From b47bffba24cb3bc8533ddc53f1c88bfb6fb5a159 Mon Sep 17 00:00:00 2001 
From: Aleksandr Maus Date: Wed, 4 Mar 2020 08:02:38 -0500 Subject: [PATCH] EQL: consistent naming for event type vs event category (#53073) (#53090) Related to https://github.com/elastic/elasticsearch/issues/52941 --- .../client/eql/EqlSearchRequest.java | 22 +++++------ .../java/org/elasticsearch/client/EqlIT.java | 10 +++-- .../client/eql/EqlSearchRequestTests.java | 4 +- docs/reference/eql/search.asciidoc | 14 +++---- docs/reference/eql/syntax.asciidoc | 2 +- .../test/eql/CommonEqlRestTestCase.java | 4 +- .../rest-api-spec/test/eql/10_basic.yml | 5 ++- .../xpack/eql/action/EqlSearchRequest.java | 37 +++++++++---------- .../eql/action/EqlSearchRequestBuilder.java | 4 +- .../xpack/eql/action/RequestDefaults.java | 6 +-- .../xpack/eql/parser/LogicalPlanBuilder.java | 2 +- .../xpack/eql/parser/ParserParams.java | 16 ++++---- .../eql/plugin/TransportEqlSearchAction.java | 4 +- .../xpack/eql/action/EqlActionIT.java | 12 ++++++ .../eql/action/EqlRequestParserTests.java | 6 +-- .../eql/action/EqlSearchRequestTests.java | 2 +- .../xpack/eql/analysis/VerifierTests.java | 10 ++--- .../xpack/eql/parser/LogicalPlanTests.java | 8 ++-- .../xpack/eql/planner/QueryFolderTests.java | 4 +- .../eql/src/test/resources/mapping-alias.json | 10 +++-- .../src/test/resources/mapping-binary.json | 10 +++-- .../src/test/resources/mapping-boolean.json | 10 +++-- .../eql/src/test/resources/mapping-date.json | 10 +++-- .../src/test/resources/mapping-default.json | 12 ++++-- .../eql/src/test/resources/mapping-geo.json | 8 +++- .../eql/src/test/resources/mapping-ip.json | 10 +++-- .../eql/src/test/resources/mapping-join.json | 10 +++-- ...on => mapping-missing-event-category.json} | 0 .../test/resources/mapping-multi-field.json | 10 +++-- .../src/test/resources/mapping-nested.json | 12 ++++-- .../eql/src/test/resources/mapping-nodoc.json | 10 +++-- .../src/test/resources/mapping-numeric.json | 12 ++++-- .../src/test/resources/mapping-object.json | 10 +++-- 
.../eql/src/test/resources/mapping-range.json | 8 +++- 34 files changed, 192 insertions(+), 122 deletions(-) rename x-pack/plugin/eql/src/test/resources/{mapping-missing-event-type.json => mapping-missing-event-category.json} (100%)
diff --git a/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java b/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java
index 1e6bfafee0c..8eb27b30596 100644
--- a/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java
+++ b/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java
@@ -37,8 +37,8 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
     private IndicesOptions indicesOptions = IndicesOptions.fromOptions(false, false, true, false);
     private QueryBuilder filter = null;
-    private String timestampField = "timestamp";
-    private String eventTypeField = "event_type";
+    private String timestampField = "@timestamp";
+    private String eventCategoryField = "event.category";
     private String implicitJoinKeyField = "agent.id";
     private int fetchSize = 50;
     private SearchAfterBuilder searchAfterBuilder;
@@ -46,7 +46,7 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
     static final String KEY_FILTER = "filter";
     static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
-    static final String KEY_EVENT_TYPE_FIELD = "event_type_field";
+    static final String KEY_EVENT_CATEGORY_FIELD = "event_category_field";
     static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
     static final String KEY_SIZE = "size";
     static final String KEY_SEARCH_AFTER = "search_after";
@@ -64,7 +64,7 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
             builder.field(KEY_FILTER, filter);
         }
         builder.field(KEY_TIMESTAMP_FIELD, timestampField());
-        builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField());
+        builder.field(KEY_EVENT_CATEGORY_FIELD, eventCategoryField());
         if (implicitJoinKeyField != null) {
             builder.field(KEY_IMPLICIT_JOIN_KEY_FIELD, implicitJoinKeyField());
         }
@@ -107,13 +107,13 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
         return this;
     }
-    public String eventTypeField() {
-        return this.eventTypeField;
+    public String eventCategoryField() {
+        return this.eventCategoryField;
     }
-    public EqlSearchRequest eventTypeField(String eventTypeField) {
-        Objects.requireNonNull(eventTypeField, "event type field must not be null");
-        this.eventTypeField = eventTypeField;
+    public EqlSearchRequest eventCategoryField(String eventCategoryField) {
+        Objects.requireNonNull(eventCategoryField, "event category field must not be null");
+        this.eventCategoryField = eventCategoryField;
         return this;
     }
@@ -180,7 +180,7 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
             Objects.equals(indicesOptions, that.indicesOptions) &&
             Objects.equals(filter, that.filter) &&
             Objects.equals(timestampField, that.timestampField) &&
-            Objects.equals(eventTypeField, that.eventTypeField) &&
+            Objects.equals(eventCategoryField, that.eventCategoryField) &&
             Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
             Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
             Objects.equals(query, that.query);
@@ -194,7 +194,7 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
             filter,
             fetchSize,
             timestampField,
-            eventTypeField,
+            eventCategoryField,
             implicitJoinKeyField,
             searchAfterBuilder,
             query);
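Review bot: The new defaults in the preceding @@ -37,8 hunk, `"@timestamp"` and `"event.category"`, are string literals that duplicate the server-side `RequestDefaults` constants this same commit renames (`FIELD_TIMESTAMP`, `FIELD_EVENT_CATEGORY`), and nothing on the client side records that coupling, so the two copies can drift on the next change. Suggest a comment above the two field declarations: `// Keep in sync with x-pack eql RequestDefaults (FIELD_TIMESTAMP / FIELD_EVENT_CATEGORY); the client module presumably cannot depend on it directly.` The default timestamp field also moves from `timestamp` to `@timestamp`, which changes the request that existing high-level-client callers send without any compile-time signal; that deserves a sentence in the Javadoc of `timestampField()` and a release-note entry rather than being folded into a rename commit.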
diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java
index 9b5206e6920..c45fe35be9f 100644
--- a/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java
+++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java
@@ -42,14 +42,16 @@ public class EqlIT extends ESRestHighLevelClientTestCase {
     public void testBasicSearch() throws Exception {
         Request doc1 = new Request(HttpPut.METHOD_NAME, "/index/_doc/1");
         doc1.setJsonEntity("{\"event_subtype_full\": \"already_running\", " +
-                "\"event_type\": \"process\", " +
+                "\"event\": {" +
+                "\"category\": \"process\"" +
+                "}," +
                 "\"event_type_full\": \"process_event\", " +
                 "\"opcode\": 3," +
                 "\"pid\": 0," +
                 "\"process_name\": \"System Idle Process\"," +
                 "\"serial_event_id\": 1," +
                 "\"subtype\": \"create\"," +
-                "\"timestamp\": 116444736000000000," +
+                "\"@timestamp\": 116444736000000000," +
                 "\"unique_pid\": 1}");
         client().performRequest(doc1);
         client().performRequest(new Request(HttpPost.METHOD_NAME, "/_refresh"));
@@ -78,8 +80,8 @@ public class EqlIT extends ESRestHighLevelClientTestCase {
             sb.append("\"datetime" + i + "\":\"" + now + "\"");
             sb.append(",");
         }
-        sb.append("\"event_type\": \"process\",");
-        sb.append("\"timestamp\": \"2020-02-03T12:34:56Z\",");
+        sb.append("\"event\": {\"category\": \"process\"},");
+        sb.append("\"@timestamp\": \"2020-02-03T12:34:56Z\",");
         sb.append("\"serial_event_id\": 1");
         sb.append("}");
         doc1.setJsonEntity(sb.toString());
diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java
index 19d2c7bb7e6..4af6abbb583 100644
--- a/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java
+++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java
@@ -43,7 +43,7 @@ public class EqlSearchRequestTests extends AbstractRequestTestCase> by default. You can use the `event_type_field` parameter to specify
-another event type field.
+The EQL search API uses `event.category` as the required <> by default. You can use the `event_category_field` parameter to specify
+another event category field.
 For example, the following request specifies `file.type` as the event type field.
@@ -100,7 +100,7 @@ field.
 ----
 GET sec_logs/_eql/search
 {
-  "event_type_field": "file.type",
+  "event_category_field": "file.type",
   "timestamp_field": "@timestamp",
   "query": """
     file where agent.id == "8a4f500d"
@@ -124,7 +124,7 @@ timestamp field.
 GET sec_logs/_eql/search
 {
   "timestamp_field": "file.accessed",
-  "event_type_field": "event.category",
+  "event_category_field": "event.category",
   "query": """
     file where (file.size > 1 and file.type == "file")
   """
@@ -148,7 +148,7 @@ filtered documents.
 ----
 GET sec_logs/_eql/search
 {
-  "event_type_field": "event.category",
+  "event_category_field": "event.category",
   "timestamp_field": "@timestamp",
   "filter": {
     "range" : {
diff --git a/docs/reference/eql/syntax.asciidoc b/docs/reference/eql/syntax.asciidoc
index d4753ff7d77..9f50fadb67f 100644
--- a/docs/reference/eql/syntax.asciidoc
+++ b/docs/reference/eql/syntax.asciidoc
@@ -18,7 +18,7 @@ EQL queries require an event type and a matching condition. The `where` keyword
 [source,eql]
 ----
-event_type where condition
+event.category where condition
 ----
 For example, the following EQL query matches `process` events with a `process.name`
diff --git a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java
index be89d3ee9c2..f857232c7e9 100644
--- a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java
+++ b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java
@@ -46,8 +46,8 @@ public abstract class CommonEqlRestTestCase extends ESRestTestCase {
         searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"\"}", 400, "query is null or empty"));
         searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"timestamp_field\": \"\"}",
             400, "timestamp field is null or empty"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"event_type_field\": \"\"}",
-            400, "event type field is null or empty"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"event_category_field\": \"\"}",
+            400, "event category field is null or empty"));
         searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"implicit_join_key_field\": \"\"}",
             400, "implicit join key field is null or empty"));
         searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"size\": 0}",
diff --git a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml
index af82017faa8..79610f784c6 100644
--- a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml
+++ b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml
@@ -7,8 +7,9 @@ setup:
         - index:
             _index: eql_test
             _id: 1
-        - event_type: process
-          timestamp: 2020-02-03T12:34:56Z
+        - event:
+            - category: process
+          "@timestamp": 2020-02-03T12:34:56Z
           user: SYSTEM
 ---
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
index 89cacf44e71..6dc5933828b 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
@@ -27,9 +27,9 @@ import java.util.function.Supplier;
 import static org.elasticsearch.action.ValidateActions.addValidationError;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.FETCH_SIZE;
-import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_EVENT_TYPE;
+import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_EVENT_CATEGORY;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_TIMESTAMP;
-import static org.elasticsearch.xpack.eql.action.RequestDefaults.IMPLICIT_JOIN_KEY;
+import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_IMPLICIT_JOIN_KEY;
 public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Replaceable, ToXContent {
@@ -39,15 +39,15 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
     private QueryBuilder filter = null;
     private String timestampField = FIELD_TIMESTAMP;
-    private String eventTypeField = FIELD_EVENT_TYPE;
-    private String implicitJoinKeyField = IMPLICIT_JOIN_KEY;
+    private String eventCategoryField = FIELD_EVENT_CATEGORY;
+    private String implicitJoinKeyField = FIELD_IMPLICIT_JOIN_KEY;
     private int fetchSize = FETCH_SIZE;
     private SearchAfterBuilder searchAfterBuilder;
     private String query;
     static final String KEY_FILTER = "filter";
     static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
-    static final String KEY_EVENT_TYPE_FIELD = "event_type_field";
+    static final String KEY_EVENT_CATEGORY_FIELD = "event_category_field";
     static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
     static final String KEY_SIZE = "size";
     static final String KEY_SEARCH_AFTER = "search_after";
@@ -55,7 +55,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
     static final ParseField FILTER = new ParseField(KEY_FILTER);
     static final ParseField TIMESTAMP_FIELD = new ParseField(KEY_TIMESTAMP_FIELD);
-    static final ParseField EVENT_TYPE_FIELD = new ParseField(KEY_EVENT_TYPE_FIELD);
+    static final ParseField EVENT_CATEGORY_FIELD = new ParseField(KEY_EVENT_CATEGORY_FIELD);
     static final ParseField IMPLICIT_JOIN_KEY_FIELD = new ParseField(KEY_IMPLICIT_JOIN_KEY_FIELD);
     static final ParseField SIZE = new ParseField(KEY_SIZE);
     static final ParseField SEARCH_AFTER = new ParseField(KEY_SEARCH_AFTER);
@@ -73,7 +73,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
         indicesOptions = IndicesOptions.readIndicesOptions(in);
         filter = in.readOptionalNamedWriteable(QueryBuilder.class);
         timestampField = in.readString();
-        eventTypeField = in.readString();
+        eventCategoryField = in.readString();
         implicitJoinKeyField = in.readString();
         fetchSize = in.readVInt();
         searchAfterBuilder = in.readOptionalWriteable(SearchAfterBuilder::new);
@@ -104,11 +104,11 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
         }
         if (timestampField == null || timestampField.isEmpty()) {
-            validationException = addValidationError("timestamp field is null or empty", validationException);
+            validationException = addValidationError("@timestamp field is null or empty", validationException);
         }
-        if (eventTypeField == null || eventTypeField.isEmpty()) {
-            validationException = addValidationError("event type field is null or empty", validationException);
+        if (eventCategoryField == null || eventCategoryField.isEmpty()) {
+            validationException = addValidationError("event category field is null or empty", validationException);
         }
         if (implicitJoinKeyField == null || implicitJoinKeyField.isEmpty()) {
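Review bot: The changed message in the @@ -104,11 hunk, `"@timestamp field is null or empty"`, now names the default field value instead of the request parameter being validated: `timestampField` holds whatever the caller passed as `timestamp_field`, so a request sending `"timestamp_field": ""` is told that `@timestamp` is empty, which is misleading for the user and for anyone grepping logs for the error. The sibling event-category check keeps the parameter wording (`event category field is null or empty`), and `CommonEqlRestTestCase` in this same patch still expects `timestamp field is null or empty`, which presumably only passes because the assertion is a substring match. Suggest keeping `validationException = addValidationError("timestamp field is null or empty", validationException);`, or naming the parameter literally as `timestamp_field is null or empty` so the message stays correct for any configured field. The enclosing method (validate, judging by `validationException`) starts and ends outside this hunk.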
@@ -128,7 +128,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
             builder.field(KEY_FILTER, filter);
         }
         builder.field(KEY_TIMESTAMP_FIELD, timestampField());
-        builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField());
+        builder.field(KEY_EVENT_CATEGORY_FIELD, eventCategoryField());
         if (implicitJoinKeyField != null) {
             builder.field(KEY_IMPLICIT_JOIN_KEY_FIELD, implicitJoinKeyField());
         }
@@ -152,7 +152,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
         parser.declareObject(EqlSearchRequest::filter, (p, c) -> AbstractQueryBuilder.parseInnerQueryBuilder(p), FILTER);
         parser.declareString(EqlSearchRequest::timestampField, TIMESTAMP_FIELD);
-        parser.declareString(EqlSearchRequest::eventTypeField, EVENT_TYPE_FIELD);
+        parser.declareString(EqlSearchRequest::eventCategoryField, EVENT_CATEGORY_FIELD);
         parser.declareString(EqlSearchRequest::implicitJoinKeyField, IMPLICIT_JOIN_KEY_FIELD);
         parser.declareInt(EqlSearchRequest::fetchSize, SIZE);
         parser.declareField(EqlSearchRequest::setSearchAfter, SearchAfterBuilder::fromXContent, SEARCH_AFTER,
@@ -181,10 +181,10 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
         return this;
     }
-    public String eventTypeField() { return this.eventTypeField; }
+    public String eventCategoryField() { return this.eventCategoryField; }
-    public EqlSearchRequest eventTypeField(String eventTypeField) {
-        this.eventTypeField = eventTypeField;
+    public EqlSearchRequest eventCategoryField(String eventCategoryField) {
+        this.eventCategoryField = eventCategoryField;
         return this;
     }
@@ -233,7 +233,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
         indicesOptions.writeIndicesOptions(out);
         out.writeOptionalNamedWriteable(filter);
         out.writeString(timestampField);
-        out.writeString(eventTypeField);
+        out.writeString(eventCategoryField);
         out.writeString(implicitJoinKeyField);
         out.writeVInt(fetchSize);
         out.writeOptionalWriteable(searchAfterBuilder);
@@ -254,7 +254,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
             Objects.equals(indicesOptions, that.indicesOptions) &&
             Objects.equals(filter, that.filter) &&
             Objects.equals(timestampField, that.timestampField) &&
-            Objects.equals(eventTypeField, that.eventTypeField) &&
+            Objects.equals(eventCategoryField, that.eventCategoryField) &&
             Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
             Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
             Objects.equals(query, that.query);
@@ -267,8 +267,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
             indicesOptions,
             filter,
             fetchSize,
-            timestampField,
-            eventTypeField,
+            timestampField, eventCategoryField,
             implicitJoinKeyField,
             searchAfterBuilder,
             query);
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java
index 743b297a58a..7123e0bc09d 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java
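Review bot: In the @@ -267,8 hunk, `timestampField, eventCategoryField,` collapses two `Objects.hash` arguments onto one line while every neighbouring argument keeps its own line, which breaks the list's layout and turns the next single-field change into a two-line diff. Suggest restoring one argument per line, `timestampField,` and `eventCategoryField,`, matching the `equals` hunk directly above where each field still has its own line. The enclosing hashCode method starts and ends outside this hunk.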
@@ -30,8 +30,8 @@ public class EqlSearchRequestBuilder extends ActionRequestBuilder queryParams = emptyList(); - public String fieldEventType() { - return fieldEventType; + public String fieldEventCategory() { + return fieldEventCategory; } - public ParserParams fieldEventType(String fieldEventType) { - this.fieldEventType = fieldEventType; + public ParserParams fieldEventCategory(String fieldEventCategory) { + this.fieldEventCategory = fieldEventCategory; return this; } diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java index 24a3cda7b8f..469f570d0dc 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java @@ -62,7 +62,7 @@ public class TransportEqlSearchAction extends HandledTransportAction entries = rootNode.elements(); while (entries.hasNext()) { JsonNode entry = entries.next(); + + // Adjust the structure of the document with additional event.category and @timestamp fields + // Add event.category field + ObjectNode objEvent = ((ObjectNode)entry).putObject("event"); + JsonNode objEventType = entry.get("event_type"); + objEvent.put("category", objEventType.asText()); + + // Add @timestamp field + JsonNode objTimestamp = entry.get("timestamp"); + ((ObjectNode)entry).put("@timestamp", objTimestamp.asLong()); + bulkBuilder.add(new IndexRequest(testIndexName).source(entry.toString(), XContentType.JSON)); } BulkResponse bulkResponse = bulkBuilder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).get(); diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java index 0ba6ed71e0c..258145dbf69 100644 
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java
@@ -35,7 +35,7 @@ public class EqlRequestParserTests extends ESTestCase {
             EqlSearchRequest::fromXContent);
         assertParsingErrorMessage("{\"timestamp_field\" : 123}", "timestamp_field doesn't support values of type: VALUE_NUMBER",
             EqlSearchRequest::fromXContent);
-        assertParsingErrorMessage("{\"event_type_field\" : 123}", "event_type_field doesn't support values of type: VALUE_NUMBER",
+        assertParsingErrorMessage("{\"event_category_field\" : 123}", "event_category_field doesn't support values of type: VALUE_NUMBER",
             EqlSearchRequest::fromXContent);
         assertParsingErrorMessage("{\"implicit_join_key_field\" : 123}", "implicit_join_key_field doesn't support values of type: VALUE_NUMBER",
@@ -51,7 +51,7 @@ public class EqlRequestParserTests extends ESTestCase {
         EqlSearchRequest request = generateRequest("endgame-*", "{\"filter\" : {\"match\" : {\"foo\":\"bar\"}}, "
             + "\"timestamp_field\" : \"tsf\", "
-            + "\"event_type_field\" : \"etf\","
+            + "\"event_category_field\" : \"etf\","
             + "\"implicit_join_key_field\" : \"imjf\","
             + "\"search_after\" : [ 12345678, \"device-20184\", \"/user/local/foo.exe\", \"2019-11-26T00:45:43.542\" ],"
             + "\"size\" : \"101\","
@@ -64,7 +64,7 @@ public class EqlRequestParserTests extends ESTestCase {
         assertEquals("foo", filter.fieldName());
         assertEquals("bar", filter.value());
         assertEquals("tsf", request.timestampField());
-        assertEquals("etf", request.eventTypeField());
+        assertEquals("etf", request.eventCategoryField());
         assertEquals("imjf", request.implicitJoinKeyField());
         assertArrayEquals(new Object[]{12345678, "device-20184", "/user/local/foo.exe", "2019-11-26T00:45:43.542"}, request.searchAfter());
         assertEquals(101, request.fetchSize());
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java
index 98567a03d4f..f4f0c241061 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java
@@ -64,7 +64,7 @@ public class EqlSearchRequestTests extends AbstractSerializingTestCase