honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-25 06:16:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

EQL: Introduce case-sensitive equality (#63121)

Browse Source 
Introduce : operator for doing case insensitive string comparisons.
Recognizes "*" for wildcard matches in string literals.
Restricted only to string types.

Relates #62941

(cherry picked from commit 201e577e65f26a9b958a6197fe6c7268da39de29)
This commit is contained in:
Costin Leau 2020-10-02 00:19:59 +03:00 committed by Costin Leau
parent d864d14832
commit 614f4c13a5
29 changed files with 1465 additions and 805 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/BaseEqlSpecTestCase.java
View File

@ -32,7 +32,7 @@ import static java.util.stream.Collectors.toList;
public abstract class BaseEqlSpecTestCase extends ESRestTestCase {
protected static final String PARAM_FORMATTING = "%1$s.test -> %2$s";
protected static final String PARAM_FORMATTING = "%2$s";
private RestHighLevelClient highLevelClient;

12
x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml
View File

@ -5,14 +5,14 @@
name = "betweenAdditional1"
expected_event_ids = [95]
query = '''
file where between(file_path, "dev", ".json", false) == "\\TestLogs\\something"
file where between(file_path, "dev", ".json", false) : "\\TestLogs\\something"
'''
[[queries]]
name = "betweenAdditional2"
expected_event_ids = [95]
query = '''
file where between(file_path, "dev", ".json", true) == "\\TestLogs\\something"
file where between(file_path, "dev", ".json", true) : "\\TestLogs\\something"
'''
[[queries]]
@ -26,7 +26,7 @@ network where cidrMatch(source_address, "10.6.48.157/8") == true
name = "stringCidrMatch2"
expected_event_ids = [75304, 75305]
query = '''
network where string(cidrMatch(source_address, "10.6.48.157/8")) == "true"
network where string(cidrMatch(source_address, "10.6.48.157/8")) : "true"
'''
[[queries]]
@ -62,14 +62,14 @@ network where cidrMatch(source_address, "0.0.0.0/0") == true
name = "concatEquals1"
description = "test string concatenation. update test to avoid case-sensitivity issues"
query = '''
process where concat(serial_event_id, "::", process_name, "::", opcode) == "5::wininit.exe::3"
process where concat(serial_event_id, "::", process_name, "::", opcode) : "5::wininit.exe::3"
'''
expected_event_ids = [5]
[[queries]]
name = "concatEquals2"
query = 'process where concat(serial_event_id) == "1"'
query = 'process where concat(serial_event_id) : "1"'
expected_event_ids = [1]
[[queries]]
@ -98,7 +98,7 @@ expected_event_ids = [1, 2, 3, 4]
[[queries]]
name = "numberStringConversion1"
query = 'process where string(serial_event_id) == "1"'
query = 'process where string(serial_event_id) : "1"'
expected_event_ids = [1]

230
x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml
View File

@ -31,7 +31,7 @@ query = 'process where bad_field == null | head 5'
[[queries]]
name = "processNameInexistent"
query = '''
process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
process where process_name : "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
'''
expected_event_ids = [4]
@ -253,7 +253,7 @@ expected_event_ids = [1, 2]
name = "processWithStringEqualityCaseInsensitive1"
case_insensitive = true
query = '''
process where process_name == "VMACTHLP.exe" and unique_pid == 12
process where process_name : "VMACTHLP.exe" and unique_pid == 12
| filter true
'''
expected_event_ids = [12]
@ -351,47 +351,47 @@ name = "lengthCaseInsensitive1"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"
registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] : "EN"
'''
[[queries]]
name = "keyPathWildcard"
query = '''
registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"
registry where key_path : "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"
'''
expected_event_ids = [79]
[[queries]]
name = "processPathWildcardAndIN"
query = '''
process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)
process where process_path : "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)
'''
expected_event_ids = [84, 85]
[[queries]]
name = "descendant1"
query = '''
file where file_name == "csrss.exe" and opcode==0
and descendant of [process where opcode in (1,3) and process_name=="cmd.exe"]
file where file_name : "csrss.exe" and opcode==0
and descendant of [process where opcode in (1,3) and process_name:"cmd.exe"]
'''
expected_event_ids = [72]
[[queries]]
name = "descendant2"
query = '''
process where opcode==1 and process_name == "csrss.exe"
and descendant of [file where file_name == "csrss.exe" and opcode==0]
process where opcode==1 and process_name : "csrss.exe"
and descendant of [file where file_name : "csrss.exe" and opcode==0]
'''
expected_event_ids = [73]
[[queries]]
name = "descendant3"
query = '''
process where opcode==1 and process_name == "smss.exe"
process where opcode==1 and process_name : "smss.exe"
and descendant of [
file where file_name == "csrss.exe" and opcode==0
file where file_name : "csrss.exe" and opcode==0
and descendant of [
process where opcode in(1,3) and process_name=="cmd.exe"
process where opcode in(1,3) and process_name:"cmd.exe"
]
]
'''
@ -400,24 +400,24 @@ expected_event_ids = [78]
[[queries]]
name = "wildcardAndMultipleConditions1"
query = '''
file where file_path=="*\\red_ttp\\winin*.*"
and opcode in (0,1,2) and user_name=="vagrant"
file where file_path:"*\\red_ttp\\winin*.*"
and opcode in (0,1,2) and user_name:"vagrant"
'''
expected_event_ids = [83, 86]
[[queries]]
name = "wildcardAndMultipleConditions2"
query = '''
file where file_path=="*\\red_ttp\\winin*.*"
and opcode not in (0,1,2) and user_name=="vagrant"
file where file_path:"*\\red_ttp\\winin*.*"
and opcode not in (0,1,2) and user_name:"vagrant"
'''
expected_event_ids = []
[[queries]]
name = "wildcardAndMultipleConditions3"
query = '''
file where file_path=="*\\red_ttp\\winin*.*"
and opcode not in (3, 4, 5, 6 ,7) and user_name=="vagrant"
file where file_path:"*\\red_ttp\\winin*.*"
and opcode not in (3, 4, 5, 6 ,7) and user_name:"vagrant"
'''
expected_event_ids = [83, 86]
@ -762,7 +762,7 @@ expected_event_ids = [1, 2,
name = "sequencesOnDifferentEventTypes1"
query = '''
sequence by unique_pid
[process where opcode==1 and process_name == "MSBuild.exe"]
[process where opcode==1 and process_name : "MSBuild.exe"]
[network where true]
'''
expected_event_ids = [75273, 75304]
@ -773,10 +773,10 @@ description = "test that process sequences are working correctly"
name = "sequencesOnDifferentEventTypes2"
query = '''
sequence
[file where event_subtype_full == "file_create_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@ -787,10 +787,10 @@ expected_event_ids = [67, 68, 69, 70,
name = "sequencesOnDifferentEventTypes3"
query = '''
sequence with maxspan=1d
[file where event_subtype_full == "file_create_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@ -801,10 +801,10 @@ expected_event_ids = [67, 68, 69, 70,
name = "sequencesOnDifferentEventTypes4"
query = '''
sequence with maxspan=1h
[file where event_subtype_full == "file_create_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@ -815,10 +815,10 @@ expected_event_ids = [67, 68, 69, 70,
name = "sequencesOnDifferentEventTypes5"
query = '''
sequence with maxspan=1m
[file where event_subtype_full == "file_create_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@ -829,10 +829,10 @@ expected_event_ids = [67, 68, 69, 70,
name = "sequencesOnDifferentEventTypes6"
query = '''
sequence with maxspan=10s
[file where event_subtype_full == "file_create_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@ -843,10 +843,10 @@ expected_event_ids = [67, 68, 69, 70,
name = "sequencesOnDifferentEventTypes7"
query = '''
sequence with maxspan=500ms
[file where event_subtype_full == "file_create_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2
'''
@ -867,7 +867,7 @@ expected_event_ids = [1, 2,
name = "sequencesOnDifferentEventTypesWithBy"
query = '''
sequence
[file where opcode==0 and file_name=="svchost.exe"] by unique_pid
[file where opcode==0 and file_name:"svchost.exe"] by unique_pid
[process where opcode == 1] by unique_ppid
'''
expected_event_ids = [55, 56]
@ -896,8 +896,8 @@ expected_event_ids = [87, 92]
name = "doubleSameSequenceWithByUntilAndHead1"
query = '''
sequence
[file where opcode==0 and file_name=="*.exe"] by unique_pid
[file where opcode==0 and file_name=="*.exe"] by unique_pid
[file where opcode==0 and file_name:"*.exe"] by unique_pid
[file where opcode==0 and file_name:"*.exe"] by unique_pid
until [process where opcode==5000] by unique_ppid
| head 1
'''
@ -907,8 +907,8 @@ expected_event_ids = [55, 61]
name = "doubleSameSequenceWithByUntilAndHead2"
query = '''
sequence
[file where opcode==0 and file_name=="*.exe"] by unique_pid
[file where opcode==0 and file_name=="*.exe"] by unique_pid
[file where opcode==0 and file_name:"*.exe"] by unique_pid
[file where opcode==0 and file_name:"*.exe"] by unique_pid
until [process where opcode==1] by unique_ppid
| head 1
'''
@ -918,8 +918,8 @@ expected_event_ids = []
name = "doubleJoinWithByUntilAndHead"
query = '''
join
[file where opcode==0 and file_name=="*.exe"] by unique_pid
[file where opcode==2 and file_name=="*.exe"] by unique_pid
[file where opcode==0 and file_name:"*.exe"] by unique_pid
[file where opcode==2 and file_name:"*.exe"] by unique_pid
until [process where opcode==1] by unique_ppid
| head 1
'''
@ -929,8 +929,8 @@ expected_event_ids = [61, 59]
name = "twoJoins1"
query = '''
join by user_name
[process where opcode in (1,3) and process_name=="smss.exe"]
[process where opcode in (1,3) and process_name == "python.exe"]
[process where opcode in (1,3) and process_name:"smss.exe"]
[process where opcode in (1,3) and process_name : "python.exe"]
'''
expected_event_ids = [78, 48]
@ -939,8 +939,8 @@ name = "threeJoins1"
query = '''
join by unique_pid
[process where opcode==1]
[file where opcode==0 and file_name=="svchost.exe"]
[file where opcode == 0 and file_name == "lsass.exe"]
[file where opcode==0 and file_name:"svchost.exe"]
[file where opcode == 0 and file_name : "lsass.exe"]
'''
expected_event_ids = [54, 55, 61]
@ -949,8 +949,8 @@ name = "threeJoins2"
query = '''
join by string(unique_pid)
[process where opcode==1]
[file where opcode==0 and file_name=="svchost.exe"]
[file where opcode == 0 and file_name == "lsass.exe"]
[file where opcode==0 and file_name:"svchost.exe"]
[file where opcode == 0 and file_name : "lsass.exe"]
'''
expected_event_ids = [54, 55, 61]
@ -959,8 +959,8 @@ name = "threeJoinsWithUntil1"
query = '''
join by unique_pid
[process where opcode==1]
[file where opcode==0 and file_name=="svchost.exe"]
[file where opcode == 0 and file_name == "lsass.exe"]
[file where opcode==0 and file_name:"svchost.exe"]
[file where opcode == 0 and file_name : "lsass.exe"]
until [file where opcode == 2]
'''
expected_event_ids = []
@ -970,8 +970,8 @@ name = "threeJoinsWithUntil2"
query = '''
join by string(unique_pid), unique_pid, unique_pid * 2
[process where opcode==1]
[file where opcode==0 and file_name=="svchost.exe"]
[file where opcode == 0 and file_name == "lsass.exe"]
[file where opcode==0 and file_name:"svchost.exe"]
[file where opcode == 0 and file_name : "lsass.exe"]
until [file where opcode == 2]
'''
expected_event_ids = []
@ -980,7 +980,7 @@ expected_event_ids = []
name = "twoJoins2"
query = '''
join
[file where opcode==0 and file_name=="svchost.exe"] by unique_pid
[file where opcode==0 and file_name:"svchost.exe"] by unique_pid
[process where opcode == 1] by unique_ppid
'''
expected_event_ids = [55, 56]
@ -989,8 +989,8 @@ expected_event_ids = [55, 56]
name = "twoJoins3"
query = '''
join by unique_pid
[process where opcode in (1,3) and process_name=="python.exe"]
[file where file_name == "*.exe"]
[process where opcode in (1,3) and process_name:"python.exe"]
[file where file_name : "*.exe"]
'''
expected_event_ids = [54, 55]
@ -998,8 +998,8 @@ expected_event_ids = [54, 55]
name = "twoJoins4"
query = '''
join by user_name
[process where opcode in (1,3) and process_name=="python.exe"]
[process where opcode in (1,3) and process_name == "smss.exe"]
[process where opcode in (1,3) and process_name:"python.exe"]
[process where opcode in (1,3) and process_name : "smss.exe"]
'''
expected_event_ids = [48, 78]
@ -1007,8 +1007,8 @@ expected_event_ids = [48, 78]
name = "twoJoins5"
query = '''
join
[process where opcode in (1,3) and process_name=="python.exe"]
[process where opcode in (1,3) and process_name == "smss.exe"]
[process where opcode in (1,3) and process_name:"python.exe"]
[process where opcode in (1,3) and process_name : "smss.exe"]
'''
expected_event_ids = [48, 3, 50, 78]
@ -1016,7 +1016,7 @@ expected_event_ids = [48, 3, 50, 78]
name = "fakeField"
expected_event_ids = []
query = '''
process where fake_field == "*"
process where fake_field : "*"
'''
[[queries]]
@ -1033,7 +1033,7 @@ expected_event_ids = []
[[queries]]
name = "fakeFieldWithHead2"
query = '''
process where not (fake_field == "*")
process where not (fake_field : "*")
| head 4
'''
# no longer valid, since this returns `null`, and `not null` is still null
@ -1059,9 +1059,9 @@ name = "multipleConditions2"
query = '''
process where opcode == 1
and process_name in ("net.exe", "net1.exe")
and not (parent_process_name == "net.exe"
and process_name == "net1.exe")
and command_line == "*group *admin*" and command_line != "* /add*"
and not (parent_process_name : "net.exe"
and process_name : "net1.exe")
and command_line : "*group *admin*" and command_line != "* /add*"
'''
expected_event_ids = [97]
@ -1077,7 +1077,7 @@ any where true
name = "multipleConditionsWithDescendant1"
query = '''
process where opcode==1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
and descendant of [process where process_name == "cmd.exe" ]
and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [62, 68, 78]
@ -1085,7 +1085,7 @@ expected_event_ids = [62, 68, 78]
name = "INWithDescendant"
query = '''
process where process_name in ("services.exe", "smss.exe", "lsass.exe")
and descendant of [process where process_name == "cmd.exe" ]
and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [62, 64, 68, 69, 78, 80]
@ -1093,23 +1093,23 @@ expected_event_ids = [62, 64, 68, 69, 78, 80]
name = "multipleConditionsWithDescendant2"
query = '''
process where opcode==2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
and descendant of [process where process_name == "cmd.exe" ]
and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [64, 69, 80]
[[queries]]
name = "childOf1"
query = '''
process where process_name=="svchost.exe"
and child of [file where file_name=="svchost.exe" and opcode==0]
process where process_name:"svchost.exe"
and child of [file where file_name:"svchost.exe" and opcode==0]
'''
expected_event_ids = [56, 58]
[[queries]]
name = "childOf2"
query = '''
process where process_name=="svchost.exe"
and not child of [file where file_name=="svchost.exe" and opcode==0]
process where process_name:"svchost.exe"
and not child of [file where file_name:"svchost.exe" and opcode==0]
| head 3
'''
expected_event_ids = [11, 13, 15]
@ -1117,10 +1117,10 @@ expected_event_ids = [11, 13, 15]
[[queries]]
name = "nestedChildOf1"
query = '''
process where process_name=="lsass.exe"
process where process_name:"lsass.exe"
and child of [
process where process_name=="python.exe"
and child of [process where process_name=="cmd.exe"]
process where process_name:"python.exe"
and child of [process where process_name:"cmd.exe"]
]
'''
expected_event_ids = [62, 64]
@ -1130,7 +1130,7 @@ name = "nestedChildOf2"
query = '''
file where child of [
process where child of [
process where child of [process where process_name=="*wsmprovhost.exe"]
process where child of [process where process_name:"*wsmprovhost.exe"]
]
]
| tail 1
@ -1140,7 +1140,7 @@ expected_event_ids = [91]
[[queries]]
name = "fileByUniquePid1"
query = '''
file where process_name == "python.exe"
file where process_name : "python.exe"
| unique unique_pid
'''
expected_event_ids = [55, 95]
@ -1148,7 +1148,7 @@ expected_event_ids = [55, 95]
[[queries]]
name = "fileByUniquePid2"
query = '''
file where event of [process where process_name == "python.exe" ]
file where event of [process where process_name : "python.exe" ]
| unique unique_pid
'''
expected_event_ids = [55, 95]
@ -1156,20 +1156,20 @@ expected_event_ids = [55, 95]
[[queries]]
name = "simpleStringEquality"
query = '''
process where process_name == "python.exe"
process where process_name : "python.exe"
'''
expected_event_ids = [48, 50, 51, 54, 93]
[[queries]]
name = "eventOfProcess"
query = 'process where event of [process where process_name == "python.exe" ]'
query = 'process where event of [process where process_name : "python.exe" ]'
expected_event_ids = [48, 50, 51, 54, 93]
[[queries]]
name = "twoSequencesWithKeys2"
query = '''
sequence
[file where file_name=="lsass.exe"] by file_path,process_path
[file where file_name:"lsass.exe"] by file_path,process_path
[process where true] by process_path,parent_process_path
'''
expected_event_ids = [61, 62]
@ -1178,7 +1178,7 @@ expected_event_ids = [61, 62]
name = "twoSequencesWithKeys3"
query = '''
sequence by user_name
[file where file_name=="lsass.exe"] by file_path, process_path
[file where file_name:"lsass.exe"] by file_path, process_path
[process where true] by process_path, parent_process_path
'''
expected_event_ids = [61, 62]
@ -1187,7 +1187,7 @@ expected_event_ids = [61, 62]
name = "twoSequencesWithKeys4"
query = '''
sequence by pid
[file where file_name=="lsass.exe"] by file_path,process_path
[file where file_name:"lsass.exe"] by file_path,process_path
[process where true] by process_path,parent_process_path
'''
expected_event_ids = []
@ -1263,21 +1263,21 @@ expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73]
[[queries]]
name = "wildcard1"
query = '''
process where command_line == "*%*"
process where command_line : "*%*"
'''
expected_event_ids = [4, 6, 28]
[[queries]]
name = "wildcard2"
query = '''
process where command_line == "*%*%*"
process where command_line : "*%*%*"
'''
expected_event_ids = [4, 6, 28]
[[queries]]
name = "wildcard3"
query = '''
process where command_line == "%*%*"
process where command_line : "%*%*"
'''
expected_event_ids = [4, 6, 28]
@ -1285,7 +1285,7 @@ expected_event_ids = [4, 6, 28]
name = "uniqueCount1"
expected_event_ids = [11, 60, 63]
query = '''
any where process_name == "svchost.exe"
any where process_name : "svchost.exe"
| unique_count event_type_full process_name
'''
@ -1293,7 +1293,7 @@ any where process_name == "svchost.exe"
name = "uniqueCount2"
expected_event_ids = [63, 60, 11]
query = '''
any where process_name == "svchost.exe"
any where process_name : "svchost.exe"
| sort event_type_full serial_event_id
| unique_count event_type_full process_name
'''
@ -1302,7 +1302,7 @@ any where process_name == "svchost.exe"
name = "uniqueCount3"
expected_event_ids = [60]
query = '''
any where process_name == "svchost.exe"
any where process_name : "svchost.exe"
| unique_count event_type_full opcode
| filter count == 7
'''
@ -1311,7 +1311,7 @@ any where process_name == "svchost.exe"
name = "uniqueCountAndFilter"
expected_event_ids = [11]
query = '''
any where process_name == "svchost.exe"
any where process_name : "svchost.exe"
| unique_count event_type_full opcode
| filter percent >= .5
'''
@ -1338,7 +1338,7 @@ name = "lengthCaseInsensitive2"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == "EN-us"
registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] : "EN-us"
'''
[[queries]]
@ -1346,7 +1346,7 @@ name = "arrayCaseInsensitive1"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where bytes_written_string_list[0] == "EN-us"
registry where bytes_written_string_list[0] : "EN-us"
'''
[[queries]]
@ -1354,7 +1354,7 @@ name = "arrayCaseInsensitive2"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where bytes_written_string_list[1] == "EN"
registry where bytes_written_string_list[1] : "EN"
'''
@ -1379,21 +1379,21 @@ name = "arrayCaseInsensitive3"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == "en-US"
registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] : "en-US"
'''
[[queries]]
name = "arrayEquality1"
expected_event_ids = [57]
query = '''
registry where bytes_written_string_list[0] == "en-US"
registry where bytes_written_string_list[0] : "en-US"
'''
[[queries]]
name = "arrayEquality2"
expected_event_ids = [57]
query = '''
registry where bytes_written_string_list[1] == "en"
registry where bytes_written_string_list[1] : "en"
'''
[[queries]]
@ -1436,7 +1436,7 @@ name = "stringEqualsCaseInsensitive1"
case_insensitive = true
query = '''
process where "net.EXE" == original_file_name
| filter process_name=="net*.exe"
| filter process_name:"net*.exe"
'''
expected_event_ids = [97]
note = "check that case insensitive comparisons are performed even for lhs strings."
@ -1445,7 +1445,7 @@ note = "check that case insensitive comparisons are performed even for lhs strin
name = "stringEqualsCaseInsensitive2"
case_insensitive = true
query = '''
process where process_name == original_file_name and process_name=="net*.exe"
process where process_name == original_file_name and process_name:"net*.exe"
'''
expected_event_ids = [97, 98]
note = "check that case insensitive comparisons are performed for fields."
@ -1649,7 +1649,7 @@ description = "check substring ranges"
name = "substring1"
case_insensitive = true
query = '''
file where serial_event_id==88 and substring(file_name, 0, 4) == "expl"
file where serial_event_id==88 and substring(file_name, 0, 4) : "expl"
'''
expected_event_ids = [88]
description = "check substring ranges"
@ -1667,7 +1667,7 @@ description = "check substring ranges"
name = "substring3"
case_insensitive = true
query = '''
file where substring(file_name, 1, 3) == "xp"
file where substring(file_name, 1, 3) : "xp"
'''
expected_event_ids = [88, 91, 92]
description = "check substring ranges"
@ -1675,7 +1675,7 @@ description = "check substring ranges"
[[queries]]
name = "substring4"
query = '''
file where substring(file_name, -4) == ".exe"
file where substring(file_name, -4) : ".exe"
'''
expected_event_ids = [55, 59, 61, 65, 67, 70, 72, 75, 76, 81, 83, 86, 88, 91]
description = "check substring ranges"
@ -1683,7 +1683,7 @@ description = "check substring ranges"
[[queries]]
name = "substring5"
query = '''
file where substring(file_name, -4, -1) == ".ex"
file where substring(file_name, -4, -1) : ".ex"
'''
expected_event_ids = [55, 59, 61, 65, 67, 70, 72, 75, 76, 81, 83, 86, 88, 91]
description = "check substring ranges"
@ -1747,7 +1747,7 @@ process where serial_event_id == number("32", 16)
[[queries]]
name = "concat1"
query = '''
process where concat(serial_event_id, ":", process_name, opcode) == "5:wininit.exe3"
process where concat(serial_event_id, ":", process_name, opcode) : "5:wininit.exe3"
'''
expected_event_ids = [5]
description = "test string concatenation"
@ -1756,7 +1756,7 @@ description = "test string concatenation"
name = "concatCaseInsensitive"
case_insensitive = true
query = '''
process where concat(serial_event_id, ":", process_name, opcode) == "5:winINIT.exe3"
process where concat(serial_event_id, ":", process_name, opcode) : "5:winINIT.exe3"
'''
expected_event_ids = [5]
description = "test string concatenation"
@ -1776,7 +1776,7 @@ name = "arraySearch1"
expected_event_ids = [57]
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
registry where arraySearch(bytes_written_string_list, a, a == "en-US")
registry where arraySearch(bytes_written_string_list, a, a : "en-US")
'''
[[queries]]
@ -1785,7 +1785,7 @@ case_sensitive = true
expected_event_ids = []
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
registry where arraySearch(bytes_written_string_list, a, a == "EN-US")
registry where arraySearch(bytes_written_string_list, a, a : "EN-US")
'''
[[queries]]
@ -1794,7 +1794,7 @@ case_insensitive = true
expected_event_ids = [57]
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
registry where arraySearch(bytes_written_string_list, a, a == "en-us")
registry where arraySearch(bytes_written_string_list, a, a : "en-us")
'''
[[queries]]
@ -1828,7 +1828,7 @@ name = "arraySearchWithMysteriousField3"
expected_event_ids = [75305]
description = "test arraySearch - conditional"
query = '''
network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == "s0-*")
network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a : "s0-*")
'''
[[queries]]
@ -1846,7 +1846,7 @@ description = "test arraySearch - nested"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
arraySearch(sub1.c, nested, nested.x.y == "*"))
arraySearch(sub1.c, nested, nested.x.y : "*"))
'''
[[queries]]
@ -1856,7 +1856,7 @@ description = "test arraySearch - nested with cross-check pass"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
sub1.a == "s0-a" and arraySearch(sub1.c, nested, nested.z == "s0-c1-x-z"))
sub1.a : "s0-a" and arraySearch(sub1.c, nested, nested.z : "s0-c1-x-z"))
'''
[[queries]]
@ -1866,7 +1866,7 @@ description = "test arraySearch - nested with cross-check pass"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
sub1.a == "s0-a" and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
sub1.a : "s0-a" and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
'''
[[queries]]
@ -1901,7 +1901,7 @@ name = "arrayCount1"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where arrayCount(bytes_written_string_list, s, s == "*-us") == 1
registry where arrayCount(bytes_written_string_list, s, s : "*-us") == 1
'''
[[queries]]
@ -1909,7 +1909,7 @@ name = "arrayCount2"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where arrayCount(bytes_written_string_list, s, s == "*en*") == 2
registry where arrayCount(bytes_written_string_list, s, s : "*en*") == 2
'''
[[queries]]
@ -1955,7 +1955,7 @@ name = "betweenCaseInsensitive1"
case_insensitive = true
expected_event_ids = [1, 2]
query = '''
process where between(process_name, "s", "e") == "yst"
process where between(process_name, "s", "e") : "yst"
'''
[[queries]]
@ -1963,7 +1963,7 @@ name = "betweenCaseInsensitive2"
case_insensitive = true
expected_event_ids = [1, 2]
query = '''
process where between(process_name, "s", "e", false) == "yst"
process where between(process_name, "s", "e", false) : "yst"
'''
[[queries]]
@ -1971,14 +1971,14 @@ name = "betweenCaseSensitive"
case_sensitive = true
expected_event_ids = [1, 2, 42]
query = '''
process where between(process_name, "s", "e", false) == "t"
process where between(process_name, "s", "e", false) : "t"
'''
[[queries]]
name = "between1"
expected_event_ids = [1]
query = '''
process where between(process_name, "S", "e", true) == "ystem Idle Proc"
process where between(process_name, "S", "e", true) : "ystem Idle Proc"
'''
[[queries]]
@ -1986,21 +1986,21 @@ name = "betweenCaseInsensitive3"
case_insensitive = true
expected_event_ids = [1]
query = '''
process where between(process_name, "s", "e", true) == "ystem Idle Proc"
process where between(process_name, "s", "e", true) : "ystem Idle Proc"
'''
[[queries]]
name = "between2"
expected_event_ids = [95]
query = '''
file where between(file_path, "dev", ".json", false) == "\\TestLogs\\something"
file where between(file_path, "dev", ".json", false) : "\\TestLogs\\something"
'''
[[queries]]
name = "between3"
expected_event_ids = [95]
query = '''
file where between(file_path, "dev", ".json", true) == "\\TestLogs\\something"
file where between(file_path, "dev", ".json", true) : "\\TestLogs\\something"
'''

138
x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml
View File

@ -134,7 +134,7 @@ expected_event_ids = [1, 2]
name = "processWithStringEqualityCaseInsensitive1"
case_insensitive = true
query = '''
process where process_name == "VMACTHLP.exe" and unique_pid == 12
process where process_name : "VMACTHLP.exe" and unique_pid == 12
| filter true
'''
expected_event_ids = [12]
@ -232,33 +232,33 @@ name = "lengthCaseInsensitive"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"
registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] : "EN"
'''
[[queries]]
name = "descendant1"
query = '''
file where file_name == "csrss.exe" and opcode==0
and descendant of [process where opcode in (1,3) and process_name=="cmd.exe"]
file where file_name : "csrss.exe" and opcode==0
and descendant of [process where opcode in (1,3) and process_name:"cmd.exe"]
'''
expected_event_ids = [72]
[[queries]]
name = "descendant2"
query = '''
process where opcode==1 and process_name == "csrss.exe"
and descendant of [file where file_name == "csrss.exe" and opcode==0]
process where opcode==1 and process_name : "csrss.exe"
and descendant of [file where file_name : "csrss.exe" and opcode==0]
'''
expected_event_ids = [73]
[[queries]]
name = "descendant3"
query = '''
process where opcode==1 and process_name == "smss.exe"
process where opcode==1 and process_name : "smss.exe"
and descendant of [
file where file_name == "csrss.exe" and opcode==0
file where file_name : "csrss.exe" and opcode==0
and descendant of [
process where opcode in(1,3) and process_name=="cmd.exe"
process where opcode in(1,3) and process_name:"cmd.exe"
]
]
'''
@ -359,8 +359,8 @@ expected_event_ids = [87, 92]
name = "doubleSameSequenceWithByUntilAndHead2"
query = '''
join
[file where opcode==0 and file_name=="*.exe"] by unique_pid
[file where opcode==2 and file_name=="*.exe"] by unique_pid
[file where opcode==0 and file_name:"*.exe"] by unique_pid
[file where opcode==2 and file_name:"*.exe"] by unique_pid
until [process where opcode==1] by unique_ppid
| head 1
'''
@ -370,8 +370,8 @@ expected_event_ids = [61, 59]
name = "twoJoins1"
query = '''
join by user_name
[process where opcode in (1,3) and process_name=="smss.exe"]
[process where opcode in (1,3) and process_name == "python.exe"]
[process where opcode in (1,3) and process_name:"smss.exe"]
[process where opcode in (1,3) and process_name : "python.exe"]
'''
expected_event_ids = [78, 48]
@ -380,8 +380,8 @@ name = "threeJoins1"
query = '''
join by unique_pid
[process where opcode==1]
[file where opcode==0 and file_name=="svchost.exe"]
[file where opcode == 0 and file_name == "lsass.exe"]
[file where opcode==0 and file_name:"svchost.exe"]
[file where opcode == 0 and file_name : "lsass.exe"]
'''
expected_event_ids = [54, 55, 61]
@ -390,8 +390,8 @@ name = "threeJoins2"
query = '''
join by string(unique_pid)
[process where opcode==1]
[file where opcode==0 and file_name=="svchost.exe"]
[file where opcode == 0 and file_name == "lsass.exe"]
[file where opcode==0 and file_name:"svchost.exe"]
[file where opcode == 0 and file_name : "lsass.exe"]
'''
expected_event_ids = [54, 55, 61]
@ -400,8 +400,8 @@ name = "threeJoinsWithUntil1"
query = '''
join by unique_pid
[process where opcode==1]
[file where opcode==0 and file_name=="svchost.exe"]
[file where opcode == 0 and file_name == "lsass.exe"]
[file where opcode==0 and file_name:"svchost.exe"]
[file where opcode == 0 and file_name : "lsass.exe"]
until [file where opcode == 2]
'''
expected_event_ids = []
@ -411,8 +411,8 @@ name = "threeJoinsWithUntil1"
query = '''
join by string(unique_pid), unique_pid, unique_pid * 2
[process where opcode==1]
[file where opcode==0 and file_name=="svchost.exe"]
[file where opcode == 0 and file_name == "lsass.exe"]
[file where opcode==0 and file_name:"svchost.exe"]
[file where opcode == 0 and file_name : "lsass.exe"]
until [file where opcode == 2]
'''
expected_event_ids = []
@ -421,7 +421,7 @@ expected_event_ids = []
name = "twoJoins2"
query = '''
join
[file where opcode==0 and file_name=="svchost.exe"] by unique_pid
[file where opcode==0 and file_name:"svchost.exe"] by unique_pid
[process where opcode == 1] by unique_ppid
'''
expected_event_ids = [55, 56]
@ -430,8 +430,8 @@ expected_event_ids = [55, 56]
name = "twoJoins3"
query = '''
join by unique_pid
[process where opcode in (1,3) and process_name=="python.exe"]
[file where file_name == "*.exe"]
[process where opcode in (1,3) and process_name:"python.exe"]
[file where file_name : "*.exe"]
'''
expected_event_ids = [54, 55]
@ -439,8 +439,8 @@ expected_event_ids = [54, 55]
name = "twoJoins4"
query = '''
join by user_name
[process where opcode in (1,3) and process_name=="python.exe"]
[process where opcode in (1,3) and process_name == "smss.exe"]
[process where opcode in (1,3) and process_name:"python.exe"]
[process where opcode in (1,3) and process_name : "smss.exe"]
'''
expected_event_ids = [48, 78]
@ -448,8 +448,8 @@ expected_event_ids = [48, 78]
name = "twoJoins5"
query = '''
join
[process where opcode in (1,3) and process_name=="python.exe"]
[process where opcode in (1,3) and process_name == "smss.exe"]
[process where opcode in (1,3) and process_name:"python.exe"]
[process where opcode in (1,3) and process_name : "smss.exe"]
'''
expected_event_ids = [48, 3, 50, 78]
@ -457,7 +457,7 @@ expected_event_ids = [48, 3, 50, 78]
name = "fakeField"
expected_event_ids = []
query = '''
process where fake_field == "*"
process where fake_field : "*"
'''
[[queries]]
@ -476,7 +476,7 @@ name = "fakeFieldWithHead2"
# expected_event_ids = [1, 2, 3, 4]
expected_event_ids = []
query = '''
process where not (fake_field == "*")
process where not (fake_field : "*")
| head 4
'''
@ -569,7 +569,7 @@ any where true
name = "multipleConditionsWithDescendant1"
query = '''
process where opcode==1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
and descendant of [process where process_name == "cmd.exe" ]
and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [62, 68, 78]
@ -577,7 +577,7 @@ expected_event_ids = [62, 68, 78]
name = "INWithDescendant"
query = '''
process where process_name in ("services.exe", "smss.exe", "lsass.exe")
and descendant of [process where process_name == "cmd.exe" ]
and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [62, 64, 68, 69, 78, 80]
@ -585,23 +585,23 @@ expected_event_ids = [62, 64, 68, 69, 78, 80]
name = "multipleConditionsWithDescendant2"
query = '''
process where opcode==2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
and descendant of [process where process_name == "cmd.exe" ]
and descendant of [process where process_name : "cmd.exe" ]
'''
expected_event_ids = [64, 69, 80]
[[queries]]
name = "childOf1"
query = '''
process where process_name=="svchost.exe"
and child of [file where file_name=="svchost.exe" and opcode==0]
process where process_name:"svchost.exe"
and child of [file where file_name:"svchost.exe" and opcode==0]
'''
expected_event_ids = [56, 58]
[[queries]]
name = "childOf2"
query = '''
process where process_name=="svchost.exe"
and not child of [file where file_name=="svchost.exe" and opcode==0]
process where process_name:"svchost.exe"
and not child of [file where file_name:"svchost.exe" and opcode==0]
| head 3
'''
expected_event_ids = [11, 13, 15]
@ -609,10 +609,10 @@ expected_event_ids = [11, 13, 15]
[[queries]]
name = "nestedChildOf1"
query = '''
process where process_name=="lsass.exe"
process where process_name:"lsass.exe"
and child of [
process where process_name=="python.exe"
and child of [process where process_name=="cmd.exe"]
process where process_name:"python.exe"
and child of [process where process_name:"cmd.exe"]
]
'''
expected_event_ids = [62, 64]
@ -622,7 +622,7 @@ name = "nestedChildOf2"
query = '''
file where child of [
process where child of [
process where child of [process where process_name=="*wsmprovhost.exe"]
process where child of [process where process_name:"*wsmprovhost.exe"]
]
]
| tail 1
@ -632,7 +632,7 @@ expected_event_ids = [91]
[[queries]]
name = "fileByUniquePid1"
query = '''
file where process_name == "python.exe"
file where process_name : "python.exe"
| unique unique_pid
'''
expected_event_ids = [55, 95]
@ -640,7 +640,7 @@ expected_event_ids = [55, 95]
[[queries]]
name = "fileByUniquePid2"
query = '''
file where event of [process where process_name == "python.exe" ]
file where event of [process where process_name : "python.exe" ]
| unique unique_pid
'''
expected_event_ids = [55, 95]
@ -648,13 +648,13 @@ expected_event_ids = [55, 95]
[[queries]]
name = "simpleStringEquality"
query = '''
process where process_name == "python.exe"
process where process_name : "python.exe"
'''
expected_event_ids = [48, 50, 51, 54, 93]
[[queries]]
name = "eventOfProcess"
query = 'process where event of [process where process_name == "python.exe" ]'
query = 'process where event of [process where process_name : "python.exe" ]'
expected_event_ids = [48, 50, 51, 54, 93]
[[queries]]
@ -682,7 +682,7 @@ expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73]
name = "uniqueCount1"
expected_event_ids = [11, 60, 63]
query = '''
any where process_name == "svchost.exe"
any where process_name : "svchost.exe"
| unique_count event_type_full process_name
'''
@ -690,7 +690,7 @@ any where process_name == "svchost.exe"
name = "uniqueCount2"
expected_event_ids = [63, 60, 11]
query = '''
any where process_name == "svchost.exe"
any where process_name : "svchost.exe"
| sort event_type_full serial_event_id
| unique_count event_type_full process_name
'''
@ -699,7 +699,7 @@ any where process_name == "svchost.exe"
name = "uniqueCount3"
expected_event_ids = [60]
query = '''
any where process_name == "svchost.exe"
any where process_name : "svchost.exe"
| unique_count event_type_full opcode
| filter count == 7
'''
@ -708,7 +708,7 @@ any where process_name == "svchost.exe"
name = "uniqueCountAndFilter"
expected_event_ids = [11]
query = '''
any where process_name == "svchost.exe"
any where process_name : "svchost.exe"
| unique_count event_type_full opcode
| filter percent >= .5
'''
@ -735,7 +735,7 @@ name = "lengthCaseInsensitive"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == "EN-us"
registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] : "EN-us"
'''
[[queries]]
@ -743,7 +743,7 @@ name = "arrayCaseInsensitive1"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where bytes_written_string_list[0] == "EN-us"
registry where bytes_written_string_list[0] : "EN-us"
'''
[[queries]]
@ -751,7 +751,7 @@ name = "arrayCaseInsensitive2"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where bytes_written_string_list[1] == "EN"
registry where bytes_written_string_list[1] : "EN"
'''
@ -776,21 +776,21 @@ name = "arrayCaseInsensitive3"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == "en-US"
registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] : "en-US"
'''
[[queries]]
name = "arrayEquality1"
expected_event_ids = [57]
query = '''
registry where bytes_written_string_list[0] == "en-US"
registry where bytes_written_string_list[0] : "en-US"
'''
[[queries]]
name = "arrayEquality2"
expected_event_ids = [57]
query = '''
registry where bytes_written_string_list[1] == "en"
registry where bytes_written_string_list[1] : "en"
'''
# character classes aren't supported. custom tests made in test_queries_supported.toml
@ -834,7 +834,7 @@ name = "stringEqualsCaseInsensitive1"
case_insensitive = true
query = '''
process where "net.EXE" == original_file_name
| filter process_name=="net*.exe"
| filter process_name:"net*.exe"
'''
expected_event_ids = [97]
note = "check that case insensitive comparisons are performed even for lhs strings."
@ -843,7 +843,7 @@ note = "check that case insensitive comparisons are performed even for lhs strin
name = "stringEqualsCaseInsensitive2"
case_insensitive = true
query = '''
process where process_name == original_file_name and process_name=="net*.exe"
process where process_name == original_file_name and process_name:"net*.exe"
'''
expected_event_ids = [97, 98]
note = "check that case insensitive comparisons are performed for fields."
@ -861,7 +861,7 @@ description = "check that case insensitive comparisons are performed for fields.
name = "substring3"
case_insensitive = true
query = '''
file where substring(file_name, 1, 3) == "xp"
file where substring(file_name, 1, 3) : "xp"
'''
expected_event_ids = [88, 91, 92]
description = "check substring ranges"
@ -878,7 +878,7 @@ description = "test built-in math functions"
name = "concatCaseInsensitive"
case_insensitive = true
query = '''
process where concat(serial_event_id, ":", process_name, opcode) == "5:winINIT.exe3"
process where concat(serial_event_id, ":", process_name, opcode) : "5:winINIT.exe3"
'''
expected_event_ids = [5]
description = "test string concatenation"
@ -898,7 +898,7 @@ name = "arraySearch1"
expected_event_ids = [57]
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
registry where arraySearch(bytes_written_string_list, a, a == "en-US")
registry where arraySearch(bytes_written_string_list, a, a : "en-US")
'''
[[queries]]
@ -907,7 +907,7 @@ case_sensitive = true
expected_event_ids = []
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
registry where arraySearch(bytes_written_string_list, a, a == "EN-US")
registry where arraySearch(bytes_written_string_list, a, a : "EN-US")
'''
[[queries]]
@ -916,7 +916,7 @@ case_insensitive = true
expected_event_ids = [57]
description = "test arraySearch functionality for lists of strings, and lists of objects"
query = '''
registry where arraySearch(bytes_written_string_list, a, a == "en-us")
registry where arraySearch(bytes_written_string_list, a, a : "en-us")
'''
[[queries]]
@ -950,7 +950,7 @@ name = "arraySearchWithMysteriousField3"
expected_event_ids = [75305]
description = "test arraySearch - conditional"
query = '''
network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == "s0-*")
network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a : "s0-*")
'''
[[queries]]
@ -968,7 +968,7 @@ description = "test arraySearch - nested"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
arraySearch(sub1.c, nested, nested.x.y == "*"))
arraySearch(sub1.c, nested, nested.x.y : "*"))
'''
[[queries]]
@ -978,7 +978,7 @@ description = "test arraySearch - nested with cross-check pass"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
sub1.a == "s0-a" and arraySearch(sub1.c, nested, nested.z == "s0-c1-x-z"))
sub1.a : "s0-a" and arraySearch(sub1.c, nested, nested.z : "s0-c1-x-z"))
'''
[[queries]]
@ -988,7 +988,7 @@ description = "test arraySearch - nested with cross-check pass"
query = '''
network where mysterious_field
and arraySearch(mysterious_field.subarray, sub1,
sub1.a == "s0-a" and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
sub1.a : "s0-a" and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
'''
[[queries]]
@ -1023,7 +1023,7 @@ name = "arrayCount1"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where arrayCount(bytes_written_string_list, s, s == "*-us") == 1
registry where arrayCount(bytes_written_string_list, s, s : "*-us") == 1
'''
[[queries]]
@ -1031,7 +1031,7 @@ name = "arrayCount2"
case_insensitive = true
expected_event_ids = [57]
query = '''
registry where arrayCount(bytes_written_string_list, s, s == "*en*") == 2
registry where arrayCount(bytes_written_string_list, s, s : "*en*") == 2
'''
[[queries]]
@ -1072,7 +1072,7 @@ name = "betweenCaseSensitive"
case_sensitive = true
expected_event_ids = [1, 2, 42]
query = '''
process where between(process_name, "s", "e", false) == "t"
process where between(process_name, "s", "e", false) : "t"
'''
# TODO: add toggles to this function so it's not always insensitive

5
x-pack/plugin/eql/src/main/antlr/EqlBase.g4
View File

@ -121,7 +121,7 @@ constant
;
comparisonOperator
: EQ | NEQ | LT | LTE | GT | GTE
: SEQ | EQ | NEQ | LT | LTE | GT | GTE
;
booleanValue
@ -168,6 +168,9 @@ WHERE: 'where';
WITH: 'with';
// Operators
// dedicated string equality - case-insensitive and supporting * operator
SEQ : ':';
// regular operators
ASGN : '=';
EQ : '==';
NEQ : '!=';

94
x-pack/plugin/eql/src/main/antlr/EqlBase.tokens
View File

@ -14,33 +14,34 @@ TRUE=13
UNTIL=14
WHERE=15
WITH=16
ASGN=17
EQ=18
NEQ=19
LT=20
LTE=21
GT=22
GTE=23
PLUS=24
MINUS=25
ASTERISK=26
SLASH=27
PERCENT=28
DOT=29
COMMA=30
LB=31
RB=32
LP=33
RP=34
PIPE=35
ESCAPED_IDENTIFIER=36
STRING=37
INTEGER_VALUE=38
DECIMAL_VALUE=39
IDENTIFIER=40
LINE_COMMENT=41
BRACKETED_COMMENT=42
WS=43
SEQ=17
ASGN=18
EQ=19
NEQ=20
LT=21
LTE=22
GT=23
GTE=24
PLUS=25
MINUS=26
ASTERISK=27
SLASH=28
PERCENT=29
DOT=30
COMMA=31
LB=32
RB=33
LP=34
RP=35
PIPE=36
ESCAPED_IDENTIFIER=37
STRING=38
INTEGER_VALUE=39
DECIMAL_VALUE=40
IDENTIFIER=41
LINE_COMMENT=42
BRACKETED_COMMENT=43
WS=44
'and'=1
'any'=2
'by'=3
@ -57,22 +58,23 @@ WS=43
'until'=14
'where'=15
'with'=16
'='=17
'=='=18
'!='=19
'<'=20
'<='=21
'>'=22
'>='=23
'+'=24
'-'=25
'*'=26
'/'=27
'%'=28
'.'=29
','=30
'['=31
']'=32
'('=33
')'=34
'|'=35
':'=17
'='=18
'=='=19
'!='=20
'<'=21
'<='=22
'>'=23
'>='=24
'+'=25
'-'=26
'*'=27
'/'=28
'%'=29
'.'=30
','=31
'['=32
']'=33
'('=34
')'=35
'|'=36

94
x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens
View File

@ -14,33 +14,34 @@ TRUE=13
UNTIL=14
WHERE=15
WITH=16
ASGN=17
EQ=18
NEQ=19
LT=20
LTE=21
GT=22
GTE=23
PLUS=24
MINUS=25
ASTERISK=26
SLASH=27
PERCENT=28
DOT=29
COMMA=30
LB=31
RB=32
LP=33
RP=34
PIPE=35
ESCAPED_IDENTIFIER=36
STRING=37
INTEGER_VALUE=38
DECIMAL_VALUE=39
IDENTIFIER=40
LINE_COMMENT=41
BRACKETED_COMMENT=42
WS=43
SEQ=17
ASGN=18
EQ=19
NEQ=20
LT=21
LTE=22
GT=23
GTE=24
PLUS=25
MINUS=26
ASTERISK=27
SLASH=28
PERCENT=29
DOT=30
COMMA=31
LB=32
RB=33
LP=34
RP=35
PIPE=36
ESCAPED_IDENTIFIER=37
STRING=38
INTEGER_VALUE=39
DECIMAL_VALUE=40
IDENTIFIER=41
LINE_COMMENT=42
BRACKETED_COMMENT=43
WS=44
'and'=1
'any'=2
'by'=3
@ -57,22 +58,23 @@ WS=43
'until'=14
'where'=15
'with'=16
'='=17
'=='=18
'!='=19
'<'=20
'<='=21
'>'=22
'>='=23
'+'=24
'-'=25
'*'=26
'/'=27
'%'=28
'.'=29
','=30
'['=31
']'=32
'('=33
')'=34
'|'=35
':'=17
'='=18
'=='=19
'!='=20
'<'=21
'<='=22
'>'=23
'>='=24
'+'=25
'-'=26
'*'=27
'/'=28
'%'=29
'.'=30
','=31
'['=32
']'=33
'('=34
')'=35
'|'=36

12
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/scalar/whitelist/InternalEqlScriptUtils.java
View File

@ -6,6 +6,7 @@
package org.elasticsearch.xpack.eql.expression.function.scalar.whitelist;
import org.elasticsearch.xpack.eql.expression.function.scalar.math.ToNumberFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.BetweenFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.CIDRMatchFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.ConcatFunctionProcessor;
@ -14,12 +15,13 @@ import org.elasticsearch.xpack.eql.expression.function.scalar.string.IndexOfFunc
import org.elasticsearch.xpack.eql.expression.function.scalar.string.LengthFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.StringContainsFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.SubstringFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.math.ToNumberFunctionProcessor;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.ToStringFunctionProcessor;
import org.elasticsearch.xpack.ql.expression.function.scalar.whitelist.InternalQlScriptUtils;
import java.util.List;
import static org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation;
/*
* Whitelisted class for EQL scripts.
* Acts as a registry of the various static methods used <b>internally</b> by the scalar functions
@ -29,6 +31,14 @@ public class InternalEqlScriptUtils extends InternalQlScriptUtils {
InternalEqlScriptUtils() {}
public static Boolean seq(Object left, Object right) {
return InsensitiveBinaryComparisonOperation.SEQ.apply(left, right);
}
public static Boolean sneq(Object left, Object right) {
return InsensitiveBinaryComparisonOperation.SNEQ.apply(left, right);
}
public static String between(String s, String left, String right, Boolean greedy, Boolean caseSensitive) {
return (String) BetweenFunctionProcessor.doProcess(s, left, right, greedy, caseSensitive);
}

68
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparison.java Normal file
View File

@ -0,0 +1,68 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
import org.elasticsearch.common.logging.LoggerMessageFormat;
import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation;
import org.elasticsearch.xpack.ql.expression.Expression;
import org.elasticsearch.xpack.ql.expression.Expressions;
import org.elasticsearch.xpack.ql.expression.Expressions.ParamOrdinal;
import org.elasticsearch.xpack.ql.expression.TypeResolutions;
import org.elasticsearch.xpack.ql.expression.gen.pipeline.Pipe;
import org.elasticsearch.xpack.ql.expression.predicate.BinaryOperator;
import org.elasticsearch.xpack.ql.tree.Source;
import org.elasticsearch.xpack.ql.type.DataType;
import org.elasticsearch.xpack.ql.type.DataTypes;
import java.time.ZoneId;
// marker class to indicate operations that rely on values
public abstract class InsensitiveBinaryComparison extends BinaryOperator<Object, Object, Boolean, InsensitiveBinaryComparisonOperation> {
private final ZoneId zoneId;
protected InsensitiveBinaryComparison(Source source, Expression left, Expression right, InsensitiveBinaryComparisonOperation operation,
ZoneId zoneId) {
super(source, left, right, operation);
this.zoneId = zoneId;
}
public ZoneId zoneId() {
return zoneId;
}
@Override
protected TypeResolution resolveInputType(Expression e, ParamOrdinal paramOrdinal) {
String op = function().symbol();
TypeResolution resolution = TypeResolutions.isString(e, op, paramOrdinal);
if (resolution.unresolved()) {
String message = LoggerMessageFormat.format(null, "{}; consider using [{}] instead", resolution.message(),
regularOperatorSymbol());
resolution = new TypeResolution(message);
}
return resolution;
}
/**
* Symbol of the regular
*/
protected abstract String regularOperatorSymbol();
@Override
protected Expression canonicalize() {
return left().hashCode() > right().hashCode() ? swapLeftAndRight() : this;
}
@Override
public DataType dataType() {
return DataTypes.BOOLEAN;
}
@Override
protected Pipe makePipe() {
return new InsensitiveBinaryComparisonPipe(source(), this, Expressions.pipe(left()), Expressions.pipe(right()), function());
}
}

55
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonPipe.java Normal file
View File

@ -0,0 +1,55 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation;
import org.elasticsearch.xpack.ql.expression.Expression;
import org.elasticsearch.xpack.ql.expression.gen.pipeline.BinaryPipe;
import org.elasticsearch.xpack.ql.expression.gen.pipeline.Pipe;
import org.elasticsearch.xpack.ql.tree.NodeInfo;
import org.elasticsearch.xpack.ql.tree.Source;
import java.util.Objects;
public class InsensitiveBinaryComparisonPipe extends BinaryPipe {
private final InsensitiveBinaryComparisonOperation operation;
public InsensitiveBinaryComparisonPipe(Source source, Expression expression, Pipe left, Pipe right,
InsensitiveBinaryComparisonOperation operation) {
super(source, expression, left, right);
this.operation = operation;
}
@Override
protected NodeInfo<InsensitiveBinaryComparisonPipe> info() {
return NodeInfo.create(this, InsensitiveBinaryComparisonPipe::new, expression(), left(), right(), operation);
}
@Override
protected InsensitiveBinaryComparisonPipe replaceChildren(Pipe left, Pipe right) {
return new InsensitiveBinaryComparisonPipe(source(), expression(), left, right, operation);
}
@Override
public InsensitiveBinaryComparisonProcessor asProcessor() {
return new InsensitiveBinaryComparisonProcessor(left().asProcessor(), right().asProcessor(), operation);
}
@Override
public int hashCode() {
return Objects.hash(super.hashCode(), operation);
}
@Override
public boolean equals(Object obj) {
if (super.equals(obj)) {
InsensitiveBinaryComparisonPipe other = (InsensitiveBinaryComparisonPipe) obj;
return Objects.equals(operation, other.operation);
}
return false;
}
}

72
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonProcessor.java Normal file
View File

@ -0,0 +1,72 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.xpack.ql.expression.gen.processor.FunctionalEnumBinaryProcessor;
import org.elasticsearch.xpack.ql.expression.gen.processor.Processor;
import org.elasticsearch.xpack.ql.expression.predicate.PredicateBiFunction;
import java.io.IOException;
import java.util.function.BiFunction;
public class InsensitiveBinaryComparisonProcessor extends
FunctionalEnumBinaryProcessor<Object, Object, Boolean, InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation> {
public enum InsensitiveBinaryComparisonOperation implements PredicateBiFunction<Object, Object, Boolean> {
SEQ(StringComparisons::insensitiveEquals, ":"),
SNEQ(StringComparisons::insensitiveNotEquals, "!:");
private final BiFunction<Object, Object, Boolean> process;
private final String symbol;
InsensitiveBinaryComparisonOperation(BiFunction<Object, Object, Boolean> process, String symbol) {
this.process = process;
this.symbol = symbol;
}
@Override
public String symbol() {
return symbol;
}
@Override
public Boolean apply(Object left, Object right) {
return doApply(left, right);
}
@Override
public final Boolean doApply(Object left, Object right) {
return process.apply(left, right);
}
@Override
public String toString() {
return symbol;
}
}
public static final String NAME = "cscb";
public InsensitiveBinaryComparisonProcessor(Processor left, Processor right, InsensitiveBinaryComparisonOperation operation) {
super(left, right, operation);
}
public InsensitiveBinaryComparisonProcessor(StreamInput in) throws IOException {
super(in, i -> i.readEnum(InsensitiveBinaryComparisonOperation.class));
}
@Override
public String getWriteableName() {
return NAME;
}
@Override
public Object process(Object input) {
return doProcess(left().process(input), right().process(input));
}
}

51
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveEquals.java Normal file
View File

@ -0,0 +1,51 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
import org.elasticsearch.xpack.ql.expression.Expression;
import org.elasticsearch.xpack.ql.expression.predicate.Negatable;
import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.BinaryComparisonProcessor.BinaryComparisonOperation;
import org.elasticsearch.xpack.ql.tree.NodeInfo;
import org.elasticsearch.xpack.ql.tree.Source;
import java.time.ZoneId;
public class InsensitiveEquals extends InsensitiveBinaryComparison implements Negatable<InsensitiveBinaryComparison> {
public InsensitiveEquals(Source source, Expression left, Expression right) {
this(source, left, right, null);
}
public InsensitiveEquals(Source source, Expression left, Expression right, ZoneId zoneId) {
super(source, left, right, InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation.SEQ, zoneId);
}
@Override
protected NodeInfo<InsensitiveEquals> info() {
return NodeInfo.create(this, InsensitiveEquals::new, left(), right(), zoneId());
}
@Override
protected InsensitiveEquals replaceChildren(Expression newLeft, Expression newRight) {
return new InsensitiveEquals(source(), newLeft, newRight, zoneId());
}
@Override
public InsensitiveEquals swapLeftAndRight() {
return new InsensitiveEquals(source(), right(), left(), zoneId());
}
@Override
public InsensitiveBinaryComparison negate() {
return new InsensitiveNotEquals(source(), left(), right(), zoneId());
}
@Override
protected String regularOperatorSymbol() {
return BinaryComparisonOperation.EQ.symbol();
}
}

53
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveNotEquals.java Normal file
View File

@ -0,0 +1,53 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
import org.elasticsearch.xpack.ql.expression.Expression;
import org.elasticsearch.xpack.ql.expression.predicate.Negatable;
import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.BinaryComparisonProcessor.BinaryComparisonOperation;
import org.elasticsearch.xpack.ql.tree.NodeInfo;
import org.elasticsearch.xpack.ql.tree.Source;
import java.time.ZoneId;
;
public class InsensitiveNotEquals extends InsensitiveBinaryComparison implements Negatable<InsensitiveBinaryComparison> {
public InsensitiveNotEquals(Source source, Expression left, Expression right, ZoneId zoneId) {
super(source, left, right, InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation.SNEQ, zoneId);
}
@Override
protected NodeInfo<InsensitiveNotEquals> info() {
return NodeInfo.create(this, InsensitiveNotEquals::new, left(), right(), zoneId());
}
@Override
protected InsensitiveNotEquals replaceChildren(Expression newLeft, Expression newRight) {
return new InsensitiveNotEquals(source(), newLeft, newRight, zoneId());
}
@Override
public InsensitiveNotEquals swapLeftAndRight() {
return new InsensitiveNotEquals(source(), right(), left(), zoneId());
}
@Override
public InsensitiveBinaryComparison negate() {
return new InsensitiveEquals(source(), left(), right(), zoneId());
}
@Override
protected String regularOperatorSymbol() {
return BinaryComparisonOperation.NEQ.symbol();
}
}

31
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/StringComparisons.java Normal file
View File

@ -0,0 +1,31 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
import org.elasticsearch.xpack.eql.EqlIllegalArgumentException;
/**
* EQL specific string comparison utilities.
*/
public final class StringComparisons {
private StringComparisons() {}
static Boolean insensitiveEquals(Object l, Object r) {
if (l instanceof String && r instanceof String) {
return ((String)l).compareToIgnoreCase((String) r) == 0;
}
if (l == null || r == null) {
return null;
}
throw new EqlIllegalArgumentException("Insensitive comparison can be applied only on strings");
}
static Boolean insensitiveNotEquals(Object l, Object r) {
Boolean equal = insensitiveEquals(l, r);
return equal == null ? null : (equal == Boolean.TRUE ? Boolean.FALSE : Boolean.TRUE);
}
}

52
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/optimizer/Optimizer.java
View File

@ -7,6 +7,8 @@
package org.elasticsearch.xpack.eql.optimizer;
import org.elasticsearch.xpack.eql.EqlIllegalArgumentException;
import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveBinaryComparison;
import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveNotEquals;
import org.elasticsearch.xpack.eql.plan.logical.Join;
import org.elasticsearch.xpack.eql.plan.logical.KeyedFilter;
import org.elasticsearch.xpack.eql.plan.logical.LimitWithOffset;
@ -38,8 +40,8 @@ import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.ConstantFolding;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.OptimizerRule;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.PropagateEquals;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.PruneLiteralsInOrderBy;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.ReplaceSurrogateFunction;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.ReplaceMatchAll;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.ReplaceSurrogateFunction;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.SetAsOptimized;
import org.elasticsearch.xpack.ql.optimizer.OptimizerRules.TransformDirection;
import org.elasticsearch.xpack.ql.plan.logical.Filter;
@ -54,6 +56,7 @@ import org.elasticsearch.xpack.ql.type.DataTypes;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import static java.util.Collections.singletonList;
import static java.util.stream.Collectors.toList;
@ -67,8 +70,6 @@ public class Optimizer extends RuleExecutor<LogicalPlan> {
@Override
protected Iterable<RuleExecutor<LogicalPlan>.Batch> batches() {
Batch substitutions = new Batch("Substitution", Limiter.ONCE,
// needed for replace wildcards
new BooleanLiteralsOnTheRight(),
new ReplaceWildcards(),
new ReplaceSurrogateFunction(),
new ReplaceMatchAll());
@ -109,26 +110,29 @@ public class Optimizer extends RuleExecutor<LogicalPlan> {
private static class ReplaceWildcards extends OptimizerRule<Filter> {
private static boolean isWildcard(Expression expr) {
if (expr instanceof Literal) {
Object value = expr.fold();
return value instanceof String && value.toString().contains("*");
}
return false;
}
@Override
protected LogicalPlan rule(Filter filter) {
return filter.transformExpressionsUp(e -> {
// expr == "wildcard*phrase" || expr != "wildcard*phrase"
if (e instanceof Equals || e instanceof NotEquals) {
BinaryComparison cmp = (BinaryComparison) e;
// expr : "wildcard*phrase" || expr !: "wildcard*phrase"
if (e instanceof InsensitiveBinaryComparison) {
InsensitiveBinaryComparison cmp = (InsensitiveBinaryComparison) e;
if (isWildcard(cmp.right())) {
String wcString = cmp.right().fold().toString();
Expression like = new Like(e.source(), cmp.left(), StringUtils.toLikePattern(wcString));
Expression target = null;
String wildString = null;
if (e instanceof NotEquals) {
// check either side since the literals can be on both sides
// "a" : "*" is the same as "*" : "a"
if (isWildcard(cmp.left())) {
wildString = (String) cmp.left().fold();
target = cmp.right();
} else if (isWildcard(cmp.right())) {
wildString = (String) cmp.right().fold();
target = cmp.left();
}
if (target != null) {
Expression like = new Like(e.source(), target, StringUtils.toLikePattern(wildString));
if (e instanceof InsensitiveNotEquals) {
like = new Not(e.source(), like);
}
@ -139,6 +143,14 @@ public class Optimizer extends RuleExecutor<LogicalPlan> {
return e;
});
}
private static boolean isWildcard(Expression expr) {
if (expr instanceof Literal) {
Object value = expr.fold();
return value instanceof String && ((String) value).contains("*");
}
return false;
}
}
private static class ReplaceNullChecks extends OptimizerRule<Filter> {
@ -275,7 +287,7 @@ public class Optimizer extends RuleExecutor<LogicalPlan> {
*/
static class PropagateJoinKeyConstraints extends OptimizerRule<Join> {
class Constraint {
static class Constraint {
private final Expression condition;
private final KeyedFilter keyedFilter;
private final int keyPosition;
@ -354,7 +366,7 @@ public class Optimizer extends RuleExecutor<LogicalPlan> {
private KeyedFilter addConstraint(KeyedFilter k, List<Constraint> constraints) {
Expression constraint = Predicates.combineAnd(constraints.stream()
.map(c -> c.constraintFor(k))
.filter(c -> c != null)
.filter(Objects::nonNull)
.collect(toList()));
return constraint != null

284
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java
View File

@ -18,20 +18,20 @@ class EqlBaseLexer extends Lexer {
new PredictionContextCache();
public static final int
AND=1, ANY=2, BY=3, FALSE=4, IN=5, JOIN=6, MAXSPAN=7, NOT=8, NULL=9, OF=10,
OR=11, SEQUENCE=12, TRUE=13, UNTIL=14, WHERE=15, WITH=16, ASGN=17, EQ=18,
NEQ=19, LT=20, LTE=21, GT=22, GTE=23, PLUS=24, MINUS=25, ASTERISK=26,
SLASH=27, PERCENT=28, DOT=29, COMMA=30, LB=31, RB=32, LP=33, RP=34, PIPE=35,
ESCAPED_IDENTIFIER=36, STRING=37, INTEGER_VALUE=38, DECIMAL_VALUE=39,
IDENTIFIER=40, LINE_COMMENT=41, BRACKETED_COMMENT=42, WS=43;
OR=11, SEQUENCE=12, TRUE=13, UNTIL=14, WHERE=15, WITH=16, SEQ=17, ASGN=18,
EQ=19, NEQ=20, LT=21, LTE=22, GT=23, GTE=24, PLUS=25, MINUS=26, ASTERISK=27,
SLASH=28, PERCENT=29, DOT=30, COMMA=31, LB=32, RB=33, LP=34, RP=35, PIPE=36,
ESCAPED_IDENTIFIER=37, STRING=38, INTEGER_VALUE=39, DECIMAL_VALUE=40,
IDENTIFIER=41, LINE_COMMENT=42, BRACKETED_COMMENT=43, WS=44;
public static String[] modeNames = {
"DEFAULT_MODE"
};
public static final String[] ruleNames = {
"AND", "ANY", "BY", "FALSE", "IN", "JOIN", "MAXSPAN", "NOT", "NULL", "OF",
"OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", "EQ", "NEQ",
"LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", "PERCENT",
"DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER",
"OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "SEQ", "ASGN", "EQ",
"NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH",
"PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER",
"STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "EXPONENT",
"DIGIT", "LETTER", "LINE_COMMENT", "BRACKETED_COMMENT", "WS"
};
@ -39,14 +39,14 @@ class EqlBaseLexer extends Lexer {
private static final String[] _LITERAL_NAMES = {
null, "'and'", "'any'", "'by'", "'false'", "'in'", "'join'", "'maxspan'",
"'not'", "'null'", "'of'", "'or'", "'sequence'", "'true'", "'until'",
"'where'", "'with'", "'='", "'=='", "'!='", "'<'", "'<='", "'>'", "'>='",
"'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'", "'('",
"')'", "'|'"
"'where'", "'with'", "':'", "'='", "'=='", "'!='", "'<'", "'<='", "'>'",
"'>='", "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'",
"'('", "')'", "'|'"
};
private static final String[] _SYMBOLIC_NAMES = {
null, "AND", "ANY", "BY", "FALSE", "IN", "JOIN", "MAXSPAN", "NOT", "NULL",
"OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", "EQ",
"NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH",
"OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "SEQ", "ASGN",
"EQ", "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH",
"PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER",
"STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "LINE_COMMENT",
"BRACKETED_COMMENT", "WS"
@ -106,140 +106,142 @@ class EqlBaseLexer extends Lexer {
public ATN getATN() { return _ATN; }
public static final String _serializedATN =
"\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2-\u0182\b\1\4\2\t"+
"\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2.\u0186\b\1\4\2\t"+
"\2\4\3\t\3\4\4\t\4\4\5\t\5\4\6\t\6\4\7\t\7\4\b\t\b\4\t\t\t\4\n\t\n\4\13"+
"\t\13\4\f\t\f\4\r\t\r\4\16\t\16\4\17\t\17\4\20\t\20\4\21\t\21\4\22\t\22"+
"\4\23\t\23\4\24\t\24\4\25\t\25\4\26\t\26\4\27\t\27\4\30\t\30\4\31\t\31"+
"\4\32\t\32\4\33\t\33\4\34\t\34\4\35\t\35\4\36\t\36\4\37\t\37\4 \t \4!"+
"\t!\4\"\t\"\4#\t#\4$\t$\4%\t%\4&\t&\4\'\t\'\4(\t(\4)\t)\4*\t*\4+\t+\4"+
",\t,\4-\t-\4.\t.\4/\t/\3\2\3\2\3\2\3\2\3\3\3\3\3\3\3\3\3\4\3\4\3\4\3\5"+
"\3\5\3\5\3\5\3\5\3\5\3\6\3\6\3\6\3\7\3\7\3\7\3\7\3\7\3\b\3\b\3\b\3\b\3"+
"\b\3\b\3\b\3\b\3\t\3\t\3\t\3\t\3\n\3\n\3\n\3\n\3\n\3\13\3\13\3\13\3\f"+
"\3\f\3\f\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\16\3\16\3\16\3\16\3\16"+
"\3\17\3\17\3\17\3\17\3\17\3\17\3\20\3\20\3\20\3\20\3\20\3\20\3\21\3\21"+
"\3\21\3\21\3\21\3\22\3\22\3\23\3\23\3\23\3\24\3\24\3\24\3\25\3\25\3\26"+
"\3\26\3\26\3\27\3\27\3\30\3\30\3\30\3\31\3\31\3\32\3\32\3\33\3\33\3\34"+
"\3\34\3\35\3\35\3\36\3\36\3\37\3\37\3 \3 \3!\3!\3\"\3\"\3#\3#\3$\3$\3"+
"%\3%\3%\3%\7%\u00dd\n%\f%\16%\u00e0\13%\3%\3%\3&\3&\3&\3&\7&\u00e8\n&"+
"\f&\16&\u00eb\13&\3&\3&\3&\3&\3&\7&\u00f2\n&\f&\16&\u00f5\13&\3&\3&\3"+
"&\3&\3&\3&\3&\7&\u00fe\n&\f&\16&\u0101\13&\3&\3&\3&\3&\3&\3&\3&\7&\u010a"+
"\n&\f&\16&\u010d\13&\3&\5&\u0110\n&\3\'\6\'\u0113\n\'\r\'\16\'\u0114\3"+
"(\6(\u0118\n(\r(\16(\u0119\3(\3(\7(\u011e\n(\f(\16(\u0121\13(\3(\3(\6"+
"(\u0125\n(\r(\16(\u0126\3(\6(\u012a\n(\r(\16(\u012b\3(\3(\7(\u0130\n("+
"\f(\16(\u0133\13(\5(\u0135\n(\3(\3(\3(\3(\6(\u013b\n(\r(\16(\u013c\3("+
"\3(\5(\u0141\n(\3)\3)\5)\u0145\n)\3)\3)\3)\7)\u014a\n)\f)\16)\u014d\13"+
")\3*\3*\5*\u0151\n*\3*\6*\u0154\n*\r*\16*\u0155\3+\3+\3,\3,\3-\3-\3-\3"+
"-\7-\u0160\n-\f-\16-\u0163\13-\3-\5-\u0166\n-\3-\5-\u0169\n-\3-\3-\3."+
"\3.\3.\3.\3.\7.\u0172\n.\f.\16.\u0175\13.\3.\3.\3.\3.\3.\3/\6/\u017d\n"+
"/\r/\16/\u017e\3/\3/\3\u0173\2\60\3\3\5\4\7\5\t\6\13\7\r\b\17\t\21\n\23"+
",\t,\4-\t-\4.\t.\4/\t/\4\60\t\60\3\2\3\2\3\2\3\2\3\3\3\3\3\3\3\3\3\4\3"+
"\4\3\4\3\5\3\5\3\5\3\5\3\5\3\5\3\6\3\6\3\6\3\7\3\7\3\7\3\7\3\7\3\b\3\b"+
"\3\b\3\b\3\b\3\b\3\b\3\b\3\t\3\t\3\t\3\t\3\n\3\n\3\n\3\n\3\n\3\13\3\13"+
"\3\13\3\f\3\f\3\f\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\r\3\16\3\16\3\16\3"+
"\16\3\16\3\17\3\17\3\17\3\17\3\17\3\17\3\20\3\20\3\20\3\20\3\20\3\20\3"+
"\21\3\21\3\21\3\21\3\21\3\22\3\22\3\23\3\23\3\24\3\24\3\24\3\25\3\25\3"+
"\25\3\26\3\26\3\27\3\27\3\27\3\30\3\30\3\31\3\31\3\31\3\32\3\32\3\33\3"+
"\33\3\34\3\34\3\35\3\35\3\36\3\36\3\37\3\37\3 \3 \3!\3!\3\"\3\"\3#\3#"+
"\3$\3$\3%\3%\3&\3&\3&\3&\7&\u00e1\n&\f&\16&\u00e4\13&\3&\3&\3\'\3\'\3"+
"\'\3\'\7\'\u00ec\n\'\f\'\16\'\u00ef\13\'\3\'\3\'\3\'\3\'\3\'\7\'\u00f6"+
"\n\'\f\'\16\'\u00f9\13\'\3\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'\u0102\n\'\f\'"+
"\16\'\u0105\13\'\3\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'\u010e\n\'\f\'\16\'\u0111"+
"\13\'\3\'\5\'\u0114\n\'\3(\6(\u0117\n(\r(\16(\u0118\3)\6)\u011c\n)\r)"+
"\16)\u011d\3)\3)\7)\u0122\n)\f)\16)\u0125\13)\3)\3)\6)\u0129\n)\r)\16"+
")\u012a\3)\6)\u012e\n)\r)\16)\u012f\3)\3)\7)\u0134\n)\f)\16)\u0137\13"+
")\5)\u0139\n)\3)\3)\3)\3)\6)\u013f\n)\r)\16)\u0140\3)\3)\5)\u0145\n)\3"+
"*\3*\5*\u0149\n*\3*\3*\3*\7*\u014e\n*\f*\16*\u0151\13*\3+\3+\5+\u0155"+
"\n+\3+\6+\u0158\n+\r+\16+\u0159\3,\3,\3-\3-\3.\3.\3.\3.\7.\u0164\n.\f"+
".\16.\u0167\13.\3.\5.\u016a\n.\3.\5.\u016d\n.\3.\3.\3/\3/\3/\3/\3/\7/"+
"\u0176\n/\f/\16/\u0179\13/\3/\3/\3/\3/\3/\3\60\6\60\u0181\n\60\r\60\16"+
"\60\u0182\3\60\3\60\3\u0177\2\61\3\3\5\4\7\5\t\6\13\7\r\b\17\t\21\n\23"+
"\13\25\f\27\r\31\16\33\17\35\20\37\21!\22#\23%\24\'\25)\26+\27-\30/\31"+
"\61\32\63\33\65\34\67\359\36;\37= ?!A\"C#E$G%I&K\'M(O)Q*S\2U\2W\2Y+[,"+
"]-\3\2\17\3\2bb\n\2$$))^^ddhhppttvv\6\2\f\f\17\17))^^\6\2\f\f\17\17$$"+
"^^\5\2\f\f\17\17$$\5\2\f\f\17\17))\4\2BBaa\4\2GGgg\4\2--//\3\2\62;\4\2"+
"C\\c|\4\2\f\f\17\17\5\2\13\f\17\17\"\"\u01a2\2\3\3\2\2\2\2\5\3\2\2\2\2"+
"\7\3\2\2\2\2\t\3\2\2\2\2\13\3\2\2\2\2\r\3\2\2\2\2\17\3\2\2\2\2\21\3\2"+
"\2\2\2\23\3\2\2\2\2\25\3\2\2\2\2\27\3\2\2\2\2\31\3\2\2\2\2\33\3\2\2\2"+
"\2\35\3\2\2\2\2\37\3\2\2\2\2!\3\2\2\2\2#\3\2\2\2\2%\3\2\2\2\2\'\3\2\2"+
"\2\2)\3\2\2\2\2+\3\2\2\2\2-\3\2\2\2\2/\3\2\2\2\2\61\3\2\2\2\2\63\3\2\2"+
"\2\2\65\3\2\2\2\2\67\3\2\2\2\29\3\2\2\2\2;\3\2\2\2\2=\3\2\2\2\2?\3\2\2"+
"\2\2A\3\2\2\2\2C\3\2\2\2\2E\3\2\2\2\2G\3\2\2\2\2I\3\2\2\2\2K\3\2\2\2\2"+
"M\3\2\2\2\2O\3\2\2\2\2Q\3\2\2\2\2Y\3\2\2\2\2[\3\2\2\2\2]\3\2\2\2\3_\3"+
"\2\2\2\5c\3\2\2\2\7g\3\2\2\2\tj\3\2\2\2\13p\3\2\2\2\rs\3\2\2\2\17x\3\2"+
"\2\2\21\u0080\3\2\2\2\23\u0084\3\2\2\2\25\u0089\3\2\2\2\27\u008c\3\2\2"+
"\2\31\u008f\3\2\2\2\33\u0098\3\2\2\2\35\u009d\3\2\2\2\37\u00a3\3\2\2\2"+
"!\u00a9\3\2\2\2#\u00ae\3\2\2\2%\u00b0\3\2\2\2\'\u00b3\3\2\2\2)\u00b6\3"+
"\2\2\2+\u00b8\3\2\2\2-\u00bb\3\2\2\2/\u00bd\3\2\2\2\61\u00c0\3\2\2\2\63"+
"\u00c2\3\2\2\2\65\u00c4\3\2\2\2\67\u00c6\3\2\2\29\u00c8\3\2\2\2;\u00ca"+
"\3\2\2\2=\u00cc\3\2\2\2?\u00ce\3\2\2\2A\u00d0\3\2\2\2C\u00d2\3\2\2\2E"+
"\u00d4\3\2\2\2G\u00d6\3\2\2\2I\u00d8\3\2\2\2K\u010f\3\2\2\2M\u0112\3\2"+
"\2\2O\u0140\3\2\2\2Q\u0144\3\2\2\2S\u014e\3\2\2\2U\u0157\3\2\2\2W\u0159"+
"\3\2\2\2Y\u015b\3\2\2\2[\u016c\3\2\2\2]\u017c\3\2\2\2_`\7c\2\2`a\7p\2"+
"\2ab\7f\2\2b\4\3\2\2\2cd\7c\2\2de\7p\2\2ef\7{\2\2f\6\3\2\2\2gh\7d\2\2"+
"hi\7{\2\2i\b\3\2\2\2jk\7h\2\2kl\7c\2\2lm\7n\2\2mn\7u\2\2no\7g\2\2o\n\3"+
"\2\2\2pq\7k\2\2qr\7p\2\2r\f\3\2\2\2st\7l\2\2tu\7q\2\2uv\7k\2\2vw\7p\2"+
"\2w\16\3\2\2\2xy\7o\2\2yz\7c\2\2z{\7z\2\2{|\7u\2\2|}\7r\2\2}~\7c\2\2~"+
"\177\7p\2\2\177\20\3\2\2\2\u0080\u0081\7p\2\2\u0081\u0082\7q\2\2\u0082"+
"\u0083\7v\2\2\u0083\22\3\2\2\2\u0084\u0085\7p\2\2\u0085\u0086\7w\2\2\u0086"+
"\u0087\7n\2\2\u0087\u0088\7n\2\2\u0088\24\3\2\2\2\u0089\u008a\7q\2\2\u008a"+
"\u008b\7h\2\2\u008b\26\3\2\2\2\u008c\u008d\7q\2\2\u008d\u008e\7t\2\2\u008e"+
"\30\3\2\2\2\u008f\u0090\7u\2\2\u0090\u0091\7g\2\2\u0091\u0092\7s\2\2\u0092"+
"\u0093\7w\2\2\u0093\u0094\7g\2\2\u0094\u0095\7p\2\2\u0095\u0096\7e\2\2"+
"\u0096\u0097\7g\2\2\u0097\32\3\2\2\2\u0098\u0099\7v\2\2\u0099\u009a\7"+
"t\2\2\u009a\u009b\7w\2\2\u009b\u009c\7g\2\2\u009c\34\3\2\2\2\u009d\u009e"+
"\7w\2\2\u009e\u009f\7p\2\2\u009f\u00a0\7v\2\2\u00a0\u00a1\7k\2\2\u00a1"+
"\u00a2\7n\2\2\u00a2\36\3\2\2\2\u00a3\u00a4\7y\2\2\u00a4\u00a5\7j\2\2\u00a5"+
"\u00a6\7g\2\2\u00a6\u00a7\7t\2\2\u00a7\u00a8\7g\2\2\u00a8 \3\2\2\2\u00a9"+
"\u00aa\7y\2\2\u00aa\u00ab\7k\2\2\u00ab\u00ac\7v\2\2\u00ac\u00ad\7j\2\2"+
"\u00ad\"\3\2\2\2\u00ae\u00af\7?\2\2\u00af$\3\2\2\2\u00b0\u00b1\7?\2\2"+
"\u00b1\u00b2\7?\2\2\u00b2&\3\2\2\2\u00b3\u00b4\7#\2\2\u00b4\u00b5\7?\2"+
"\2\u00b5(\3\2\2\2\u00b6\u00b7\7>\2\2\u00b7*\3\2\2\2\u00b8\u00b9\7>\2\2"+
"\u00b9\u00ba\7?\2\2\u00ba,\3\2\2\2\u00bb\u00bc\7@\2\2\u00bc.\3\2\2\2\u00bd"+
"\u00be\7@\2\2\u00be\u00bf\7?\2\2\u00bf\60\3\2\2\2\u00c0\u00c1\7-\2\2\u00c1"+
"\62\3\2\2\2\u00c2\u00c3\7/\2\2\u00c3\64\3\2\2\2\u00c4\u00c5\7,\2\2\u00c5"+
"\66\3\2\2\2\u00c6\u00c7\7\61\2\2\u00c78\3\2\2\2\u00c8\u00c9\7\'\2\2\u00c9"+
":\3\2\2\2\u00ca\u00cb\7\60\2\2\u00cb<\3\2\2\2\u00cc\u00cd\7.\2\2\u00cd"+
">\3\2\2\2\u00ce\u00cf\7]\2\2\u00cf@\3\2\2\2\u00d0\u00d1\7_\2\2\u00d1B"+
"\3\2\2\2\u00d2\u00d3\7*\2\2\u00d3D\3\2\2\2\u00d4\u00d5\7+\2\2\u00d5F\3"+
"\2\2\2\u00d6\u00d7\7~\2\2\u00d7H\3\2\2\2\u00d8\u00de\7b\2\2\u00d9\u00dd"+
"\n\2\2\2\u00da\u00db\7b\2\2\u00db\u00dd\7b\2\2\u00dc\u00d9\3\2\2\2\u00dc"+
"\u00da\3\2\2\2\u00dd\u00e0\3\2\2\2\u00de\u00dc\3\2\2\2\u00de\u00df\3\2"+
"\2\2\u00df\u00e1\3\2\2\2\u00e0\u00de\3\2\2\2\u00e1\u00e2\7b\2\2\u00e2"+
"J\3\2\2\2\u00e3\u00e9\7)\2\2\u00e4\u00e5\7^\2\2\u00e5\u00e8\t\3\2\2\u00e6"+
"\u00e8\n\4\2\2\u00e7\u00e4\3\2\2\2\u00e7\u00e6\3\2\2\2\u00e8\u00eb\3\2"+
"\2\2\u00e9\u00e7\3\2\2\2\u00e9\u00ea\3\2\2\2\u00ea\u00ec\3\2\2\2\u00eb"+
"\u00e9\3\2\2\2\u00ec\u0110\7)\2\2\u00ed\u00f3\7$\2\2\u00ee\u00ef\7^\2"+
"\2\u00ef\u00f2\t\3\2\2\u00f0\u00f2\n\5\2\2\u00f1\u00ee\3\2\2\2\u00f1\u00f0"+
"\3\2\2\2\u00f2\u00f5\3\2\2\2\u00f3\u00f1\3\2\2\2\u00f3\u00f4\3\2\2\2\u00f4"+
"\u00f6\3\2\2\2\u00f5\u00f3\3\2\2\2\u00f6\u0110\7$\2\2\u00f7\u00f8\7A\2"+
"\2\u00f8\u00f9\7$\2\2\u00f9\u00ff\3\2\2\2\u00fa\u00fb\7^\2\2\u00fb\u00fe"+
"\7$\2\2\u00fc\u00fe\n\6\2\2\u00fd\u00fa\3\2\2\2\u00fd\u00fc\3\2\2\2\u00fe"+
"\u0101\3\2\2\2\u00ff\u00fd\3\2\2\2\u00ff\u0100\3\2\2\2\u0100\u0102\3\2"+
"\2\2\u0101\u00ff\3\2\2\2\u0102\u0110\7$\2\2\u0103\u0104\7A\2\2\u0104\u0105"+
"\7)\2\2\u0105\u010b\3\2\2\2\u0106\u0107\7^\2\2\u0107\u010a\7)\2\2\u0108"+
"\u010a\n\7\2\2\u0109\u0106\3\2\2\2\u0109\u0108\3\2\2\2\u010a\u010d\3\2"+
"\2\2\u010b\u0109\3\2\2\2\u010b\u010c\3\2\2\2\u010c\u010e\3\2\2\2\u010d"+
"\u010b\3\2\2\2\u010e\u0110\7)\2\2\u010f\u00e3\3\2\2\2\u010f\u00ed\3\2"+
"\2\2\u010f\u00f7\3\2\2\2\u010f\u0103\3\2\2\2\u0110L\3\2\2\2\u0111\u0113"+
"\5U+\2\u0112\u0111\3\2\2\2\u0113\u0114\3\2\2\2\u0114\u0112\3\2\2\2\u0114"+
"\u0115\3\2\2\2\u0115N\3\2\2\2\u0116\u0118\5U+\2\u0117\u0116\3\2\2\2\u0118"+
"\u0119\3\2\2\2\u0119\u0117\3\2\2\2\u0119\u011a\3\2\2\2\u011a\u011b\3\2"+
"\2\2\u011b\u011f\5;\36\2\u011c\u011e\5U+\2\u011d\u011c\3\2\2\2\u011e\u0121"+
"\3\2\2\2\u011f\u011d\3\2\2\2\u011f\u0120\3\2\2\2\u0120\u0141\3\2\2\2\u0121"+
"\u011f\3\2\2\2\u0122\u0124\5;\36\2\u0123\u0125\5U+\2\u0124\u0123\3\2\2"+
"\2\u0125\u0126\3\2\2\2\u0126\u0124\3\2\2\2\u0126\u0127\3\2\2\2\u0127\u0141"+
"\3\2\2\2\u0128\u012a\5U+\2\u0129\u0128\3\2\2\2\u012a\u012b\3\2\2\2\u012b"+
"\u0129\3\2\2\2\u012b\u012c\3\2\2\2\u012c\u0134\3\2\2\2\u012d\u0131\5;"+
"\36\2\u012e\u0130\5U+\2\u012f\u012e\3\2\2\2\u0130\u0133\3\2\2\2\u0131"+
"\u012f\3\2\2\2\u0131\u0132\3\2\2\2\u0132\u0135\3\2\2\2\u0133\u0131\3\2"+
"\2\2\u0134\u012d\3\2\2\2\u0134\u0135\3\2\2\2\u0135\u0136\3\2\2\2\u0136"+
"\u0137\5S*\2\u0137\u0141\3\2\2\2\u0138\u013a\5;\36\2\u0139\u013b\5U+\2"+
"\u013a\u0139\3\2\2\2\u013b\u013c\3\2\2\2\u013c\u013a\3\2\2\2\u013c\u013d"+
"\3\2\2\2\u013d\u013e\3\2\2\2\u013e\u013f\5S*\2\u013f\u0141\3\2\2\2\u0140"+
"\u0117\3\2\2\2\u0140\u0122\3\2\2\2\u0140\u0129\3\2\2\2\u0140\u0138\3\2"+
"\2\2\u0141P\3\2\2\2\u0142\u0145\5W,\2\u0143\u0145\t\b\2\2\u0144\u0142"+
"\3\2\2\2\u0144\u0143\3\2\2\2\u0145\u014b\3\2\2\2\u0146\u014a\5W,\2\u0147"+
"\u014a\5U+\2\u0148\u014a\7a\2\2\u0149\u0146\3\2\2\2\u0149\u0147\3\2\2"+
"\2\u0149\u0148\3\2\2\2\u014a\u014d\3\2\2\2\u014b\u0149\3\2\2\2\u014b\u014c"+
"\3\2\2\2\u014cR\3\2\2\2\u014d\u014b\3\2\2\2\u014e\u0150\t\t\2\2\u014f"+
"\u0151\t\n\2\2\u0150\u014f\3\2\2\2\u0150\u0151\3\2\2\2\u0151\u0153\3\2"+
"\2\2\u0152\u0154\5U+\2\u0153\u0152\3\2\2\2\u0154\u0155\3\2\2\2\u0155\u0153"+
"\3\2\2\2\u0155\u0156\3\2\2\2\u0156T\3\2\2\2\u0157\u0158\t\13\2\2\u0158"+
"V\3\2\2\2\u0159\u015a\t\f\2\2\u015aX\3\2\2\2\u015b\u015c\7\61\2\2\u015c"+
"\u015d\7\61\2\2\u015d\u0161\3\2\2\2\u015e\u0160\n\r\2\2\u015f\u015e\3"+
"\2\2\2\u0160\u0163\3\2\2\2\u0161\u015f\3\2\2\2\u0161\u0162\3\2\2\2\u0162"+
"\u0165\3\2\2\2\u0163\u0161\3\2\2\2\u0164\u0166\7\17\2\2\u0165\u0164\3"+
"\2\2\2\u0165\u0166\3\2\2\2\u0166\u0168\3\2\2\2\u0167\u0169\7\f\2\2\u0168"+
"\u0167\3\2\2\2\u0168\u0169\3\2\2\2\u0169\u016a\3\2\2\2\u016a\u016b\b-"+
"\2\2\u016bZ\3\2\2\2\u016c\u016d\7\61\2\2\u016d\u016e\7,\2\2\u016e\u0173"+
"\3\2\2\2\u016f\u0172\5[.\2\u0170\u0172\13\2\2\2\u0171\u016f\3\2\2\2\u0171"+
"\u0170\3\2\2\2\u0172\u0175\3\2\2\2\u0173\u0174\3\2\2\2\u0173\u0171\3\2"+
"\2\2\u0174\u0176\3\2\2\2\u0175\u0173\3\2\2\2\u0176\u0177\7,\2\2\u0177"+
"\u0178\7\61\2\2\u0178\u0179\3\2\2\2\u0179\u017a\b.\2\2\u017a\\\3\2\2\2"+
"\u017b\u017d\t\16\2\2\u017c\u017b\3\2\2\2\u017d\u017e\3\2\2\2\u017e\u017c"+
"\3\2\2\2\u017e\u017f\3\2\2\2\u017f\u0180\3\2\2\2\u0180\u0181\b/\2\2\u0181"+
"^\3\2\2\2\"\2\u00dc\u00de\u00e7\u00e9\u00f1\u00f3\u00fd\u00ff\u0109\u010b"+
"\u010f\u0114\u0119\u011f\u0126\u012b\u0131\u0134\u013c\u0140\u0144\u0149"+
"\u014b\u0150\u0155\u0161\u0165\u0168\u0171\u0173\u017e\3\2\3\2";
"\61\32\63\33\65\34\67\359\36;\37= ?!A\"C#E$G%I&K\'M(O)Q*S+U\2W\2Y\2[,"+
"]-_.\3\2\17\3\2bb\n\2$$))^^ddhhppttvv\6\2\f\f\17\17))^^\6\2\f\f\17\17"+
"$$^^\5\2\f\f\17\17$$\5\2\f\f\17\17))\4\2BBaa\4\2GGgg\4\2--//\3\2\62;\4"+
"\2C\\c|\4\2\f\f\17\17\5\2\13\f\17\17\"\"\u01a6\2\3\3\2\2\2\2\5\3\2\2\2"+
"\2\7\3\2\2\2\2\t\3\2\2\2\2\13\3\2\2\2\2\r\3\2\2\2\2\17\3\2\2\2\2\21\3"+
"\2\2\2\2\23\3\2\2\2\2\25\3\2\2\2\2\27\3\2\2\2\2\31\3\2\2\2\2\33\3\2\2"+
"\2\2\35\3\2\2\2\2\37\3\2\2\2\2!\3\2\2\2\2#\3\2\2\2\2%\3\2\2\2\2\'\3\2"+
"\2\2\2)\3\2\2\2\2+\3\2\2\2\2-\3\2\2\2\2/\3\2\2\2\2\61\3\2\2\2\2\63\3\2"+
"\2\2\2\65\3\2\2\2\2\67\3\2\2\2\29\3\2\2\2\2;\3\2\2\2\2=\3\2\2\2\2?\3\2"+
"\2\2\2A\3\2\2\2\2C\3\2\2\2\2E\3\2\2\2\2G\3\2\2\2\2I\3\2\2\2\2K\3\2\2\2"+
"\2M\3\2\2\2\2O\3\2\2\2\2Q\3\2\2\2\2S\3\2\2\2\2[\3\2\2\2\2]\3\2\2\2\2_"+
"\3\2\2\2\3a\3\2\2\2\5e\3\2\2\2\7i\3\2\2\2\tl\3\2\2\2\13r\3\2\2\2\ru\3"+
"\2\2\2\17z\3\2\2\2\21\u0082\3\2\2\2\23\u0086\3\2\2\2\25\u008b\3\2\2\2"+
"\27\u008e\3\2\2\2\31\u0091\3\2\2\2\33\u009a\3\2\2\2\35\u009f\3\2\2\2\37"+
"\u00a5\3\2\2\2!\u00ab\3\2\2\2#\u00b0\3\2\2\2%\u00b2\3\2\2\2\'\u00b4\3"+
"\2\2\2)\u00b7\3\2\2\2+\u00ba\3\2\2\2-\u00bc\3\2\2\2/\u00bf\3\2\2\2\61"+
"\u00c1\3\2\2\2\63\u00c4\3\2\2\2\65\u00c6\3\2\2\2\67\u00c8\3\2\2\29\u00ca"+
"\3\2\2\2;\u00cc\3\2\2\2=\u00ce\3\2\2\2?\u00d0\3\2\2\2A\u00d2\3\2\2\2C"+
"\u00d4\3\2\2\2E\u00d6\3\2\2\2G\u00d8\3\2\2\2I\u00da\3\2\2\2K\u00dc\3\2"+
"\2\2M\u0113\3\2\2\2O\u0116\3\2\2\2Q\u0144\3\2\2\2S\u0148\3\2\2\2U\u0152"+
"\3\2\2\2W\u015b\3\2\2\2Y\u015d\3\2\2\2[\u015f\3\2\2\2]\u0170\3\2\2\2_"+
"\u0180\3\2\2\2ab\7c\2\2bc\7p\2\2cd\7f\2\2d\4\3\2\2\2ef\7c\2\2fg\7p\2\2"+
"gh\7{\2\2h\6\3\2\2\2ij\7d\2\2jk\7{\2\2k\b\3\2\2\2lm\7h\2\2mn\7c\2\2no"+
"\7n\2\2op\7u\2\2pq\7g\2\2q\n\3\2\2\2rs\7k\2\2st\7p\2\2t\f\3\2\2\2uv\7"+
"l\2\2vw\7q\2\2wx\7k\2\2xy\7p\2\2y\16\3\2\2\2z{\7o\2\2{|\7c\2\2|}\7z\2"+
"\2}~\7u\2\2~\177\7r\2\2\177\u0080\7c\2\2\u0080\u0081\7p\2\2\u0081\20\3"+
"\2\2\2\u0082\u0083\7p\2\2\u0083\u0084\7q\2\2\u0084\u0085\7v\2\2\u0085"+
"\22\3\2\2\2\u0086\u0087\7p\2\2\u0087\u0088\7w\2\2\u0088\u0089\7n\2\2\u0089"+
"\u008a\7n\2\2\u008a\24\3\2\2\2\u008b\u008c\7q\2\2\u008c\u008d\7h\2\2\u008d"+
"\26\3\2\2\2\u008e\u008f\7q\2\2\u008f\u0090\7t\2\2\u0090\30\3\2\2\2\u0091"+
"\u0092\7u\2\2\u0092\u0093\7g\2\2\u0093\u0094\7s\2\2\u0094\u0095\7w\2\2"+
"\u0095\u0096\7g\2\2\u0096\u0097\7p\2\2\u0097\u0098\7e\2\2\u0098\u0099"+
"\7g\2\2\u0099\32\3\2\2\2\u009a\u009b\7v\2\2\u009b\u009c\7t\2\2\u009c\u009d"+
"\7w\2\2\u009d\u009e\7g\2\2\u009e\34\3\2\2\2\u009f\u00a0\7w\2\2\u00a0\u00a1"+
"\7p\2\2\u00a1\u00a2\7v\2\2\u00a2\u00a3\7k\2\2\u00a3\u00a4\7n\2\2\u00a4"+
"\36\3\2\2\2\u00a5\u00a6\7y\2\2\u00a6\u00a7\7j\2\2\u00a7\u00a8\7g\2\2\u00a8"+
"\u00a9\7t\2\2\u00a9\u00aa\7g\2\2\u00aa \3\2\2\2\u00ab\u00ac\7y\2\2\u00ac"+
"\u00ad\7k\2\2\u00ad\u00ae\7v\2\2\u00ae\u00af\7j\2\2\u00af\"\3\2\2\2\u00b0"+
"\u00b1\7<\2\2\u00b1$\3\2\2\2\u00b2\u00b3\7?\2\2\u00b3&\3\2\2\2\u00b4\u00b5"+
"\7?\2\2\u00b5\u00b6\7?\2\2\u00b6(\3\2\2\2\u00b7\u00b8\7#\2\2\u00b8\u00b9"+
"\7?\2\2\u00b9*\3\2\2\2\u00ba\u00bb\7>\2\2\u00bb,\3\2\2\2\u00bc\u00bd\7"+
">\2\2\u00bd\u00be\7?\2\2\u00be.\3\2\2\2\u00bf\u00c0\7@\2\2\u00c0\60\3"+
"\2\2\2\u00c1\u00c2\7@\2\2\u00c2\u00c3\7?\2\2\u00c3\62\3\2\2\2\u00c4\u00c5"+
"\7-\2\2\u00c5\64\3\2\2\2\u00c6\u00c7\7/\2\2\u00c7\66\3\2\2\2\u00c8\u00c9"+
"\7,\2\2\u00c98\3\2\2\2\u00ca\u00cb\7\61\2\2\u00cb:\3\2\2\2\u00cc\u00cd"+
"\7\'\2\2\u00cd<\3\2\2\2\u00ce\u00cf\7\60\2\2\u00cf>\3\2\2\2\u00d0\u00d1"+
"\7.\2\2\u00d1@\3\2\2\2\u00d2\u00d3\7]\2\2\u00d3B\3\2\2\2\u00d4\u00d5\7"+
"_\2\2\u00d5D\3\2\2\2\u00d6\u00d7\7*\2\2\u00d7F\3\2\2\2\u00d8\u00d9\7+"+
"\2\2\u00d9H\3\2\2\2\u00da\u00db\7~\2\2\u00dbJ\3\2\2\2\u00dc\u00e2\7b\2"+
"\2\u00dd\u00e1\n\2\2\2\u00de\u00df\7b\2\2\u00df\u00e1\7b\2\2\u00e0\u00dd"+
"\3\2\2\2\u00e0\u00de\3\2\2\2\u00e1\u00e4\3\2\2\2\u00e2\u00e0\3\2\2\2\u00e2"+
"\u00e3\3\2\2\2\u00e3\u00e5\3\2\2\2\u00e4\u00e2\3\2\2\2\u00e5\u00e6\7b"+
"\2\2\u00e6L\3\2\2\2\u00e7\u00ed\7)\2\2\u00e8\u00e9\7^\2\2\u00e9\u00ec"+
"\t\3\2\2\u00ea\u00ec\n\4\2\2\u00eb\u00e8\3\2\2\2\u00eb\u00ea\3\2\2\2\u00ec"+
"\u00ef\3\2\2\2\u00ed\u00eb\3\2\2\2\u00ed\u00ee\3\2\2\2\u00ee\u00f0\3\2"+
"\2\2\u00ef\u00ed\3\2\2\2\u00f0\u0114\7)\2\2\u00f1\u00f7\7$\2\2\u00f2\u00f3"+
"\7^\2\2\u00f3\u00f6\t\3\2\2\u00f4\u00f6\n\5\2\2\u00f5\u00f2\3\2\2\2\u00f5"+
"\u00f4\3\2\2\2\u00f6\u00f9\3\2\2\2\u00f7\u00f5\3\2\2\2\u00f7\u00f8\3\2"+
"\2\2\u00f8\u00fa\3\2\2\2\u00f9\u00f7\3\2\2\2\u00fa\u0114\7$\2\2\u00fb"+
"\u00fc\7A\2\2\u00fc\u00fd\7$\2\2\u00fd\u0103\3\2\2\2\u00fe\u00ff\7^\2"+
"\2\u00ff\u0102\7$\2\2\u0100\u0102\n\6\2\2\u0101\u00fe\3\2\2\2\u0101\u0100"+
"\3\2\2\2\u0102\u0105\3\2\2\2\u0103\u0101\3\2\2\2\u0103\u0104\3\2\2\2\u0104"+
"\u0106\3\2\2\2\u0105\u0103\3\2\2\2\u0106\u0114\7$\2\2\u0107\u0108\7A\2"+
"\2\u0108\u0109\7)\2\2\u0109\u010f\3\2\2\2\u010a\u010b\7^\2\2\u010b\u010e"+
"\7)\2\2\u010c\u010e\n\7\2\2\u010d\u010a\3\2\2\2\u010d\u010c\3\2\2\2\u010e"+
"\u0111\3\2\2\2\u010f\u010d\3\2\2\2\u010f\u0110\3\2\2\2\u0110\u0112\3\2"+
"\2\2\u0111\u010f\3\2\2\2\u0112\u0114\7)\2\2\u0113\u00e7\3\2\2\2\u0113"+
"\u00f1\3\2\2\2\u0113\u00fb\3\2\2\2\u0113\u0107\3\2\2\2\u0114N\3\2\2\2"+
"\u0115\u0117\5W,\2\u0116\u0115\3\2\2\2\u0117\u0118\3\2\2\2\u0118\u0116"+
"\3\2\2\2\u0118\u0119\3\2\2\2\u0119P\3\2\2\2\u011a\u011c\5W,\2\u011b\u011a"+
"\3\2\2\2\u011c\u011d\3\2\2\2\u011d\u011b\3\2\2\2\u011d\u011e\3\2\2\2\u011e"+
"\u011f\3\2\2\2\u011f\u0123\5=\37\2\u0120\u0122\5W,\2\u0121\u0120\3\2\2"+
"\2\u0122\u0125\3\2\2\2\u0123\u0121\3\2\2\2\u0123\u0124\3\2\2\2\u0124\u0145"+
"\3\2\2\2\u0125\u0123\3\2\2\2\u0126\u0128\5=\37\2\u0127\u0129\5W,\2\u0128"+
"\u0127\3\2\2\2\u0129\u012a\3\2\2\2\u012a\u0128\3\2\2\2\u012a\u012b\3\2"+
"\2\2\u012b\u0145\3\2\2\2\u012c\u012e\5W,\2\u012d\u012c\3\2\2\2\u012e\u012f"+
"\3\2\2\2\u012f\u012d\3\2\2\2\u012f\u0130\3\2\2\2\u0130\u0138\3\2\2\2\u0131"+
"\u0135\5=\37\2\u0132\u0134\5W,\2\u0133\u0132\3\2\2\2\u0134\u0137\3\2\2"+
"\2\u0135\u0133\3\2\2\2\u0135\u0136\3\2\2\2\u0136\u0139\3\2\2\2\u0137\u0135"+
"\3\2\2\2\u0138\u0131\3\2\2\2\u0138\u0139\3\2\2\2\u0139\u013a\3\2\2\2\u013a"+
"\u013b\5U+\2\u013b\u0145\3\2\2\2\u013c\u013e\5=\37\2\u013d\u013f\5W,\2"+
"\u013e\u013d\3\2\2\2\u013f\u0140\3\2\2\2\u0140\u013e\3\2\2\2\u0140\u0141"+
"\3\2\2\2\u0141\u0142\3\2\2\2\u0142\u0143\5U+\2\u0143\u0145\3\2\2\2\u0144"+
"\u011b\3\2\2\2\u0144\u0126\3\2\2\2\u0144\u012d\3\2\2\2\u0144\u013c\3\2"+
"\2\2\u0145R\3\2\2\2\u0146\u0149\5Y-\2\u0147\u0149\t\b\2\2\u0148\u0146"+
"\3\2\2\2\u0148\u0147\3\2\2\2\u0149\u014f\3\2\2\2\u014a\u014e\5Y-\2\u014b"+
"\u014e\5W,\2\u014c\u014e\7a\2\2\u014d\u014a\3\2\2\2\u014d\u014b\3\2\2"+
"\2\u014d\u014c\3\2\2\2\u014e\u0151\3\2\2\2\u014f\u014d\3\2\2\2\u014f\u0150"+
"\3\2\2\2\u0150T\3\2\2\2\u0151\u014f\3\2\2\2\u0152\u0154\t\t\2\2\u0153"+
"\u0155\t\n\2\2\u0154\u0153\3\2\2\2\u0154\u0155\3\2\2\2\u0155\u0157\3\2"+
"\2\2\u0156\u0158\5W,\2\u0157\u0156\3\2\2\2\u0158\u0159\3\2\2\2\u0159\u0157"+
"\3\2\2\2\u0159\u015a\3\2\2\2\u015aV\3\2\2\2\u015b\u015c\t\13\2\2\u015c"+
"X\3\2\2\2\u015d\u015e\t\f\2\2\u015eZ\3\2\2\2\u015f\u0160\7\61\2\2\u0160"+
"\u0161\7\61\2\2\u0161\u0165\3\2\2\2\u0162\u0164\n\r\2\2\u0163\u0162\3"+
"\2\2\2\u0164\u0167\3\2\2\2\u0165\u0163\3\2\2\2\u0165\u0166\3\2\2\2\u0166"+
"\u0169\3\2\2\2\u0167\u0165\3\2\2\2\u0168\u016a\7\17\2\2\u0169\u0168\3"+
"\2\2\2\u0169\u016a\3\2\2\2\u016a\u016c\3\2\2\2\u016b\u016d\7\f\2\2\u016c"+
"\u016b\3\2\2\2\u016c\u016d\3\2\2\2\u016d\u016e\3\2\2\2\u016e\u016f\b."+
"\2\2\u016f\\\3\2\2\2\u0170\u0171\7\61\2\2\u0171\u0172\7,\2\2\u0172\u0177"+
"\3\2\2\2\u0173\u0176\5]/\2\u0174\u0176\13\2\2\2\u0175\u0173\3\2\2\2\u0175"+
"\u0174\3\2\2\2\u0176\u0179\3\2\2\2\u0177\u0178\3\2\2\2\u0177\u0175\3\2"+
"\2\2\u0178\u017a\3\2\2\2\u0179\u0177\3\2\2\2\u017a\u017b\7,\2\2\u017b"+
"\u017c\7\61\2\2\u017c\u017d\3\2\2\2\u017d\u017e\b/\2\2\u017e^\3\2\2\2"+
"\u017f\u0181\t\16\2\2\u0180\u017f\3\2\2\2\u0181\u0182\3\2\2\2\u0182\u0180"+
"\3\2\2\2\u0182\u0183\3\2\2\2\u0183\u0184\3\2\2\2\u0184\u0185\b\60\2\2"+
"\u0185`\3\2\2\2\"\2\u00e0\u00e2\u00eb\u00ed\u00f5\u00f7\u0101\u0103\u010d"+
"\u010f\u0113\u0118\u011d\u0123\u012a\u012f\u0135\u0138\u0140\u0144\u0148"+
"\u014d\u014f\u0154\u0159\u0165\u0169\u016c\u0175\u0177\u0182\3\2\3\2";
public static final ATN _ATN =
new ATNDeserializer().deserialize(_serializedATN.toCharArray());
static {

173
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java
View File

@ -18,11 +18,11 @@ class EqlBaseParser extends Parser {
new PredictionContextCache();
public static final int
AND=1, ANY=2, BY=3, FALSE=4, IN=5, JOIN=6, MAXSPAN=7, NOT=8, NULL=9, OF=10,
OR=11, SEQUENCE=12, TRUE=13, UNTIL=14, WHERE=15, WITH=16, ASGN=17, EQ=18,
NEQ=19, LT=20, LTE=21, GT=22, GTE=23, PLUS=24, MINUS=25, ASTERISK=26,
SLASH=27, PERCENT=28, DOT=29, COMMA=30, LB=31, RB=32, LP=33, RP=34, PIPE=35,
ESCAPED_IDENTIFIER=36, STRING=37, INTEGER_VALUE=38, DECIMAL_VALUE=39,
IDENTIFIER=40, LINE_COMMENT=41, BRACKETED_COMMENT=42, WS=43;
OR=11, SEQUENCE=12, TRUE=13, UNTIL=14, WHERE=15, WITH=16, SEQ=17, ASGN=18,
EQ=19, NEQ=20, LT=21, LTE=22, GT=23, GTE=24, PLUS=25, MINUS=26, ASTERISK=27,
SLASH=28, PERCENT=29, DOT=30, COMMA=31, LB=32, RB=33, LP=34, RP=35, PIPE=36,
ESCAPED_IDENTIFIER=37, STRING=38, INTEGER_VALUE=39, DECIMAL_VALUE=40,
IDENTIFIER=41, LINE_COMMENT=42, BRACKETED_COMMENT=43, WS=44;
public static final int
RULE_singleStatement = 0, RULE_singleExpression = 1, RULE_statement = 2,
RULE_query = 3, RULE_sequenceParams = 4, RULE_sequence = 5, RULE_join = 6,
@ -45,14 +45,14 @@ class EqlBaseParser extends Parser {
private static final String[] _LITERAL_NAMES = {
null, "'and'", "'any'", "'by'", "'false'", "'in'", "'join'", "'maxspan'",
"'not'", "'null'", "'of'", "'or'", "'sequence'", "'true'", "'until'",
"'where'", "'with'", "'='", "'=='", "'!='", "'<'", "'<='", "'>'", "'>='",
"'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'", "'('",
"')'", "'|'"
"'where'", "'with'", "':'", "'='", "'=='", "'!='", "'<'", "'<='", "'>'",
"'>='", "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'",
"'('", "')'", "'|'"
};
private static final String[] _SYMBOLIC_NAMES = {
null, "AND", "ANY", "BY", "FALSE", "IN", "JOIN", "MAXSPAN", "NOT", "NULL",
"OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", "EQ",
"NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH",
"OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "SEQ", "ASGN",
"EQ", "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH",
"PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER",
"STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "LINE_COMMENT",
"BRACKETED_COMMENT", "WS"
@ -2077,6 +2077,7 @@ class EqlBaseParser extends Parser {
}
public static class ComparisonOperatorContext extends ParserRuleContext {
public TerminalNode SEQ() { return getToken(EqlBaseParser.SEQ, 0); }
public TerminalNode EQ() { return getToken(EqlBaseParser.EQ, 0); }
public TerminalNode NEQ() { return getToken(EqlBaseParser.NEQ, 0); }
public TerminalNode LT() { return getToken(EqlBaseParser.LT, 0); }
@ -2111,7 +2112,7 @@ class EqlBaseParser extends Parser {
{
setState(251);
_la = _input.LA(1);
if ( !((((_la) & ~0x3f) == 0 && ((1L << _la) & ((1L << EQ) | (1L << NEQ) | (1L << LT) | (1L << LTE) | (1L << GT) | (1L << GTE))) != 0)) ) {
if ( !((((_la) & ~0x3f) == 0 && ((1L << _la) & ((1L << SEQ) | (1L << EQ) | (1L << NEQ) | (1L << LT) | (1L << LTE) | (1L << GT) | (1L << GTE))) != 0)) ) {
_errHandler.recoverInline(this);
} else {
consume();
@ -2549,7 +2550,7 @@ class EqlBaseParser extends Parser {
}
public static final String _serializedATN =
"\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\3-\u011d\4\2\t\2\4"+
"\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\3.\u011d\4\2\t\2\4"+
"\3\t\3\4\4\t\4\4\5\t\5\4\6\t\6\4\7\t\7\4\b\t\b\4\t\t\t\4\n\t\n\4\13\t"+
"\13\4\f\t\f\4\r\t\r\4\16\t\16\4\17\t\17\4\20\t\20\4\21\t\21\4\22\t\22"+
"\4\23\t\23\4\24\t\24\4\25\t\25\4\26\t\26\4\27\t\27\4\30\t\30\4\31\t\31"+
@ -2572,80 +2573,80 @@ class EqlBaseParser extends Parser {
"\3\32\3\32\3\32\3\32\6\32\u0107\n\32\r\32\16\32\u0108\3\32\7\32\u010c"+
"\n\32\f\32\16\32\u010f\13\32\3\33\3\33\3\34\3\34\5\34\u0115\n\34\3\35"+
"\3\35\5\35\u0119\n\35\3\36\3\36\3\36\2\4 $\37\2\4\6\b\n\f\16\20\22\24"+
"\26\30\32\34\36 \"$&(*,.\60\62\64\668:\2\7\3\2\32\33\3\2\34\36\3\2\24"+
"\31\4\2\6\6\17\17\4\2&&**\u0129\2<\3\2\2\2\4?\3\2\2\2\6B\3\2\2\2\bL\3"+
"\2\2\2\nN\3\2\2\2\fS\3\2\2\2\16h\3\2\2\2\20v\3\2\2\2\22\u0082\3\2\2\2"+
"\24\u008b\3\2\2\2\26\u008f\3\2\2\2\30\u0093\3\2\2\2\32\u0097\3\2\2\2\34"+
"\u009b\3\2\2\2\36\u00a0\3\2\2\2 \u00a9\3\2\2\2\"\u00bb\3\2\2\2$\u00c4"+
"\3\2\2\2&\u00d2\3\2\2\2(\u00e7\3\2\2\2*\u00e9\3\2\2\2,\u00fb\3\2\2\2."+
"\u00fd\3\2\2\2\60\u00ff\3\2\2\2\62\u0101\3\2\2\2\64\u0110\3\2\2\2\66\u0112"+
"\3\2\2\28\u0118\3\2\2\2:\u011a\3\2\2\2<=\5\6\4\2=>\7\2\2\3>\3\3\2\2\2"+
"?@\5\36\20\2@A\7\2\2\3A\5\3\2\2\2BF\5\b\5\2CE\5\20\t\2DC\3\2\2\2EH\3\2"+
"\2\2FD\3\2\2\2FG\3\2\2\2G\7\3\2\2\2HF\3\2\2\2IM\5\f\7\2JM\5\16\b\2KM\5"+
"\32\16\2LI\3\2\2\2LJ\3\2\2\2LK\3\2\2\2M\t\3\2\2\2NO\7\22\2\2OP\7\t\2\2"+
"PQ\7\23\2\2QR\5\66\34\2R\13\3\2\2\2S\\\7\16\2\2TV\5\22\n\2UW\5\n\6\2V"+
"U\3\2\2\2VW\3\2\2\2W]\3\2\2\2XZ\5\n\6\2Y[\5\22\n\2ZY\3\2\2\2Z[\3\2\2\2"+
"[]\3\2\2\2\\T\3\2\2\2\\X\3\2\2\2\\]\3\2\2\2]^\3\2\2\2^`\5\26\f\2_a\5\26"+
"\f\2`_\3\2\2\2ab\3\2\2\2b`\3\2\2\2bc\3\2\2\2cf\3\2\2\2de\7\20\2\2eg\5"+
"\26\f\2fd\3\2\2\2fg\3\2\2\2g\r\3\2\2\2hj\7\b\2\2ik\5\22\n\2ji\3\2\2\2"+
"jk\3\2\2\2kl\3\2\2\2ln\5\24\13\2mo\5\24\13\2nm\3\2\2\2op\3\2\2\2pn\3\2"+
"\2\2pq\3\2\2\2qt\3\2\2\2rs\7\20\2\2su\5\24\13\2tr\3\2\2\2tu\3\2\2\2u\17"+
"\3\2\2\2vw\7%\2\2w\u0080\7*\2\2x}\5 \21\2yz\7 \2\2z|\5 \21\2{y\3\2\2\2"+
"|\177\3\2\2\2}{\3\2\2\2}~\3\2\2\2~\u0081\3\2\2\2\177}\3\2\2\2\u0080x\3"+
"\2\2\2\u0080\u0081\3\2\2\2\u0081\21\3\2\2\2\u0082\u0083\7\5\2\2\u0083"+
"\u0088\5\36\20\2\u0084\u0085\7 \2\2\u0085\u0087\5\36\20\2\u0086\u0084"+
"\3\2\2\2\u0087\u008a\3\2\2\2\u0088\u0086\3\2\2\2\u0088\u0089\3\2\2\2\u0089"+
"\23\3\2\2\2\u008a\u0088\3\2\2\2\u008b\u008d\5\30\r\2\u008c\u008e\5\22"+
"\n\2\u008d\u008c\3\2\2\2\u008d\u008e\3\2\2\2\u008e\25\3\2\2\2\u008f\u0091"+
"\5\30\r\2\u0090\u0092\5\22\n\2\u0091\u0090\3\2\2\2\u0091\u0092\3\2\2\2"+
"\u0092\27\3\2\2\2\u0093\u0094\7!\2\2\u0094\u0095\5\34\17\2\u0095\u0096"+
"\7\"\2\2\u0096\31\3\2\2\2\u0097\u0098\5\34\17\2\u0098\33\3\2\2\2\u0099"+
"\u009c\7\4\2\2\u009a\u009c\5\64\33\2\u009b\u0099\3\2\2\2\u009b\u009a\3"+
"\2\2\2\u009c\u009d\3\2\2\2\u009d\u009e\7\21\2\2\u009e\u009f\5\36\20\2"+
"\u009f\35\3\2\2\2\u00a0\u00a1\5 \21\2\u00a1\37\3\2\2\2\u00a2\u00a3\b\21"+
"\1\2\u00a3\u00a4\7\n\2\2\u00a4\u00aa\5 \21\7\u00a5\u00a6\7*\2\2\u00a6"+
"\u00a7\7\f\2\2\u00a7\u00aa\5\30\r\2\u00a8\u00aa\5\"\22\2\u00a9\u00a2\3"+
"\2\2\2\u00a9\u00a5\3\2\2\2\u00a9\u00a8\3\2\2\2\u00aa\u00b3\3\2\2\2\u00ab"+
"\u00ac\f\4\2\2\u00ac\u00ad\7\3\2\2\u00ad\u00b2\5 \21\5\u00ae\u00af\f\3"+
"\2\2\u00af\u00b0\7\r\2\2\u00b0\u00b2\5 \21\4\u00b1\u00ab\3\2\2\2\u00b1"+
"\u00ae\3\2\2\2\u00b2\u00b5\3\2\2\2\u00b3\u00b1\3\2\2\2\u00b3\u00b4\3\2"+
"\2\2\u00b4!\3\2\2\2\u00b5\u00b3\3\2\2\2\u00b6\u00bc\5$\23\2\u00b7\u00b8"+
"\5$\23\2\u00b8\u00b9\5.\30\2\u00b9\u00ba\5$\23\2\u00ba\u00bc\3\2\2\2\u00bb"+
"\u00b6\3\2\2\2\u00bb\u00b7\3\2\2\2\u00bc#\3\2\2\2\u00bd\u00be\b\23\1\2"+
"\u00be\u00c0\5(\25\2\u00bf\u00c1\5&\24\2\u00c0\u00bf\3\2\2\2\u00c0\u00c1"+
"\3\2\2\2\u00c1\u00c5\3\2\2\2\u00c2\u00c3\t\2\2\2\u00c3\u00c5\5$\23\5\u00c4"+
"\u00bd\3\2\2\2\u00c4\u00c2\3\2\2\2\u00c5\u00ce\3\2\2\2\u00c6\u00c7\f\4"+
"\2\2\u00c7\u00c8\t\3\2\2\u00c8\u00cd\5$\23\5\u00c9\u00ca\f\3\2\2\u00ca"+
"\u00cb\t\2\2\2\u00cb\u00cd\5$\23\4\u00cc\u00c6\3\2\2\2\u00cc\u00c9\3\2"+
"\2\2\u00cd\u00d0\3\2\2\2\u00ce\u00cc\3\2\2\2\u00ce\u00cf\3\2\2\2\u00cf"+
"%\3\2\2\2\u00d0\u00ce\3\2\2\2\u00d1\u00d3\7\n\2\2\u00d2\u00d1\3\2\2\2"+
"\u00d2\u00d3\3\2\2\2\u00d3\u00d4\3\2\2\2\u00d4\u00d5\7\7\2\2\u00d5\u00d6"+
"\7#\2\2\u00d6\u00db\5\36\20\2\u00d7\u00d8\7 \2\2\u00d8\u00da\5\36\20\2"+
"\u00d9\u00d7\3\2\2\2\u00da\u00dd\3\2\2\2\u00db\u00d9\3\2\2\2\u00db\u00dc"+
"\3\2\2\2\u00dc\u00de\3\2\2\2\u00dd\u00db\3\2\2\2\u00de\u00df\7$\2\2\u00df"+
"\'\3\2\2\2\u00e0\u00e8\5,\27\2\u00e1\u00e8\5*\26\2\u00e2\u00e8\5\62\32"+
"\2\u00e3\u00e4\7#\2\2\u00e4\u00e5\5\36\20\2\u00e5\u00e6\7$\2\2\u00e6\u00e8"+
"\3\2\2\2\u00e7\u00e0\3\2\2\2\u00e7\u00e1\3\2\2\2\u00e7\u00e2\3\2\2\2\u00e7"+
"\u00e3\3\2\2\2\u00e8)\3\2\2\2\u00e9\u00ea\7*\2\2\u00ea\u00f3\7#\2\2\u00eb"+
"\u00f0\5\36\20\2\u00ec\u00ed\7 \2\2\u00ed\u00ef\5\36\20\2\u00ee\u00ec"+
"\3\2\2\2\u00ef\u00f2\3\2\2\2\u00f0\u00ee\3\2\2\2\u00f0\u00f1\3\2\2\2\u00f1"+
"\u00f4\3\2\2\2\u00f2\u00f0\3\2\2\2\u00f3\u00eb\3\2\2\2\u00f3\u00f4\3\2"+
"\2\2\u00f4\u00f5\3\2\2\2\u00f5\u00f6\7$\2\2\u00f6+\3\2\2\2\u00f7\u00fc"+
"\7\13\2\2\u00f8\u00fc\58\35\2\u00f9\u00fc\5\60\31\2\u00fa\u00fc\5:\36"+
"\2\u00fb\u00f7\3\2\2\2\u00fb\u00f8\3\2\2\2\u00fb\u00f9\3\2\2\2\u00fb\u00fa"+
"\3\2\2\2\u00fc-\3\2\2\2\u00fd\u00fe\t\4\2\2\u00fe/\3\2\2\2\u00ff\u0100"+
"\t\5\2\2\u0100\61\3\2\2\2\u0101\u010d\5\64\33\2\u0102\u0103\7\37\2\2\u0103"+
"\u010c\5\64\33\2\u0104\u0106\7!\2\2\u0105\u0107\7(\2\2\u0106\u0105\3\2"+
"\2\2\u0107\u0108\3\2\2\2\u0108\u0106\3\2\2\2\u0108\u0109\3\2\2\2\u0109"+
"\u010a\3\2\2\2\u010a\u010c\7\"\2\2\u010b\u0102\3\2\2\2\u010b\u0104\3\2"+
"\2\2\u010c\u010f\3\2\2\2\u010d\u010b\3\2\2\2\u010d\u010e\3\2\2\2\u010e"+
"\63\3\2\2\2\u010f\u010d\3\2\2\2\u0110\u0111\t\6\2\2\u0111\65\3\2\2\2\u0112"+
"\u0114\58\35\2\u0113\u0115\7*\2\2\u0114\u0113\3\2\2\2\u0114\u0115\3\2"+
"\2\2\u0115\67\3\2\2\2\u0116\u0119\7)\2\2\u0117\u0119\7(\2\2\u0118\u0116"+
"\3\2\2\2\u0118\u0117\3\2\2\2\u01199\3\2\2\2\u011a\u011b\7\'\2\2\u011b"+
";\3\2\2\2%FLVZ\\bfjpt}\u0080\u0088\u008d\u0091\u009b\u00a9\u00b1\u00b3"+
"\u00bb\u00c0\u00c4\u00cc\u00ce\u00d2\u00db\u00e7\u00f0\u00f3\u00fb\u0108"+
"\u010b\u010d\u0114\u0118";
"\26\30\32\34\36 \"$&(*,.\60\62\64\668:\2\7\3\2\33\34\3\2\35\37\4\2\23"+
"\23\25\32\4\2\6\6\17\17\4\2\'\'++\u0129\2<\3\2\2\2\4?\3\2\2\2\6B\3\2\2"+
"\2\bL\3\2\2\2\nN\3\2\2\2\fS\3\2\2\2\16h\3\2\2\2\20v\3\2\2\2\22\u0082\3"+
"\2\2\2\24\u008b\3\2\2\2\26\u008f\3\2\2\2\30\u0093\3\2\2\2\32\u0097\3\2"+
"\2\2\34\u009b\3\2\2\2\36\u00a0\3\2\2\2 \u00a9\3\2\2\2\"\u00bb\3\2\2\2"+
"$\u00c4\3\2\2\2&\u00d2\3\2\2\2(\u00e7\3\2\2\2*\u00e9\3\2\2\2,\u00fb\3"+
"\2\2\2.\u00fd\3\2\2\2\60\u00ff\3\2\2\2\62\u0101\3\2\2\2\64\u0110\3\2\2"+
"\2\66\u0112\3\2\2\28\u0118\3\2\2\2:\u011a\3\2\2\2<=\5\6\4\2=>\7\2\2\3"+
">\3\3\2\2\2?@\5\36\20\2@A\7\2\2\3A\5\3\2\2\2BF\5\b\5\2CE\5\20\t\2DC\3"+
"\2\2\2EH\3\2\2\2FD\3\2\2\2FG\3\2\2\2G\7\3\2\2\2HF\3\2\2\2IM\5\f\7\2JM"+
"\5\16\b\2KM\5\32\16\2LI\3\2\2\2LJ\3\2\2\2LK\3\2\2\2M\t\3\2\2\2NO\7\22"+
"\2\2OP\7\t\2\2PQ\7\24\2\2QR\5\66\34\2R\13\3\2\2\2S\\\7\16\2\2TV\5\22\n"+
"\2UW\5\n\6\2VU\3\2\2\2VW\3\2\2\2W]\3\2\2\2XZ\5\n\6\2Y[\5\22\n\2ZY\3\2"+
"\2\2Z[\3\2\2\2[]\3\2\2\2\\T\3\2\2\2\\X\3\2\2\2\\]\3\2\2\2]^\3\2\2\2^`"+
"\5\26\f\2_a\5\26\f\2`_\3\2\2\2ab\3\2\2\2b`\3\2\2\2bc\3\2\2\2cf\3\2\2\2"+
"de\7\20\2\2eg\5\26\f\2fd\3\2\2\2fg\3\2\2\2g\r\3\2\2\2hj\7\b\2\2ik\5\22"+
"\n\2ji\3\2\2\2jk\3\2\2\2kl\3\2\2\2ln\5\24\13\2mo\5\24\13\2nm\3\2\2\2o"+
"p\3\2\2\2pn\3\2\2\2pq\3\2\2\2qt\3\2\2\2rs\7\20\2\2su\5\24\13\2tr\3\2\2"+
"\2tu\3\2\2\2u\17\3\2\2\2vw\7&\2\2w\u0080\7+\2\2x}\5 \21\2yz\7!\2\2z|\5"+
" \21\2{y\3\2\2\2|\177\3\2\2\2}{\3\2\2\2}~\3\2\2\2~\u0081\3\2\2\2\177}"+
"\3\2\2\2\u0080x\3\2\2\2\u0080\u0081\3\2\2\2\u0081\21\3\2\2\2\u0082\u0083"+
"\7\5\2\2\u0083\u0088\5\36\20\2\u0084\u0085\7!\2\2\u0085\u0087\5\36\20"+
"\2\u0086\u0084\3\2\2\2\u0087\u008a\3\2\2\2\u0088\u0086\3\2\2\2\u0088\u0089"+
"\3\2\2\2\u0089\23\3\2\2\2\u008a\u0088\3\2\2\2\u008b\u008d\5\30\r\2\u008c"+
"\u008e\5\22\n\2\u008d\u008c\3\2\2\2\u008d\u008e\3\2\2\2\u008e\25\3\2\2"+
"\2\u008f\u0091\5\30\r\2\u0090\u0092\5\22\n\2\u0091\u0090\3\2\2\2\u0091"+
"\u0092\3\2\2\2\u0092\27\3\2\2\2\u0093\u0094\7\"\2\2\u0094\u0095\5\34\17"+
"\2\u0095\u0096\7#\2\2\u0096\31\3\2\2\2\u0097\u0098\5\34\17\2\u0098\33"+
"\3\2\2\2\u0099\u009c\7\4\2\2\u009a\u009c\5\64\33\2\u009b\u0099\3\2\2\2"+
"\u009b\u009a\3\2\2\2\u009c\u009d\3\2\2\2\u009d\u009e\7\21\2\2\u009e\u009f"+
"\5\36\20\2\u009f\35\3\2\2\2\u00a0\u00a1\5 \21\2\u00a1\37\3\2\2\2\u00a2"+
"\u00a3\b\21\1\2\u00a3\u00a4\7\n\2\2\u00a4\u00aa\5 \21\7\u00a5\u00a6\7"+
"+\2\2\u00a6\u00a7\7\f\2\2\u00a7\u00aa\5\30\r\2\u00a8\u00aa\5\"\22\2\u00a9"+
"\u00a2\3\2\2\2\u00a9\u00a5\3\2\2\2\u00a9\u00a8\3\2\2\2\u00aa\u00b3\3\2"+
"\2\2\u00ab\u00ac\f\4\2\2\u00ac\u00ad\7\3\2\2\u00ad\u00b2\5 \21\5\u00ae"+
"\u00af\f\3\2\2\u00af\u00b0\7\r\2\2\u00b0\u00b2\5 \21\4\u00b1\u00ab\3\2"+
"\2\2\u00b1\u00ae\3\2\2\2\u00b2\u00b5\3\2\2\2\u00b3\u00b1\3\2\2\2\u00b3"+
"\u00b4\3\2\2\2\u00b4!\3\2\2\2\u00b5\u00b3\3\2\2\2\u00b6\u00bc\5$\23\2"+
"\u00b7\u00b8\5$\23\2\u00b8\u00b9\5.\30\2\u00b9\u00ba\5$\23\2\u00ba\u00bc"+
"\3\2\2\2\u00bb\u00b6\3\2\2\2\u00bb\u00b7\3\2\2\2\u00bc#\3\2\2\2\u00bd"+
"\u00be\b\23\1\2\u00be\u00c0\5(\25\2\u00bf\u00c1\5&\24\2\u00c0\u00bf\3"+
"\2\2\2\u00c0\u00c1\3\2\2\2\u00c1\u00c5\3\2\2\2\u00c2\u00c3\t\2\2\2\u00c3"+
"\u00c5\5$\23\5\u00c4\u00bd\3\2\2\2\u00c4\u00c2\3\2\2\2\u00c5\u00ce\3\2"+
"\2\2\u00c6\u00c7\f\4\2\2\u00c7\u00c8\t\3\2\2\u00c8\u00cd\5$\23\5\u00c9"+
"\u00ca\f\3\2\2\u00ca\u00cb\t\2\2\2\u00cb\u00cd\5$\23\4\u00cc\u00c6\3\2"+
"\2\2\u00cc\u00c9\3\2\2\2\u00cd\u00d0\3\2\2\2\u00ce\u00cc\3\2\2\2\u00ce"+
"\u00cf\3\2\2\2\u00cf%\3\2\2\2\u00d0\u00ce\3\2\2\2\u00d1\u00d3\7\n\2\2"+
"\u00d2\u00d1\3\2\2\2\u00d2\u00d3\3\2\2\2\u00d3\u00d4\3\2\2\2\u00d4\u00d5"+
"\7\7\2\2\u00d5\u00d6\7$\2\2\u00d6\u00db\5\36\20\2\u00d7\u00d8\7!\2\2\u00d8"+
"\u00da\5\36\20\2\u00d9\u00d7\3\2\2\2\u00da\u00dd\3\2\2\2\u00db\u00d9\3"+
"\2\2\2\u00db\u00dc\3\2\2\2\u00dc\u00de\3\2\2\2\u00dd\u00db\3\2\2\2\u00de"+
"\u00df\7%\2\2\u00df\'\3\2\2\2\u00e0\u00e8\5,\27\2\u00e1\u00e8\5*\26\2"+
"\u00e2\u00e8\5\62\32\2\u00e3\u00e4\7$\2\2\u00e4\u00e5\5\36\20\2\u00e5"+
"\u00e6\7%\2\2\u00e6\u00e8\3\2\2\2\u00e7\u00e0\3\2\2\2\u00e7\u00e1\3\2"+
"\2\2\u00e7\u00e2\3\2\2\2\u00e7\u00e3\3\2\2\2\u00e8)\3\2\2\2\u00e9\u00ea"+
"\7+\2\2\u00ea\u00f3\7$\2\2\u00eb\u00f0\5\36\20\2\u00ec\u00ed\7!\2\2\u00ed"+
"\u00ef\5\36\20\2\u00ee\u00ec\3\2\2\2\u00ef\u00f2\3\2\2\2\u00f0\u00ee\3"+
"\2\2\2\u00f0\u00f1\3\2\2\2\u00f1\u00f4\3\2\2\2\u00f2\u00f0\3\2\2\2\u00f3"+
"\u00eb\3\2\2\2\u00f3\u00f4\3\2\2\2\u00f4\u00f5\3\2\2\2\u00f5\u00f6\7%"+
"\2\2\u00f6+\3\2\2\2\u00f7\u00fc\7\13\2\2\u00f8\u00fc\58\35\2\u00f9\u00fc"+
"\5\60\31\2\u00fa\u00fc\5:\36\2\u00fb\u00f7\3\2\2\2\u00fb\u00f8\3\2\2\2"+
"\u00fb\u00f9\3\2\2\2\u00fb\u00fa\3\2\2\2\u00fc-\3\2\2\2\u00fd\u00fe\t"+
"\4\2\2\u00fe/\3\2\2\2\u00ff\u0100\t\5\2\2\u0100\61\3\2\2\2\u0101\u010d"+
"\5\64\33\2\u0102\u0103\7 \2\2\u0103\u010c\5\64\33\2\u0104\u0106\7\"\2"+
"\2\u0105\u0107\7)\2\2\u0106\u0105\3\2\2\2\u0107\u0108\3\2\2\2\u0108\u0106"+
"\3\2\2\2\u0108\u0109\3\2\2\2\u0109\u010a\3\2\2\2\u010a\u010c\7#\2\2\u010b"+
"\u0102\3\2\2\2\u010b\u0104\3\2\2\2\u010c\u010f\3\2\2\2\u010d\u010b\3\2"+
"\2\2\u010d\u010e\3\2\2\2\u010e\63\3\2\2\2\u010f\u010d\3\2\2\2\u0110\u0111"+
"\t\6\2\2\u0111\65\3\2\2\2\u0112\u0114\58\35\2\u0113\u0115\7+\2\2\u0114"+
"\u0113\3\2\2\2\u0114\u0115\3\2\2\2\u0115\67\3\2\2\2\u0116\u0119\7*\2\2"+
"\u0117\u0119\7)\2\2\u0118\u0116\3\2\2\2\u0118\u0117\3\2\2\2\u01199\3\2"+
"\2\2\u011a\u011b\7(\2\2\u011b;\3\2\2\2%FLVZ\\bfjpt}\u0080\u0088\u008d"+
"\u0091\u009b\u00a9\u00b1\u00b3\u00bb\u00c0\u00c4\u00cc\u00ce\u00d2\u00db"+
"\u00e7\u00f0\u00f3\u00fb\u0108\u010b\u010d\u0114\u0118";
public static final ATN _ATN =
new ATNDeserializer().deserialize(_serializedATN.toCharArray());
static {

3
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/ExpressionBuilder.java
View File

@ -9,6 +9,7 @@ package org.elasticsearch.xpack.eql.parser;
import org.antlr.v4.runtime.ParserRuleContext;
import org.antlr.v4.runtime.tree.ParseTree;
import org.antlr.v4.runtime.tree.TerminalNode;
import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveEquals;
import org.elasticsearch.xpack.eql.parser.EqlBaseParser.ArithmeticUnaryContext;
import org.elasticsearch.xpack.eql.parser.EqlBaseParser.ComparisonContext;
import org.elasticsearch.xpack.eql.parser.EqlBaseParser.DereferenceContext;
@ -130,6 +131,8 @@ public class ExpressionBuilder extends IdentifierBuilder {
ZoneId zoneId = params.zoneId();
switch (op.getSymbol().getType()) {
case EqlBaseParser.SEQ:
return new InsensitiveEquals(source, left, right, zoneId);
case EqlBaseParser.EQ:
return new Equals(source, left, right, zoneId);
case EqlBaseParser.NEQ:

51
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/planner/QueryTranslator.java
View File

@ -9,6 +9,9 @@ package org.elasticsearch.xpack.eql.planner;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.CIDRMatch;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.EndsWith;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.StringContains;
import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveBinaryComparison;
import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveEquals;
import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveNotEquals;
import org.elasticsearch.xpack.ql.QlIllegalArgumentException;
import org.elasticsearch.xpack.ql.expression.Expression;
import org.elasticsearch.xpack.ql.expression.Expressions;
@ -20,10 +23,14 @@ import org.elasticsearch.xpack.ql.expression.predicate.logical.Or;
import org.elasticsearch.xpack.ql.planner.ExpressionTranslator;
import org.elasticsearch.xpack.ql.planner.ExpressionTranslators;
import org.elasticsearch.xpack.ql.planner.TranslatorHandler;
import org.elasticsearch.xpack.ql.querydsl.query.NotQuery;
import org.elasticsearch.xpack.ql.querydsl.query.Query;
import org.elasticsearch.xpack.ql.querydsl.query.ScriptQuery;
import org.elasticsearch.xpack.ql.querydsl.query.TermQuery;
import org.elasticsearch.xpack.ql.querydsl.query.TermsQuery;
import org.elasticsearch.xpack.ql.querydsl.query.WildcardQuery;
import org.elasticsearch.xpack.ql.tree.Source;
import org.elasticsearch.xpack.ql.util.Check;
import org.elasticsearch.xpack.ql.util.CollectionUtils;
import java.util.Arrays;
@ -37,6 +44,7 @@ import static org.elasticsearch.xpack.ql.planner.ExpressionTranslators.or;
final class QueryTranslator {
public static final List<ExpressionTranslator<?>> QUERY_TRANSLATORS = Arrays.asList(
new InsensitiveBinaryComparisons(),
new ExpressionTranslators.BinaryComparisons(),
new ExpressionTranslators.Ranges(),
new BinaryLogic(),
@ -65,6 +73,49 @@ final class QueryTranslator {
throw new QlIllegalArgumentException("Don't know how to translate {} {}", e.nodeName(), e);
}
public static class InsensitiveBinaryComparisons extends ExpressionTranslator<InsensitiveBinaryComparison> {
@Override
protected Query asQuery(InsensitiveBinaryComparison bc, TranslatorHandler handler) {
return doTranslate(bc, handler);
}
public static Query doTranslate(InsensitiveBinaryComparison bc, TranslatorHandler handler) {
checkInsensitiveComparison(bc);
return handler.wrapFunctionQuery(bc, bc.left(), translate(bc, handler));
}
public static void checkInsensitiveComparison(InsensitiveBinaryComparison bc) {
Check.isTrue(bc.right().foldable(),
"Line {}:{}: Comparisons against fields are not (currently) supported; offender [{}] in [{}]",
bc.right().sourceLocation().getLineNumber(), bc.right().sourceLocation().getColumnNumber(),
Expressions.name(bc.right()), bc.symbol());
}
private static Query translate(InsensitiveBinaryComparison bc, TranslatorHandler handler) {
Source source = bc.source();
String name = handler.nameOf(bc.left());
Object value = valueOf(bc.right());
if (bc instanceof InsensitiveEquals || bc instanceof InsensitiveNotEquals) {
if (bc.left() instanceof FieldAttribute) {
// equality should always be against an exact match
// (which is important for strings)
name = ((FieldAttribute) bc.left()).exactAttribute().name();
}
Query query = new TermQuery(source, name, value);
if (bc instanceof InsensitiveNotEquals) {
query = new NotQuery(source, query);
}
return query;
}
throw new QlIllegalArgumentException("Don't know how to translate binary comparison [{}] in [{}]", bc.right().nodeString(), bc);
}
}
public static class BinaryLogic extends ExpressionTranslator<org.elasticsearch.xpack.ql.expression.predicate.logical.BinaryLogic> {
@Override

6
x-pack/plugin/eql/src/main/resources/org/elasticsearch/xpack/eql/plugin/eql_whitelist.txt
View File

@ -75,4 +75,10 @@ class org.elasticsearch.xpack.eql.expression.function.scalar.whitelist.InternalE
String string(Object)
Boolean stringContains(String, String, Boolean)
String substring(String, Number, Number)
#
# Comparison
#
Boolean seq(Object, Object)
Boolean sneq(Object, Object)
}

13
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java
View File

@ -11,7 +11,10 @@ import org.elasticsearch.tasks.TaskId;
import org.elasticsearch.xpack.core.async.AsyncExecutionId;
import org.elasticsearch.xpack.eql.action.EqlSearchAction;
import org.elasticsearch.xpack.eql.action.EqlSearchTask;
import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveEquals;
import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveNotEquals;
import org.elasticsearch.xpack.eql.session.EqlConfiguration;
import org.elasticsearch.xpack.ql.expression.Expression;
import java.util.Collections;
@ -21,6 +24,7 @@ import static org.elasticsearch.test.ESTestCase.randomIntBetween;
import static org.elasticsearch.test.ESTestCase.randomLong;
import static org.elasticsearch.test.ESTestCase.randomNonNegativeLong;
import static org.elasticsearch.test.ESTestCase.randomZone;
import static org.elasticsearch.xpack.ql.tree.Source.EMPTY;
public final class EqlTestUtils {
@ -62,4 +66,13 @@ public final class EqlTestUtils {
return new EqlSearchTask(randomLong(), "transport", EqlSearchAction.NAME, "", null, Collections.emptyMap(), Collections.emptyMap(),
new AsyncExecutionId("", new TaskId(randomAlphaOfLength(10), 1)), TimeValue.timeValueDays(5));
}
public static InsensitiveEquals seq(Expression left, Expression right) {
return new InsensitiveEquals(EMPTY, left, right, randomZone());
}
public static InsensitiveNotEquals sneq(Expression left, Expression right) {
return new InsensitiveNotEquals(EMPTY, left, right, randomZone());
}
}

7
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java
View File

@ -332,4 +332,11 @@ public class VerifierTests extends ESTestCase {
"define one or use MATCH/QUERY instead",
error(idxr, "process where string(multi_field.english) == \"foo\""));
}
public void testIncorrectUsageOfStringEquals() {
final IndexResolution idxr = loadIndexResolution("mapping-default.json");
assertEquals("1:11: first argument of [:] must be [string], found value [pid] type [long]; consider using [==] instead",
error(idxr, "foo where pid : 123"));
}
}

129
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonPipeTests.java Normal file
View File

@ -0,0 +1,129 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
import org.elasticsearch.xpack.ql.TestUtils;
import org.elasticsearch.xpack.ql.expression.Expression;
import org.elasticsearch.xpack.ql.expression.function.scalar.FunctionTestUtils;
import org.elasticsearch.xpack.ql.expression.gen.pipeline.Pipe;
import org.elasticsearch.xpack.ql.tree.AbstractNodeTestCase;
import org.elasticsearch.xpack.ql.tree.Source;
import org.elasticsearch.xpack.ql.tree.SourceTests;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import static org.elasticsearch.xpack.ql.expression.Expressions.pipe;
import static org.elasticsearch.xpack.ql.expression.function.scalar.FunctionTestUtils.randomStringLiteral;
import static org.elasticsearch.xpack.ql.tree.SourceTests.randomSource;
public class InsensitiveBinaryComparisonPipeTests extends AbstractNodeTestCase<InsensitiveBinaryComparisonPipe, Pipe> {
@Override
protected InsensitiveBinaryComparisonPipe randomInstance() {
return randomInsensitiveBinaryComparisonPipe();
}
private Expression randomInsensitiveBinaryComparisonExpression() {
return randomInsensitiveBinaryComparisonPipe().expression();
}
public static InsensitiveBinaryComparisonPipe randomInsensitiveBinaryComparisonPipe() {
return (InsensitiveBinaryComparisonPipe) (new InsensitiveEquals(randomSource(),
randomStringLiteral(),
randomStringLiteral(),
TestUtils.UTC).
makePipe());
}
@Override
public void testTransform() {
// test transforming only the properties (source, expression),
// skipping the children (string and substring) which are tested separately
InsensitiveBinaryComparisonPipe pipe = randomInstance();
Expression newExpression = randomValueOtherThan(pipe.expression(), this::randomInsensitiveBinaryComparisonExpression);
InsensitiveBinaryComparisonPipe newPipe = new InsensitiveBinaryComparisonPipe(
pipe.source(),
newExpression,
pipe.left(),
pipe.right(),
pipe.asProcessor().function());
assertEquals(newPipe,
pipe.transformPropertiesOnly(v -> Objects.equals(v, pipe.expression()) ? newExpression : v, Expression.class));
InsensitiveBinaryComparisonPipe anotherPipe = randomInstance();
Source newLoc = randomValueOtherThan(anotherPipe.source(), SourceTests::randomSource);
newPipe = new InsensitiveBinaryComparisonPipe(
newLoc,
anotherPipe.expression(),
anotherPipe.left(),
anotherPipe.right(),
anotherPipe.asProcessor().function());
assertEquals(newPipe,
anotherPipe.transformPropertiesOnly(v -> Objects.equals(v, anotherPipe.source()) ? newLoc : v, Source.class));
}
@Override
public void testReplaceChildren() {
InsensitiveBinaryComparisonPipe pipe = randomInstance();
Pipe newLeft = pipe(((Expression) randomValueOtherThan(pipe.left(), FunctionTestUtils::randomStringLiteral)));
Pipe newRight = pipe(((Expression) randomValueOtherThan(pipe.right(), FunctionTestUtils::randomStringLiteral)));
InsensitiveBinaryComparisonPipe newPipe =
new InsensitiveBinaryComparisonPipe(pipe.source(), pipe.expression(), pipe.left(), pipe.right(), pipe.asProcessor().function());
InsensitiveBinaryComparisonPipe transformed = newPipe.replaceChildren(newLeft, pipe.right());
assertEquals(transformed.source(), pipe.source());
assertEquals(transformed.expression(), pipe.expression());
assertEquals(transformed.left(), newLeft);
assertEquals(transformed.right(), pipe.right());
transformed = newPipe.replaceChildren(pipe.left(), newRight);
assertEquals(transformed.source(), pipe.source());
assertEquals(transformed.expression(), pipe.expression());
assertEquals(transformed.left(), pipe.left());
assertEquals(transformed.right(), newRight);
transformed = newPipe.replaceChildren(newLeft, newRight);
assertEquals(transformed.source(), pipe.source());
assertEquals(transformed.expression(), pipe.expression());
assertEquals(transformed.left(), newLeft);
assertEquals(transformed.right(), newRight);
}
@Override
protected InsensitiveBinaryComparisonPipe mutate(InsensitiveBinaryComparisonPipe instance) {
List<Function<InsensitiveBinaryComparisonPipe, InsensitiveBinaryComparisonPipe>> randoms = new ArrayList<>();
randoms.add(f -> new InsensitiveBinaryComparisonPipe(f.source(),
f.expression(),
pipe(((Expression) randomValueOtherThan(f.left(), FunctionTestUtils::randomStringLiteral))),
f.right(),
f.asProcessor().function()));
randoms.add(f -> new InsensitiveBinaryComparisonPipe(f.source(),
f.expression(),
f.left(),
pipe(((Expression) randomValueOtherThan(f.right(), FunctionTestUtils::randomStringLiteral))),
f.asProcessor().function()));
randoms.add(f -> new InsensitiveBinaryComparisonPipe(f.source(),
f.expression(),
pipe(((Expression) randomValueOtherThan(f.left(), FunctionTestUtils::randomStringLiteral))),
pipe(((Expression) randomValueOtherThan(f.right(), FunctionTestUtils::randomStringLiteral))),
f.asProcessor().function()));
return randomFrom(randoms).apply(instance);
}
@Override
protected InsensitiveBinaryComparisonPipe copy(InsensitiveBinaryComparisonPipe instance) {
return new InsensitiveBinaryComparisonPipe(instance.source(),
instance.expression(),
instance.left(),
instance.right(),
instance.asProcessor().function());
}
}

93
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/expression/predicate/operator/comparison/InsensitiveBinaryComparisonProcessorTests.java Normal file
View File

@ -0,0 +1,93 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.xpack.eql.expression.predicate.operator.comparison;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.io.stream.Writeable.Reader;
import org.elasticsearch.test.AbstractWireSerializingTestCase;
import org.elasticsearch.xpack.eql.EqlIllegalArgumentException;
import org.elasticsearch.xpack.ql.TestUtils;
import org.elasticsearch.xpack.ql.expression.Literal;
import org.elasticsearch.xpack.ql.expression.gen.processor.ConstantProcessor;
import org.elasticsearch.xpack.ql.expression.processor.Processors;
import static org.elasticsearch.xpack.eql.EqlTestUtils.seq;
import static org.elasticsearch.xpack.eql.EqlTestUtils.sneq;
import static org.elasticsearch.xpack.ql.tree.Source.EMPTY;
public class InsensitiveBinaryComparisonProcessorTests extends AbstractWireSerializingTestCase<InsensitiveBinaryComparisonProcessor> {
public static InsensitiveBinaryComparisonProcessor randomProcessor() {
return new InsensitiveBinaryComparisonProcessor(
new ConstantProcessor(randomLong()),
new ConstantProcessor(randomLong()),
randomFrom(InsensitiveBinaryComparisonProcessor.InsensitiveBinaryComparisonOperation.values()));
}
@Override
protected InsensitiveBinaryComparisonProcessor createTestInstance() {
return randomProcessor();
}
@Override
protected Reader<InsensitiveBinaryComparisonProcessor> instanceReader() {
return InsensitiveBinaryComparisonProcessor::new;
}
@Override
protected NamedWriteableRegistry getNamedWriteableRegistry() {
return new NamedWriteableRegistry(Processors.getNamedWriteables());
}
public void testStringEq() {
assertEquals(true, p(seq(l("a"), l("a"))));
assertEquals(true, p(seq(l("A"), l("a"))));
assertEquals(true, p(seq(l("aBcD"), l("AbCd"))));
assertEquals(true, p(seq(l("abc"), l("abc"))));
assertEquals(false, p(seq(l("abc"), l("cba"))));
}
public void testNonStringArguments() {
expectThrows(EqlIllegalArgumentException.class, () -> p(seq(l(12), l(12))));
expectThrows(EqlIllegalArgumentException.class, () -> p(seq(l(12), l("12"))));
expectThrows(EqlIllegalArgumentException.class, () -> p(seq(l("12"), l(12))));
}
public void testNullStringEquals() {
assertNull(p(seq(l(null), l(null))));
assertNull(p(seq(l("a"), l(null))));
assertNull(p(seq(l(null), l("a"))));
}
public void testStringNotEquals() {
assertEquals(false, p(sneq(l("a"), l("a"))));
assertEquals(false, p(sneq(l("A"), l("a"))));
assertEquals(false, p(sneq(l("aBcD"), l("AbCd"))));
assertEquals(false, p(sneq(l("abc"), l("abc"))));
assertEquals(true, p(sneq(l("abc"), l("cba"))));
}
public void testNullStringNotEquals() {
assertNull(p(sneq(l(null), l(null))));
assertNull(p(sneq(l("a"), l(null))));
assertNull(p(sneq(l(null), l("a"))));
}
public void testRegularNotEquals() {
expectThrows(EqlIllegalArgumentException.class, () -> p(sneq(l(12), l(12))));
expectThrows(EqlIllegalArgumentException.class, () -> p(sneq(l(12), l("12"))));
expectThrows(EqlIllegalArgumentException.class, () -> p(sneq(l("12"), l(12))));
}
private static Literal l(Object value) {
return TestUtils.of(EMPTY, value);
}
private static Object p(InsensitiveBinaryComparison ibc) {
return ibc.makePipe().asProcessor().process(null);
}
}

28
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/optimizer/OptimizerTests.java
View File

@ -30,7 +30,6 @@ import org.elasticsearch.xpack.ql.expression.Order;
import org.elasticsearch.xpack.ql.expression.Order.NullsPosition;
import org.elasticsearch.xpack.ql.expression.Order.OrderDirection;
import org.elasticsearch.xpack.ql.expression.predicate.logical.And;
import org.elasticsearch.xpack.ql.expression.predicate.logical.Not;
import org.elasticsearch.xpack.ql.expression.predicate.logical.Or;
import org.elasticsearch.xpack.ql.expression.predicate.nulls.IsNotNull;
import org.elasticsearch.xpack.ql.expression.predicate.nulls.IsNull;
@ -134,8 +133,8 @@ public class OptimizerTests extends ESTestCase {
public void testEqualsWildcard() {
List<String> tests = Arrays.asList(
"foo where command_line == \"* bar *\"",
"foo where \"* bar *\" == command_line"
"foo where command_line : \"* bar *\"",
"foo where \"* bar *\" : command_line"
);
for (String q : tests) {
@ -154,32 +153,25 @@ public class OptimizerTests extends ESTestCase {
}
}
public void testNotEqualsWildcard() {
// test wildcard gets applied for literals as well regardless of the side used
public void testEqualsWildcardWithLiterals() {
List<String> tests = Arrays.asList(
"foo where command_line != \"* baz *\"",
"foo where \"* baz *\" != command_line"
"foo where \"abc\": \"*b*\"",
"foo where \"*b*\" : \"abc\""
);
for (String q : tests) {
LogicalPlan plan = defaultPipes(accept(q));
assertTrue(plan instanceof Filter);
// check the optimizer kicked in and folding was applied
Filter filter = (Filter) plan;
And condition = (And) filter.condition();
assertTrue(condition.right() instanceof Not);
Not not = (Not) condition.right();
Like like = (Like) not.field();
assertEquals(((FieldAttribute) like.field()).name(), "command_line");
assertEquals(like.pattern().asJavaRegex(), "^.* baz .*$");
assertEquals(like.pattern().asLuceneWildcard(), "* baz *");
assertEquals(like.pattern().asIndexNameWildcard(), "* baz *");
Equals condition = (Equals) filter.condition();
assertEquals("foo", condition.right().fold());
}
}
public void testWildcardEscapes() {
LogicalPlan plan = defaultPipes(accept("foo where command_line == \"* %bar_ * \\\\ \\n \\r \\t\""));
LogicalPlan plan = defaultPipes(accept("foo where command_line : \"* %bar_ * \\\\ \\n \\r \\t\""));
assertTrue(plan instanceof Filter);
Filter filter = (Filter) plan;

1
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryFolderOkTests.java
View File

@ -7,7 +7,6 @@
package org.elasticsearch.xpack.eql.planner;
import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
import org.elasticsearch.common.Strings;
import org.elasticsearch.xpack.eql.plan.physical.EsQueryExec;
import org.elasticsearch.xpack.eql.plan.physical.PhysicalPlan;

7
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryTranslationTests.java
View File

@ -12,8 +12,13 @@ import static org.hamcrest.Matchers.containsString;
public class QueryTranslationTests extends AbstractQueryFolderTestCase {
public void testLikeOptimization() throws Exception {
public void testLikeExactEqualsNoOptimization() throws Exception {
PhysicalPlan plan = plan("process where process_name == \"*\" ");
assertThat(asQuery(plan), containsString("\"term\":{\"process_name\""));
}
public void testLikeOptimization() throws Exception {
PhysicalPlan plan = plan("process where process_name : \"*\" ");
assertThat(asQuery(plan), containsString("\"exists\":{\"field\":\"process_name\""));
}

398
x-pack/plugin/eql/src/test/resources/queries-supported.eql
View File

@ -1,13 +1,13 @@
process where process_name == "svchost.exe" and command_line != "* -k *";
process where process_name : "svchost.exe" and command_line != "* -k *";
process where process_name in ("ipconfig.exe", "netstat.exe", "systeminfo.exe", "route.exe");
process where subtype.create and wildcard(command_line, "*.ost *", "*.pst *")
;
process where subtype.create and
process_name == "attrib.exe" and command_line == "* +h*"
process_name : "attrib.exe" and command_line : "* +h*"
;
file where file_name == "*Library/Preferences/*.plist";
file where file_name : "*Library/Preferences/*.plist";
/* UNIT TESTS FROM
* https://github.com/endgameinc/eql/blob/master/tests/test_parser.py
@ -21,25 +21,25 @@ file where false or true;
registry where not pid;
process where process_name == "net.exe" and command_line == "* user*.exe";
process where process_name : "net.exe" and command_line : "* user*.exe";
process where command_line == "~!@#$%^&*();'[]{}\\|<>?,./:\"-= ' ";
process where command_line : "~!@#$%^&*();'[]{}\\|<>?,./:\"-= ' ";
process where
pid == 4;
pid : 4;
process where process_name in ("net.exe", "cmd.exe", "at.exe");
process where command_line == "*.exe *admin*" or command_line == "* a b*";
process where command_line : "*.exe *admin*" or command_line : "* a b*";
process where pid in (1,2,3,4,5,6,7,8) and abc == 100 and def == 200 and ghi == 300 and jkl == x;
process where pid in (1,2,3,4,5,6,7,8) and abc : 100 and def : 200 and ghi : 300 and jkl : x;
process where ppid != pid;
image_load where not x != y;
image_load where not x == y;
image_load where not x : y;
image_load where not not not not x < y;
@ -49,9 +49,9 @@ image_load where not x >= y;
image_load where not x > y;
process where _leadingUnderscore == 100;
process where _leadingUnderscore : 100;
network where 1 * 2 + 3 * 4 + 10 / 2 == 2 + 12 + 5;
network where 1 * 2 + 3 * 4 + 10 / 2 : 2 + 12 + 5;
file where 1 - -2;
@ -61,15 +61,15 @@ file where 1 * (-2);
file where 3 * -length(file_path);
network where a * b + c * d + e / f == g + h + i;
network where a * b + c * d + e / f : g + h + i;
network where a * (b + c * d) + e / f == g + h + i;
network where a * (b + c * d) + e / f : g + h + i;
process where pid == 4 or pid == 5 or pid == 6 or pid == 7 or pid == 8;
process where pid : 4 or pid : 5 or pid : 6 or pid : 7 or pid : 8;
network where pid == 0 or pid == 4 or (ppid == 0 or ppid == 4) or (abc == defgh) and process_name == "*" ;
network where pid : 0 or pid : 4 or (ppid : 0 or ppid : 4) or (abc : defgh) and process_name : "*" ;
network where pid == 4;
network where pid : 4;
registry where a.b;
@ -86,7 +86,7 @@ process where a > 100000000000000000000000000000000;
/* TESTS FROM
* https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_queries.toml
*/
process where serial_event_id == 1;
process where serial_event_id : 1;
process where serial_event_id < 4;
@ -95,7 +95,7 @@ process where false;
process where missing_field != null;
process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
process where process_name : "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
;
@ -122,30 +122,30 @@ process where 0 < exit_code;
process where 0 > exit_code;
process where (serial_event_id<=8 and serial_event_id > 7) and (opcode==3 and opcode>2);
process where (serial_event_id<=8 and serial_event_id > 7) and (opcode:3 and opcode>2);
process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid);
process where (serial_event_id<9 and serial_event_id >= 7) or (opcode : pid);
registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F";
registry where key_path : "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F";
process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4);
process where process_path : "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4);
file where file_path=="*\\red_ttp\\winin*.*"
and opcode in (0,1,2) and user_name=="vagrant"
file where file_path:"*\\red_ttp\\winin*.*"
and opcode in (0,1,2) and user_name:"vagrant"
;
file where file_path=="*\\red_ttp\\winin*.*"
and opcode not in (0,1,2) and user_name=="vagrant"
file where file_path:"*\\red_ttp\\winin*.*"
and opcode not in (0,1,2) and user_name:"vagrant"
;
file where file_path=="*\\red_ttp\\winin*.*"
and opcode not in (3, 4, 5, 6 ,7) and user_name=="vagrant"
file where file_path:"*\\red_ttp\\winin*.*"
and opcode not in (3, 4, 5, 6 ,7) and user_name:"vagrant"
;
file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2
file where file_name in ("wininit.exe", "lsass.exe") and opcode : 2
;
@ -153,7 +153,7 @@ process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM"
;
process where fake_field == "*";
process where fake_field : "*";
registry where invalid_field_name != null;
@ -161,21 +161,21 @@ registry where invalid_field_name != null;
registry where length(bad_field) > 0
;
process where opcode == 1
process where opcode : 1
and process_name in ("net.exe", "net1.exe")
and not (parent_process_name == "net.exe"
and process_name == "net1.exe")
and command_line == "*group *admin*" and command_line != "* /add*";
and not (parent_process_name : "net.exe"
and process_name : "net1.exe")
and command_line : "*group *admin*" and command_line != "* /add*";
process where process_name == "python.exe";
process where process_name : "python.exe";
process where command_line == "*%*" ;
process where command_line : "*%*" ;
process where command_line == "*%*%*" ;
process where command_line : "*%*%*" ;
process where command_line == "%*%*" ;
process where command_line : "%*%*" ;
process where match(?".*?net1\s+localgroup\s+.*?", command_line)
@ -193,70 +193,70 @@ process where match(?".*?net1\s+\w{4,15}\s+.*?", command_line)
process where match(?".*?net1\s+[localgrup]{4,15}\s+.*?", command_line)
;
file where opcode==0 and startsWith(file_name, "exploRER.")
file where opcode:0 and startsWith(file_name, "exploRER.")
;
file where opcode==0 and startsWith(file_name, "expLORER.exe")
file where opcode:0 and startsWith(file_name, "expLORER.exe")
;
file where opcode==0 and endsWith(file_name, "loREr.exe");
file where opcode:0 and endsWith(file_name, "loREr.exe");
file where opcode==0 and startsWith(file_name, "explORER.EXE");
file where opcode:0 and startsWith(file_name, "explORER.EXE");
file where opcode==0 and startsWith("explorer.exeaaaaaaaa", file_name);
file where opcode:0 and startsWith("explorer.exeaaaaaaaa", file_name);
file where opcode==0 and serial_event_id == 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe");
file where opcode:0 and serial_event_id : 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe");
file where opcode==0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name)
file where opcode:0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name)
;
file where opcode==0 and indexOf(file_name, "plore") == 2 and not indexOf(file_name, ".pf")
file where opcode:0 and indexOf(file_name, "plore") : 2 and not indexOf(file_name, ".pf")
;
file where opcode==0 and indexOf(file_name, "explorer.") and indexOf(file_name, "plore", 100)
file where opcode:0 and indexOf(file_name, "explorer.") and indexOf(file_name, "plore", 100)
;
file where opcode==0 and indexOf(file_name, "plorer.", 0) == 2;
file where opcode:0 and indexOf(file_name, "plorer.", 0) : 2;
file where opcode==0 and indexOf(file_name, "plorer.", 2);
file where opcode:0 and indexOf(file_name, "plorer.", 2);
file where opcode==0 and indexOf(file_name, "plorer.", 4);
file where opcode:0 and indexOf(file_name, "plorer.", 4);
file where opcode==0 and indexOf(file_name, "thing that never happened");
file where opcode:0 and indexOf(file_name, "thing that never happened");
file where opcode==0 and indexOf(file_name, "plorer.", 2) == 2;
file where opcode:0 and indexOf(file_name, "plorer.", 2) : 2;
file where opcode==0 and indexOf(file_name, "explorer.", 0) == 0;
file where opcode:0 and indexOf(file_name, "explorer.", 0) : 0;
file where serial_event_id==88 and substring(file_name, 0, 4) == "expl"
file where serial_event_id:88 and substring(file_name, 0, 4) : "expl"
;
file where serial_event_id==88 and substring(file_name, 1, 3) == "xp"
file where serial_event_id:88 and substring(file_name, 1, 3) : "xp"
;
file where serial_event_id==88 and substring(file_name, -4) == ".exe"
file where serial_event_id:88 and substring(file_name, -4) : ".exe"
;
file where serial_event_id==88 and substring(file_name, -4, -1) == ".ex"
file where serial_event_id:88 and substring(file_name, -4, -1) : ".ex"
;
process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id;
process where add(serial_event_id, 0) : 1 and add(0, 1) : serial_event_id;
process where subtract(serial_event_id, -5) == 6;
process where subtract(serial_event_id, -5) : 6;
process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5;
process where multiply(6, serial_event_id) : 30 and divide(30, 4.0) : 7.5;
process where modulo(11, add(serial_event_id, 1)) == serial_event_id;
process where modulo(11, add(serial_event_id, 1)) : serial_event_id;
process where serial_event_id == number("5");
process where serial_event_id : number("5");
process where serial_event_id == number("0x32", 16);
process where serial_event_id : number("0x32", 16);
process where serial_event_id == number("32", 16);
process where serial_event_id : number("32", 16);
process where number(serial_event_id) == number(5);
process where number(serial_event_id) : number(5);
process where concat(serial_event_id, ":", process_name, opcode) == "5:winINIT.exe3"
process where concat(serial_event_id, ":", process_name, opcode) : "5:winINIT.exe3"
;
@ -264,42 +264,42 @@ process where concat(serial_event_id, ":", process_name, opcode) == "5:winINIT.e
// network where safe(divide(process_name, process_name))
//;
file where serial_event_id == 82 and (true == (process_name in ("svchost.EXE", "bad.exe", "bad2.exe")))
file where serial_event_id : 82 and (true : (process_name in ("svchost.EXE", "bad.exe", "bad2.exe")))
;
file where serial_event_id - 1 == 81;
file where serial_event_id - 1 : 81;
file where serial_event_id + 1 == 83;
file where serial_event_id + 1 : 83;
file where serial_event_id * 2 == 164;
file where serial_event_id * 2 : 164;
file where serial_event_id / 2 == 41;
file where serial_event_id / 2 : 41;
file where serial_event_id % 40 == 2;
file where serial_event_id % 40 : 2;
process where between(process_name, "s", "e") == "yst"
process where between(process_name, "s", "e") : "yst"
;
process where between(process_name, "s", "e", false) == "yst"
process where between(process_name, "s", "e", false) : "yst"
;
process where between(process_name, "s", "e", false, true) == "yst"
process where between(process_name, "s", "e", false, true) : "yst"
;
process where between(process_name, "s", "e", false, true) == "t"
process where between(process_name, "s", "e", false, true) : "t"
;
process where between(process_name, "S", "e", false, true) == "yst"
process where between(process_name, "S", "e", false, true) : "yst"
;
process where between(process_name, "s", "e", true) == "ystem Idle Proc"
process where between(process_name, "s", "e", true) : "ystem Idle Proc"
;
file where between(file_path, "dev", ".json", false) == "\\testlogs\\something"
file where between(file_path, "dev", ".json", false) : "\\testlogs\\something"
;
file where between(file_path, "dev", ".json", true) == "\\testlogs\\something"
file where between(file_path, "dev", ".json", true) : "\\testlogs\\something"
;
network where cidrMatch(source_address, "10.6.48.157/8")
@ -324,12 +324,12 @@ process where length(between(process_name, "g", "z")) > 0
// additional queries added for the elasticsearch specific implementation
// dots will still be interpreted by ES per usual
something where `my-hyphenated-field` == "value";
something where `my-hyphenated-field.with.nested.dots` == "value";
something where `@timestamp` == "2020-01-01 00:00:00";
something where `some escaped identifier` == "blah";
something where `some escaped identifier` == "blah";
something where `some.escaped.identifier` == "blah";
something where `my-hyphenated-field` : "value";
something where `my-hyphenated-field.with.nested.dots` : "value";
something where `@timestamp` : "2020-01-01 00:00:00";
something where `some escaped identifier` : "blah";
something where `some escaped identifier` : "blah";
something where `some.escaped.identifier` : "blah";
//
@ -344,9 +344,9 @@ something where `some.escaped.identifier` == "blah";
// docs
join by source_ip, destination_ip
[network where destination_port == 3389] // RDP
[network where destination_port == 135] // RPC
[network where destination_port == 445] // SMB
[network where destination_port : 3389] // RDP
[network where destination_port : 135] // RPC
[network where destination_port : 445] // SMB
;
join by pid
@ -355,61 +355,61 @@ join by pid
[registry where true]
[file where true]
until [process where event_subtype_full == "termination_event"]
until [process where event_subtype_full : "termination_event"]
;
///
join
[process where process_name == "*"]
[file where file_path == "*"]
[process where process_name : "*"]
[file where file_path : "*"]
;
join by pid
[process where name == "*"]
[file where path == "*"]
until [process where opcode == 2]
[process where name : "*"]
[file where path : "*"]
until [process where opcode : 2]
;
join
[process where process_name == "*"] by process_path
[file where file_path == "*"] by image_path
[process where process_name : "*"] by process_path
[file where file_path : "*"] by image_path
;
join by user_name
[process where opcode in (1,3) and process_name=="smss.exe"]
[process where opcode in (1,3) and process_name == "python.exe"]
[process where opcode in (1,3) and process_name:"smss.exe"]
[process where opcode in (1,3) and process_name : "python.exe"]
;
join by unique_pid
[process where opcode==1]
[file where opcode==0 and file_name=="svchost.exe"]
[file where opcode == 0 and file_name == "lsass.exe"]
[process where opcode:1]
[file where opcode:0 and file_name:"svchost.exe"]
[file where opcode : 0 and file_name : "lsass.exe"]
;
join by unique_pid
[process where opcode==1]
[file where opcode==0 and file_name=="svchost.exe"]
[file where opcode == 0 and file_name == "lsass.exe"]
until [file where opcode == 2];
[process where opcode:1]
[file where opcode:0 and file_name:"svchost.exe"]
[file where opcode : 0 and file_name : "lsass.exe"]
until [file where opcode : 2];
join
[file where opcode==0 and file_name=="svchost.exe"] by unique_pid
[process where opcode == 1] by unique_ppid
[file where opcode:0 and file_name:"svchost.exe"] by unique_pid
[process where opcode : 1] by unique_ppid
;
join by unique_pid
[process where opcode in (1,3) and process_name=="python.exe"]
[file where file_name == "*.exe"];
[process where opcode in (1,3) and process_name:"python.exe"]
[file where file_name : "*.exe"];
join by user_name
[process where opcode in (1,3) and process_name=="python.exe"]
[process where opcode in (1,3) and process_name == "smss.exe"]
[process where opcode in (1,3) and process_name:"python.exe"]
[process where opcode in (1,3) and process_name : "smss.exe"]
;
join
[process where opcode in (1,3) and process_name=="python.exe"]
[process where opcode in (1,3) and process_name == "smss.exe"]
[process where opcode in (1,3) and process_name:"python.exe"]
[process where opcode in (1,3) and process_name : "smss.exe"]
;
@ -419,54 +419,54 @@ join
// docs
sequence by user_name
[process where process_name == "whoami"]
[process where process_name == "hostname"]
[process where process_name == "ifconfig"]
[process where process_name : "whoami"]
[process where process_name : "hostname"]
[process where process_name : "ifconfig"]
;
sequence with maxspan=30s
[network where destination_port==3389 and event_subtype_full=="*_accept_event*"]
[security where event_id in (4624, 4625) and logon_type == 10]
[network where destination_port:3389 and event_subtype_full:"*_accept_event*"]
[security where event_id in (4624, 4625) and logon_type : 10]
;
sequence with maxspan=30s
[network where destination_port==3389 and event_subtype_full=="*_accept_event"] by source_address
[security where event_id in (4624, 4625) and logon_type == 10] by ip_address
[network where destination_port:3389 and event_subtype_full:"*_accept_event"] by source_address
[security where event_id in (4624, 4625) and logon_type : 10] by ip_address
;
sequence with maxspan=5m
[file where file_name == "*.exe"] by user_name, file_path
[file where file_name : "*.exe"] by user_name, file_path
[process where true] by user_name, process_path
;
sequence by user_name with maxspan=5m
[file where file_name == "*.exe"] by file_path
[file where file_name : "*.exe"] by file_path
[process where true] by process_path
;
//
sequence
[process where name == "*"]
[file where path == "*"]
until [process where opcode == 2]
[process where name : "*"]
[file where path : "*"]
until [process where opcode : 2]
;
sequence by pid
[process where name == "*"]
[file where path == "*"]
until [process where opcode == 2]
[process where name : "*"]
[file where path : "*"]
until [process where opcode : 2]
;
sequence
[process where process_name == "*"] by process_path
[file where file_path == "*"] by image_path
[process where process_name : "*"] by process_path
[file where file_path : "*"] by image_path
;
sequence by pid
[process where process_name == "*"]
[file where file_path == "*"]
[process where process_name : "*"]
[file where file_path : "*"]
;
sequence by field1
@ -492,17 +492,17 @@ until [process where 1] by e,f
;
sequence
[process where serial_event_id == 1]
[process where serial_event_id == 2]
[process where serial_event_id : 1]
[process where serial_event_id : 2]
;
sequence
[process where serial_event_id < 5]
[process where serial_event_id == 5]
[process where serial_event_id : 5]
;
sequence
[process where serial_event_id==1] by unique_pid
[process where serial_event_id:1] by unique_pid
[process where true] by unique_ppid;
sequence
@ -516,54 +516,54 @@ sequence
;
sequence
[file where opcode==0 and file_name=="svchost.exe"] by unique_pid
[process where opcode == 1] by unique_ppid
[file where opcode:0 and file_name:"svchost.exe"] by unique_pid
[process where opcode : 1] by unique_ppid
;
sequence
[file where file_name=="lsass.exe"] by file_path,process_path
[file where file_name:"lsass.exe"] by file_path,process_path
[process where true] by process_path,parent_process_path
;
sequence by user_name
[file where file_name=="lsass.exe"] by file_path, process_path
[file where file_name:"lsass.exe"] by file_path, process_path
[process where true] by process_path, parent_process_path
;
sequence by pid
[file where file_name=="lsass.exe"] by file_path,process_path
[file where file_name:"lsass.exe"] by file_path,process_path
[process where true] by process_path,parent_process_path
;
sequence by user_name
[file where opcode==0] by pid,file_path
[file where opcode==2] by pid,file_path
until [process where opcode==2] by ppid,process_path
[file where opcode:0] by pid,file_path
[file where opcode:2] by pid,file_path
until [process where opcode:2] by ppid,process_path
;
sequence by unique_pid
[process where opcode==1 and process_name == "msbuild.exe"]
[process where opcode:1 and process_name : "msbuild.exe"]
[network where true]
;
sequence by pid with maxspan=200s
[process where process_name == "*" ]
[file where file_path == "*"]
[process where process_name : "*" ]
[file where file_path : "*"]
;
sequence by pid with maxspan=2s
[process where process_name == "*" ]
[file where file_path == "*"]
[process where process_name : "*" ]
[file where file_path : "*"]
;
sequence by pid with maxspan=500ms
[process where process_name == "*" ]
[file where file_path == "*"]
[process where process_name : "*" ]
[file where file_path : "*"]
;
sequence by pid with maxspan=2h
[process where process_name == "*" ]
[file where file_path == "*"]
[process where process_name : "*" ]
[file where file_path : "*"]
;
//
@ -571,12 +571,12 @@ sequence by pid with maxspan=2h
//
security where event_id == 4624
security where event_id : 4624
| tail 10
;
process where true | head 6;
process where bad_field == null | head 5;
process where bad_field : null | head 5;
process where not (exit_code > -1)
and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94)
@ -593,88 +593,88 @@ file where true
| tail 3;
sequence
[file where event_subtype_full == "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode : 1] by process_path
[process where opcode : 2] by process_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2;
sequence
[file where opcode==0] by unique_pid
[file where opcode==0] by unique_pid
[file where opcode:0] by unique_pid
[file where opcode:0] by unique_pid
| head 1;
sequence with maxspan=1d
[file where event_subtype_full == "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode : 1] by process_path
[process where opcode : 2] by process_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2;
sequence with maxspan=1h
[file where event_subtype_full == "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode : 1] by process_path
[process where opcode : 2] by process_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2;
sequence with maxspan=1m
[file where event_subtype_full == "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode : 1] by process_path
[process where opcode : 2] by process_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2;
sequence with maxspan=10s
[file where event_subtype_full == "file_create_event"] by file_path
[process where opcode == 1] by process_path
[process where opcode == 2] by process_path
[file where event_subtype_full == "file_delete_event"] by file_path
[file where event_subtype_full : "file_create_event"] by file_path
[process where opcode : 1] by process_path
[process where opcode : 2] by process_path
[file where event_subtype_full : "file_delete_event"] by file_path
| head 4
| tail 2;
sequence
[file where opcode==0 and file_name=="*.exe"] by unique_pid
[file where opcode==0 and file_name=="*.exe"] by unique_pid
until [process where opcode==5000] by unique_ppid
[file where opcode:0 and file_name:"*.exe"] by unique_pid
[file where opcode:0 and file_name:"*.exe"] by unique_pid
until [process where opcode:5000] by unique_ppid
| head 1;
sequence
[file where opcode==0 and file_name=="*.exe"] by unique_pid
[file where opcode==0 and file_name=="*.exe"] by unique_pid
until [process where opcode==1] by unique_ppid
[file where opcode:0 and file_name:"*.exe"] by unique_pid
[file where opcode:0 and file_name:"*.exe"] by unique_pid
until [process where opcode:1] by unique_ppid
| head 1;
join
[file where opcode==0 and file_name=="*.exe"] by unique_pid
[file where opcode==2 and file_name=="*.exe"] by unique_pid
until [process where opcode==1] by unique_ppid
[file where opcode:0 and file_name:"*.exe"] by unique_pid
[file where opcode:2 and file_name:"*.exe"] by unique_pid
until [process where opcode:1] by unique_ppid
| head 1;
sequence by user_name
[file where opcode==0] by file_path
[process where opcode==1] by process_path
[process where opcode==2] by process_path
[file where opcode==2] by file_path
[file where opcode:0] by file_path
[process where opcode:1] by process_path
[process where opcode:2] by process_path
[file where opcode:2] by file_path
| tail 1;
sequence by user_name
[file where opcode==0] by pid,file_path
[file where opcode==2] by pid,file_path
until [process where opcode==5] by ppid,process_path
[file where opcode:0] by pid,file_path
[file where opcode:2] by pid,file_path
until [process where opcode:5] by ppid,process_path
| head 2;
sequence by pid
[file where opcode==0] by file_path
[process where opcode==1] by process_path
[process where opcode==2] by process_path
[file where opcode==2] by file_path
[file where opcode:0] by file_path
[process where opcode:1] by process_path
[process where opcode:2] by process_path
[file where opcode:2] by file_path
| tail 1;
join by user_name
@ -685,5 +685,5 @@ join by user_name
process where fake_field != "*"
| head 4;
process where not (fake_field == "*")
process where not (fake_field : "*")
| head 4;

28
x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt
View File

@ -49,7 +49,7 @@ process where serial_event_id >= 4
;
mixedTypeFilter
process where process_name == "notepad.exe" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
process where process_name : "notepad.exe" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
;
"term":{"process_name":{"value":"notepad.exe"
"range":{"serial_event_id":{"from":3.1,"to":4.5,"include_lower":true,"include_upper":false
@ -68,7 +68,7 @@ process where process_name in ("python.exe", "SMSS.exe", "explorer.exe")
;
equalsAndInFilter
process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3)
process where process_path : "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3)
;
"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*"
{"terms":{"opcode":[0,1,2,3]
@ -103,14 +103,14 @@ process where cidrMatch(source_address, "10.0.0.0/8") != false
;
twoFunctionsEqualsBooleanLiterals-caseSensitive
process where endsWith(process_path, "x") == true and endsWith(process_path, "yx") == false
process where endsWith(process_path, "x") == true and endsWith(process_path, "yx") != true
;
{"bool":{"must":[{"wildcard":{"process_path":{"wildcard":"*x","boost":1.0}}},
{"bool":{"must_not":[{"wildcard":{"process_path":{"wildcard":"*yx","boost":1.0}}}],"adjust_pure_negative":true,"boost":1.0}}],"adjust_pure_negative":true,"boost":1.0}}
;
twoFunctionsEqualsBooleanLiterals-caseInsensitive
process where endsWith(process_path, "x") == true and endsWith(process_path, "yx") == false
process where endsWith(process_path, "x") == true and endsWith(process_path, "yx") != true
;
"bool":{"must":[{"term":{"event.category":{"value":"process"
"must":[{"script":{"script":{"source":"InternalQlScriptUtils.nullSafeFilter(
@ -214,9 +214,9 @@ InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2))"
stringFunction
process where string(pid) == "123"
process where string(pid) : "123"
;
"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(
"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(
InternalEqlScriptUtils.string(InternalQlScriptUtils.docValue(doc,params.v0)),params.v1))",
"params":{"v0":"pid","v1":"123"}
;
@ -238,25 +238,25 @@ InternalEqlScriptUtils.indexOf(InternalQlScriptUtils.docValue(doc,params.v0),par
;
substringFunction
process where substring(file_name, -4) == ".exe"
process where substring(file_name, -4) : ".exe"
;
"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(
"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(
InternalEqlScriptUtils.substring(InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2),params.v3))",
"params":{"v0":"file_name.keyword","v1":-4,"v2":null,"v3":".exe"}
;
betweenFunction
process where between(process_name, "s", "e") == "yst"
process where between(process_name, "s", "e") : "yst"
;
"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(
"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(
InternalEqlScriptUtils.between(InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2,params.v3,params.v4),params.v5))",
"params":{"v0":"process_name","v1":"s","v2":"e","v3":false,"v4":false,"v5":"yst"}
;
concatFunction
process where concat(process_name, "::foo::", null, 1) == "net.exe::foo::1"
process where concat(process_name, "::foo::", null, 1) : "net.exe::foo::1"
;
"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(
"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(
InternalEqlScriptUtils.concat([InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2,params.v3]),params.v4))",
"params":{"v0":"process_name","v1":"::foo::","v2":null,"v3":1,"v4":"net.exe::foo::1"}
;
@ -297,9 +297,9 @@ process where cidrMatch(source_address, "10.0.0.0/8", "192.168.0.0/16", "2001:db
;
cidrMatchFunctionWrapped
process where string(cidrMatch(source_address, "10.6.48.157/8")) == "true"
process where string(cidrMatch(source_address, "10.6.48.157/8")) : "true"
;
{"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalEqlScriptUtils.string(
{"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.seq(InternalEqlScriptUtils.string(
InternalEqlScriptUtils.cidrMatch(InternalQlScriptUtils.docValue(doc,params.v0),params.v1)),params.v2))"
"params":{"v0":"source_address","v1":["10.6.48.157/8"],"v2":"true"}
;