int keyPosition;
@@ -354,7 +366,7 @@ public class Optimizer extends RuleExecutor {
private KeyedFilter addConstraint(KeyedFilter k, List constraints) {
Expression constraint = Predicates.combineAnd(constraints.stream()
.map(c -> c.constraintFor(k))
- .filter(c -> c != null)
+ .filter(Objects::nonNull)
.collect(toList()));
return constraint != null
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java
index 3ad5afebec9..98041c68716 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java
@@ -18,20 +18,20 @@ class EqlBaseLexer extends Lexer {
new PredictionContextCache();
public static final int
AND=1, ANY=2, BY=3, FALSE=4, IN=5, JOIN=6, MAXSPAN=7, NOT=8, NULL=9, OF=10,
- OR=11, SEQUENCE=12, TRUE=13, UNTIL=14, WHERE=15, WITH=16, ASGN=17, EQ=18,
- NEQ=19, LT=20, LTE=21, GT=22, GTE=23, PLUS=24, MINUS=25, ASTERISK=26,
- SLASH=27, PERCENT=28, DOT=29, COMMA=30, LB=31, RB=32, LP=33, RP=34, PIPE=35,
- ESCAPED_IDENTIFIER=36, STRING=37, INTEGER_VALUE=38, DECIMAL_VALUE=39,
- IDENTIFIER=40, LINE_COMMENT=41, BRACKETED_COMMENT=42, WS=43;
+ OR=11, SEQUENCE=12, TRUE=13, UNTIL=14, WHERE=15, WITH=16, SEQ=17, ASGN=18,
+ EQ=19, NEQ=20, LT=21, LTE=22, GT=23, GTE=24, PLUS=25, MINUS=26, ASTERISK=27,
+ SLASH=28, PERCENT=29, DOT=30, COMMA=31, LB=32, RB=33, LP=34, RP=35, PIPE=36,
+ ESCAPED_IDENTIFIER=37, STRING=38, INTEGER_VALUE=39, DECIMAL_VALUE=40,
+ IDENTIFIER=41, LINE_COMMENT=42, BRACKETED_COMMENT=43, WS=44;
public static String[] modeNames = {
"DEFAULT_MODE"
};
public static final String[] ruleNames = {
"AND", "ANY", "BY", "FALSE", "IN", "JOIN", "MAXSPAN", "NOT", "NULL", "OF",
- "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", "EQ", "NEQ",
- "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", "PERCENT",
- "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER",
+ "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "SEQ", "ASGN", "EQ",
+ "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH",
+ "PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER",
"STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "EXPONENT",
"DIGIT", "LETTER", "LINE_COMMENT", "BRACKETED_COMMENT", "WS"
};
@@ -39,14 +39,14 @@ class EqlBaseLexer extends Lexer {
private static final String[] _LITERAL_NAMES = {
null, "'and'", "'any'", "'by'", "'false'", "'in'", "'join'", "'maxspan'",
"'not'", "'null'", "'of'", "'or'", "'sequence'", "'true'", "'until'",
- "'where'", "'with'", "'='", "'=='", "'!='", "'<'", "'<='", "'>'", "'>='",
- "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'", "'('",
- "')'", "'|'"
+ "'where'", "'with'", "':'", "'='", "'=='", "'!='", "'<'", "'<='", "'>'",
+ "'>='", "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'",
+ "'('", "')'", "'|'"
};
private static final String[] _SYMBOLIC_NAMES = {
null, "AND", "ANY", "BY", "FALSE", "IN", "JOIN", "MAXSPAN", "NOT", "NULL",
- "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", "EQ",
- "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH",
+ "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "SEQ", "ASGN",
+ "EQ", "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH",
"PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER",
"STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "LINE_COMMENT",
"BRACKETED_COMMENT", "WS"
@@ -106,140 +106,142 @@ class EqlBaseLexer extends Lexer {
public ATN getATN() { return _ATN; }
public static final String _serializedATN =
- "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2-\u0182\b\1\4\2\t"+
+ "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2.\u0186\b\1\4\2\t"+
"\2\4\3\t\3\4\4\t\4\4\5\t\5\4\6\t\6\4\7\t\7\4\b\t\b\4\t\t\t\4\n\t\n\4\13"+
"\t\13\4\f\t\f\4\r\t\r\4\16\t\16\4\17\t\17\4\20\t\20\4\21\t\21\4\22\t\22"+
"\4\23\t\23\4\24\t\24\4\25\t\25\4\26\t\26\4\27\t\27\4\30\t\30\4\31\t\31"+
"\4\32\t\32\4\33\t\33\4\34\t\34\4\35\t\35\4\36\t\36\4\37\t\37\4 \t \4!"+
"\t!\4\"\t\"\4#\t#\4$\t$\4%\t%\4&\t&\4\'\t\'\4(\t(\4)\t)\4*\t*\4+\t+\4"+
- ",\t,\4-\t-\4.\t.\4/\t/\3\2\3\2\3\2\3\2\3\3\3\3\3\3\3\3\3\4\3\4\3\4\3\5"+
- "\3\5\3\5\3\5\3\5\3\5\3\6\3\6\3\6\3\7\3\7\3\7\3\7\3\7\3\b\3\b\3\b\3\b\3"+
- "\b\3\b\3\b\3\b\3\t\3\t\3\t\3\t\3\n\3\n\3\n\3\n\3\n\3\13\3\13\3\13\3\f"+
- "\3\f\3\f\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\16\3\16\3\16\3\16\3\16"+
- "\3\17\3\17\3\17\3\17\3\17\3\17\3\20\3\20\3\20\3\20\3\20\3\20\3\21\3\21"+
- "\3\21\3\21\3\21\3\22\3\22\3\23\3\23\3\23\3\24\3\24\3\24\3\25\3\25\3\26"+
- "\3\26\3\26\3\27\3\27\3\30\3\30\3\30\3\31\3\31\3\32\3\32\3\33\3\33\3\34"+
- "\3\34\3\35\3\35\3\36\3\36\3\37\3\37\3 \3 \3!\3!\3\"\3\"\3#\3#\3$\3$\3"+
- "%\3%\3%\3%\7%\u00dd\n%\f%\16%\u00e0\13%\3%\3%\3&\3&\3&\3&\7&\u00e8\n&"+
- "\f&\16&\u00eb\13&\3&\3&\3&\3&\3&\7&\u00f2\n&\f&\16&\u00f5\13&\3&\3&\3"+
- "&\3&\3&\3&\3&\7&\u00fe\n&\f&\16&\u0101\13&\3&\3&\3&\3&\3&\3&\3&\7&\u010a"+
- "\n&\f&\16&\u010d\13&\3&\5&\u0110\n&\3\'\6\'\u0113\n\'\r\'\16\'\u0114\3"+
- "(\6(\u0118\n(\r(\16(\u0119\3(\3(\7(\u011e\n(\f(\16(\u0121\13(\3(\3(\6"+
- "(\u0125\n(\r(\16(\u0126\3(\6(\u012a\n(\r(\16(\u012b\3(\3(\7(\u0130\n("+
- "\f(\16(\u0133\13(\5(\u0135\n(\3(\3(\3(\3(\6(\u013b\n(\r(\16(\u013c\3("+
- "\3(\5(\u0141\n(\3)\3)\5)\u0145\n)\3)\3)\3)\7)\u014a\n)\f)\16)\u014d\13"+
- ")\3*\3*\5*\u0151\n*\3*\6*\u0154\n*\r*\16*\u0155\3+\3+\3,\3,\3-\3-\3-\3"+
- "-\7-\u0160\n-\f-\16-\u0163\13-\3-\5-\u0166\n-\3-\5-\u0169\n-\3-\3-\3."+
- "\3.\3.\3.\3.\7.\u0172\n.\f.\16.\u0175\13.\3.\3.\3.\3.\3.\3/\6/\u017d\n"+
- "/\r/\16/\u017e\3/\3/\3\u0173\2\60\3\3\5\4\7\5\t\6\13\7\r\b\17\t\21\n\23"+
+ ",\t,\4-\t-\4.\t.\4/\t/\4\60\t\60\3\2\3\2\3\2\3\2\3\3\3\3\3\3\3\3\3\4\3"+
+ "\4\3\4\3\5\3\5\3\5\3\5\3\5\3\5\3\6\3\6\3\6\3\7\3\7\3\7\3\7\3\7\3\b\3\b"+
+ "\3\b\3\b\3\b\3\b\3\b\3\b\3\t\3\t\3\t\3\t\3\n\3\n\3\n\3\n\3\n\3\13\3\13"+
+ "\3\13\3\f\3\f\3\f\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\16\3\16\3\16\3"+
+ "\16\3\16\3\17\3\17\3\17\3\17\3\17\3\17\3\20\3\20\3\20\3\20\3\20\3\20\3"+
+ "\21\3\21\3\21\3\21\3\21\3\22\3\22\3\23\3\23\3\24\3\24\3\24\3\25\3\25\3"+
+ "\25\3\26\3\26\3\27\3\27\3\27\3\30\3\30\3\31\3\31\3\31\3\32\3\32\3\33\3"+
+ "\33\3\34\3\34\3\35\3\35\3\36\3\36\3\37\3\37\3 \3 \3!\3!\3\"\3\"\3#\3#"+
+ "\3$\3$\3%\3%\3&\3&\3&\3&\7&\u00e1\n&\f&\16&\u00e4\13&\3&\3&\3\'\3\'\3"+
+ "\'\3\'\7\'\u00ec\n\'\f\'\16\'\u00ef\13\'\3\'\3\'\3\'\3\'\3\'\7\'\u00f6"+
+ "\n\'\f\'\16\'\u00f9\13\'\3\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'\u0102\n\'\f\'"+
+ "\16\'\u0105\13\'\3\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'\u010e\n\'\f\'\16\'\u0111"+
+ "\13\'\3\'\5\'\u0114\n\'\3(\6(\u0117\n(\r(\16(\u0118\3)\6)\u011c\n)\r)"+
+ "\16)\u011d\3)\3)\7)\u0122\n)\f)\16)\u0125\13)\3)\3)\6)\u0129\n)\r)\16"+
+ ")\u012a\3)\6)\u012e\n)\r)\16)\u012f\3)\3)\7)\u0134\n)\f)\16)\u0137\13"+
+ ")\5)\u0139\n)\3)\3)\3)\3)\6)\u013f\n)\r)\16)\u0140\3)\3)\5)\u0145\n)\3"+
+ "*\3*\5*\u0149\n*\3*\3*\3*\7*\u014e\n*\f*\16*\u0151\13*\3+\3+\5+\u0155"+
+ "\n+\3+\6+\u0158\n+\r+\16+\u0159\3,\3,\3-\3-\3.\3.\3.\3.\7.\u0164\n.\f"+
+ ".\16.\u0167\13.\3.\5.\u016a\n.\3.\5.\u016d\n.\3.\3.\3/\3/\3/\3/\3/\7/"+
+ "\u0176\n/\f/\16/\u0179\13/\3/\3/\3/\3/\3/\3\60\6\60\u0181\n\60\r\60\16"+
+ "\60\u0182\3\60\3\60\3\u0177\2\61\3\3\5\4\7\5\t\6\13\7\r\b\17\t\21\n\23"+
"\13\25\f\27\r\31\16\33\17\35\20\37\21!\22#\23%\24\'\25)\26+\27-\30/\31"+
- "\61\32\63\33\65\34\67\359\36;\37= ?!A\"C#E$G%I&K\'M(O)Q*S\2U\2W\2Y+[,"+
- "]-\3\2\17\3\2bb\n\2$$))^^ddhhppttvv\6\2\f\f\17\17))^^\6\2\f\f\17\17$$"+
- "^^\5\2\f\f\17\17$$\5\2\f\f\17\17))\4\2BBaa\4\2GGgg\4\2--//\3\2\62;\4\2"+
- "C\\c|\4\2\f\f\17\17\5\2\13\f\17\17\"\"\u01a2\2\3\3\2\2\2\2\5\3\2\2\2\2"+
- "\7\3\2\2\2\2\t\3\2\2\2\2\13\3\2\2\2\2\r\3\2\2\2\2\17\3\2\2\2\2\21\3\2"+
- "\2\2\2\23\3\2\2\2\2\25\3\2\2\2\2\27\3\2\2\2\2\31\3\2\2\2\2\33\3\2\2\2"+
- "\2\35\3\2\2\2\2\37\3\2\2\2\2!\3\2\2\2\2#\3\2\2\2\2%\3\2\2\2\2\'\3\2\2"+
- "\2\2)\3\2\2\2\2+\3\2\2\2\2-\3\2\2\2\2/\3\2\2\2\2\61\3\2\2\2\2\63\3\2\2"+
- "\2\2\65\3\2\2\2\2\67\3\2\2\2\29\3\2\2\2\2;\3\2\2\2\2=\3\2\2\2\2?\3\2\2"+
- "\2\2A\3\2\2\2\2C\3\2\2\2\2E\3\2\2\2\2G\3\2\2\2\2I\3\2\2\2\2K\3\2\2\2\2"+
- "M\3\2\2\2\2O\3\2\2\2\2Q\3\2\2\2\2Y\3\2\2\2\2[\3\2\2\2\2]\3\2\2\2\3_\3"+
- "\2\2\2\5c\3\2\2\2\7g\3\2\2\2\tj\3\2\2\2\13p\3\2\2\2\rs\3\2\2\2\17x\3\2"+
- "\2\2\21\u0080\3\2\2\2\23\u0084\3\2\2\2\25\u0089\3\2\2\2\27\u008c\3\2\2"+
- "\2\31\u008f\3\2\2\2\33\u0098\3\2\2\2\35\u009d\3\2\2\2\37\u00a3\3\2\2\2"+
- "!\u00a9\3\2\2\2#\u00ae\3\2\2\2%\u00b0\3\2\2\2\'\u00b3\3\2\2\2)\u00b6\3"+
- "\2\2\2+\u00b8\3\2\2\2-\u00bb\3\2\2\2/\u00bd\3\2\2\2\61\u00c0\3\2\2\2\63"+
- "\u00c2\3\2\2\2\65\u00c4\3\2\2\2\67\u00c6\3\2\2\29\u00c8\3\2\2\2;\u00ca"+
- "\3\2\2\2=\u00cc\3\2\2\2?\u00ce\3\2\2\2A\u00d0\3\2\2\2C\u00d2\3\2\2\2E"+
- "\u00d4\3\2\2\2G\u00d6\3\2\2\2I\u00d8\3\2\2\2K\u010f\3\2\2\2M\u0112\3\2"+
- "\2\2O\u0140\3\2\2\2Q\u0144\3\2\2\2S\u014e\3\2\2\2U\u0157\3\2\2\2W\u0159"+
- "\3\2\2\2Y\u015b\3\2\2\2[\u016c\3\2\2\2]\u017c\3\2\2\2_`\7c\2\2`a\7p\2"+
- "\2ab\7f\2\2b\4\3\2\2\2cd\7c\2\2de\7p\2\2ef\7{\2\2f\6\3\2\2\2gh\7d\2\2"+
- "hi\7{\2\2i\b\3\2\2\2jk\7h\2\2kl\7c\2\2lm\7n\2\2mn\7u\2\2no\7g\2\2o\n\3"+
- "\2\2\2pq\7k\2\2qr\7p\2\2r\f\3\2\2\2st\7l\2\2tu\7q\2\2uv\7k\2\2vw\7p\2"+
- "\2w\16\3\2\2\2xy\7o\2\2yz\7c\2\2z{\7z\2\2{|\7u\2\2|}\7r\2\2}~\7c\2\2~"+
- "\177\7p\2\2\177\20\3\2\2\2\u0080\u0081\7p\2\2\u0081\u0082\7q\2\2\u0082"+
- "\u0083\7v\2\2\u0083\22\3\2\2\2\u0084\u0085\7p\2\2\u0085\u0086\7w\2\2\u0086"+
- "\u0087\7n\2\2\u0087\u0088\7n\2\2\u0088\24\3\2\2\2\u0089\u008a\7q\2\2\u008a"+
- "\u008b\7h\2\2\u008b\26\3\2\2\2\u008c\u008d\7q\2\2\u008d\u008e\7t\2\2\u008e"+
- "\30\3\2\2\2\u008f\u0090\7u\2\2\u0090\u0091\7g\2\2\u0091\u0092\7s\2\2\u0092"+
- "\u0093\7w\2\2\u0093\u0094\7g\2\2\u0094\u0095\7p\2\2\u0095\u0096\7e\2\2"+
- "\u0096\u0097\7g\2\2\u0097\32\3\2\2\2\u0098\u0099\7v\2\2\u0099\u009a\7"+
- "t\2\2\u009a\u009b\7w\2\2\u009b\u009c\7g\2\2\u009c\34\3\2\2\2\u009d\u009e"+
- "\7w\2\2\u009e\u009f\7p\2\2\u009f\u00a0\7v\2\2\u00a0\u00a1\7k\2\2\u00a1"+
- "\u00a2\7n\2\2\u00a2\36\3\2\2\2\u00a3\u00a4\7y\2\2\u00a4\u00a5\7j\2\2\u00a5"+
- "\u00a6\7g\2\2\u00a6\u00a7\7t\2\2\u00a7\u00a8\7g\2\2\u00a8 \3\2\2\2\u00a9"+
- "\u00aa\7y\2\2\u00aa\u00ab\7k\2\2\u00ab\u00ac\7v\2\2\u00ac\u00ad\7j\2\2"+
- "\u00ad\"\3\2\2\2\u00ae\u00af\7?\2\2\u00af$\3\2\2\2\u00b0\u00b1\7?\2\2"+
- "\u00b1\u00b2\7?\2\2\u00b2&\3\2\2\2\u00b3\u00b4\7#\2\2\u00b4\u00b5\7?\2"+
- "\2\u00b5(\3\2\2\2\u00b6\u00b7\7>\2\2\u00b7*\3\2\2\2\u00b8\u00b9\7>\2\2"+
- "\u00b9\u00ba\7?\2\2\u00ba,\3\2\2\2\u00bb\u00bc\7@\2\2\u00bc.\3\2\2\2\u00bd"+
- "\u00be\7@\2\2\u00be\u00bf\7?\2\2\u00bf\60\3\2\2\2\u00c0\u00c1\7-\2\2\u00c1"+
- "\62\3\2\2\2\u00c2\u00c3\7/\2\2\u00c3\64\3\2\2\2\u00c4\u00c5\7,\2\2\u00c5"+
- "\66\3\2\2\2\u00c6\u00c7\7\61\2\2\u00c78\3\2\2\2\u00c8\u00c9\7\'\2\2\u00c9"+
- ":\3\2\2\2\u00ca\u00cb\7\60\2\2\u00cb<\3\2\2\2\u00cc\u00cd\7.\2\2\u00cd"+
- ">\3\2\2\2\u00ce\u00cf\7]\2\2\u00cf@\3\2\2\2\u00d0\u00d1\7_\2\2\u00d1B"+
- "\3\2\2\2\u00d2\u00d3\7*\2\2\u00d3D\3\2\2\2\u00d4\u00d5\7+\2\2\u00d5F\3"+
- "\2\2\2\u00d6\u00d7\7~\2\2\u00d7H\3\2\2\2\u00d8\u00de\7b\2\2\u00d9\u00dd"+
- "\n\2\2\2\u00da\u00db\7b\2\2\u00db\u00dd\7b\2\2\u00dc\u00d9\3\2\2\2\u00dc"+
- "\u00da\3\2\2\2\u00dd\u00e0\3\2\2\2\u00de\u00dc\3\2\2\2\u00de\u00df\3\2"+
- "\2\2\u00df\u00e1\3\2\2\2\u00e0\u00de\3\2\2\2\u00e1\u00e2\7b\2\2\u00e2"+
- "J\3\2\2\2\u00e3\u00e9\7)\2\2\u00e4\u00e5\7^\2\2\u00e5\u00e8\t\3\2\2\u00e6"+
- "\u00e8\n\4\2\2\u00e7\u00e4\3\2\2\2\u00e7\u00e6\3\2\2\2\u00e8\u00eb\3\2"+
- "\2\2\u00e9\u00e7\3\2\2\2\u00e9\u00ea\3\2\2\2\u00ea\u00ec\3\2\2\2\u00eb"+
- "\u00e9\3\2\2\2\u00ec\u0110\7)\2\2\u00ed\u00f3\7$\2\2\u00ee\u00ef\7^\2"+
- "\2\u00ef\u00f2\t\3\2\2\u00f0\u00f2\n\5\2\2\u00f1\u00ee\3\2\2\2\u00f1\u00f0"+
- "\3\2\2\2\u00f2\u00f5\3\2\2\2\u00f3\u00f1\3\2\2\2\u00f3\u00f4\3\2\2\2\u00f4"+
- "\u00f6\3\2\2\2\u00f5\u00f3\3\2\2\2\u00f6\u0110\7$\2\2\u00f7\u00f8\7A\2"+
- "\2\u00f8\u00f9\7$\2\2\u00f9\u00ff\3\2\2\2\u00fa\u00fb\7^\2\2\u00fb\u00fe"+
- "\7$\2\2\u00fc\u00fe\n\6\2\2\u00fd\u00fa\3\2\2\2\u00fd\u00fc\3\2\2\2\u00fe"+
- "\u0101\3\2\2\2\u00ff\u00fd\3\2\2\2\u00ff\u0100\3\2\2\2\u0100\u0102\3\2"+
- "\2\2\u0101\u00ff\3\2\2\2\u0102\u0110\7$\2\2\u0103\u0104\7A\2\2\u0104\u0105"+
- "\7)\2\2\u0105\u010b\3\2\2\2\u0106\u0107\7^\2\2\u0107\u010a\7)\2\2\u0108"+
- "\u010a\n\7\2\2\u0109\u0106\3\2\2\2\u0109\u0108\3\2\2\2\u010a\u010d\3\2"+
- "\2\2\u010b\u0109\3\2\2\2\u010b\u010c\3\2\2\2\u010c\u010e\3\2\2\2\u010d"+
- "\u010b\3\2\2\2\u010e\u0110\7)\2\2\u010f\u00e3\3\2\2\2\u010f\u00ed\3\2"+
- "\2\2\u010f\u00f7\3\2\2\2\u010f\u0103\3\2\2\2\u0110L\3\2\2\2\u0111\u0113"+
- "\5U+\2\u0112\u0111\3\2\2\2\u0113\u0114\3\2\2\2\u0114\u0112\3\2\2\2\u0114"+
- "\u0115\3\2\2\2\u0115N\3\2\2\2\u0116\u0118\5U+\2\u0117\u0116\3\2\2\2\u0118"+
- "\u0119\3\2\2\2\u0119\u0117\3\2\2\2\u0119\u011a\3\2\2\2\u011a\u011b\3\2"+
- "\2\2\u011b\u011f\5;\36\2\u011c\u011e\5U+\2\u011d\u011c\3\2\2\2\u011e\u0121"+
- "\3\2\2\2\u011f\u011d\3\2\2\2\u011f\u0120\3\2\2\2\u0120\u0141\3\2\2\2\u0121"+
- "\u011f\3\2\2\2\u0122\u0124\5;\36\2\u0123\u0125\5U+\2\u0124\u0123\3\2\2"+
- "\2\u0125\u0126\3\2\2\2\u0126\u0124\3\2\2\2\u0126\u0127\3\2\2\2\u0127\u0141"+
- "\3\2\2\2\u0128\u012a\5U+\2\u0129\u0128\3\2\2\2\u012a\u012b\3\2\2\2\u012b"+
- "\u0129\3\2\2\2\u012b\u012c\3\2\2\2\u012c\u0134\3\2\2\2\u012d\u0131\5;"+
- "\36\2\u012e\u0130\5U+\2\u012f\u012e\3\2\2\2\u0130\u0133\3\2\2\2\u0131"+
- "\u012f\3\2\2\2\u0131\u0132\3\2\2\2\u0132\u0135\3\2\2\2\u0133\u0131\3\2"+
- "\2\2\u0134\u012d\3\2\2\2\u0134\u0135\3\2\2\2\u0135\u0136\3\2\2\2\u0136"+
- "\u0137\5S*\2\u0137\u0141\3\2\2\2\u0138\u013a\5;\36\2\u0139\u013b\5U+\2"+
- "\u013a\u0139\3\2\2\2\u013b\u013c\3\2\2\2\u013c\u013a\3\2\2\2\u013c\u013d"+
- "\3\2\2\2\u013d\u013e\3\2\2\2\u013e\u013f\5S*\2\u013f\u0141\3\2\2\2\u0140"+
- "\u0117\3\2\2\2\u0140\u0122\3\2\2\2\u0140\u0129\3\2\2\2\u0140\u0138\3\2"+
- "\2\2\u0141P\3\2\2\2\u0142\u0145\5W,\2\u0143\u0145\t\b\2\2\u0144\u0142"+
- "\3\2\2\2\u0144\u0143\3\2\2\2\u0145\u014b\3\2\2\2\u0146\u014a\5W,\2\u0147"+
- "\u014a\5U+\2\u0148\u014a\7a\2\2\u0149\u0146\3\2\2\2\u0149\u0147\3\2\2"+
- "\2\u0149\u0148\3\2\2\2\u014a\u014d\3\2\2\2\u014b\u0149\3\2\2\2\u014b\u014c"+
- "\3\2\2\2\u014cR\3\2\2\2\u014d\u014b\3\2\2\2\u014e\u0150\t\t\2\2\u014f"+
- "\u0151\t\n\2\2\u0150\u014f\3\2\2\2\u0150\u0151\3\2\2\2\u0151\u0153\3\2"+
- "\2\2\u0152\u0154\5U+\2\u0153\u0152\3\2\2\2\u0154\u0155\3\2\2\2\u0155\u0153"+
- "\3\2\2\2\u0155\u0156\3\2\2\2\u0156T\3\2\2\2\u0157\u0158\t\13\2\2\u0158"+
- "V\3\2\2\2\u0159\u015a\t\f\2\2\u015aX\3\2\2\2\u015b\u015c\7\61\2\2\u015c"+
- "\u015d\7\61\2\2\u015d\u0161\3\2\2\2\u015e\u0160\n\r\2\2\u015f\u015e\3"+
- "\2\2\2\u0160\u0163\3\2\2\2\u0161\u015f\3\2\2\2\u0161\u0162\3\2\2\2\u0162"+
- "\u0165\3\2\2\2\u0163\u0161\3\2\2\2\u0164\u0166\7\17\2\2\u0165\u0164\3"+
- "\2\2\2\u0165\u0166\3\2\2\2\u0166\u0168\3\2\2\2\u0167\u0169\7\f\2\2\u0168"+
- "\u0167\3\2\2\2\u0168\u0169\3\2\2\2\u0169\u016a\3\2\2\2\u016a\u016b\b-"+
- "\2\2\u016bZ\3\2\2\2\u016c\u016d\7\61\2\2\u016d\u016e\7,\2\2\u016e\u0173"+
- "\3\2\2\2\u016f\u0172\5[.\2\u0170\u0172\13\2\2\2\u0171\u016f\3\2\2\2\u0171"+
- "\u0170\3\2\2\2\u0172\u0175\3\2\2\2\u0173\u0174\3\2\2\2\u0173\u0171\3\2"+
- "\2\2\u0174\u0176\3\2\2\2\u0175\u0173\3\2\2\2\u0176\u0177\7,\2\2\u0177"+
- "\u0178\7\61\2\2\u0178\u0179\3\2\2\2\u0179\u017a\b.\2\2\u017a\\\3\2\2\2"+
- "\u017b\u017d\t\16\2\2\u017c\u017b\3\2\2\2\u017d\u017e\3\2\2\2\u017e\u017c"+
- "\3\2\2\2\u017e\u017f\3\2\2\2\u017f\u0180\3\2\2\2\u0180\u0181\b/\2\2\u0181"+
- "^\3\2\2\2\"\2\u00dc\u00de\u00e7\u00e9\u00f1\u00f3\u00fd\u00ff\u0109\u010b"+
- "\u010f\u0114\u0119\u011f\u0126\u012b\u0131\u0134\u013c\u0140\u0144\u0149"+
- "\u014b\u0150\u0155\u0161\u0165\u0168\u0171\u0173\u017e\3\2\3\2";
+ "\61\32\63\33\65\34\67\359\36;\37= ?!A\"C#E$G%I&K\'M(O)Q*S+U\2W\2Y\2[,"+
+ "]-_.\3\2\17\3\2bb\n\2$$))^^ddhhppttvv\6\2\f\f\17\17))^^\6\2\f\f\17\17"+
+ "$$^^\5\2\f\f\17\17$$\5\2\f\f\17\17))\4\2BBaa\4\2GGgg\4\2--//\3\2\62;\4"+
+ "\2C\\c|\4\2\f\f\17\17\5\2\13\f\17\17\"\"\u01a6\2\3\3\2\2\2\2\5\3\2\2\2"+
+ "\2\7\3\2\2\2\2\t\3\2\2\2\2\13\3\2\2\2\2\r\3\2\2\2\2\17\3\2\2\2\2\21\3"+
+ "\2\2\2\2\23\3\2\2\2\2\25\3\2\2\2\2\27\3\2\2\2\2\31\3\2\2\2\2\33\3\2\2"+
+ "\2\2\35\3\2\2\2\2\37\3\2\2\2\2!\3\2\2\2\2#\3\2\2\2\2%\3\2\2\2\2\'\3\2"+
+ "\2\2\2)\3\2\2\2\2+\3\2\2\2\2-\3\2\2\2\2/\3\2\2\2\2\61\3\2\2\2\2\63\3\2"+
+ "\2\2\2\65\3\2\2\2\2\67\3\2\2\2\29\3\2\2\2\2;\3\2\2\2\2=\3\2\2\2\2?\3\2"+
+ "\2\2\2A\3\2\2\2\2C\3\2\2\2\2E\3\2\2\2\2G\3\2\2\2\2I\3\2\2\2\2K\3\2\2\2"+
+ "\2M\3\2\2\2\2O\3\2\2\2\2Q\3\2\2\2\2S\3\2\2\2\2[\3\2\2\2\2]\3\2\2\2\2_"+
+ "\3\2\2\2\3a\3\2\2\2\5e\3\2\2\2\7i\3\2\2\2\tl\3\2\2\2\13r\3\2\2\2\ru\3"+
+ "\2\2\2\17z\3\2\2\2\21\u0082\3\2\2\2\23\u0086\3\2\2\2\25\u008b\3\2\2\2"+
+ "\27\u008e\3\2\2\2\31\u0091\3\2\2\2\33\u009a\3\2\2\2\35\u009f\3\2\2\2\37"+
+ "\u00a5\3\2\2\2!\u00ab\3\2\2\2#\u00b0\3\2\2\2%\u00b2\3\2\2\2\'\u00b4\3"+
+ "\2\2\2)\u00b7\3\2\2\2+\u00ba\3\2\2\2-\u00bc\3\2\2\2/\u00bf\3\2\2\2\61"+
+ "\u00c1\3\2\2\2\63\u00c4\3\2\2\2\65\u00c6\3\2\2\2\67\u00c8\3\2\2\29\u00ca"+
+ "\3\2\2\2;\u00cc\3\2\2\2=\u00ce\3\2\2\2?\u00d0\3\2\2\2A\u00d2\3\2\2\2C"+
+ "\u00d4\3\2\2\2E\u00d6\3\2\2\2G\u00d8\3\2\2\2I\u00da\3\2\2\2K\u00dc\3\2"+
+ "\2\2M\u0113\3\2\2\2O\u0116\3\2\2\2Q\u0144\3\2\2\2S\u0148\3\2\2\2U\u0152"+
+ "\3\2\2\2W\u015b\3\2\2\2Y\u015d\3\2\2\2[\u015f\3\2\2\2]\u0170\3\2\2\2_"+
+ "\u0180\3\2\2\2ab\7c\2\2bc\7p\2\2cd\7f\2\2d\4\3\2\2\2ef\7c\2\2fg\7p\2\2"+
+ "gh\7{\2\2h\6\3\2\2\2ij\7d\2\2jk\7{\2\2k\b\3\2\2\2lm\7h\2\2mn\7c\2\2no"+
+ "\7n\2\2op\7u\2\2pq\7g\2\2q\n\3\2\2\2rs\7k\2\2st\7p\2\2t\f\3\2\2\2uv\7"+
+ "l\2\2vw\7q\2\2wx\7k\2\2xy\7p\2\2y\16\3\2\2\2z{\7o\2\2{|\7c\2\2|}\7z\2"+
+ "\2}~\7u\2\2~\177\7r\2\2\177\u0080\7c\2\2\u0080\u0081\7p\2\2\u0081\20\3"+
+ "\2\2\2\u0082\u0083\7p\2\2\u0083\u0084\7q\2\2\u0084\u0085\7v\2\2\u0085"+
+ "\22\3\2\2\2\u0086\u0087\7p\2\2\u0087\u0088\7w\2\2\u0088\u0089\7n\2\2\u0089"+
+ "\u008a\7n\2\2\u008a\24\3\2\2\2\u008b\u008c\7q\2\2\u008c\u008d\7h\2\2\u008d"+
+ "\26\3\2\2\2\u008e\u008f\7q\2\2\u008f\u0090\7t\2\2\u0090\30\3\2\2\2\u0091"+
+ "\u0092\7u\2\2\u0092\u0093\7g\2\2\u0093\u0094\7s\2\2\u0094\u0095\7w\2\2"+
+ "\u0095\u0096\7g\2\2\u0096\u0097\7p\2\2\u0097\u0098\7e\2\2\u0098\u0099"+
+ "\7g\2\2\u0099\32\3\2\2\2\u009a\u009b\7v\2\2\u009b\u009c\7t\2\2\u009c\u009d"+
+ "\7w\2\2\u009d\u009e\7g\2\2\u009e\34\3\2\2\2\u009f\u00a0\7w\2\2\u00a0\u00a1"+
+ "\7p\2\2\u00a1\u00a2\7v\2\2\u00a2\u00a3\7k\2\2\u00a3\u00a4\7n\2\2\u00a4"+
+ "\36\3\2\2\2\u00a5\u00a6\7y\2\2\u00a6\u00a7\7j\2\2\u00a7\u00a8\7g\2\2\u00a8"+
+ "\u00a9\7t\2\2\u00a9\u00aa\7g\2\2\u00aa \3\2\2\2\u00ab\u00ac\7y\2\2\u00ac"+
+ "\u00ad\7k\2\2\u00ad\u00ae\7v\2\2\u00ae\u00af\7j\2\2\u00af\"\3\2\2\2\u00b0"+
+ "\u00b1\7<\2\2\u00b1$\3\2\2\2\u00b2\u00b3\7?\2\2\u00b3&\3\2\2\2\u00b4\u00b5"+
+ "\7?\2\2\u00b5\u00b6\7?\2\2\u00b6(\3\2\2\2\u00b7\u00b8\7#\2\2\u00b8\u00b9"+
+ "\7?\2\2\u00b9*\3\2\2\2\u00ba\u00bb\7>\2\2\u00bb,\3\2\2\2\u00bc\u00bd\7"+
+ ">\2\2\u00bd\u00be\7?\2\2\u00be.\3\2\2\2\u00bf\u00c0\7@\2\2\u00c0\60\3"+
+ "\2\2\2\u00c1\u00c2\7@\2\2\u00c2\u00c3\7?\2\2\u00c3\62\3\2\2\2\u00c4\u00c5"+
+ "\7-\2\2\u00c5\64\3\2\2\2\u00c6\u00c7\7/\2\2\u00c7\66\3\2\2\2\u00c8\u00c9"+
+ "\7,\2\2\u00c98\3\2\2\2\u00ca\u00cb\7\61\2\2\u00cb:\3\2\2\2\u00cc\u00cd"+
+ "\7\'\2\2\u00cd<\3\2\2\2\u00ce\u00cf\7\60\2\2\u00cf>\3\2\2\2\u00d0\u00d1"+
+ "\7.\2\2\u00d1@\3\2\2\2\u00d2\u00d3\7]\2\2\u00d3B\3\2\2\2\u00d4\u00d5\7"+
+ "_\2\2\u00d5D\3\2\2\2\u00d6\u00d7\7*\2\2\u00d7F\3\2\2\2\u00d8\u00d9\7+"+
+ "\2\2\u00d9H\3\2\2\2\u00da\u00db\7~\2\2\u00dbJ\3\2\2\2\u00dc\u00e2\7b\2"+
+ "\2\u00dd\u00e1\n\2\2\2\u00de\u00df\7b\2\2\u00df\u00e1\7b\2\2\u00e0\u00dd"+
+ "\3\2\2\2\u00e0\u00de\3\2\2\2\u00e1\u00e4\3\2\2\2\u00e2\u00e0\3\2\2\2\u00e2"+
+ "\u00e3\3\2\2\2\u00e3\u00e5\3\2\2\2\u00e4\u00e2\3\2\2\2\u00e5\u00e6\7b"+
+ "\2\2\u00e6L\3\2\2\2\u00e7\u00ed\7)\2\2\u00e8\u00e9\7^\2\2\u00e9\u00ec"+
+ "\t\3\2\2\u00ea\u00ec\n\4\2\2\u00eb\u00e8\3\2\2\2\u00eb\u00ea\3\2\2\2\u00ec"+
+ "\u00ef\3\2\2\2\u00ed\u00eb\3\2\2\2\u00ed\u00ee\3\2\2\2\u00ee\u00f0\3\2"+
+ "\2\2\u00ef\u00ed\3\2\2\2\u00f0\u0114\7)\2\2\u00f1\u00f7\7$\2\2\u00f2\u00f3"+
+ "\7^\2\2\u00f3\u00f6\t\3\2\2\u00f4\u00f6\n\5\2\2\u00f5\u00f2\3\2\2\2\u00f5"+
+ "\u00f4\3\2\2\2\u00f6\u00f9\3\2\2\2\u00f7\u00f5\3\2\2\2\u00f7\u00f8\3\2"+
+ "\2\2\u00f8\u00fa\3\2\2\2\u00f9\u00f7\3\2\2\2\u00fa\u0114\7$\2\2\u00fb"+
+ "\u00fc\7A\2\2\u00fc\u00fd\7$\2\2\u00fd\u0103\3\2\2\2\u00fe\u00ff\7^\2"+
+ "\2\u00ff\u0102\7$\2\2\u0100\u0102\n\6\2\2\u0101\u00fe\3\2\2\2\u0101\u0100"+
+ "\3\2\2\2\u0102\u0105\3\2\2\2\u0103\u0101\3\2\2\2\u0103\u0104\3\2\2\2\u0104"+
+ "\u0106\3\2\2\2\u0105\u0103\3\2\2\2\u0106\u0114\7$\2\2\u0107\u0108\7A\2"+
+ "\2\u0108\u0109\7)\2\2\u0109\u010f\3\2\2\2\u010a\u010b\7^\2\2\u010b\u010e"+
+ "\7)\2\2\u010c\u010e\n\7\2\2\u010d\u010a\3\2\2\2\u010d\u010c\3\2\2\2\u010e"+
+ "\u0111\3\2\2\2\u010f\u010d\3\2\2\2\u010f\u0110\3\2\2\2\u0110\u0112\3\2"+
+ "\2\2\u0111\u010f\3\2\2\2\u0112\u0114\7)\2\2\u0113\u00e7\3\2\2\2\u0113"+
+ "\u00f1\3\2\2\2\u0113\u00fb\3\2\2\2\u0113\u0107\3\2\2\2\u0114N\3\2\2\2"+
+ "\u0115\u0117\5W,\2\u0116\u0115\3\2\2\2\u0117\u0118\3\2\2\2\u0118\u0116"+
+ "\3\2\2\2\u0118\u0119\3\2\2\2\u0119P\3\2\2\2\u011a\u011c\5W,\2\u011b\u011a"+
+ "\3\2\2\2\u011c\u011d\3\2\2\2\u011d\u011b\3\2\2\2\u011d\u011e\3\2\2\2\u011e"+
+ "\u011f\3\2\2\2\u011f\u0123\5=\37\2\u0120\u0122\5W,\2\u0121\u0120\3\2\2"+
+ "\2\u0122\u0125\3\2\2\2\u0123\u0121\3\2\2\2\u0123\u0124\3\2\2\2\u0124\u0145"+
+ "\3\2\2\2\u0125\u0123\3\2\2\2\u0126\u0128\5=\37\2\u0127\u0129\5W,\2\u0128"+
+ "\u0127\3\2\2\2\u0129\u012a\3\2\2\2\u012a\u0128\3\2\2\2\u012a\u012b\3\2"+
+ "\2\2\u012b\u0145\3\2\2\2\u012c\u012e\5W,\2\u012d\u012c\3\2\2\2\u012e\u012f"+
+ "\3\2\2\2\u012f\u012d\3\2\2\2\u012f\u0130\3\2\2\2\u0130\u0138\3\2\2\2\u0131"+
+ "\u0135\5=\37\2\u0132\u0134\5W,\2\u0133\u0132\3\2\2\2\u0134\u0137\3\2\2"+
+ "\2\u0135\u0133\3\2\2\2\u0135\u0136\3\2\2\2\u0136\u0139\3\2\2\2\u0137\u0135"+
+ "\3\2\2\2\u0138\u0131\3\2\2\2\u0138\u0139\3\2\2\2\u0139\u013a\3\2\2\2\u013a"+
+ "\u013b\5U+\2\u013b\u0145\3\2\2\2\u013c\u013e\5=\37\2\u013d\u013f\5W,\2"+
+ "\u013e\u013d\3\2\2\2\u013f\u0140\3\2\2\2\u0140\u013e\3\2\2\2\u0140\u0141"+
+ "\3\2\2\2\u0141\u0142\3\2\2\2\u0142\u0143\5U+\2\u0143\u0145\3\2\2\2\u0144"+
+ "\u011b\3\2\2\2\u0144\u0126\3\2\2\2\u0144\u012d\3\2\2\2\u0144\u013c\3\2"+
+ "\2\2\u0145R\3\2\2\2\u0146\u0149\5Y-\2\u0147\u0149\t\b\2\2\u0148\u0146"+
+ "\3\2\2\2\u0148\u0147\3\2\2\2\u0149\u014f\3\2\2\2\u014a\u014e\5Y-\2\u014b"+
+ "\u014e\5W,\2\u014c\u014e\7a\2\2\u014d\u014a\3\2\2\2\u014d\u014b\3\2\2"+
+ "\2\u014d\u014c\3\2\2\2\u014e\u0151\3\2\2\2\u014f\u014d\3\2\2\2\u014f\u0150"+
+ "\3\2\2\2\u0150T\3\2\2\2\u0151\u014f\3\2\2\2\u0152\u0154\t\t\2\2\u0153"+
+ "\u0155\t\n\2\2\u0154\u0153\3\2\2\2\u0154\u0155\3\2\2\2\u0155\u0157\3\2"+
+ "\2\2\u0156\u0158\5W,\2\u0157\u0156\3\2\2\2\u0158\u0159\3\2\2\2\u0159\u0157"+
+ "\3\2\2\2\u0159\u015a\3\2\2\2\u015aV\3\2\2\2\u015b\u015c\t\13\2\2\u015c"+
+ "X\3\2\2\2\u015d\u015e\t\f\2\2\u015eZ\3\2\2\2\u015f\u0160\7\61\2\2\u0160"+
+ "\u0161\7\61\2\2\u0161\u0165\3\2\2\2\u0162\u0164\n\r\2\2\u0163\u0162\3"+
+ "\2\2\2\u0164\u0167\3\2\2\2\u0165\u0163\3\2\2\2\u0165\u0166\3\2\2\2\u0166"+
+ "\u0169\3\2\2\2\u0167\u0165\3\2\2\2\u0168\u016a\7\17\2\2\u0169\u0168\3"+
+ "\2\2\2\u0169\u016a\3\2\2\2\u016a\u016c\3\2\2\2\u016b\u016d\7\f\2\2\u016c"+
+ "\u016b\3\2\2\2\u016c\u016d\3\2\2\2\u016d\u016e\3\2\2\2\u016e\u016f\b."+
+ "\2\2\u016f\\\3\2\2\2\u0170\u0171\7\61\2\2\u0171\u0172\7,\2\2\u0172\u0177"+
+ "\3\2\2\2\u0173\u0176\5]/\2\u0174\u0176\13\2\2\2\u0175\u0173\3\2\2\2\u0175"+
+ "\u0174\3\2\2\2\u0176\u0179\3\2\2\2\u0177\u0178\3\2\2\2\u0177\u0175\3\2"+
+ "\2\2\u0178\u017a\3\2\2\2\u0179\u0177\3\2\2\2\u017a\u017b\7,\2\2\u017b"+
+ "\u017c\7\61\2\2\u017c\u017d\3\2\2\2\u017d\u017e\b/\2\2\u017e^\3\2\2\2"+
+ "\u017f\u0181\t\16\2\2\u0180\u017f\3\2\2\2\u0181\u0182\3\2\2\2\u0182\u0180"+
+ "\3\2\2\2\u0182\u0183\3\2\2\2\u0183\u0184\3\2\2\2\u0184\u0185\b\60\2\2"+
+ "\u0185`\3\2\2\2\"\2\u00e0\u00e2\u00eb\u00ed\u00f5\u00f7\u0101\u0103\u010d"+
+ "\u010f\u0113\u0118\u011d\u0123\u012a\u012f\u0135\u0138\u0140\u0144\u0148"+
+ "\u014d\u014f\u0154\u0159\u0165\u0169\u016c\u0175\u0177\u0182\3\2\3\2";
public static final ATN _ATN =
new ATNDeserializer().deserialize(_serializedATN.toCharArray());
static {
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java
index a7c675cfe37..e4bf64a4531 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java
@@ -18,11 +18,11 @@ class EqlBaseParser extends Parser {
new PredictionContextCache();
public static final int
AND=1, ANY=2, BY=3, FALSE=4, IN=5, JOIN=6, MAXSPAN=7, NOT=8, NULL=9, OF=10,
- OR=11, SEQUENCE=12, TRUE=13, UNTIL=14, WHERE=15, WITH=16, ASGN=17, EQ=18,
- NEQ=19, LT=20, LTE=21, GT=22, GTE=23, PLUS=24, MINUS=25, ASTERISK=26,
- SLASH=27, PERCENT=28, DOT=29, COMMA=30, LB=31, RB=32, LP=33, RP=34, PIPE=35,
- ESCAPED_IDENTIFIER=36, STRING=37, INTEGER_VALUE=38, DECIMAL_VALUE=39,
- IDENTIFIER=40, LINE_COMMENT=41, BRACKETED_COMMENT=42, WS=43;
+ OR=11, SEQUENCE=12, TRUE=13, UNTIL=14, WHERE=15, WITH=16, SEQ=17, ASGN=18,
+ EQ=19, NEQ=20, LT=21, LTE=22, GT=23, GTE=24, PLUS=25, MINUS=26, ASTERISK=27,
+ SLASH=28, PERCENT=29, DOT=30, COMMA=31, LB=32, RB=33, LP=34, RP=35, PIPE=36,
+ ESCAPED_IDENTIFIER=37, STRING=38, INTEGER_VALUE=39, DECIMAL_VALUE=40,
+ IDENTIFIER=41, LINE_COMMENT=42, BRACKETED_COMMENT=43, WS=44;
public static final int
RULE_singleStatement = 0, RULE_singleExpression = 1, RULE_statement = 2,
RULE_query = 3, RULE_sequenceParams = 4, RULE_sequence = 5, RULE_join = 6,
@@ -45,14 +45,14 @@ class EqlBaseParser extends Parser {
private static final String[] _LITERAL_NAMES = {
null, "'and'", "'any'", "'by'", "'false'", "'in'", "'join'", "'maxspan'",
"'not'", "'null'", "'of'", "'or'", "'sequence'", "'true'", "'until'",
- "'where'", "'with'", "'='", "'=='", "'!='", "'<'", "'<='", "'>'", "'>='",
- "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'", "'('",
- "')'", "'|'"
+ "'where'", "'with'", "':'", "'='", "'=='", "'!='", "'<'", "'<='", "'>'",
+ "'>='", "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'",
+ "'('", "')'", "'|'"
};
private static final String[] _SYMBOLIC_NAMES = {
null, "AND", "ANY", "BY", "FALSE", "IN", "JOIN", "MAXSPAN", "NOT", "NULL",
- "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", "EQ",
- "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH",
+ "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "SEQ", "ASGN",
+ "EQ", "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH",
"PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER",
"STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "LINE_COMMENT",
"BRACKETED_COMMENT", "WS"
@@ -2077,6 +2077,7 @@ class EqlBaseParser extends Parser {
}
public static class ComparisonOperatorContext extends ParserRuleContext {
+ public TerminalNode SEQ() { return getToken(EqlBaseParser.SEQ, 0); }
public TerminalNode EQ() { return getToken(EqlBaseParser.EQ, 0); }
public TerminalNode NEQ() { return getToken(EqlBaseParser.NEQ, 0); }
public TerminalNode LT() { return getToken(EqlBaseParser.LT, 0); }
@@ -2111,7 +2112,7 @@ class EqlBaseParser extends Parser {
{
setState(251);
_la = _input.LA(1);
- if ( !((((_la) & ~0x3f) == 0 && ((1L << _la) & ((1L << EQ) | (1L << NEQ) | (1L << LT) | (1L << LTE) | (1L << GT) | (1L << GTE))) != 0)) ) {
+ if ( !((((_la) & ~0x3f) == 0 && ((1L << _la) & ((1L << SEQ) | (1L << EQ) | (1L << NEQ) | (1L << LT) | (1L << LTE) | (1L << GT) | (1L << GTE))) != 0)) ) {
_errHandler.recoverInline(this);
} else {
consume();
@@ -2549,7 +2550,7 @@ class EqlBaseParser extends Parser {
}
public static final String _serializedATN =
- "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\3-\u011d\4\2\t\2\4"+
+ "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\3.\u011d\4\2\t\2\4"+
"\3\t\3\4\4\t\4\4\5\t\5\4\6\t\6\4\7\t\7\4\b\t\b\4\t\t\t\4\n\t\n\4\13\t"+
"\13\4\f\t\f\4\r\t\r\4\16\t\16\4\17\t\17\4\20\t\20\4\21\t\21\4\22\t\22"+
"\4\23\t\23\4\24\t\24\4\25\t\25\4\26\t\26\4\27\t\27\4\30\t\30\4\31\t\31"+
@@ -2572,80 +2573,80 @@ class EqlBaseParser extends Parser {
"\3\32\3\32\3\32\3\32\6\32\u0107\n\32\r\32\16\32\u0108\3\32\7\32\u010c"+
"\n\32\f\32\16\32\u010f\13\32\3\33\3\33\3\34\3\34\5\34\u0115\n\34\3\35"+
"\3\35\5\35\u0119\n\35\3\36\3\36\3\36\2\4 $\37\2\4\6\b\n\f\16\20\22\24"+
- "\26\30\32\34\36 \"$&(*,.\60\62\64\668:\2\7\3\2\32\33\3\2\34\36\3\2\24"+
- "\31\4\2\6\6\17\17\4\2&&**\u0129\2<\3\2\2\2\4?\3\2\2\2\6B\3\2\2\2\bL\3"+
- "\2\2\2\nN\3\2\2\2\fS\3\2\2\2\16h\3\2\2\2\20v\3\2\2\2\22\u0082\3\2\2\2"+
- "\24\u008b\3\2\2\2\26\u008f\3\2\2\2\30\u0093\3\2\2\2\32\u0097\3\2\2\2\34"+
- "\u009b\3\2\2\2\36\u00a0\3\2\2\2 \u00a9\3\2\2\2\"\u00bb\3\2\2\2$\u00c4"+
- "\3\2\2\2&\u00d2\3\2\2\2(\u00e7\3\2\2\2*\u00e9\3\2\2\2,\u00fb\3\2\2\2."+
- "\u00fd\3\2\2\2\60\u00ff\3\2\2\2\62\u0101\3\2\2\2\64\u0110\3\2\2\2\66\u0112"+
- "\3\2\2\28\u0118\3\2\2\2:\u011a\3\2\2\2<=\5\6\4\2=>\7\2\2\3>\3\3\2\2\2"+
- "?@\5\36\20\2@A\7\2\2\3A\5\3\2\2\2BF\5\b\5\2CE\5\20\t\2DC\3\2\2\2EH\3\2"+
- "\2\2FD\3\2\2\2FG\3\2\2\2G\7\3\2\2\2HF\3\2\2\2IM\5\f\7\2JM\5\16\b\2KM\5"+
- "\32\16\2LI\3\2\2\2LJ\3\2\2\2LK\3\2\2\2M\t\3\2\2\2NO\7\22\2\2OP\7\t\2\2"+
- "PQ\7\23\2\2QR\5\66\34\2R\13\3\2\2\2S\\\7\16\2\2TV\5\22\n\2UW\5\n\6\2V"+
- "U\3\2\2\2VW\3\2\2\2W]\3\2\2\2XZ\5\n\6\2Y[\5\22\n\2ZY\3\2\2\2Z[\3\2\2\2"+
- "[]\3\2\2\2\\T\3\2\2\2\\X\3\2\2\2\\]\3\2\2\2]^\3\2\2\2^`\5\26\f\2_a\5\26"+
- "\f\2`_\3\2\2\2ab\3\2\2\2b`\3\2\2\2bc\3\2\2\2cf\3\2\2\2de\7\20\2\2eg\5"+
- "\26\f\2fd\3\2\2\2fg\3\2\2\2g\r\3\2\2\2hj\7\b\2\2ik\5\22\n\2ji\3\2\2\2"+
- "jk\3\2\2\2kl\3\2\2\2ln\5\24\13\2mo\5\24\13\2nm\3\2\2\2op\3\2\2\2pn\3\2"+
- "\2\2pq\3\2\2\2qt\3\2\2\2rs\7\20\2\2su\5\24\13\2tr\3\2\2\2tu\3\2\2\2u\17"+
- "\3\2\2\2vw\7%\2\2w\u0080\7*\2\2x}\5 \21\2yz\7 \2\2z|\5 \21\2{y\3\2\2\2"+
- "|\177\3\2\2\2}{\3\2\2\2}~\3\2\2\2~\u0081\3\2\2\2\177}\3\2\2\2\u0080x\3"+
- "\2\2\2\u0080\u0081\3\2\2\2\u0081\21\3\2\2\2\u0082\u0083\7\5\2\2\u0083"+
- "\u0088\5\36\20\2\u0084\u0085\7 \2\2\u0085\u0087\5\36\20\2\u0086\u0084"+
- "\3\2\2\2\u0087\u008a\3\2\2\2\u0088\u0086\3\2\2\2\u0088\u0089\3\2\2\2\u0089"+
- "\23\3\2\2\2\u008a\u0088\3\2\2\2\u008b\u008d\5\30\r\2\u008c\u008e\5\22"+
- "\n\2\u008d\u008c\3\2\2\2\u008d\u008e\3\2\2\2\u008e\25\3\2\2\2\u008f\u0091"+
- "\5\30\r\2\u0090\u0092\5\22\n\2\u0091\u0090\3\2\2\2\u0091\u0092\3\2\2\2"+
- "\u0092\27\3\2\2\2\u0093\u0094\7!\2\2\u0094\u0095\5\34\17\2\u0095\u0096"+
- "\7\"\2\2\u0096\31\3\2\2\2\u0097\u0098\5\34\17\2\u0098\33\3\2\2\2\u0099"+
- "\u009c\7\4\2\2\u009a\u009c\5\64\33\2\u009b\u0099\3\2\2\2\u009b\u009a\3"+
- "\2\2\2\u009c\u009d\3\2\2\2\u009d\u009e\7\21\2\2\u009e\u009f\5\36\20\2"+
- "\u009f\35\3\2\2\2\u00a0\u00a1\5 \21\2\u00a1\37\3\2\2\2\u00a2\u00a3\b\21"+
- "\1\2\u00a3\u00a4\7\n\2\2\u00a4\u00aa\5 \21\7\u00a5\u00a6\7*\2\2\u00a6"+
- "\u00a7\7\f\2\2\u00a7\u00aa\5\30\r\2\u00a8\u00aa\5\"\22\2\u00a9\u00a2\3"+
- "\2\2\2\u00a9\u00a5\3\2\2\2\u00a9\u00a8\3\2\2\2\u00aa\u00b3\3\2\2\2\u00ab"+
- "\u00ac\f\4\2\2\u00ac\u00ad\7\3\2\2\u00ad\u00b2\5 \21\5\u00ae\u00af\f\3"+
- "\2\2\u00af\u00b0\7\r\2\2\u00b0\u00b2\5 \21\4\u00b1\u00ab\3\2\2\2\u00b1"+
- "\u00ae\3\2\2\2\u00b2\u00b5\3\2\2\2\u00b3\u00b1\3\2\2\2\u00b3\u00b4\3\2"+
- "\2\2\u00b4!\3\2\2\2\u00b5\u00b3\3\2\2\2\u00b6\u00bc\5$\23\2\u00b7\u00b8"+
- "\5$\23\2\u00b8\u00b9\5.\30\2\u00b9\u00ba\5$\23\2\u00ba\u00bc\3\2\2\2\u00bb"+
- "\u00b6\3\2\2\2\u00bb\u00b7\3\2\2\2\u00bc#\3\2\2\2\u00bd\u00be\b\23\1\2"+
- "\u00be\u00c0\5(\25\2\u00bf\u00c1\5&\24\2\u00c0\u00bf\3\2\2\2\u00c0\u00c1"+
- "\3\2\2\2\u00c1\u00c5\3\2\2\2\u00c2\u00c3\t\2\2\2\u00c3\u00c5\5$\23\5\u00c4"+
- "\u00bd\3\2\2\2\u00c4\u00c2\3\2\2\2\u00c5\u00ce\3\2\2\2\u00c6\u00c7\f\4"+
- "\2\2\u00c7\u00c8\t\3\2\2\u00c8\u00cd\5$\23\5\u00c9\u00ca\f\3\2\2\u00ca"+
- "\u00cb\t\2\2\2\u00cb\u00cd\5$\23\4\u00cc\u00c6\3\2\2\2\u00cc\u00c9\3\2"+
- "\2\2\u00cd\u00d0\3\2\2\2\u00ce\u00cc\3\2\2\2\u00ce\u00cf\3\2\2\2\u00cf"+
- "%\3\2\2\2\u00d0\u00ce\3\2\2\2\u00d1\u00d3\7\n\2\2\u00d2\u00d1\3\2\2\2"+
- "\u00d2\u00d3\3\2\2\2\u00d3\u00d4\3\2\2\2\u00d4\u00d5\7\7\2\2\u00d5\u00d6"+
- "\7#\2\2\u00d6\u00db\5\36\20\2\u00d7\u00d8\7 \2\2\u00d8\u00da\5\36\20\2"+
- "\u00d9\u00d7\3\2\2\2\u00da\u00dd\3\2\2\2\u00db\u00d9\3\2\2\2\u00db\u00dc"+
- "\3\2\2\2\u00dc\u00de\3\2\2\2\u00dd\u00db\3\2\2\2\u00de\u00df\7$\2\2\u00df"+
- "\'\3\2\2\2\u00e0\u00e8\5,\27\2\u00e1\u00e8\5*\26\2\u00e2\u00e8\5\62\32"+
- "\2\u00e3\u00e4\7#\2\2\u00e4\u00e5\5\36\20\2\u00e5\u00e6\7$\2\2\u00e6\u00e8"+
- "\3\2\2\2\u00e7\u00e0\3\2\2\2\u00e7\u00e1\3\2\2\2\u00e7\u00e2\3\2\2\2\u00e7"+
- "\u00e3\3\2\2\2\u00e8)\3\2\2\2\u00e9\u00ea\7*\2\2\u00ea\u00f3\7#\2\2\u00eb"+
- "\u00f0\5\36\20\2\u00ec\u00ed\7 \2\2\u00ed\u00ef\5\36\20\2\u00ee\u00ec"+
- "\3\2\2\2\u00ef\u00f2\3\2\2\2\u00f0\u00ee\3\2\2\2\u00f0\u00f1\3\2\2\2\u00f1"+
- "\u00f4\3\2\2\2\u00f2\u00f0\3\2\2\2\u00f3\u00eb\3\2\2\2\u00f3\u00f4\3\2"+
- "\2\2\u00f4\u00f5\3\2\2\2\u00f5\u00f6\7$\2\2\u00f6+\3\2\2\2\u00f7\u00fc"+
- "\7\13\2\2\u00f8\u00fc\58\35\2\u00f9\u00fc\5\60\31\2\u00fa\u00fc\5:\36"+
- "\2\u00fb\u00f7\3\2\2\2\u00fb\u00f8\3\2\2\2\u00fb\u00f9\3\2\2\2\u00fb\u00fa"+
- "\3\2\2\2\u00fc-\3\2\2\2\u00fd\u00fe\t\4\2\2\u00fe/\3\2\2\2\u00ff\u0100"+
- "\t\5\2\2\u0100\61\3\2\2\2\u0101\u010d\5\64\33\2\u0102\u0103\7\37\2\2\u0103"+
- "\u010c\5\64\33\2\u0104\u0106\7!\2\2\u0105\u0107\7(\2\2\u0106\u0105\3\2"+
- "\2\2\u0107\u0108\3\2\2\2\u0108\u0106\3\2\2\2\u0108\u0109\3\2\2\2\u0109"+
- "\u010a\3\2\2\2\u010a\u010c\7\"\2\2\u010b\u0102\3\2\2\2\u010b\u0104\3\2"+
- "\2\2\u010c\u010f\3\2\2\2\u010d\u010b\3\2\2\2\u010d\u010e\3\2\2\2\u010e"+
- "\63\3\2\2\2\u010f\u010d\3\2\2\2\u0110\u0111\t\6\2\2\u0111\65\3\2\2\2\u0112"+
- "\u0114\58\35\2\u0113\u0115\7*\2\2\u0114\u0113\3\2\2\2\u0114\u0115\3\2"+
- "\2\2\u0115\67\3\2\2\2\u0116\u0119\7)\2\2\u0117\u0119\7(\2\2\u0118\u0116"+
- "\3\2\2\2\u0118\u0117\3\2\2\2\u01199\3\2\2\2\u011a\u011b\7\'\2\2\u011b"+
- ";\3\2\2\2%FLVZ\\bfjpt}\u0080\u0088\u008d\u0091\u009b\u00a9\u00b1\u00b3"+
- "\u00bb\u00c0\u00c4\u00cc\u00ce\u00d2\u00db\u00e7\u00f0\u00f3\u00fb\u0108"+
- "\u010b\u010d\u0114\u0118";
+ "\26\30\32\34\36 \"$&(*,.\60\62\64\668:\2\7\3\2\33\34\3\2\35\37\4\2\23"+
+ "\23\25\32\4\2\6\6\17\17\4\2\'\'++\u0129\2<\3\2\2\2\4?\3\2\2\2\6B\3\2\2"+
+ "\2\bL\3\2\2\2\nN\3\2\2\2\fS\3\2\2\2\16h\3\2\2\2\20v\3\2\2\2\22\u0082\3"+
+ "\2\2\2\24\u008b\3\2\2\2\26\u008f\3\2\2\2\30\u0093\3\2\2\2\32\u0097\3\2"+
+ "\2\2\34\u009b\3\2\2\2\36\u00a0\3\2\2\2 \u00a9\3\2\2\2\"\u00bb\3\2\2\2"+
+ "$\u00c4\3\2\2\2&\u00d2\3\2\2\2(\u00e7\3\2\2\2*\u00e9\3\2\2\2,\u00fb\3"+
+ "\2\2\2.\u00fd\3\2\2\2\60\u00ff\3\2\2\2\62\u0101\3\2\2\2\64\u0110\3\2\2"+
+ "\2\66\u0112\3\2\2\28\u0118\3\2\2\2:\u011a\3\2\2\2<=\5\6\4\2=>\7\2\2\3"+
+ ">\3\3\2\2\2?@\5\36\20\2@A\7\2\2\3A\5\3\2\2\2BF\5\b\5\2CE\5\20\t\2DC\3"+
+ "\2\2\2EH\3\2\2\2FD\3\2\2\2FG\3\2\2\2G\7\3\2\2\2HF\3\2\2\2IM\5\f\7\2JM"+
+ "\5\16\b\2KM\5\32\16\2LI\3\2\2\2LJ\3\2\2\2LK\3\2\2\2M\t\3\2\2\2NO\7\22"+
+ "\2\2OP\7\t\2\2PQ\7\24\2\2QR\5\66\34\2R\13\3\2\2\2S\\\7\16\2\2TV\5\22\n"+
+ "\2UW\5\n\6\2VU\3\2\2\2VW\3\2\2\2W]\3\2\2\2XZ\5\n\6\2Y[\5\22\n\2ZY\3\2"+
+ "\2\2Z[\3\2\2\2[]\3\2\2\2\\T\3\2\2\2\\X\3\2\2\2\\]\3\2\2\2]^\3\2\2\2^`"+
+ "\5\26\f\2_a\5\26\f\2`_\3\2\2\2ab\3\2\2\2b`\3\2\2\2bc\3\2\2\2cf\3\2\2\2"+
+ "de\7\20\2\2eg\5\26\f\2fd\3\2\2\2fg\3\2\2\2g\r\3\2\2\2hj\7\b\2\2ik\5\22"+
+ "\n\2ji\3\2\2\2jk\3\2\2\2kl\3\2\2\2ln\5\24\13\2mo\5\24\13\2nm\3\2\2\2o"+
+ "p\3\2\2\2pn\3\2\2\2pq\3\2\2\2qt\3\2\2\2rs\7\20\2\2su\5\24\13\2tr\3\2\2"+
+ "\2tu\3\2\2\2u\17\3\2\2\2vw\7&\2\2w\u0080\7+\2\2x}\5 \21\2yz\7!\2\2z|\5"+
+ " \21\2{y\3\2\2\2|\177\3\2\2\2}{\3\2\2\2}~\3\2\2\2~\u0081\3\2\2\2\177}"+
+ "\3\2\2\2\u0080x\3\2\2\2\u0080\u0081\3\2\2\2\u0081\21\3\2\2\2\u0082\u0083"+
+ "\7\5\2\2\u0083\u0088\5\36\20\2\u0084\u0085\7!\2\2\u0085\u0087\5\36\20"+
+ "\2\u0086\u0084\3\2\2\2\u0087\u008a\3\2\2\2\u0088\u0086\3\2\2\2\u0088\u0089"+
+ "\3\2\2\2\u0089\23\3\2\2\2\u008a\u0088\3\2\2\2\u008b\u008d\5\30\r\2\u008c"+
+ "\u008e\5\22\n\2\u008d\u008c\3\2\2\2\u008d\u008e\3\2\2\2\u008e\25\3\2\2"+
+ "\2\u008f\u0091\5\30\r\2\u0090\u0092\5\22\n\2\u0091\u0090\3\2\2\2\u0091"+
+ "\u0092\3\2\2\2\u0092\27\3\2\2\2\u0093\u0094\7\"\2\2\u0094\u0095\5\34\17"+
+ "\2\u0095\u0096\7#\2\2\u0096\31\3\2\2\2\u0097\u0098\5\34\17\2\u0098\33"+
+ "\3\2\2\2\u0099\u009c\7\4\2\2\u009a\u009c\5\64\33\2\u009b\u0099\3\2\2\2"+
+ "\u009b\u009a\3\2\2\2\u009c\u009d\3\2\2\2\u009d\u009e\7\21\2\2\u009e\u009f"+
+ "\5\36\20\2\u009f\35\3\2\2\2\u00a0\u00a1\5 \21\2\u00a1\37\3\2\2\2\u00a2"+
+ "\u00a3\b\21\1\2\u00a3\u00a4\7\n\2\2\u00a4\u00aa\5 \21\7\u00a5\u00a6\7"+
+ "+\2\2\u00a6\u00a7\7\f\2\2\u00a7\u00aa\5\30\r\2\u00a8\u00aa\5\"\22\2\u00a9"+
+ "\u00a2\3\2\2\2\u00a9\u00a5\3\2\2\2\u00a9\u00a8\3\2\2\2\u00aa\u00b3\3\2"+
+ "\2\2\u00ab\u00ac\f\4\2\2\u00ac\u00ad\7\3\2\2\u00ad\u00b2\5 \21\5\u00ae"+
+ "\u00af\f\3\2\2\u00af\u00b0\7\r\2\2\u00b0\u00b2\5 \21\4\u00b1\u00ab\3\2"+
+ "\2\2\u00b1\u00ae\3\2\2\2\u00b2\u00b5\3\2\2\2\u00b3\u00b1\3\2\2\2\u00b3"+
+ "\u00b4\3\2\2\2\u00b4!\3\2\2\2\u00b5\u00b3\3\2\2\2\u00b6\u00bc\5$\23\2"+
+ "\u00b7\u00b8\5$\23\2\u00b8\u00b9\5.\30\2\u00b9\u00ba\5$\23\2\u00ba\u00bc"+
+ "\3\2\2\2\u00bb\u00b6\3\2\2\2\u00bb\u00b7\3\2\2\2\u00bc#\3\2\2\2\u00bd"+
+ "\u00be\b\23\1\2\u00be\u00c0\5(\25\2\u00bf\u00c1\5&\24\2\u00c0\u00bf\3"+
+ "\2\2\2\u00c0\u00c1\3\2\2\2\u00c1\u00c5\3\2\2\2\u00c2\u00c3\t\2\2\2\u00c3"+
+ "\u00c5\5$\23\5\u00c4\u00bd\3\2\2\2\u00c4\u00c2\3\2\2\2\u00c5\u00ce\3\2"+
+ "\2\2\u00c6\u00c7\f\4\2\2\u00c7\u00c8\t\3\2\2\u00c8\u00cd\5$\23\5\u00c9"+
+ "\u00ca\f\3\2\2\u00ca\u00cb\t\2\2\2\u00cb\u00cd\5$\23\4\u00cc\u00c6\3\2"+
+ "\2\2\u00cc\u00c9\3\2\2\2\u00cd\u00d0\3\2\2\2\u00ce\u00cc\3\2\2\2\u00ce"+
+ "\u00cf\3\2\2\2\u00cf%\3\2\2\2\u00d0\u00ce\3\2\2\2\u00d1\u00d3\7\n\2\2"+
+ "\u00d2\u00d1\3\2\2\2\u00d2\u00d3\3\2\2\2\u00d3\u00d4\3\2\2\2\u00d4\u00d5"+
+ "\7\7\2\2\u00d5\u00d6\7$\2\2\u00d6\u00db\5\36\20\2\u00d7\u00d8\7!\2\2\u00d8"+
+ "\u00da\5\36\20\2\u00d9\u00d7\3\2\2\2\u00da\u00dd\3\2\2\2\u00db\u00d9\3"+
+ "\2\2\2\u00db\u00dc\3\2\2\2\u00dc\u00de\3\2\2\2\u00dd\u00db\3\2\2\2\u00de"+
+ "\u00df\7%\2\2\u00df\'\3\2\2\2\u00e0\u00e8\5,\27\2\u00e1\u00e8\5*\26\2"+
+ "\u00e2\u00e8\5\62\32\2\u00e3\u00e4\7$\2\2\u00e4\u00e5\5\36\20\2\u00e5"+
+ "\u00e6\7%\2\2\u00e6\u00e8\3\2\2\2\u00e7\u00e0\3\2\2\2\u00e7\u00e1\3\2"+
+ "\2\2\u00e7\u00e2\3\2\2\2\u00e7\u00e3\3\2\2\2\u00e8)\3\2\2\2\u00e9\u00ea"+
+ "\7+\2\2\u00ea\u00f3\7$\2\2\u00eb\u00f0\5\36\20\2\u00ec\u00ed\7!\2\2\u00ed"+
+ "\u00ef\5\36\20\2\u00ee\u00ec\3\2\2\2\u00ef\u00f2\3\2\2\2\u00f0\u00ee\3"+
+ "\2\2\2\u00f0\u00f1\3\2\2\2\u00f1\u00f4\3\2\2\2\u00f2\u00f0\3\2\2\2\u00f3"+
+ "\u00eb\3\2\2\2\u00f3\u00f4\3\2\2\2\u00f4\u00f5\3\2\2\2\u00f5\u00f6\7%"+
+ "\2\2\u00f6+\3\2\2\2\u00f7\u00fc\7\13\2\2\u00f8\u00fc\58\35\2\u00f9\u00fc"+
+ "\5\60\31\2\u00fa\u00fc\5:\36\2\u00fb\u00f7\3\2\2\2\u00fb\u00f8\3\2\2\2"+
+ "\u00fb\u00f9\3\2\2\2\u00fb\u00fa\3\2\2\2\u00fc-\3\2\2\2\u00fd\u00fe\t"+
+ "\4\2\2\u00fe/\3\2\2\2\u00ff\u0100\t\5\2\2\u0100\61\3\2\2\2\u0101\u010d"+
+ "\5\64\33\2\u0102\u0103\7 \2\2\u0103\u010c\5\64\33\2\u0104\u0106\7\"\2"+
+ "\2\u0105\u0107\7)\2\2\u0106\u0105\3\2\2\2\u0107\u0108\3\2\2\2\u0108\u0106"+
+ "\3\2\2\2\u0108\u0109\3\2\2\2\u0109\u010a\3\2\2\2\u010a\u010c\7#\2\2\u010b"+
+ "\u0102\3\2\2\2\u010b\u0104\3\2\2\2\u010c\u010f\3\2\2\2\u010d\u010b\3\2"+
+ "\2\2\u010d\u010e\3\2\2\2\u010e\63\3\2\2\2\u010f\u010d\3\2\2\2\u0110\u0111"+
+ "\t\6\2\2\u0111\65\3\2\2\2\u0112\u0114\58\35\2\u0113\u0115\7+\2\2\u0114"+
+ "\u0113\3\2\2\2\u0114\u0115\3\2\2\2\u0115\67\3\2\2\2\u0116\u0119\7*\2\2"+
+ "\u0117\u0119\7)\2\2\u0118\u0116\3\2\2\2\u0118\u0117\3\2\2\2\u01199\3\2"+
+ "\2\2\u011a\u011b\7(\2\2\u011b;\3\2\2\2%FLVZ\\bfjpt}\u0080\u0088\u008d"+
+ "\u0091\u009b\u00a9\u00b1\u00b3\u00bb\u00c0\u00c4\u00cc\u00ce\u00d2\u00db"+
+ "\u00e7\u00f0\u00f3\u00fb\u0108\u010b\u010d\u0114\u0118";
public static final ATN _ATN =
new ATNDeserializer().deserialize(_serializedATN.toCharArray());
static {
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/ExpressionBuilder.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/ExpressionBuilder.java
index 4d82f4b7711..f222d220e49 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/ExpressionBuilder.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/ExpressionBuilder.java
@@ -9,6 +9,7 @@ package org.elasticsearch.xpack.eql.parser;
import org.antlr.v4.runtime.ParserRuleContext;
import org.antlr.v4.runtime.tree.ParseTree;
import org.antlr.v4.runtime.tree.TerminalNode;
+import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveEquals;
import org.elasticsearch.xpack.eql.parser.EqlBaseParser.ArithmeticUnaryContext;
import org.elasticsearch.xpack.eql.parser.EqlBaseParser.ComparisonContext;
import org.elasticsearch.xpack.eql.parser.EqlBaseParser.DereferenceContext;
@@ -130,6 +131,8 @@ public class ExpressionBuilder extends IdentifierBuilder {
ZoneId zoneId = params.zoneId();
switch (op.getSymbol().getType()) {
+ case EqlBaseParser.SEQ:
+ return new InsensitiveEquals(source, left, right, zoneId);
case EqlBaseParser.EQ:
return new Equals(source, left, right, zoneId);
case EqlBaseParser.NEQ:
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/planner/QueryTranslator.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/planner/QueryTranslator.java
index 2a8a0294046..c9cca060eea 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/planner/QueryTranslator.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/planner/QueryTranslator.java
@@ -9,6 +9,9 @@ package org.elasticsearch.xpack.eql.planner;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.CIDRMatch;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.EndsWith;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.StringContains;
+import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveBinaryComparison;
+import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveEquals;
+import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveNotEquals;
import org.elasticsearch.xpack.ql.QlIllegalArgumentException;
import org.elasticsearch.xpack.ql.expression.Expression;
import org.elasticsearch.xpack.ql.expression.Expressions;
@@ -20,10 +23,14 @@ import org.elasticsearch.xpack.ql.expression.predicate.logical.Or;
import org.elasticsearch.xpack.ql.planner.ExpressionTranslator;
import org.elasticsearch.xpack.ql.planner.ExpressionTranslators;
import org.elasticsearch.xpack.ql.planner.TranslatorHandler;
+import org.elasticsearch.xpack.ql.querydsl.query.NotQuery;
import org.elasticsearch.xpack.ql.querydsl.query.Query;
import org.elasticsearch.xpack.ql.querydsl.query.ScriptQuery;
+import org.elasticsearch.xpack.ql.querydsl.query.TermQuery;
import org.elasticsearch.xpack.ql.querydsl.query.TermsQuery;
import org.elasticsearch.xpack.ql.querydsl.query.WildcardQuery;
+import org.elasticsearch.xpack.ql.tree.Source;
+import org.elasticsearch.xpack.ql.util.Check;
import org.elasticsearch.xpack.ql.util.CollectionUtils;
import java.util.Arrays;
@@ -37,6 +44,7 @@ import static org.elasticsearch.xpack.ql.planner.ExpressionTranslators.or;
final class QueryTranslator {
public static final List> QUERY_TRANSLATORS = Arrays.asList(
+ new InsensitiveBinaryComparisons(),
new ExpressionTranslators.BinaryComparisons(),
new ExpressionTranslators.Ranges(),
new BinaryLogic(),
@@ -65,6 +73,49 @@ final class QueryTranslator {
throw new QlIllegalArgumentException("Don't know how to translate {} {}", e.nodeName(), e);
}
+ public static class InsensitiveBinaryComparisons extends ExpressionTranslator {
+
+ @Override
+ protected Query asQuery(InsensitiveBinaryComparison bc, TranslatorHandler handler) {
+ return doTranslate(bc, handler);
+ }
+
+ public static Query doTranslate(InsensitiveBinaryComparison bc, TranslatorHandler handler) {
+ checkInsensitiveComparison(bc);
+ return handler.wrapFunctionQuery(bc, bc.left(), translate(bc, handler));
+ }
+
+ public static void checkInsensitiveComparison(InsensitiveBinaryComparison bc) {
+ Check.isTrue(bc.right().foldable(),
+ "Line {}:{}: Comparisons against fields are not (currently) supported; offender [{}] in [{}]",
+ bc.right().sourceLocation().getLineNumber(), bc.right().sourceLocation().getColumnNumber(),
+ Expressions.name(bc.right()), bc.symbol());
+ }
+
+ private static Query translate(InsensitiveBinaryComparison bc, TranslatorHandler handler) {
+ Source source = bc.source();
+ String name = handler.nameOf(bc.left());
+ Object value = valueOf(bc.right());
+
+ if (bc instanceof InsensitiveEquals || bc instanceof InsensitiveNotEquals) {
+ if (bc.left() instanceof FieldAttribute) {
+ // equality should always be against an exact match
+ // (which is important for strings)
+ name = ((FieldAttribute) bc.left()).exactAttribute().name();
+ }
+ Query query = new TermQuery(source, name, value);
+
+ if (bc instanceof InsensitiveNotEquals) {
+ query = new NotQuery(source, query);
+ }
+
+ return query;
+ }
+
+ throw new QlIllegalArgumentException("Don't know how to translate binary comparison [{}] in [{}]", bc.right().nodeString(), bc);
+ }
+ }
+
public static class BinaryLogic extends ExpressionTranslator {
@Override
diff --git a/x-pack/plugin/eql/src/main/resources/org/elasticsearch/xpack/eql/plugin/eql_whitelist.txt b/x-pack/plugin/eql/src/main/resources/org/elasticsearch/xpack/eql/plugin/eql_whitelist.txt
index e490fef17c3..a87176deb33 100644
--- a/x-pack/plugin/eql/src/main/resources/org/elasticsearch/xpack/eql/plugin/eql_whitelist.txt
+++ b/x-pack/plugin/eql/src/main/resources/org/elasticsearch/xpack/eql/plugin/eql_whitelist.txt
@@ -75,4 +75,10 @@ class org.elasticsearch.xpack.eql.expression.function.scalar.whitelist.InternalE
String string(Object)
Boolean stringContains(String, String, Boolean)
String substring(String, Number, Number)
+
+#
+# Comparison
+#
+ Boolean seq(Object, Object)
+ Boolean sneq(Object, Object)
}
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java
index 1c010b823bf..ab208aad433 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java
@@ -11,7 +11,10 @@ import org.elasticsearch.tasks.TaskId;
import org.elasticsearch.xpack.core.async.AsyncExecutionId;
import org.elasticsearch.xpack.eql.action.EqlSearchAction;
import org.elasticsearch.xpack.eql.action.EqlSearchTask;
+import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveEquals;
+import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveNotEquals;
import org.elasticsearch.xpack.eql.session.EqlConfiguration;
+import org.elasticsearch.xpack.ql.expression.Expression;
import java.util.Collections;
@@ -21,6 +24,7 @@ import static org.elasticsearch.test.ESTestCase.randomIntBetween;
import static org.elasticsearch.test.ESTestCase.randomLong;
import static org.elasticsearch.test.ESTestCase.randomNonNegativeLong;
import static org.elasticsearch.test.ESTestCase.randomZone;
+import static org.elasticsearch.xpack.ql.tree.Source.EMPTY;
public final class EqlTestUtils {
@@ -62,4 +66,13 @@ public final class EqlTestUtils {
return new EqlSearchTask(randomLong(), "transport", EqlSearchAction.NAME, "", null, Collections.emptyMap(), Collections.emptyMap(),
new AsyncExecutionId("", new TaskId(randomAlphaOfLength(10), 1)), TimeValue.timeValueDays(5));
}
+
+ public static InsensitiveEquals seq(Expression left, Expression right) {
+ return new InsensitiveEquals(EMPTY, left, right, randomZone());
+ }
+
+ public static InsensitiveNotEquals sneq(Expression left, Expression right) {
+ return new InsensitiveNotEquals(EMPTY, left, right, randomZone());
+ }
+
}
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java
index 17d9517ed01..fe27c045a7b 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java
@@ -332,4 +332,11 @@ public class VerifierTests extends ESTestCase {
"define one or use MATCH/QUERY instead",
error(idxr, "process where string(multi_field.english) == \"foo\""));
}
+
+ public void testIncorrectUsageOfStringEquals() {
+ final IndexResolution idxr = loadIndexResolution("mapping-default.json");
+ assertEquals("1:11: first argument of [:] must be [string], found value [pid] type [long]; consider using [==] instead",
+ error(idxr, "foo where pid : 123"));
+ }
+
}
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonPipeTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonPipeTests.java
new file mode 100644
index 00000000000..9674bcad0ad
--- /dev/null
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonPipeTests.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
+
+import org.elasticsearch.xpack.ql.TestUtils;
+import org.elasticsearch.xpack.ql.expression.Expression;
+import org.elasticsearch.xpack.ql.expression.function.scalar.FunctionTestUtils;
+import org.elasticsearch.xpack.ql.expression.gen.pipeline.Pipe;
+import org.elasticsearch.xpack.ql.tree.AbstractNodeTestCase;
+import org.elasticsearch.xpack.ql.tree.Source;
+import org.elasticsearch.xpack.ql.tree.SourceTests;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+import java.util.function.Function;
+
+import static org.elasticsearch.xpack.ql.expression.Expressions.pipe;
+import static org.elasticsearch.xpack.ql.expression.function.scalar.FunctionTestUtils.randomStringLiteral;
+import static org.elasticsearch.xpack.ql.tree.SourceTests.randomSource;
+
+public class InsensitiveBinaryComparisonPipeTests extends AbstractNodeTestCase {
+
+ @Override
+ protected InsensitiveBinaryComparisonPipe randomInstance() {
+ return randomInsensitiveBinaryComparisonPipe();
+ }
+
+ private Expression randomInsensitiveBinaryComparisonExpression() {
+ return randomInsensitiveBinaryComparisonPipe().expression();
+ }
+
+ public static InsensitiveBinaryComparisonPipe randomInsensitiveBinaryComparisonPipe() {
+ return (InsensitiveBinaryComparisonPipe) (new InsensitiveEquals(randomSource(),
+ randomStringLiteral(),
+ randomStringLiteral(),
+ TestUtils.UTC).
+ makePipe());
+ }
+
+ @Override
+ public void testTransform() {
+ // test transforming only the properties (source, expression),
+ // skipping the children (string and substring) which are tested separately
+ InsensitiveBinaryComparisonPipe pipe = randomInstance();
+ Expression newExpression = randomValueOtherThan(pipe.expression(), this::randomInsensitiveBinaryComparisonExpression);
+ InsensitiveBinaryComparisonPipe newPipe = new InsensitiveBinaryComparisonPipe(
+ pipe.source(),
+ newExpression,
+ pipe.left(),
+ pipe.right(),
+ pipe.asProcessor().function());
+ assertEquals(newPipe,
+ pipe.transformPropertiesOnly(v -> Objects.equals(v, pipe.expression()) ? newExpression : v, Expression.class));
+
+ InsensitiveBinaryComparisonPipe anotherPipe = randomInstance();
+ Source newLoc = randomValueOtherThan(anotherPipe.source(), SourceTests::randomSource);
+ newPipe = new InsensitiveBinaryComparisonPipe(
+ newLoc,
+ anotherPipe.expression(),
+ anotherPipe.left(),
+ anotherPipe.right(),
+ anotherPipe.asProcessor().function());
+ assertEquals(newPipe,
+ anotherPipe.transformPropertiesOnly(v -> Objects.equals(v, anotherPipe.source()) ? newLoc : v, Source.class));
+ }
+
+ @Override
+ public void testReplaceChildren() {
+ InsensitiveBinaryComparisonPipe pipe = randomInstance();
+ Pipe newLeft = pipe(((Expression) randomValueOtherThan(pipe.left(), FunctionTestUtils::randomStringLiteral)));
+ Pipe newRight = pipe(((Expression) randomValueOtherThan(pipe.right(), FunctionTestUtils::randomStringLiteral)));
+ InsensitiveBinaryComparisonPipe newPipe =
+ new InsensitiveBinaryComparisonPipe(pipe.source(), pipe.expression(), pipe.left(), pipe.right(), pipe.asProcessor().function());
+
+ InsensitiveBinaryComparisonPipe transformed = newPipe.replaceChildren(newLeft, pipe.right());
+ assertEquals(transformed.source(), pipe.source());
+ assertEquals(transformed.expression(), pipe.expression());
+ assertEquals(transformed.left(), newLeft);
+ assertEquals(transformed.right(), pipe.right());
+
+ transformed = newPipe.replaceChildren(pipe.left(), newRight);
+ assertEquals(transformed.source(), pipe.source());
+ assertEquals(transformed.expression(), pipe.expression());
+ assertEquals(transformed.left(), pipe.left());
+ assertEquals(transformed.right(), newRight);
+
+ transformed = newPipe.replaceChildren(newLeft, newRight);
+ assertEquals(transformed.source(), pipe.source());
+ assertEquals(transformed.expression(), pipe.expression());
+ assertEquals(transformed.left(), newLeft);
+ assertEquals(transformed.right(), newRight);
+ }
+
+ @Override
+ protected InsensitiveBinaryComparisonPipe mutate(InsensitiveBinaryComparisonPipe instance) {
+ List> randoms = new ArrayList<>();
+ randoms.add(f -> new InsensitiveBinaryComparisonPipe(f.source(),
+ f.expression(),
+ pipe(((Expression) randomValueOtherThan(f.left(), FunctionTestUtils::randomStringLiteral))),
+ f.right(),
+ f.asProcessor().function()));
+ randoms.add(f -> new InsensitiveBinaryComparisonPipe(f.source(),
+ f.expression(),
+ f.left(),
+ pipe(((Expression) randomValueOtherThan(f.right(), FunctionTestUtils::randomStringLiteral))),
+ f.asProcessor().function()));
+ randoms.add(f -> new InsensitiveBinaryComparisonPipe(f.source(),
+ f.expression(),
+ pipe(((Expression) randomValueOtherThan(f.left(), FunctionTestUtils::randomStringLiteral))),
+ pipe(((Expression) randomValueOtherThan(f.right(), FunctionTestUtils::randomStringLiteral))),
+ f.asProcessor().function()));
+
+ return randomFrom(randoms).apply(instance);
+ }
+
+ @Override
+ protected InsensitiveBinaryComparisonPipe copy(InsensitiveBinaryComparisonPipe instance) {
+ return new InsensitiveBinaryComparisonPipe(instance.source(),
+ instance.expression(),
+ instance.left(),
+ instance.right(),
+ instance.asProcessor().function());
+ }
+}
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonProcessorTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonProcessorTests.java
new file mode 100644
index 00000000000..b94a8dda23f
--- /dev/null
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonProcessorTests.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
+
+import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
+import org.elasticsearch.common.io.stream.Writeable.Reader;
+import org.elasticsearch.test.AbstractWireSerializingTestCase;
+import org.elasticsearch.xpack.eql.EqlIllegalArgumentException;
+import org.elasticsearch.xpack.ql.TestUtils;
+import org.elasticsearch.xpack.ql.expression.Literal;
+import org.elasticsearch.xpack.ql.expression.gen.processor.ConstantProcessor;
+import org.elasticsearch.xpack.ql.expression.processor.Processors;
+
+import static org.elasticsearch.xpack.eql.EqlTestUtils.seq;
+import static org.elasticsearch.xpack.eql.EqlTestUtils.sneq;
+import static org.elasticsearch.xpack.ql.tree.Source.EMPTY;
+
+public class InsensitiveBinaryComparisonProcessorTests extends AbstractWireSerializingTestCase {
+ public static InsensitiveBinaryComparisonProcessor randomProcessor() {
+ return new InsensitiveBinaryComparisonProcessor(
+ new ConstantProcessor(randomLong()),
+ new ConstantProcessor(randomLong()),
+ randomFrom(InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation.values()));
+ }
+
+ @Override
+ protected InsensitiveBinaryComparisonProcessor createTestInstance() {
+ return randomProcessor();
+ }
+
+ @Override
+ protected Reader instanceReader() {
+ return InsensitiveBinaryComparisonProcessor::new;
+ }
+
+ @Override
+ protected NamedWriteableRegistry getNamedWriteableRegistry() {
+ return new NamedWriteableRegistry(Processors.getNamedWriteables());
+ }
+
+ public void testStringEq() {
+ assertEquals(true, p(seq(l("a"), l("a"))));
+ assertEquals(true, p(seq(l("A"), l("a"))));
+ assertEquals(true, p(seq(l("aBcD"), l("AbCd"))));
+ assertEquals(true, p(seq(l("abc"), l("abc"))));
+
+ assertEquals(false, p(seq(l("abc"), l("cba"))));
+ }
+
+ public void testNonStringArguments() {
+ expectThrows(EqlIllegalArgumentException.class, () -> p(seq(l(12), l(12))));
+ expectThrows(EqlIllegalArgumentException.class, () -> p(seq(l(12), l("12"))));
+ expectThrows(EqlIllegalArgumentException.class, () -> p(seq(l("12"), l(12))));
+ }
+
+ public void testNullStringEquals() {
+ assertNull(p(seq(l(null), l(null))));
+ assertNull(p(seq(l("a"), l(null))));
+ assertNull(p(seq(l(null), l("a"))));
+ }
+
+ public void testStringNotEquals() {
+ assertEquals(false, p(sneq(l("a"), l("a"))));
+ assertEquals(false, p(sneq(l("A"), l("a"))));
+ assertEquals(false, p(sneq(l("aBcD"), l("AbCd"))));
+ assertEquals(false, p(sneq(l("abc"), l("abc"))));
+
+ assertEquals(true, p(sneq(l("abc"), l("cba"))));
+ }
+
+ public void testNullStringNotEquals() {
+ assertNull(p(sneq(l(null), l(null))));
+ assertNull(p(sneq(l("a"), l(null))));
+ assertNull(p(sneq(l(null), l("a"))));
+ }
+
+ public void testRegularNotEquals() {
+ expectThrows(EqlIllegalArgumentException.class, () -> p(sneq(l(12), l(12))));
+ expectThrows(EqlIllegalArgumentException.class, () -> p(sneq(l(12), l("12"))));
+ expectThrows(EqlIllegalArgumentException.class, () -> p(sneq(l("12"), l(12))));
+ }
+
+ private static Literal l(Object value) {
+ return TestUtils.of(EMPTY, value);
+ }
+
+ private static Object p(InsensitiveBinaryComparison ibc) {
+ return ibc.makePipe().asProcessor().process(null);
+ }
+}
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/optimizer/OptimizerTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/optimizer/OptimizerTests.java
index a6f4fe5c1db..c94d89c9554 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/optimizer/OptimizerTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/optimizer/OptimizerTests.java
@@ -30,7 +30,6 @@ import org.elasticsearch.xpack.ql.expression.Order;
import org.elasticsearch.xpack.ql.expression.Order.NullsPosition;
import org.elasticsearch.xpack.ql.expression.Order.OrderDirection;
import org.elasticsearch.xpack.ql.expression.predicate.logical.And;
-import org.elasticsearch.xpack.ql.expression.predicate.logical.Not;
import org.elasticsearch.xpack.ql.expression.predicate.logical.Or;
import org.elasticsearch.xpack.ql.expression.predicate.nulls.IsNotNull;
import org.elasticsearch.xpack.ql.expression.predicate.nulls.IsNull;
@@ -134,8 +133,8 @@ public class OptimizerTests extends ESTestCase {
public void testEqualsWildcard() {
List tests = Arrays.asList(
- "foo where command_line == \"* bar *\"",
- "foo where \"* bar *\" == command_line"
+ "foo where command_line : \"* bar *\"",
+ "foo where \"* bar *\" : command_line"
);
for (String q : tests) {
@@ -154,32 +153,25 @@ public class OptimizerTests extends ESTestCase {
}
}
- public void testNotEqualsWildcard() {
+ // test wildcard gets applied for literals as well regardless of the side used
+ public void testEqualsWildcardWithLiterals() {
List tests = Arrays.asList(
- "foo where command_line != \"* baz *\"",
- "foo where \"* baz *\" != command_line"
+ "foo where \"abc\": \"*b*\"",
+ "foo where \"*b*\" : \"abc\""
);
for (String q : tests) {
LogicalPlan plan = defaultPipes(accept(q));
-
assertTrue(plan instanceof Filter);
-
+ // check the optimizer kicked in and folding was applied
Filter filter = (Filter) plan;
- And condition = (And) filter.condition();
- assertTrue(condition.right() instanceof Not);
-
- Not not = (Not) condition.right();
- Like like = (Like) not.field();
- assertEquals(((FieldAttribute) like.field()).name(), "command_line");
- assertEquals(like.pattern().asJavaRegex(), "^.* baz .*$");
- assertEquals(like.pattern().asLuceneWildcard(), "* baz *");
- assertEquals(like.pattern().asIndexNameWildcard(), "* baz *");
+ Equals condition = (Equals) filter.condition();
+ assertEquals("foo", condition.right().fold());
}
}
public void testWildcardEscapes() {
- LogicalPlan plan = defaultPipes(accept("foo where command_line == \"* %bar_ * \\\\ \\n \\r \\t\""));
+ LogicalPlan plan = defaultPipes(accept("foo where command_line : \"* %bar_ * \\\\ \\n \\r \\t\""));
assertTrue(plan instanceof Filter);
Filter filter = (Filter) plan;
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryFolderOkTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryFolderOkTests.java
index ff0d84d5672..68f8705f436 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryFolderOkTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryFolderOkTests.java
@@ -7,7 +7,6 @@
package org.elasticsearch.xpack.eql.planner;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
-
import org.elasticsearch.common.Strings;
import org.elasticsearch.xpack.eql.plan.physical.EsQueryExec;
import org.elasticsearch.xpack.eql.plan.physical.PhysicalPlan;
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryTranslationTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryTranslationTests.java
index 7e007b4918c..922f647752c 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryTranslationTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryTranslationTests.java
@@ -12,8 +12,13 @@ import static org.hamcrest.Matchers.containsString;
public class QueryTranslationTests extends AbstractQueryFolderTestCase {
- public void testLikeOptimization() throws Exception {
+ public void testLikeExactEqualsNoOptimization() throws Exception {
PhysicalPlan plan = plan("process where process_name == \"*\" ");
+ assertThat(asQuery(plan), containsString("\"term\":{\"process_name\""));
+ }
+
+ public void testLikeOptimization() throws Exception {
+ PhysicalPlan plan = plan("process where process_name : \"*\" ");
assertThat(asQuery(plan), containsString("\"exists\":{\"field\":\"process_name\""));
}
diff --git a/x-pack/plugin/eql/src/test/resources/queries-supported.eql b/x-pack/plugin/eql/src/test/resources/queries-supported.eql
index 775161e46b5..b0d277d877f 100644
--- a/x-pack/plugin/eql/src/test/resources/queries-supported.eql
+++ b/x-pack/plugin/eql/src/test/resources/queries-supported.eql
@@ -1,13 +1,13 @@
-process where process_name == "svchost.exe" and command_line != "* -k *";
+process where process_name : "svchost.exe" and command_line != "* -k *";
process where process_name in ("ipconfig.exe", "netstat.exe", "systeminfo.exe", "route.exe");
process where subtype.create and wildcard(command_line, "*.ost *", "*.pst *")
;
process where subtype.create and
- process_name == "attrib.exe" and command_line == "* +h*"
+ process_name : "attrib.exe" and command_line : "* +h*"
;
-file where file_name == "*Library/Preferences/*.plist";
+file where file_name : "*Library/Preferences/*.plist";
/* UNIT TESTS FROM
* https://github.com/endgameinc/eql/blob/master/tests/test_parser.py
@@ -21,25 +21,25 @@ file where false or true;
registry where not pid;
-process where process_name == "net.exe" and command_line == "* user*.exe";
+process where process_name : "net.exe" and command_line : "* user*.exe";
-process where command_line == "~!@#$%^&*();'[]{}\\|<>?,./:\"-= ' ";
+process where command_line : "~!@#$%^&*();'[]{}\\|<>?,./:\"-= ' ";
process where
- pid == 4;
+ pid : 4;
process where process_name in ("net.exe", "cmd.exe", "at.exe");
-process where command_line == "*.exe *admin*" or command_line == "* a b*";
+process where command_line : "*.exe *admin*" or command_line : "* a b*";
-process where pid in (1,2,3,4,5,6,7,8) and abc == 100 and def == 200 and ghi == 300 and jkl == x;
+process where pid in (1,2,3,4,5,6,7,8) and abc : 100 and def : 200 and ghi : 300 and jkl : x;
process where ppid != pid;
image_load where not x != y;
-image_load where not x == y;
+image_load where not x : y;
image_load where not not not not x < y;
@@ -49,9 +49,9 @@ image_load where not x >= y;
image_load where not x > y;
-process where _leadingUnderscore == 100;
+process where _leadingUnderscore : 100;
-network where 1 * 2 + 3 * 4 + 10 / 2 == 2 + 12 + 5;
+network where 1 * 2 + 3 * 4 + 10 / 2 : 2 + 12 + 5;
file where 1 - -2;
@@ -61,15 +61,15 @@ file where 1 * (-2);
file where 3 * -length(file_path);
-network where a * b + c * d + e / f == g + h + i;
+network where a * b + c * d + e / f : g + h + i;
-network where a * (b + c * d) + e / f == g + h + i;
+network where a * (b + c * d) + e / f : g + h + i;
-process where pid == 4 or pid == 5 or pid == 6 or pid == 7 or pid == 8;
+process where pid : 4 or pid : 5 or pid : 6 or pid : 7 or pid : 8;
-network where pid == 0 or pid == 4 or (ppid == 0 or ppid == 4) or (abc == defgh) and process_name == "*" ;
+network where pid : 0 or pid : 4 or (ppid : 0 or ppid : 4) or (abc : defgh) and process_name : "*" ;
-network where pid == 4;
+network where pid : 4;
registry where a.b;
@@ -86,7 +86,7 @@ process where a > 100000000000000000000000000000000;
/* TESTS FROM
* https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_queries.toml
*/
-process where serial_event_id == 1;
+process where serial_event_id : 1;
process where serial_event_id < 4;
@@ -95,7 +95,7 @@ process where false;
process where missing_field != null;
-process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
+process where process_name : "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
;
@@ -122,30 +122,30 @@ process where 0 < exit_code;
process where 0 > exit_code;
-process where (serial_event_id<=8 and serial_event_id > 7) and (opcode==3 and opcode>2);
+process where (serial_event_id<=8 and serial_event_id > 7) and (opcode:3 and opcode>2);
-process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid);
+process where (serial_event_id<9 and serial_event_id >= 7) or (opcode : pid);
-registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F";
+registry where key_path : "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F";
-process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4);
+process where process_path : "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4);
-file where file_path=="*\\red_ttp\\winin*.*"
- and opcode in (0,1,2) and user_name=="vagrant"
+file where file_path:"*\\red_ttp\\winin*.*"
+ and opcode in (0,1,2) and user_name:"vagrant"
;
-file where file_path=="*\\red_ttp\\winin*.*"
- and opcode not in (0,1,2) and user_name=="vagrant"
+file where file_path:"*\\red_ttp\\winin*.*"
+ and opcode not in (0,1,2) and user_name:"vagrant"
;
-file where file_path=="*\\red_ttp\\winin*.*"
- and opcode not in (3, 4, 5, 6 ,7) and user_name=="vagrant"
+file where file_path:"*\\red_ttp\\winin*.*"
+ and opcode not in (3, 4, 5, 6 ,7) and user_name:"vagrant"
;
-file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2
+file where file_name in ("wininit.exe", "lsass.exe") and opcode : 2
;
@@ -153,7 +153,7 @@ process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM"
;
-process where fake_field == "*";
+process where fake_field : "*";
registry where invalid_field_name != null;
@@ -161,21 +161,21 @@ registry where invalid_field_name != null;
registry where length(bad_field) > 0
;
-process where opcode == 1
+process where opcode : 1
and process_name in ("net.exe", "net1.exe")
- and not (parent_process_name == "net.exe"
- and process_name == "net1.exe")
- and command_line == "*group *admin*" and command_line != "* /add*";
+ and not (parent_process_name : "net.exe"
+ and process_name : "net1.exe")
+ and command_line : "*group *admin*" and command_line != "* /add*";
-process where process_name == "python.exe";
+process where process_name : "python.exe";
-process where command_line == "*%*" ;
+process where command_line : "*%*" ;
-process where command_line == "*%*%*" ;
+process where command_line : "*%*%*" ;
-process where command_line == "%*%*" ;
+process where command_line : "%*%*" ;
process where match(?".*?net1\s+localgroup\s+.*?", command_line)
@@ -193,70 +193,70 @@ process where match(?".*?net1\s+\w{4,15}\s+.*?", command_line)
process where match(?".*?net1\s+[localgrup]{4,15}\s+.*?", command_line)
;
-file where opcode==0 and startsWith(file_name, "exploRER.")
+file where opcode:0 and startsWith(file_name, "exploRER.")
;
-file where opcode==0 and startsWith(file_name, "expLORER.exe")
+file where opcode:0 and startsWith(file_name, "expLORER.exe")
;
-file where opcode==0 and endsWith(file_name, "loREr.exe");
+file where opcode:0 and endsWith(file_name, "loREr.exe");
-file where opcode==0 and startsWith(file_name, "explORER.EXE");
+file where opcode:0 and startsWith(file_name, "explORER.EXE");
-file where opcode==0 and startsWith("explorer.exeaaaaaaaa", file_name);
+file where opcode:0 and startsWith("explorer.exeaaaaaaaa", file_name);
-file where opcode==0 and serial_event_id == 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe");
+file where opcode:0 and serial_event_id : 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe");
-file where opcode==0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name)
+file where opcode:0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name)
;
-file where opcode==0 and indexOf(file_name, "plore") == 2 and not indexOf(file_name, ".pf")
+file where opcode:0 and indexOf(file_name, "plore") : 2 and not indexOf(file_name, ".pf")
;
-file where opcode==0 and indexOf(file_name, "explorer.") and indexOf(file_name, "plore", 100)
+file where opcode:0 and indexOf(file_name, "explorer.") and indexOf(file_name, "plore", 100)
;
-file where opcode==0 and indexOf(file_name, "plorer.", 0) == 2;
+file where opcode:0 and indexOf(file_name, "plorer.", 0) : 2;
-file where opcode==0 and indexOf(file_name, "plorer.", 2);
+file where opcode:0 and indexOf(file_name, "plorer.", 2);
-file where opcode==0 and indexOf(file_name, "plorer.", 4);
+file where opcode:0 and indexOf(file_name, "plorer.", 4);
-file where opcode==0 and indexOf(file_name, "thing that never happened");
+file where opcode:0 and indexOf(file_name, "thing that never happened");
-file where opcode==0 and indexOf(file_name, "plorer.", 2) == 2;
+file where opcode:0 and indexOf(file_name, "plorer.", 2) : 2;
-file where opcode==0 and indexOf(file_name, "explorer.", 0) == 0;
+file where opcode:0 and indexOf(file_name, "explorer.", 0) : 0;
-file where serial_event_id==88 and substring(file_name, 0, 4) == "expl"
+file where serial_event_id:88 and substring(file_name, 0, 4) : "expl"
;
-file where serial_event_id==88 and substring(file_name, 1, 3) == "xp"
+file where serial_event_id:88 and substring(file_name, 1, 3) : "xp"
;
-file where serial_event_id==88 and substring(file_name, -4) == ".exe"
+file where serial_event_id:88 and substring(file_name, -4) : ".exe"
;
-file where serial_event_id==88 and substring(file_name, -4, -1) == ".ex"
+file where serial_event_id:88 and substring(file_name, -4, -1) : ".ex"
;
-process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id;
+process where add(serial_event_id, 0) : 1 and add(0, 1) : serial_event_id;
-process where subtract(serial_event_id, -5) == 6;
+process where subtract(serial_event_id, -5) : 6;
-process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5;
+process where multiply(6, serial_event_id) : 30 and divide(30, 4.0) : 7.5;
-process where modulo(11, add(serial_event_id, 1)) == serial_event_id;
+process where modulo(11, add(serial_event_id, 1)) : serial_event_id;
-process where serial_event_id == number("5");
+process where serial_event_id : number("5");
-process where serial_event_id == number("0x32", 16);
+process where serial_event_id : number("0x32", 16);
-process where serial_event_id == number("32", 16);
+process where serial_event_id : number("32", 16);
-process where number(serial_event_id) == number(5);
+process where number(serial_event_id) : number(5);
-process where concat(serial_event_id, ":", process_name, opcode) == "5:winINIT.exe3"
+process where concat(serial_event_id, ":", process_name, opcode) : "5:winINIT.exe3"
;
@@ -264,42 +264,42 @@ process where concat(serial_event_id, ":", process_name, opcode) == "5:winINIT.e
// network where safe(divide(process_name, process_name))
//;
-file where serial_event_id == 82 and (true == (process_name in ("svchost.EXE", "bad.exe", "bad2.exe")))
+file where serial_event_id : 82 and (true : (process_name in ("svchost.EXE", "bad.exe", "bad2.exe")))
;
-file where serial_event_id - 1 == 81;
+file where serial_event_id - 1 : 81;
-file where serial_event_id + 1 == 83;
+file where serial_event_id + 1 : 83;
-file where serial_event_id * 2 == 164;
+file where serial_event_id * 2 : 164;
-file where serial_event_id / 2 == 41;
+file where serial_event_id / 2 : 41;
-file where serial_event_id % 40 == 2;
+file where serial_event_id % 40 : 2;
-process where between(process_name, "s", "e") == "yst"
+process where between(process_name, "s", "e") : "yst"
;
-process where between(process_name, "s", "e", false) == "yst"
+process where between(process_name, "s", "e", false) : "yst"
;
-process where between(process_name, "s", "e", false, true) == "yst"
+process where between(process_name, "s", "e", false, true) : "yst"
;
-process where between(process_name, "s", "e", false, true) == "t"
+process where between(process_name, "s", "e", false, true) : "t"
;
-process where between(process_name, "S", "e", false, true) == "yst"
+process where between(process_name, "S", "e", false, true) : "yst"
;
-process where between(process_name, "s", "e", true) == "ystem Idle Proc"
+process where between(process_name, "s", "e", true) : "ystem Idle Proc"
;
-file where between(file_path, "dev", ".json", false) == "\\testlogs\\something"
+file where between(file_path, "dev", ".json", false) : "\\testlogs\\something"
;
-file where between(file_path, "dev", ".json", true) == "\\testlogs\\something"
+file where between(file_path, "dev", ".json", true) : "\\testlogs\\something"
;
network where cidrMatch(source_address, "10.6.48.157/8")
@@ -324,12 +324,12 @@ process where length(between(process_name, "g", "z")) > 0
// additional queries added for the elasticsearch specific implementation
// dots will still be interpreted by ES per usual
-something where `my-hyphenated-field` == "value";
-something where `my-hyphenated-field.with.nested.dots` == "value";
-something where `@timestamp` == "2020-01-01 00:00:00";
-something where `some escaped identifier` == "blah";
-something where `some escaped identifier` == "blah";
-something where `some.escaped.identifier` == "blah";
+something where `my-hyphenated-field` : "value";
+something where `my-hyphenated-field.with.nested.dots` : "value";
+something where `@timestamp` : "2020-01-01 00:00:00";
+something where `some escaped identifier` : "blah";
+something where `some escaped identifier` : "blah";
+something where `some.escaped.identifier` : "blah";
//
@@ -344,9 +344,9 @@ something where `some.escaped.identifier` == "blah";
// docs
join by source_ip, destination_ip
- [network where destination_port == 3389] // RDP
- [network where destination_port == 135] // RPC
- [network where destination_port == 445] // SMB
+ [network where destination_port : 3389] // RDP
+ [network where destination_port : 135] // RPC
+ [network where destination_port : 445] // SMB
;
join by pid
@@ -355,61 +355,61 @@ join by pid
[registry where true]
[file where true]
-until [process where event_subtype_full == "termination_event"]
+until [process where event_subtype_full : "termination_event"]
;
///
join
- [process where process_name == "*"]
- [file where file_path == "*"]
+ [process where process_name : "*"]
+ [file where file_path : "*"]
;
-join by pid
- [process where name == "*"]
- [file where path == "*"]
-until [process where opcode == 2]
-;
-
-join
- [process where process_name == "*"] by process_path
- [file where file_path == "*"] by image_path
-;
-
-join by user_name
- [process where opcode in (1,3) and process_name=="smss.exe"]
- [process where opcode in (1,3) and process_name == "python.exe"]
-;
-
-join by unique_pid
- [process where opcode==1]
- [file where opcode==0 and file_name=="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"]
-;
-
-join by unique_pid
- [process where opcode==1]
- [file where opcode==0 and file_name=="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"]
-until [file where opcode == 2];
-
-join
- [file where opcode==0 and file_name=="svchost.exe"] by unique_pid
- [process where opcode == 1] by unique_ppid
-;
-
-join by unique_pid
- [process where opcode in (1,3) and process_name=="python.exe"]
- [file where file_name == "*.exe"];
-
-join by user_name
- [process where opcode in (1,3) and process_name=="python.exe"]
- [process where opcode in (1,3) and process_name == "smss.exe"]
+join by pid
+ [process where name : "*"]
+ [file where path : "*"]
+until [process where opcode : 2]
;
join
- [process where opcode in (1,3) and process_name=="python.exe"]
- [process where opcode in (1,3) and process_name == "smss.exe"]
+ [process where process_name : "*"] by process_path
+ [file where file_path : "*"] by image_path
+;
+
+join by user_name
+ [process where opcode in (1,3) and process_name:"smss.exe"]
+ [process where opcode in (1,3) and process_name : "python.exe"]
+;
+
+join by unique_pid
+ [process where opcode:1]
+ [file where opcode:0 and file_name:"svchost.exe"]
+ [file where opcode : 0 and file_name : "lsass.exe"]
+;
+
+join by unique_pid
+ [process where opcode:1]
+ [file where opcode:0 and file_name:"svchost.exe"]
+ [file where opcode : 0 and file_name : "lsass.exe"]
+until [file where opcode : 2];
+
+join
+ [file where opcode:0 and file_name:"svchost.exe"] by unique_pid
+ [process where opcode : 1] by unique_ppid
+;
+
+join by unique_pid
+ [process where opcode in (1,3) and process_name:"python.exe"]
+ [file where file_name : "*.exe"];
+
+join by user_name
+ [process where opcode in (1,3) and process_name:"python.exe"]
+ [process where opcode in (1,3) and process_name : "smss.exe"]
+;
+
+join
+ [process where opcode in (1,3) and process_name:"python.exe"]
+ [process where opcode in (1,3) and process_name : "smss.exe"]
;
@@ -419,90 +419,90 @@ join
// docs
sequence by user_name
- [process where process_name == "whoami"]
- [process where process_name == "hostname"]
- [process where process_name == "ifconfig"]
+ [process where process_name : "whoami"]
+ [process where process_name : "hostname"]
+ [process where process_name : "ifconfig"]
;
sequence with maxspan=30s
- [network where destination_port==3389 and event_subtype_full=="*_accept_event*"]
- [security where event_id in (4624, 4625) and logon_type == 10]
+ [network where destination_port:3389 and event_subtype_full:"*_accept_event*"]
+ [security where event_id in (4624, 4625) and logon_type : 10]
;
sequence with maxspan=30s
- [network where destination_port==3389 and event_subtype_full=="*_accept_event"] by source_address
- [security where event_id in (4624, 4625) and logon_type == 10] by ip_address
+ [network where destination_port:3389 and event_subtype_full:"*_accept_event"] by source_address
+ [security where event_id in (4624, 4625) and logon_type : 10] by ip_address
;
sequence with maxspan=5m
- [file where file_name == "*.exe"] by user_name, file_path
+ [file where file_name : "*.exe"] by user_name, file_path
[process where true] by user_name, process_path
;
sequence by user_name with maxspan=5m
- [file where file_name == "*.exe"] by file_path
+ [file where file_name : "*.exe"] by file_path
[process where true] by process_path
;
//
-sequence
- [process where name == "*"]
- [file where path == "*"]
-until [process where opcode == 2]
+sequence
+ [process where name : "*"]
+ [file where path : "*"]
+until [process where opcode : 2]
;
-sequence by pid
- [process where name == "*"]
- [file where path == "*"]
-until [process where opcode == 2]
+sequence by pid
+ [process where name : "*"]
+ [file where path : "*"]
+until [process where opcode : 2]
;
-sequence
- [process where process_name == "*"] by process_path
- [file where file_path == "*"] by image_path
+sequence
+ [process where process_name : "*"] by process_path
+ [file where file_path : "*"] by image_path
;
-sequence by pid
- [process where process_name == "*"]
- [file where file_path == "*"]
+sequence by pid
+ [process where process_name : "*"]
+ [file where file_path : "*"]
;
sequence by field1
- [file where true] by f1
+ [file where true] by f1
[process where true] by f1
;
-sequence by a,b,c,d
- [file where true] by f1,f2
+sequence by a,b,c,d
+ [file where true] by f1,f2
[process where true] by f1,f2
;
-sequence
- [file where 1] by f1,f2
- [process where 1] by f1,f2
+sequence
+ [file where 1] by f1,f2
+ [process where 1] by f1,f2
until [process where 1] by f1,f2
;
-sequence by f
- [file where true] by a,b
- [process where true] by c,d
+sequence by f
+ [file where true] by a,b
+ [process where true] by c,d
until [process where 1] by e,f
;
sequence
- [process where serial_event_id == 1]
- [process where serial_event_id == 2]
+ [process where serial_event_id : 1]
+ [process where serial_event_id : 2]
;
sequence
[process where serial_event_id < 5]
- [process where serial_event_id == 5]
+ [process where serial_event_id : 5]
;
sequence
- [process where serial_event_id==1] by unique_pid
+ [process where serial_event_id:1] by unique_pid
[process where true] by unique_ppid;
sequence
@@ -516,54 +516,54 @@ sequence
;
sequence
- [file where opcode==0 and file_name=="svchost.exe"] by unique_pid
- [process where opcode == 1] by unique_ppid
+ [file where opcode:0 and file_name:"svchost.exe"] by unique_pid
+ [process where opcode : 1] by unique_ppid
;
sequence
- [file where file_name=="lsass.exe"] by file_path,process_path
+ [file where file_name:"lsass.exe"] by file_path,process_path
[process where true] by process_path,parent_process_path
;
sequence by user_name
- [file where file_name=="lsass.exe"] by file_path, process_path
+ [file where file_name:"lsass.exe"] by file_path, process_path
[process where true] by process_path, parent_process_path
;
sequence by pid
- [file where file_name=="lsass.exe"] by file_path,process_path
+ [file where file_name:"lsass.exe"] by file_path,process_path
[process where true] by process_path,parent_process_path
;
sequence by user_name
- [file where opcode==0] by pid,file_path
- [file where opcode==2] by pid,file_path
-until [process where opcode==2] by ppid,process_path
+ [file where opcode:0] by pid,file_path
+ [file where opcode:2] by pid,file_path
+until [process where opcode:2] by ppid,process_path
;
-sequence by unique_pid
- [process where opcode==1 and process_name == "msbuild.exe"]
+sequence by unique_pid
+ [process where opcode:1 and process_name : "msbuild.exe"]
[network where true]
;
sequence by pid with maxspan=200s
- [process where process_name == "*" ]
- [file where file_path == "*"]
+ [process where process_name : "*" ]
+ [file where file_path : "*"]
;
-sequence by pid with maxspan=2s
- [process where process_name == "*" ]
- [file where file_path == "*"]
+sequence by pid with maxspan=2s
+ [process where process_name : "*" ]
+ [file where file_path : "*"]
;
-sequence by pid with maxspan=500ms
- [process where process_name == "*" ]
- [file where file_path == "*"]
+sequence by pid with maxspan=500ms
+ [process where process_name : "*" ]
+ [file where file_path : "*"]
;
sequence by pid with maxspan=2h
- [process where process_name == "*" ]
- [file where file_path == "*"]
+ [process where process_name : "*" ]
+ [file where file_path : "*"]
;
//
@@ -571,12 +571,12 @@ sequence by pid with maxspan=2h
//
-security where event_id == 4624
+security where event_id : 4624
| tail 10
;
process where true | head 6;
-process where bad_field == null | head 5;
+process where bad_field : null | head 5;
process where not (exit_code > -1)
and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94)
@@ -593,88 +593,88 @@ file where true
| tail 3;
sequence
- [file where event_subtype_full == "file_create_event"] by file_path
- [process where opcode == 1] by process_path
- [process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
+ [process where opcode : 1] by process_path
+ [process where opcode : 2] by process_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2;
sequence
- [file where opcode==0] by unique_pid
- [file where opcode==0] by unique_pid
+ [file where opcode:0] by unique_pid
+ [file where opcode:0] by unique_pid
| head 1;
sequence with maxspan=1d
- [file where event_subtype_full == "file_create_event"] by file_path
- [process where opcode == 1] by process_path
- [process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
+ [process where opcode : 1] by process_path
+ [process where opcode : 2] by process_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2;
sequence with maxspan=1h
- [file where event_subtype_full == "file_create_event"] by file_path
- [process where opcode == 1] by process_path
- [process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
+ [process where opcode : 1] by process_path
+ [process where opcode : 2] by process_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2;
sequence with maxspan=1m
- [file where event_subtype_full == "file_create_event"] by file_path
- [process where opcode == 1] by process_path
- [process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
+ [process where opcode : 1] by process_path
+ [process where opcode : 2] by process_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2;
sequence with maxspan=10s
- [file where event_subtype_full == "file_create_event"] by file_path
- [process where opcode == 1] by process_path
- [process where opcode == 2] by process_path
- [file where event_subtype_full == "file_delete_event"] by file_path
+ [file where event_subtype_full : "file_create_event"] by file_path
+ [process where opcode : 1] by process_path
+ [process where opcode : 2] by process_path
+ [file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2;
sequence
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
-until [process where opcode==5000] by unique_ppid
+ [file where opcode:0 and file_name:"*.exe"] by unique_pid
+ [file where opcode:0 and file_name:"*.exe"] by unique_pid
+until [process where opcode:5000] by unique_ppid
| head 1;
sequence
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
-until [process where opcode==1] by unique_ppid
+ [file where opcode:0 and file_name:"*.exe"] by unique_pid
+ [file where opcode:0 and file_name:"*.exe"] by unique_pid
+until [process where opcode:1] by unique_ppid
| head 1;
join
- [file where opcode==0 and file_name=="*.exe"] by unique_pid
- [file where opcode==2 and file_name=="*.exe"] by unique_pid
-until [process where opcode==1] by unique_ppid
+ [file where opcode:0 and file_name:"*.exe"] by unique_pid
+ [file where opcode:2 and file_name:"*.exe"] by unique_pid
+until [process where opcode:1] by unique_ppid
| head 1;
sequence by user_name
- [file where opcode==0] by file_path
- [process where opcode==1] by process_path
- [process where opcode==2] by process_path
- [file where opcode==2] by file_path
+ [file where opcode:0] by file_path
+ [process where opcode:1] by process_path
+ [process where opcode:2] by process_path
+ [file where opcode:2] by file_path
| tail 1;
sequence by user_name
- [file where opcode==0] by pid,file_path
- [file where opcode==2] by pid,file_path
-until [process where opcode==5] by ppid,process_path
+ [file where opcode:0] by pid,file_path
+ [file where opcode:2] by pid,file_path
+until [process where opcode:5] by ppid,process_path
| head 2;
sequence by pid
- [file where opcode==0] by file_path
- [process where opcode==1] by process_path
- [process where opcode==2] by process_path
- [file where opcode==2] by file_path
+ [file where opcode:0] by file_path
+ [process where opcode:1] by process_path
+ [process where opcode:2] by process_path
+ [file where opcode:2] by file_path
| tail 1;
join by user_name
@@ -685,5 +685,5 @@ join by user_name
process where fake_field != "*"
| head 4;
-process where not (fake_field == "*")
+process where not (fake_field : "*")
| head 4;
diff --git a/x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt b/x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt
index 2f1594f03ef..ab823ec36bb 100644
--- a/x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt
+++ b/x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt
@@ -49,7 +49,7 @@ process where serial_event_id >= 4
;
mixedTypeFilter
-process where process_name == "notepad.exe" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
+process where process_name : "notepad.exe" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
;
"term":{"process_name":{"value":"notepad.exe"
"range":{"serial_event_id":{"from":3.1,"to":4.5,"include_lower":true,"include_upper":false
@@ -68,7 +68,7 @@ process where process_name in ("python.exe", "SMSS.exe", "explorer.exe")
;
equalsAndInFilter
-process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3)
+process where process_path : "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3)
;
"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*"
{"terms":{"opcode":[0,1,2,3]
@@ -103,14 +103,14 @@ process where cidrMatch(source_address, "10.0.0.0/8") != false
;
twoFunctionsEqualsBooleanLiterals-caseSensitive
-process where endsWith(process_path, "x") == true and endsWith(process_path, "yx") == false
+process where endsWith(process_path, "x") == true and endsWith(process_path, "yx") != true
;
{"bool":{"must":[{"wildcard":{"process_path":{"wildcard":"*x","boost":1.0}}},
{"bool":{"must_not":[{"wildcard":{"process_path":{"wildcard":"*yx","boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}}],"adjust_pure_negative":true,"boost":1.0}}
;
twoFunctionsEqualsBooleanLiterals-caseInsensitive
-process where endsWith(process_path, "x") == true and endsWith(process_path, "yx") == false
+process where endsWith(process_path, "x") == true and endsWith(process_path, "yx") != true
;
"bool":{"must":[{"term":{"event.category":{"value":"process"
"must":[{"script":{"script":{"source":"InternalQlScriptUtils.nullSafeFilter(
@@ -214,9 +214,9 @@ InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2))"
stringFunction
-process where string(pid) == "123"
+process where string(pid) : "123"
;
-"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(
+"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(
InternalEqlScriptUtils.string(InternalQlScriptUtils.docValue(doc,params.v0)),params.v1))",
"params":{"v0":"pid","v1":"123"}
;
@@ -238,25 +238,25 @@ InternalEqlScriptUtils.indexOf(InternalQlScriptUtils.docValue(doc,params.v0),par
;
substringFunction
-process where substring(file_name, -4) == ".exe"
+process where substring(file_name, -4) : ".exe"
;
-"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(
+"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(
InternalEqlScriptUtils.substring(InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2),params.v3))",
"params":{"v0":"file_name.keyword","v1":-4,"v2":null,"v3":".exe"}
;
betweenFunction
-process where between(process_name, "s", "e") == "yst"
+process where between(process_name, "s", "e") : "yst"
;
-"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(
+"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(
InternalEqlScriptUtils.between(InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2,params.v3,params.v4),params.v5))",
"params":{"v0":"process_name","v1":"s","v2":"e","v3":false,"v4":false,"v5":"yst"}
;
concatFunction
-process where concat(process_name, "::foo::", null, 1) == "net.exe::foo::1"
+process where concat(process_name, "::foo::", null, 1) : "net.exe::foo::1"
;
-"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(
+"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(
InternalEqlScriptUtils.concat([InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2,params.v3]),params.v4))",
"params":{"v0":"process_name","v1":"::foo::","v2":null,"v3":1,"v4":"net.exe::foo::1"}
;
@@ -297,9 +297,9 @@ process where cidrMatch(source_address, "10.0.0.0/8", "192.168.0.0/16", "2001:db
;
cidrMatchFunctionWrapped
-process where string(cidrMatch(source_address, "10.6.48.157/8")) == "true"
+process where string(cidrMatch(source_address, "10.6.48.157/8")) : "true"
;
-{"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalEqlScriptUtils.string(
+{"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(InternalEqlScriptUtils.string(
InternalEqlScriptUtils.cidrMatch(InternalQlScriptUtils.docValue(doc,params.v0),params.v1)),params.v2))"
"params":{"v0":"source_address","v1":["10.6.48.157/8"],"v2":"true"}
;