EQL: Change request parameter query to filter and rule to query (#52971) (#53006)

Related to https://github.com/elastic/elasticsearch/issues/52911
Aleksandr Maus 2020-03-02 09:26:23 -05:00 committed by GitHub
parent d336faa0b0
commit 89ed857c79
11 changed files with 103 additions and 105 deletions


@ -36,32 +36,32 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
private String[] indices;
private IndicesOptions indicesOptions = IndicesOptions.fromOptions(false, false, true, false);
private QueryBuilder query = null;
private QueryBuilder filter = null;
private String timestampField = "@timestamp";
private String eventTypeField = "event_type";
private String implicitJoinKeyField = "agent.id";
private int fetchSize = 50;
private SearchAfterBuilder searchAfterBuilder;
private String rule;
private String query;
static final String KEY_QUERY = "query";
static final String KEY_FILTER = "filter";
static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
static final String KEY_EVENT_TYPE_FIELD = "event_type_field";
static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
static final String KEY_SIZE = "size";
static final String KEY_SEARCH_AFTER = "search_after";
static final String KEY_RULE = "rule";
static final String KEY_QUERY = "query";
public EqlSearchRequest(String indices, String rule) {
public EqlSearchRequest(String indices, String query) {
indices(indices);
rule(rule);
query(query);
}
@Override
public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
builder.startObject();
if (query != null) {
builder.field(KEY_QUERY, query);
if (filter != null) {
builder.field(KEY_FILTER, filter);
}
builder.field(KEY_TIMESTAMP_FIELD, timestampField());
builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField());
@ -74,7 +74,7 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
builder.array(KEY_SEARCH_AFTER, searchAfterBuilder.getSortValues());
}
builder.field(KEY_RULE, rule);
builder.field(KEY_QUERY, query);
builder.endObject();
return builder;
}
@ -88,12 +88,12 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
return this;
}
public QueryBuilder query() {
return this.query;
public QueryBuilder filter() {
return this.filter;
}
public EqlSearchRequest query(QueryBuilder query) {
this.query = query;
public EqlSearchRequest filter(QueryBuilder filter) {
this.filter = filter;
return this;
}
@ -156,13 +156,13 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
return this;
}
public String rule() {
return this.rule;
public String query() {
return this.query;
}
public EqlSearchRequest rule(String rule) {
Objects.requireNonNull(rule, "rule must not be null");
this.rule = rule;
public EqlSearchRequest query(String query) {
Objects.requireNonNull(query, "query must not be null");
this.query = query;
return this;
}
@ -175,16 +175,15 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
return false;
}
EqlSearchRequest that = (EqlSearchRequest) o;
return
fetchSize == that.fetchSize &&
return fetchSize == that.fetchSize &&
Arrays.equals(indices, that.indices) &&
Objects.equals(indicesOptions, that.indicesOptions) &&
Objects.equals(query, that.query) &&
Objects.equals(filter, that.filter) &&
Objects.equals(timestampField, that.timestampField) &&
Objects.equals(eventTypeField, that.eventTypeField) &&
Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
Objects.equals(rule, that.rule);
Objects.equals(query, that.query);
}
@Override
@ -192,13 +191,13 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
return Objects.hash(
Arrays.hashCode(indices),
indicesOptions,
query,
filter,
fetchSize,
timestampField,
eventTypeField,
implicitJoinKeyField,
searchAfterBuilder,
rule);
query);
}
public String[] indices() {
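Review bot: The renamed public setters `filter(QueryBuilder)` and `query(String)` in the hunks at `@ -88` and `@ -156` carry no Javadoc, and since `query()` now returns the EQL statement rather than the Query DSL builder it returned before, the two are easy to confuse in a public client API. The contract is also asymmetric: `query(String)` rejects null via `Objects.requireNonNull`, while `filter(QueryBuilder)` accepts null and `toXContent` then simply omits the `filter` field, whereas `query` is always written. I would document both, e.g. `/** Sets the EQL statement to execute; must not be null. */` on `query(String)` and `/** Sets an optional Query DSL filter; null means no filter and the field is not serialized. */` on `filter(QueryBuilder)`. The constructor and `toXContent` continue outside the visible hunks.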


@ -46,7 +46,7 @@ public class EqlSearchRequestTests extends AbstractRequestTestCase<EqlSearchRequ
EqlSearchRequest.eventTypeField(randomAlphaOfLength(10));
}
if (randomBoolean()) {
EqlSearchRequest.rule(randomAlphaOfLength(10));
EqlSearchRequest.query(randomAlphaOfLength(10));
}
if (randomBoolean()) {
EqlSearchRequest.timestampField(randomAlphaOfLength(10));
@ -56,9 +56,9 @@ public class EqlSearchRequestTests extends AbstractRequestTestCase<EqlSearchRequ
}
if (randomBoolean()) {
if (randomBoolean()) {
EqlSearchRequest.query(QueryBuilders.matchAllQuery());
EqlSearchRequest.filter(QueryBuilders.matchAllQuery());
} else {
EqlSearchRequest.query(QueryBuilders.termQuery(randomAlphaOfLength(10), randomInt(100)));
EqlSearchRequest.filter(QueryBuilders.termQuery(randomAlphaOfLength(10), randomInt(100)));
}
}
return EqlSearchRequest;
@ -75,8 +75,8 @@ public class EqlSearchRequestTests extends AbstractRequestTestCase<EqlSearchRequ
assertThat(serverInstance.eventTypeField(), equalTo(clientTestInstance.eventTypeField()));
assertThat(serverInstance.implicitJoinKeyField(), equalTo(clientTestInstance.implicitJoinKeyField()));
assertThat(serverInstance.timestampField(), equalTo(clientTestInstance.timestampField()));
assertThat(serverInstance.filter(), equalTo(clientTestInstance.filter()));
assertThat(serverInstance.query(), equalTo(clientTestInstance.query()));
assertThat(serverInstance.rule(), equalTo(clientTestInstance.rule()));
assertThat(serverInstance.searchAfter(), equalTo(clientTestInstance.searchAfter()));
assertThat(serverInstance.indicesOptions(), equalTo(clientTestInstance.indicesOptions()));
assertThat(serverInstance.indices(), equalTo(clientTestInstance.indices()));


@ -27,7 +27,7 @@ PUT sec_logs/_bulk?refresh
You can now use the EQL search API to search this index using an EQL query.
The following request searches the `sec_logs` index using the EQL query
specified in the `rule` parameter. The EQL query matches events with an
specified in the `query` parameter. The EQL query matches events with an
`event.category` of `process` that have a `process.name` of `cmd.exe`.
[source,console]
@ -35,7 +35,7 @@ specified in the `rule` parameter. The EQL query matches events with an
GET sec_logs/_eql/search
{
"event_type_field": "event.category",
"rule": """
"query": """
process where process.name == "cmd.exe"
"""
}


@ -36,31 +36,31 @@ public abstract class CommonEqlRestTestCase extends ESRestTestCase {
}
public static final String defaultValidationIndexName = "eql_search_validation_test";
private static final String validRule = "process where user = 'SYSTEM'";
private static final String validQuery = "process where user = 'SYSTEM'";
public static final ArrayList<SearchTestConfiguration> searchValidationTests;
static {
searchValidationTests = new ArrayList<>();
searchValidationTests.add(new SearchTestConfiguration(null, 400, "request body or source parameter is required"));
searchValidationTests.add(new SearchTestConfiguration("{}", 400, "rule is null or empty"));
searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"\"}", 400, "rule is null or empty"));
searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"timestamp_field\": \"\"}",
searchValidationTests.add(new SearchTestConfiguration("{}", 400, "query is null or empty"));
searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"\"}", 400, "query is null or empty"));
searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"timestamp_field\": \"\"}",
400, "timestamp field is null or empty"));
searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"event_type_field\": \"\"}",
searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"event_type_field\": \"\"}",
400, "event type field is null or empty"));
searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"implicit_join_key_field\": \"\"}",
searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"implicit_join_key_field\": \"\"}",
400, "implicit join key field is null or empty"));
searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"size\": 0}",
searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"size\": 0}",
400, "size must be greater than 0"));
searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"size\": -1}",
searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"size\": -1}",
400, "size must be greater than 0"));
searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"search_after\": null}",
searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"search_after\": null}",
400, "search_after doesn't support values of type: VALUE_NULL"));
searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"search_after\": []}",
searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"search_after\": []}",
400, "must contains at least one value"));
searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"query\": null}",
400, "query doesn't support values of type: VALUE_NULL"));
searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"query\": {}}",
searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"filter\": null}",
400, "filter doesn't support values of type: VALUE_NULL"));
searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"filter\": {}}",
400, "query malformed, empty clause found"));
}
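Review bot: The hunk at `@ -36` drops the only validation case that sent a null under the `query` key (the old `"query": null` case against the QueryBuilder field is repurposed as `"filter": null`), so a null EQL statement is no longer covered even though `query` is now the required string-typed parameter. The server parser's `declareString` path presumably rejects it with the same message shape the parser tests already expect for other token types, so a case like `searchValidationTests.add(new SearchTestConfiguration("{\"query\": null}", 400, "query doesn't support values of type: VALUE_NULL"));` would close the gap; the exact message should be confirmed against the parser. The final `"filter": {}` case still expects `query malformed, empty clause found`, which appears to come from the inner Query DSL parser rather than this request class, so it will read oddly next to the new `filter` name but is not something this commit can change.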


@ -17,7 +17,7 @@ setup:
eql.search:
index: eql_test
body:
rule: "process where user = 'SYSTEM'"
query: "process where user = 'SYSTEM'"
- match: {timed_out: false}
- match: {hits.total.value: 1}


@ -37,29 +37,29 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
private IndicesOptions indicesOptions = IndicesOptions.fromOptions(false,
false, true, false);
private QueryBuilder query = null;
private QueryBuilder filter = null;
private String timestampField = FIELD_TIMESTAMP;
private String eventTypeField = FIELD_EVENT_TYPE;
private String implicitJoinKeyField = IMPLICIT_JOIN_KEY;
private int fetchSize = FETCH_SIZE;
private SearchAfterBuilder searchAfterBuilder;
private String rule;
private String query;
static final String KEY_QUERY = "query";
static final String KEY_FILTER = "filter";
static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
static final String KEY_EVENT_TYPE_FIELD = "event_type_field";
static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
static final String KEY_SIZE = "size";
static final String KEY_SEARCH_AFTER = "search_after";
static final String KEY_RULE = "rule";
static final String KEY_QUERY = "query";
static final ParseField QUERY = new ParseField(KEY_QUERY);
static final ParseField FILTER = new ParseField(KEY_FILTER);
static final ParseField TIMESTAMP_FIELD = new ParseField(KEY_TIMESTAMP_FIELD);
static final ParseField EVENT_TYPE_FIELD = new ParseField(KEY_EVENT_TYPE_FIELD);
static final ParseField IMPLICIT_JOIN_KEY_FIELD = new ParseField(KEY_IMPLICIT_JOIN_KEY_FIELD);
static final ParseField SIZE = new ParseField(KEY_SIZE);
static final ParseField SEARCH_AFTER = new ParseField(KEY_SEARCH_AFTER);
static final ParseField RULE = new ParseField(KEY_RULE);
static final ParseField QUERY = new ParseField(KEY_QUERY);
private static final ObjectParser<EqlSearchRequest, Void> PARSER = objectParser(EqlSearchRequest::new);
@ -71,13 +71,13 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
super(in);
indices = in.readStringArray();
indicesOptions = IndicesOptions.readIndicesOptions(in);
query = in.readOptionalNamedWriteable(QueryBuilder.class);
filter = in.readOptionalNamedWriteable(QueryBuilder.class);
timestampField = in.readString();
eventTypeField = in.readString();
implicitJoinKeyField = in.readString();
fetchSize = in.readVInt();
searchAfterBuilder = in.readOptionalWriteable(SearchAfterBuilder::new);
rule = in.readString();
query = in.readString();
}
@Override
@ -99,8 +99,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
validationException = addValidationError("indicesOptions is null", validationException);
}
if (rule == null || rule.isEmpty()) {
validationException = addValidationError("rule is null or empty", validationException);
if (query == null || query.isEmpty()) {
validationException = addValidationError("query is null or empty", validationException);
}
if (timestampField == null || timestampField.isEmpty()) {
@ -124,8 +124,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
@Override
public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
if (query != null) {
builder.field(KEY_QUERY, query);
if (filter != null) {
builder.field(KEY_FILTER, filter);
}
builder.field(KEY_TIMESTAMP_FIELD, timestampField());
builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField());
@ -138,7 +138,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
builder.array(SEARCH_AFTER.getPreferredName(), searchAfterBuilder.getSortValues());
}
builder.field(KEY_RULE, rule);
builder.field(KEY_QUERY, query);
return builder;
}
@ -149,15 +149,15 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
protected static <R extends EqlSearchRequest> ObjectParser<R, Void> objectParser(Supplier<R> supplier) {
ObjectParser<R, Void> parser = new ObjectParser<>("eql/search", false, supplier);
parser.declareObject(EqlSearchRequest::query,
(p, c) -> AbstractQueryBuilder.parseInnerQueryBuilder(p), QUERY);
parser.declareObject(EqlSearchRequest::filter,
(p, c) -> AbstractQueryBuilder.parseInnerQueryBuilder(p), FILTER);
parser.declareString(EqlSearchRequest::timestampField, TIMESTAMP_FIELD);
parser.declareString(EqlSearchRequest::eventTypeField, EVENT_TYPE_FIELD);
parser.declareString(EqlSearchRequest::implicitJoinKeyField, IMPLICIT_JOIN_KEY_FIELD);
parser.declareInt(EqlSearchRequest::fetchSize, SIZE);
parser.declareField(EqlSearchRequest::setSearchAfter, SearchAfterBuilder::fromXContent, SEARCH_AFTER,
ObjectParser.ValueType.OBJECT_ARRAY);
parser.declareString(EqlSearchRequest::rule, RULE);
parser.declareString(EqlSearchRequest::query, QUERY);
return parser;
}
@ -167,10 +167,10 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
return this;
}
public QueryBuilder query() { return this.query; }
public QueryBuilder filter() { return this.filter; }
public EqlSearchRequest query(QueryBuilder query) {
this.query = query;
public EqlSearchRequest filter(QueryBuilder filter) {
this.filter = filter;
return this;
}
@ -219,10 +219,10 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
return this;
}
public String rule() { return this.rule; }
public String query() { return this.query; }
public EqlSearchRequest rule(String rule) {
this.rule = rule;
public EqlSearchRequest query(String query) {
this.query = query;
return this;
}
@ -231,13 +231,13 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
super.writeTo(out);
out.writeStringArrayNullable(indices);
indicesOptions.writeIndicesOptions(out);
out.writeOptionalNamedWriteable(query);
out.writeOptionalNamedWriteable(filter);
out.writeString(timestampField);
out.writeString(eventTypeField);
out.writeString(implicitJoinKeyField);
out.writeVInt(fetchSize);
out.writeOptionalWriteable(searchAfterBuilder);
out.writeString(rule);
out.writeString(query);
}
@Override
@ -249,16 +249,15 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
return false;
}
EqlSearchRequest that = (EqlSearchRequest) o;
return
fetchSize == that.fetchSize &&
Arrays.equals(indices, that.indices) &&
Objects.equals(indicesOptions, that.indicesOptions) &&
Objects.equals(query, that.query) &&
Objects.equals(timestampField, that.timestampField) &&
Objects.equals(eventTypeField, that.eventTypeField) &&
Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
Objects.equals(rule, that.rule);
return fetchSize == that.fetchSize &&
Arrays.equals(indices, that.indices) &&
Objects.equals(indicesOptions, that.indicesOptions) &&
Objects.equals(filter, that.filter) &&
Objects.equals(timestampField, that.timestampField) &&
Objects.equals(eventTypeField, that.eventTypeField) &&
Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
Objects.equals(query, that.query);
}
@Override
@ -266,13 +265,13 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
return Objects.hash(
Arrays.hashCode(indices),
indicesOptions,
query,
filter,
fetchSize,
timestampField,
eventTypeField,
implicitJoinKeyField,
searchAfterBuilder,
rule);
query);
}
@Override
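Review bot: The server-side setter `query(String)` in the hunk at `@ -219` silently accepts null, unlike the client counterpart, and `writeTo` at `@ -231` then calls `out.writeString(query)`, which, unlike the `writeOptionalNamedWriteable` used for `filter` on the line above it, is not a nullable write; this is only safe because `validate()` at `@ -99` rejects a null or empty query first, and that invariant is not documented anywhere in the class. I would add Javadoc on the accessors stating the distinction and the invariant, e.g. `/** The EQL statement to execute. Required: {@link #validate()} rejects null/empty and {@link #writeTo} assumes non-null. */` on `query()` and `/** Optional Query DSL filter sent alongside the EQL statement; may be null, in which case toXContent omits it. */` on `filter()`. The rename keeps the stream positions of `filter` and `query` unchanged in the stream constructor at `@ -71` and in `writeTo`, so the wire format is unaffected; that is worth stating in the commit message since this request is serialized between nodes. The parser setup at `@ -149` also deserves a one-line comment that `QUERY` now binds the EQL string and `FILTER` the Query DSL object, since both previously went by `query`.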


@ -20,8 +20,8 @@ public class EqlSearchRequestBuilder extends ActionRequestBuilder<EqlSearchReque
return this;
}
public EqlSearchRequestBuilder query(QueryBuilder query) {
request.query(query);
public EqlSearchRequestBuilder filter(QueryBuilder filter) {
request.filter(filter);
return this;
}
@ -50,8 +50,8 @@ public class EqlSearchRequestBuilder extends ActionRequestBuilder<EqlSearchReque
return this;
}
public EqlSearchRequestBuilder rule(String rule) {
request.rule(rule);
public EqlSearchRequestBuilder query(String query) {
request.query(query);
return this;
}


@ -56,7 +56,7 @@ public class TransportEqlSearchAction extends HandledTransportAction<EqlSearchRe
String clusterName, ActionListener<EqlSearchResponse> listener) {
// TODO: these should be sent by the client
ZoneId zoneId = DateUtils.of("Z");
QueryBuilder filter = request.query();
QueryBuilder filter = request.filter();
TimeValue timeout = TimeValue.timeValueSeconds(30);
boolean includeFrozen = request.indicesOptions().ignoreThrottled() == false;
String clientId = null;
@ -68,7 +68,7 @@ public class TransportEqlSearchAction extends HandledTransportAction<EqlSearchRe
Configuration cfg = new Configuration(request.indices(), zoneId, username, clusterName, filter, timeout, request.fetchSize(),
includeFrozen, clientId);
planExecutor.eql(cfg, request.rule(), params, wrap(r -> listener.onResponse(createResponse(r)), listener::onFailure));
planExecutor.eql(cfg, request.query(), params, wrap(r -> listener.onResponse(createResponse(r)), listener::onFailure));
}
static EqlSearchResponse createResponse(Results results) {


@ -98,7 +98,7 @@ public class EqlActionIT extends AbstractEqlIntegTestCase {
public final void test() {
EqlSearchResponse response = new EqlSearchRequestBuilder(client(), EqlSearchAction.INSTANCE)
.indices(testIndexName).rule(spec.query()).get();
.indices(testIndexName).query(spec.query()).get();
List<SearchHit> events = response.hits().events();
assertNotNull(events);


@ -31,7 +31,7 @@ public class EqlRequestParserTests extends ESTestCase {
}
public void testSearchRequestParser() throws IOException {
assertParsingErrorMessage("{\"query\" : 123}", "query doesn't support values of type: VALUE_NUMBER",
assertParsingErrorMessage("{\"filter\" : 123}", "filter doesn't support values of type: VALUE_NUMBER",
EqlSearchRequest::fromXContent);
assertParsingErrorMessage("{\"timestamp_field\" : 123}", "timestamp_field doesn't support values of type: VALUE_NUMBER",
EqlSearchRequest::fromXContent);
@ -43,32 +43,32 @@ public class EqlRequestParserTests extends ESTestCase {
assertParsingErrorMessage("{\"search_after\" : 123}", "search_after doesn't support values of type: VALUE_NUMBER",
EqlSearchRequest::fromXContent);
assertParsingErrorMessage("{\"size\" : \"foo\"}", "failed to parse field [size]", EqlSearchRequest::fromXContent);
assertParsingErrorMessage("{\"rule\" : 123}", "rule doesn't support values of type: VALUE_NUMBER",
assertParsingErrorMessage("{\"query\" : 123}", "query doesn't support values of type: VALUE_NUMBER",
EqlSearchRequest::fromXContent);
assertParsingErrorMessage("{\"rule\" : \"whatever\", \"size\":\"abc\"}", "failed to parse field [size]",
assertParsingErrorMessage("{\"query\" : \"whatever\", \"size\":\"abc\"}", "failed to parse field [size]",
EqlSearchRequest::fromXContent);
EqlSearchRequest request = generateRequest("endgame-*", "{\"query\" : {\"match\" : {\"foo\":\"bar\"}}, "
EqlSearchRequest request = generateRequest("endgame-*", "{\"filter\" : {\"match\" : {\"foo\":\"bar\"}}, "
+ "\"timestamp_field\" : \"tsf\", "
+ "\"event_type_field\" : \"etf\","
+ "\"implicit_join_key_field\" : \"imjf\","
+ "\"search_after\" : [ 12345678, \"device-20184\", \"/user/local/foo.exe\", \"2019-11-26T00:45:43.542\" ],"
+ "\"size\" : \"101\","
+ "\"rule\" : \"file where user != 'SYSTEM' by file_path\""
+ "\"query\" : \"file where user != 'SYSTEM' by file_path\""
+ "}", EqlSearchRequest::fromXContent);
assertArrayEquals(new String[]{"endgame-*"}, request.indices());
assertNotNull(request.query());
assertTrue(request.query() instanceof MatchQueryBuilder);
MatchQueryBuilder query = (MatchQueryBuilder)request.query();
assertEquals("foo", query.fieldName());
assertEquals("bar", query.value());
assertTrue(request.filter() instanceof MatchQueryBuilder);
MatchQueryBuilder filter = (MatchQueryBuilder)request.filter();
assertEquals("foo", filter.fieldName());
assertEquals("bar", filter.value());
assertEquals("tsf", request.timestampField());
assertEquals("etf", request.eventTypeField());
assertEquals("imjf", request.implicitJoinKeyField());
assertArrayEquals(new Object[]{12345678, "device-20184", "/user/local/foo.exe", "2019-11-26T00:45:43.542"}, request.searchAfter());
assertEquals(101, request.fetchSize());
assertEquals("file where user != 'SYSTEM' by file_path", request.rule());
assertEquals("file where user != 'SYSTEM' by file_path", request.query());
}
private EqlSearchRequest generateRequest(String index, String json, Function<XContentParser, EqlSearchRequest> fromXContent)


@ -32,7 +32,7 @@ import static org.elasticsearch.index.query.AbstractQueryBuilder.parseInnerQuery
public class EqlSearchRequestTests extends AbstractSerializingTestCase<EqlSearchRequest> {
// TODO: possibly add mutations
static String defaultTestQuery = "{\n" +
static String defaultTestFilter = "{\n" +
" \"match\" : {\n" +
" \"foo\": \"bar\"\n" +
" }" +
@ -59,15 +59,15 @@ public class EqlSearchRequestTests extends AbstractSerializingTestCase<EqlSearch
@Override
protected EqlSearchRequest createTestInstance() {
try {
QueryBuilder query = parseQuery(defaultTestQuery);
QueryBuilder filter = parseFilter(defaultTestFilter);
EqlSearchRequest request = new EqlSearchRequest()
.indices(new String[]{defaultTestIndex})
.query(query)
.filter(filter)
.timestampField(randomAlphaOfLength(10))
.eventTypeField(randomAlphaOfLength(10))
.implicitJoinKeyField(randomAlphaOfLength(10))
.fetchSize(randomIntBetween(1, 50))
.rule(randomAlphaOfLength(10));
.query(randomAlphaOfLength(10));
if (randomBoolean()) {
request.searchAfter(randomJsonSearchFromBuilder());
@ -79,12 +79,12 @@ public class EqlSearchRequestTests extends AbstractSerializingTestCase<EqlSearch
return null;
}
protected QueryBuilder parseQuery(String queryAsString) throws IOException {
XContentParser parser = createParser(JsonXContent.jsonXContent, queryAsString);
return parseQuery(parser);
protected QueryBuilder parseFilter(String filter) throws IOException {
XContentParser parser = createParser(JsonXContent.jsonXContent, filter);
return parseFilter(parser);
}
protected QueryBuilder parseQuery(XContentParser parser) throws IOException {
protected QueryBuilder parseFilter(XContentParser parser) throws IOException {
QueryBuilder parseInnerQueryBuilder = parseInnerQueryBuilder(parser);
assertNull(parser.nextToken());
return parseInnerQueryBuilder;