From ad5ae4d887b5c2feca2d0e874d7bdf738e3fd54e Mon Sep 17 00:00:00 2001 From: Marios Trivyzas Date: Tue, 22 Sep 2020 17:37:37 +0200 Subject: [PATCH] EQL: Remove support for `=` for comparisons (#62756) Since `=` is rarely used and is undocumented we remove its support for equality comparisons, keeping `==` as the only option. `=` is now only used for assignments like in `maxspan=10m`. Closes: #62650 --- .../java/org/elasticsearch/client/EqlIT.java | 2 +- docs/reference/eql/eql-search-api.asciidoc | 2 +- .../test/eql/stats/RestEqlUsageTestCase.java | 8 +- .../resources/additional_test_queries.toml | 10 +- .../src/main/resources/test_queries.toml | 200 ++++++------ .../resources/test_queries_unsupported.toml | 82 ++--- .../rest-api-spec/test/eql/10_basic.yml | 10 +- .../xpack/eql/AsyncEqlSecurityIT.java | 2 +- .../eql/action/AsyncEqlSearchActionIT.java | 8 +- .../xpack/eql/action/EqlCancellationIT.java | 2 +- .../eql/action/RestEqlCancellationIT.java | 2 +- x-pack/plugin/eql/src/main/antlr/EqlBase.g4 | 5 +- .../plugin/eql/src/main/antlr/EqlBase.tokens | 89 +++--- .../eql/src/main/antlr/EqlBaseLexer.tokens | 89 +++--- .../xpack/eql/parser/EqlBaseLexer.java | 287 +++++++++--------- .../xpack/eql/parser/EqlBaseParser.java | 136 ++++----- .../xpack/eql/analysis/VerifierTests.java | 14 +- .../xpack/eql/parser/ExpressionTests.java | 13 +- .../xpack/eql/parser/GrammarTests.java | 1 + .../xpack/eql/stats/VerifierMetricsTests.java | 10 +- .../src/test/resources/queries-supported.eql | 150 ++++----- .../test/resources/queries-unsupported.eql | 58 ++-- .../src/test/resources/queryfolder_tests.txt | 2 +- .../10_data_stream_resolvability.yml | 4 +- 24 files changed, 599 insertions(+), 587 deletions(-) diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java index 146788fa26a66..4bcc8b3cdefce 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java 
+++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java @@ -141,7 +141,7 @@ public void testEqualsInFilterConditionSearch() throws Exception { EqlClient eql = highLevelClient().eql(); EqlSearchRequest request = new EqlSearchRequest("index", - "process where event_type_full = \"process_event\" and serial_event_id in (1,3,5)"); + "process where event_type_full == \"process_event\" and serial_event_id in (1,3,5)"); EqlSearchResponse response = execute(request, eql::search, eql::searchAsync); assertResponse(response, 3); diff --git a/docs/reference/eql/eql-search-api.asciidoc b/docs/reference/eql/eql-search-api.asciidoc index 76a672d944c19..22b8efc8afab3 100644 --- a/docs/reference/eql/eql-search-api.asciidoc +++ b/docs/reference/eql/eql-search-api.asciidoc @@ -19,7 +19,7 @@ event. GET /my-index-000001/_eql/search { "query": """ - process where process.name = "regsvr32.exe" + process where process.name == "regsvr32.exe" """ } ---- diff --git a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/RestEqlUsageTestCase.java b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/RestEqlUsageTestCase.java index d7cab363e4eea..eb326fcdc98e4 100644 --- a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/RestEqlUsageTestCase.java +++ b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/RestEqlUsageTestCase.java @@ -146,7 +146,7 @@ public void testEqlRestUsage() throws IOException { int randomSequenceExecutions = randomIntBetween(1, 15); allTotalQueries += randomSequenceExecutions; for (int i = 0; i < randomSequenceExecutions; i++) { - runEql("sequence [process where serial_event_id = 1] [process where serial_event_id = 2]"); + runEql("sequence [process where serial_event_id == 1] [process where serial_event_id == 2]"); } responseAsMap = getStats(); metricsToCheck = Set.of("sequence", "sequence_queries_two", "pipe_head"); 
@@ -179,7 +179,7 @@ public void testEqlRestUsage() throws IOException { " [process where opcode == 1] by user" + " [process where opcode == 2] by user" + " [file where parent_process_name == \\\"file_delete_event\\\"] by exit_code" + - " until [process where opcode=1] by ppid" + + " until [process where opcode==1] by ppid" + " | head 4" + " | tail 2"); } @@ -271,8 +271,8 @@ public void testEqlRestUsage() throws IOException { runEql( randomFrom( "process where missing_field < 4 | tail 2", - "sequence abc [process where serial_event_id = 1]", - "sequence with maxspan=1x [process where serial_event_id = 1]", + "sequence abc [process where serial_event_id == 1]", + "sequence with maxspan=1x [process where serial_event_id == 1]", "sequence by exit_code, user [process where serial_event_id < 4] by ppid", "sequence by" ) diff --git a/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml b/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml index 1588d1b2d08f1..e9f6595955b17 100644 --- a/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml +++ b/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml @@ -69,7 +69,7 @@ expected_event_ids = [5] [[queries]] name = "concatEquals2" -query = 'process where concat(serial_event_id) = "1"' +query = 'process where concat(serial_event_id) == "1"' expected_event_ids = [1] [[queries]] @@ -98,7 +98,7 @@ expected_event_ids = [1, 2, 3, 4] [[queries]] name = "numberStringConversion1" -query = 'process where string(serial_event_id) = "1"' +query = 'process where string(serial_event_id) == "1"' expected_event_ids = [1] @@ -223,8 +223,8 @@ query = "process where serial_event_id + ((1 + 3) * 2 / (3 - 1)) * 2 == 54 or 70 name = "twoSequencesAdditional1" query = ''' sequence - [process where serial_event_id = 1] - [process where serial_event_id = 2] + [process where serial_event_id == 1] + [process where serial_event_id == 2] ''' expected_event_ids = [1, 2] 
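Review bot: The randomFrom list at @@ -271 of testEqlRestUsage, which appears to hold the queries expected to fail ("sequence abc …", "sequence by", the `maxspan=1x` unit), no longer exercises the syntax this commit removes: every `=` comparison in this file has been rewritten to `==`, so nothing at the REST layer confirms that a query such as `process where serial_event_id = 1` is now rejected instead of parsed. Adding an entry like `"process where serial_event_id = 1",` to that list would cover the removal through the failed-query counters, unless the ExpressionTests/GrammarTests changes listed in the diffstat already pin the rejection at the parser level. The enclosing testEqlRestUsage method starts and ends outside these hunks.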
@@ -232,7 +232,7 @@ expected_event_ids = [1, 2] name = "twoSequencesAdditional2" query = ''' sequence - [process where serial_event_id=1] by unique_pid + [process where serial_event_id==1] by unique_pid [process where true] by unique_ppid''' expected_event_ids = [1, 2] diff --git a/x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml b/x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml index e9b2df6baedf9..c57ffb9dfe588 100644 --- a/x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml +++ b/x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml @@ -1,6 +1,6 @@ [[queries]] name = "simpleQueryEqual" -query = 'process where serial_event_id = 1' +query = 'process where serial_event_id == 1' expected_event_ids = [1] [[queries]] @@ -161,7 +161,7 @@ expected_event_ids = [] [[queries]] name = "processWithMultipleConditions1" -query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)' +query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode==3 and opcode>2)' expected_event_ids = [8] [[queries]] 
@@ -371,27 +371,27 @@ expected_event_ids = [84, 85] [[queries]] name = "descendant1" query = ''' -file where file_name == "csrss.exe" and opcode=0 - and descendant of [process where opcode in (1,3) and process_name="cmd.exe"] +file where file_name == "csrss.exe" and opcode==0 + and descendant of [process where opcode in (1,3) and process_name=="cmd.exe"] ''' expected_event_ids = [72] [[queries]] name = "descendant2" query = ''' -process where opcode=1 and process_name == "csrss.exe" - and descendant of [file where file_name == "csrss.exe" and opcode=0] +process where opcode==1 and process_name == "csrss.exe" + and descendant of [file where file_name == "csrss.exe" and opcode==0] ''' expected_event_ids = [73] [[queries]] name = "descendant3" query = ''' -process where opcode=1 and process_name == "smss.exe" +process where opcode==1 and process_name == "smss.exe" and descendant of [ - file where file_name == "csrss.exe" and opcode=0 + file where file_name == "csrss.exe" and opcode==0 and descendant of [ - process where opcode in(1,3) and process_name="cmd.exe" + process where opcode in(1,3) and process_name=="cmd.exe" ] ] ''' 
@@ -400,24 +400,24 @@ expected_event_ids = [78] [[queries]] name = "wildcardAndMultipleConditions1" query = ''' -file where file_path="*\\red_ttp\\winin*.*" - and opcode in (0,1,2) and user_name="vagrant" +file where file_path=="*\\red_ttp\\winin*.*" + and opcode in (0,1,2) and user_name=="vagrant" ''' expected_event_ids = [83, 86] [[queries]] name = "wildcardAndMultipleConditions2" query = ''' -file where file_path="*\\red_ttp\\winin*.*" - and opcode not in (0,1,2) and user_name="vagrant" +file where file_path=="*\\red_ttp\\winin*.*" + and opcode not in (0,1,2) and user_name=="vagrant" ''' expected_event_ids = [] [[queries]] name = "wildcardAndMultipleConditions3" query = ''' -file where file_path="*\\red_ttp\\winin*.*" - and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant" +file where file_path=="*\\red_ttp\\winin*.*" + and opcode not in (3, 4, 5, 6 ,7) and user_name=="vagrant" ''' expected_event_ids = [83, 86] @@ -513,8 +513,8 @@ process where true name = "sequenceOneOneMatch" query = ''' sequence - [process where serial_event_id = 1] - [process where serial_event_id = 2] + [process where serial_event_id == 1] + [process where serial_event_id == 2] ''' expected_event_ids = [1, 2] @@ -523,7 +523,7 @@ name = "sequenceManyOneMatch" query = ''' sequence [process where serial_event_id < 5] - [process where serial_event_id = 5] + [process where serial_event_id == 5] ''' expected_event_ids = [4, 5] @@ -720,7 +720,7 @@ expected_event_ids = [54, 55, 61, 67] name = "sequenceOneManyWithJoin" query = ''' sequence - [process where serial_event_id=1] by unique_pid + [process where serial_event_id==1] by unique_pid [process where true] by unique_ppid ''' expected_event_ids = [1, 2] 
@@ -762,7 +762,7 @@ expected_event_ids = [1, 2, name = "sequencesOnDifferentEventTypes1" query = ''' sequence by unique_pid - [process where opcode=1 and process_name == "MSBuild.exe"] + [process where opcode==1 and process_name == "MSBuild.exe"] [network where true] ''' expected_event_ids = [75273, 75304] @@ -867,7 +867,7 @@ expected_event_ids = [1, 2, name = "sequencesOnDifferentEventTypesWithBy" query = ''' sequence - [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [file where opcode==0 and file_name=="svchost.exe"] by unique_pid [process where opcode == 1] by unique_ppid ''' expected_event_ids = [55, 56] @@ -876,8 +876,8 @@ expected_event_ids = [55, 56] name = "doubleSameSequenceWithBy" query = ''' sequence - [file where opcode=0] by unique_pid - [file where opcode=0] by unique_pid + [file where opcode==0] by unique_pid + [file where opcode==0] by unique_pid | head 1 ''' expected_event_ids = [55, 61] @@ -886,8 +886,8 @@ expected_event_ids = [55, 61] name = "doubleSameSequenceWithByAndFilter" query = ''' sequence - [file where opcode=0] by unique_pid - [file where opcode=0] by unique_pid + [file where opcode==0] by unique_pid + [file where opcode==0] by unique_pid | filter events[1].serial_event_id == 92 ''' expected_event_ids = [87, 92] @@ -896,9 +896,9 @@ expected_event_ids = [87, 92] name = "doubleSameSequenceWithByUntilAndHead1" query = ''' sequence - [file where opcode=0 and file_name="*.exe"] by unique_pid - [file where opcode=0 and file_name="*.exe"] by unique_pid -until [process where opcode=5000] by unique_ppid + [file where opcode==0 and file_name=="*.exe"] by unique_pid + [file where opcode==0 and file_name=="*.exe"] by unique_pid +until [process where opcode==5000] by unique_ppid | head 1 ''' expected_event_ids = [55, 61] 
@@ -907,9 +907,9 @@ expected_event_ids = [55, 61] name = "doubleSameSequenceWithByUntilAndHead2" query = ''' sequence - [file where opcode=0 and file_name="*.exe"] by unique_pid - [file where opcode=0 and file_name="*.exe"] by unique_pid -until [process where opcode=1] by unique_ppid + [file where opcode==0 and file_name=="*.exe"] by unique_pid + [file where opcode==0 and file_name=="*.exe"] by unique_pid +until [process where opcode==1] by unique_ppid | head 1 ''' expected_event_ids = [] @@ -918,9 +918,9 @@ expected_event_ids = [] name = "doubleJoinWithByUntilAndHead" query = ''' join - [file where opcode=0 and file_name="*.exe"] by unique_pid - [file where opcode=2 and file_name="*.exe"] by unique_pid -until [process where opcode=1] by unique_ppid + [file where opcode==0 and file_name=="*.exe"] by unique_pid + [file where opcode==2 and file_name=="*.exe"] by unique_pid +until [process where opcode==1] by unique_ppid | head 1 ''' expected_event_ids = [61, 59] @@ -929,7 +929,7 @@ expected_event_ids = [61, 59] name = "twoJoins1" query = ''' join by user_name - [process where opcode in (1,3) and process_name="smss.exe"] + [process where opcode in (1,3) and process_name=="smss.exe"] [process where opcode in (1,3) and process_name == "python.exe"] ''' expected_event_ids = [78, 48] @@ -938,8 +938,8 @@ expected_event_ids = [78, 48] name = "threeJoins1" query = ''' join by unique_pid - [process where opcode=1] - [file where opcode=0 and file_name="svchost.exe"] + [process where opcode==1] + [file where opcode==0 and file_name=="svchost.exe"] [file where opcode == 0 and file_name == "lsass.exe"] ''' expected_event_ids = [54, 55, 61] 
@@ -948,8 +948,8 @@ expected_event_ids = [54, 55, 61] name = "threeJoins2" query = ''' join by string(unique_pid) - [process where opcode=1] - [file where opcode=0 and file_name="svchost.exe"] + [process where opcode==1] + [file where opcode==0 and file_name=="svchost.exe"] [file where opcode == 0 and file_name == "lsass.exe"] ''' expected_event_ids = [54, 55, 61] @@ -958,8 +958,8 @@ expected_event_ids = [54, 55, 61] name = "threeJoinsWithUntil1" query = ''' join by unique_pid - [process where opcode=1] - [file where opcode=0 and file_name="svchost.exe"] + [process where opcode==1] + [file where opcode==0 and file_name=="svchost.exe"] [file where opcode == 0 and file_name == "lsass.exe"] until [file where opcode == 2] ''' @@ -969,8 +969,8 @@ expected_event_ids = [] name = "threeJoinsWithUntil2" query = ''' join by string(unique_pid), unique_pid, unique_pid * 2 - [process where opcode=1] - [file where opcode=0 and file_name="svchost.exe"] + [process where opcode==1] + [file where opcode==0 and file_name=="svchost.exe"] [file where opcode == 0 and file_name == "lsass.exe"] until [file where opcode == 2] ''' @@ -980,7 +980,7 @@ expected_event_ids = [] name = "twoJoins2" query = ''' join - [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [file where opcode==0 and file_name=="svchost.exe"] by unique_pid [process where opcode == 1] by unique_ppid ''' expected_event_ids = [55, 56] @@ -989,7 +989,7 @@ expected_event_ids = [55, 56] name = "twoJoins3" query = ''' join by unique_pid - [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name=="python.exe"] [file where file_name == "*.exe"] ''' expected_event_ids = [54, 55] 
@@ -998,7 +998,7 @@ expected_event_ids = [54, 55] name = "twoJoins4" query = ''' join by user_name - [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name=="python.exe"] [process where opcode in (1,3) and process_name == "smss.exe"] ''' expected_event_ids = [48, 78] @@ -1007,7 +1007,7 @@ expected_event_ids = [48, 78] name = "twoJoins5" query = ''' join - [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name=="python.exe"] [process where opcode in (1,3) and process_name == "smss.exe"] ''' expected_event_ids = [48, 3, 50, 78] @@ -1076,7 +1076,7 @@ any where true [[queries]] name = "multipleConditionsWithDescendant1" query = ''' -process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe") +process where opcode==1 and process_name in ("services.exe", "smss.exe", "lsass.exe") and descendant of [process where process_name == "cmd.exe" ] ''' expected_event_ids = [62, 68, 78] @@ -1092,7 +1092,7 @@ expected_event_ids = [62, 64, 68, 69, 78, 80] [[queries]] name = "multipleConditionsWithDescendant2" query = ''' -process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe") +process where opcode==2 and process_name in ("services.exe", "smss.exe", "lsass.exe") and descendant of [process where process_name == "cmd.exe" ] ''' expected_event_ids = [64, 69, 80] 
@@ -1100,16 +1100,16 @@ expected_event_ids = [64, 69, 80] [[queries]] name = "childOf1" query = ''' -process where process_name="svchost.exe" - and child of [file where file_name="svchost.exe" and opcode=0] +process where process_name=="svchost.exe" + and child of [file where file_name=="svchost.exe" and opcode==0] ''' expected_event_ids = [56, 58] [[queries]] name = "childOf2" query = ''' -process where process_name="svchost.exe" - and not child of [file where file_name="svchost.exe" and opcode=0] +process where process_name=="svchost.exe" + and not child of [file where file_name=="svchost.exe" and opcode==0] | head 3 ''' expected_event_ids = [11, 13, 15] @@ -1117,10 +1117,10 @@ expected_event_ids = [11, 13, 15] [[queries]] name = "nestedChildOf1" query = ''' -process where process_name="lsass.exe" +process where process_name=="lsass.exe" and child of [ - process where process_name="python.exe" - and child of [process where process_name="cmd.exe"] + process where process_name=="python.exe" + and child of [process where process_name=="cmd.exe"] ] ''' expected_event_ids = [62, 64] @@ -1130,7 +1130,7 @@ name = "nestedChildOf2" query = ''' file where child of [ process where child of [ - process where child of [process where process_name="*wsmprovhost.exe"] + process where child of [process where process_name=="*wsmprovhost.exe"] ] ] | tail 1 @@ -1140,7 +1140,7 @@ expected_event_ids = [91] [[queries]] name = "fileByUniquePid1" query = ''' -file where process_name = "python.exe" +file where process_name == "python.exe" | unique unique_pid ''' expected_event_ids = [55, 95] @@ -1148,7 +1148,7 @@ expected_event_ids = [55, 95] [[queries]] name = "fileByUniquePid2" query = ''' -file where event of [process where process_name = "python.exe" ] +file where event of [process where process_name == "python.exe" ] | unique unique_pid ''' expected_event_ids = [55, 95] 
@@ -1156,20 +1156,20 @@ expected_event_ids = [55, 95] [[queries]] name = "simpleStringEquality" query = ''' -process where process_name = "python.exe" +process where process_name == "python.exe" ''' expected_event_ids = [48, 50, 51, 54, 93] [[queries]] name = "eventOfProcess" -query = 'process where event of [process where process_name = "python.exe" ]' +query = 'process where event of [process where process_name == "python.exe" ]' expected_event_ids = [48, 50, 51, 54, 93] [[queries]] name = "twoSequencesWithKeys2" query = ''' sequence - [file where file_name="lsass.exe"] by file_path,process_path + [file where file_name=="lsass.exe"] by file_path,process_path [process where true] by process_path,parent_process_path ''' expected_event_ids = [61, 62] @@ -1178,7 +1178,7 @@ expected_event_ids = [61, 62] name = "twoSequencesWithKeys3" query = ''' sequence by user_name - [file where file_name="lsass.exe"] by file_path, process_path + [file where file_name=="lsass.exe"] by file_path, process_path [process where true] by process_path, parent_process_path ''' expected_event_ids = [61, 62] @@ -1187,7 +1187,7 @@ expected_event_ids = [61, 62] name = "twoSequencesWithKeys4" query = ''' sequence by pid - [file where file_name="lsass.exe"] by file_path,process_path + [file where file_name=="lsass.exe"] by file_path,process_path [process where true] by process_path,parent_process_path ''' expected_event_ids = [] @@ -1196,10 +1196,10 @@ expected_event_ids = [] name = "fourSequencesByMixedFields" query = ''' sequence by user_name - [file where opcode=0] by file_path - [process where opcode=1] by process_path - [process where opcode=2] by process_path - [file where opcode=2] by file_path + [file where opcode==0] by file_path + [process where opcode==1] by process_path + [process where opcode==2] by process_path + [file where opcode==2] by file_path | tail 1 ''' expected_event_ids = [88, 89, 90, 91] 
@@ -1208,8 +1208,8 @@ expected_event_ids = [88, 89, 90, 91] name = "twoSequencesWithTwoKeysAndUntil" query = ''' sequence by user_name - [file where opcode=0] by pid,file_path - [file where opcode=2] by pid,file_path + [file where opcode==0] by pid,file_path + [file where opcode==2] by pid,file_path until [process where opcode == 2] by ppid,process_path ''' @@ -1219,8 +1219,8 @@ expected_event_ids = [] name = "twoSequencesWithUntil" query = ''' sequence by user_name - [file where opcode=0] by pid,file_path - [file where opcode=2] by pid,file_path + [file where opcode==0] by pid,file_path + [file where opcode==2] by pid,file_path until [process where opcode == 5] by ppid,process_path | head 2 @@ -1231,10 +1231,10 @@ expected_event_ids = [55, 59, 61, 65] name = "fourSequencesWithTail" query = ''' sequence by pid - [file where opcode=0] by file_path - [process where opcode=1] by process_path - [process where opcode=2] by process_path - [file where opcode=2] by file_path + [file where opcode==0] by file_path + [process where opcode==1] by process_path + [process where opcode==2] by process_path + [file where opcode==2] by file_path | tail 1 ''' expected_event_ids = [] @@ -1436,7 +1436,7 @@ name = "stringEqualsCaseInsensitive1" case_insensitive = true query = ''' process where "net.EXE" == original_file_name -| filter process_name="net*.exe" +| filter process_name=="net*.exe" ''' expected_event_ids = [97] note = "check that case insensitive comparisons are performed even for lhs strings." @@ -1445,7 +1445,7 @@ note = "check that case insensitive comparisons are performed even for lhs strin name = "stringEqualsCaseInsensitive2" case_insensitive = true query = ''' -process where process_name == original_file_name and process_name="net*.exe" +process where process_name == original_file_name and process_name=="net*.exe" ''' expected_event_ids = [97, 98] note = "check that case insensitive comparisons are performed for fields." 
@@ -1463,7 +1463,7 @@ description = "check that case insensitive comparisons are performed for fields. name = "startsWithCaseSensitive" case_sensitive = true query = ''' -file where opcode=0 and startsWith(file_name, "explorer.") +file where opcode==0 and startsWith(file_name, "explorer.") ''' expected_event_ids = [88] description = "check built-in string functions" @@ -1473,7 +1473,7 @@ description = "check built-in string functions" name = "startsWithCaseInsensitive1" case_insensitive = true query = ''' -file where opcode=0 and startsWith(file_name, "explorer.") +file where opcode==0 and startsWith(file_name, "explorer.") ''' expected_event_ids = [88, 92] description = "check built-in string functions" @@ -1483,7 +1483,7 @@ description = "check built-in string functions" name = "startsWithCaseInsensitive2" case_insensitive = true query = ''' -file where opcode=0 and startsWith(file_name, "exploRER.") +file where opcode==0 and startsWith(file_name, "exploRER.") ''' expected_event_ids = [88, 92] description = "check built-in string functions" @@ -1492,7 +1492,7 @@ description = "check built-in string functions" name = "startsWithCaseInsensitive3" case_insensitive = true query = ''' -file where opcode=0 and startsWith(file_name, "expLORER.exe") +file where opcode==0 and startsWith(file_name, "expLORER.exe") ''' expected_event_ids = [88, 92] description = "check built-in string functions" @@ -1500,7 +1500,7 @@ description = "check built-in string functions" [[queries]] name = "endsWith1" query = ''' -file where opcode=0 and endsWith(file_name, "lorer.exe") +file where opcode==0 and endsWith(file_name, "lorer.exe") ''' expected_event_ids = [88] description = "check built-in string functions" 
@@ -1510,7 +1510,7 @@ description = "check built-in string functions" name = "endsWithCaseInsensitive" case_insensitive = true query = ''' -file where opcode=0 and endsWith(file_name, "loREr.exe") +file where opcode==0 and endsWith(file_name, "loREr.exe") ''' expected_event_ids = [88] description = "check built-in string functions" @@ -1518,7 +1518,7 @@ description = "check built-in string functions" [[queries]] name = "endsWith2" query = ''' -file where opcode=0 and startsWith("explorer.exeaaaaaaaa", file_name) +file where opcode==0 and startsWith("explorer.exeaaaaaaaa", file_name) ''' expected_event_ids = [88] description = "check built-in string functions" @@ -1527,7 +1527,7 @@ description = "check built-in string functions" name = "endsWithAndCondition" case_insensitive = true query = ''' -file where opcode=0 and serial_event_id = 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe") +file where opcode==0 and serial_event_id == 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe") ''' expected_event_ids = [88] description = "check built-in string functions" @@ -1535,7 +1535,7 @@ description = "check built-in string functions" [[queries]] name = "stringContains2" query = ''' -file where opcode=0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name) +file where opcode==0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name) ''' expected_event_ids = [88] description = "check built-in string functions" @@ -1544,7 +1544,7 @@ description = "check built-in string functions" name = "indexOfCaseInsensitive" case_insensitive = true query = ''' -file where opcode=0 and indexOf(file_name, "plore") == 2 and indexOf(file_name, ".pf") == null +file where opcode==0 and indexOf(file_name, "plore") == 2 and indexOf(file_name, ".pf") == null ''' expected_event_ids = [88] description = "check built-in string functions" 
@@ -1552,7 +1552,7 @@ description = "check built-in string functions" [[queries]] name = "indexOf1" query = ''' -file where opcode=0 and indexOf(file_name, "explorer.") > 0 and indexOf(file_name, "plore", 100) > 0 +file where opcode==0 and indexOf(file_name, "explorer.") > 0 and indexOf(file_name, "plore", 100) > 0 ''' expected_event_ids = [] description = "check built-in string functions" @@ -1561,7 +1561,7 @@ description = "check built-in string functions" name = "indexOf2" case_sensitive = true query = ''' -file where opcode=0 and indexOf(file_name, "plorer.", 0) == 2 +file where opcode==0 and indexOf(file_name, "plorer.", 0) == 2 ''' expected_event_ids = [88] description = "check built-in string functions" @@ -1570,7 +1570,7 @@ description = "check built-in string functions" name = "indexOf3" case_insensitive = true query = ''' -file where opcode=0 and indexOf(file_name, "plorer.", 0) == 2 +file where opcode==0 and indexOf(file_name, "plorer.", 0) == 2 ''' expected_event_ids = [88, 92] description = "check built-in string functions" @@ -1579,7 +1579,7 @@ description = "check built-in string functions" name = "indexOf4" case_sensitive = true query = ''' -file where opcode=0 and indexOf(file_name, "plorer.", 2) != null +file where opcode==0 and indexOf(file_name, "plorer.", 2) != null ''' expected_event_ids = [88] description = "check built-in string functions" @@ -1588,7 +1588,7 @@ description = "check built-in string functions" name = "indexOf5" case_insensitive = true query = ''' -file where opcode=0 and indexOf(file_name, "plorer.", 2) != null +file where opcode==0 and indexOf(file_name, "plorer.", 2) != null ''' expected_event_ids = [88, 92] description = "check built-in string functions" 
@@ -1596,7 +1596,7 @@ description = "check built-in string functions" [[queries]] name = "indexOf6" query = ''' -file where opcode=0 and indexOf(file_name, "plorer.", 4) != null +file where opcode==0 and indexOf(file_name, "plorer.", 4) != null ''' expected_event_ids = [] description = "check built-in string functions" @@ -1604,7 +1604,7 @@ description = "check built-in string functions" [[queries]] name = "indexOf7" query = ''' -file where opcode=0 and indexOf(file_name, "thing that never happened") != null +file where opcode==0 and indexOf(file_name, "thing that never happened") != null ''' expected_event_ids = [] description = "check built-in string functions" @@ -1613,7 +1613,7 @@ description = "check built-in string functions" name = "indexOf8" case_insensitive = true query = ''' -file where opcode=0 and indexOf(file_name, "plorer.", 2) == 2 +file where opcode==0 and indexOf(file_name, "plorer.", 2) == 2 ''' expected_event_ids = [88, 92] description = "check substring ranges" @@ -1622,7 +1622,7 @@ description = "check substring ranges" name = "indexOf9" case_sensitive = true query = ''' -file where opcode=0 and indexOf(file_name, "plorer.", 2) == 2 +file where opcode==0 and indexOf(file_name, "plorer.", 2) == 2 ''' expected_event_ids = [88] description = "check substring ranges" @@ -1631,7 +1631,7 @@ description = "check substring ranges" name = "indexOf10" case_sensitive = true query = ''' -file where opcode=0 and indexOf(file_name, "explorer.", 0) == 0 +file where opcode==0 and indexOf(file_name, "explorer.", 0) == 0 ''' expected_event_ids = [88] description = "check substring ranges" @@ -1640,7 +1640,7 @@ description = "check substring ranges" name = "indexOf11" case_insensitive = true query = ''' -file where opcode=0 and indexOf(file_name, "explorer.", 0) == 0 +file where opcode==0 and indexOf(file_name, "explorer.", 0) == 0 ''' expected_event_ids = [88, 92] description = "check substring ranges" 
@@ -1649,7 +1649,7 @@ description = "check substring ranges" name = "substring1" case_insensitive = true query = ''' -file where serial_event_id=88 and substring(file_name, 0, 4) == "expl" +file where serial_event_id==88 and substring(file_name, 0, 4) == "expl" ''' expected_event_ids = [88] description = "check substring ranges" diff --git a/x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml b/x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml index bcfa2a9549b16..e9fef03a99535 100644 --- a/x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml +++ b/x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml @@ -238,27 +238,27 @@ registry where length(bytes_written_string_list) == 2 and bytes_written_string_l [[queries]] name = "descendant1" query = ''' -file where file_name == "csrss.exe" and opcode=0 - and descendant of [process where opcode in (1,3) and process_name="cmd.exe"] +file where file_name == "csrss.exe" and opcode==0 + and descendant of [process where opcode in (1,3) and process_name=="cmd.exe"] ''' expected_event_ids = [72] [[queries]] name = "descendant2" query = ''' -process where opcode=1 and process_name == "csrss.exe" - and descendant of [file where file_name == "csrss.exe" and opcode=0] +process where opcode==1 and process_name == "csrss.exe" + and descendant of [file where file_name == "csrss.exe" and opcode==0] ''' expected_event_ids = [73] [[queries]] name = "descendant3" query = ''' -process where opcode=1 and process_name == "smss.exe" +process where opcode==1 and process_name == "smss.exe" and descendant of [ - file where file_name == "csrss.exe" and opcode=0 + file where file_name == "csrss.exe" and opcode==0 and descendant of [ - process where opcode in(1,3) and process_name="cmd.exe" + process where opcode in(1,3) and process_name=="cmd.exe" ] ] ''' 
@@ -349,8 +349,8 @@ process where true name = "fourSequencesByPidWithUntil1" query = ''' sequence - [file where opcode=0] by unique_pid - [file where opcode=0] by unique_pid + [file where opcode==0] by unique_pid + [file where opcode==0] by unique_pid | filter events[1].serial_event_id == 92 ''' expected_event_ids = [87, 92] @@ -359,9 +359,9 @@ expected_event_ids = [87, 92] name = "doubleSameSequenceWithByUntilAndHead2" query = ''' join - [file where opcode=0 and file_name="*.exe"] by unique_pid - [file where opcode=2 and file_name="*.exe"] by unique_pid -until [process where opcode=1] by unique_ppid + [file where opcode==0 and file_name=="*.exe"] by unique_pid + [file where opcode==2 and file_name=="*.exe"] by unique_pid +until [process where opcode==1] by unique_ppid | head 1 ''' expected_event_ids = [61, 59] @@ -370,7 +370,7 @@ expected_event_ids = [61, 59] name = "twoJoins1" query = ''' join by user_name - [process where opcode in (1,3) and process_name="smss.exe"] + [process where opcode in (1,3) and process_name=="smss.exe"] [process where opcode in (1,3) and process_name == "python.exe"] ''' expected_event_ids = [78, 48] @@ -379,8 +379,8 @@ expected_event_ids = [78, 48] name = "threeJoins1" query = ''' join by unique_pid - [process where opcode=1] - [file where opcode=0 and file_name="svchost.exe"] + [process where opcode==1] + [file where opcode==0 and file_name=="svchost.exe"] [file where opcode == 0 and file_name == "lsass.exe"] ''' expected_event_ids = [54, 55, 61] @@ -389,8 +389,8 @@ expected_event_ids = [54, 55, 61] name = "threeJoins2" query = ''' join by string(unique_pid) - [process where opcode=1] - [file where opcode=0 and file_name="svchost.exe"] + [process where opcode==1] + [file where opcode==0 and file_name=="svchost.exe"] [file where opcode == 0 and file_name == "lsass.exe"] ''' expected_event_ids = [54, 55, 61] 
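Review bot: Several entries in test_queries_unsupported.toml carry names that do not describe the query under them, and since the commit rewrites those very entries it is a good moment to align them: at @@ -349 `fourSequencesByPidWithUntil1` is a two-clause sequence with a filter and no `until`, at @@ -359 `doubleSameSequenceWithByUntilAndHead2` is a `join` (the same query is `doubleJoinWithByUntilAndHead` in test_queries.toml), and at @@ -399 and @@ -410 of the following hunks two consecutive entries are both named `threeJoinsWithUntil1` where test_queries.toml names the second one `threeJoinsWithUntil2`. The `name` lines are context, so this is pre-existing, and I cannot tell from the hunks whether anything keys on them; renaming the duplicate to `name = "threeJoinsWithUntil2"` and matching the other two to the supported file would at least make a failing entry unambiguous to locate.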
@@ -399,8 +399,8 @@ expected_event_ids = [54, 55, 61] name = "threeJoinsWithUntil1" query = ''' join by unique_pid - [process where opcode=1] - [file where opcode=0 and file_name="svchost.exe"] + [process where opcode==1] + [file where opcode==0 and file_name=="svchost.exe"] [file where opcode == 0 and file_name == "lsass.exe"] until [file where opcode == 2] ''' @@ -410,8 +410,8 @@ expected_event_ids = [] name = "threeJoinsWithUntil1" query = ''' join by string(unique_pid), unique_pid, unique_pid * 2 - [process where opcode=1] - [file where opcode=0 and file_name="svchost.exe"] + [process where opcode==1] + [file where opcode==0 and file_name=="svchost.exe"] [file where opcode == 0 and file_name == "lsass.exe"] until [file where opcode == 2] ''' @@ -421,7 +421,7 @@ expected_event_ids = [] name = "twoJoins2" query = ''' join - [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [file where opcode==0 and file_name=="svchost.exe"] by unique_pid [process where opcode == 1] by unique_ppid ''' expected_event_ids = [55, 56] @@ -430,7 +430,7 @@ expected_event_ids = [55, 56] name = "twoJoins3" query = ''' join by unique_pid - [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name=="python.exe"] [file where file_name == "*.exe"] ''' expected_event_ids = [54, 55] @@ -439,7 +439,7 @@ expected_event_ids = [54, 55] name = "twoJoins4" query = ''' join by user_name - [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name=="python.exe"] [process where opcode in (1,3) and process_name == "smss.exe"] ''' expected_event_ids = [48, 78] @@ -448,7 +448,7 @@ expected_event_ids = [48, 78] name = "twoJoins5" query = ''' join - [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name=="python.exe"] [process where opcode in (1,3) and process_name == "smss.exe"] ''' expected_event_ids = [48, 3, 50, 78] 
@@ -568,7 +568,7 @@ any where true [[queries]] name = "multipleConditionsWithDescendant1" query = ''' -process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe") +process where opcode==1 and process_name in ("services.exe", "smss.exe", "lsass.exe") and descendant of [process where process_name == "cmd.exe" ] ''' expected_event_ids = [62, 68, 78] @@ -584,7 +584,7 @@ expected_event_ids = [62, 64, 68, 69, 78, 80] [[queries]] name = "multipleConditionsWithDescendant2" query = ''' -process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe") +process where opcode==2 and process_name in ("services.exe", "smss.exe", "lsass.exe") and descendant of [process where process_name == "cmd.exe" ] ''' expected_event_ids = [64, 69, 80] @@ -592,16 +592,16 @@ expected_event_ids = [64, 69, 80] [[queries]] name = "childOf1" query = ''' -process where process_name="svchost.exe" - and child of [file where file_name="svchost.exe" and opcode=0] +process where process_name=="svchost.exe" + and child of [file where file_name=="svchost.exe" and opcode==0] ''' expected_event_ids = [56, 58] [[queries]] name = "childOf2" query = ''' -process where process_name="svchost.exe" - and not child of [file where file_name="svchost.exe" and opcode=0] +process where process_name=="svchost.exe" + and not child of [file where file_name=="svchost.exe" and opcode==0] | head 3 ''' expected_event_ids = [11, 13, 15] @@ -609,10 +609,10 @@ expected_event_ids = [11, 13, 15] [[queries]] name = "nestedChildOf1" query = ''' -process where process_name="lsass.exe" +process where process_name=="lsass.exe" and child of [ - process where process_name="python.exe" - and child of [process where process_name="cmd.exe"] + process where process_name=="python.exe" + and child of [process where process_name=="cmd.exe"] ] ''' expected_event_ids = [62, 64] 
@@ -622,7 +622,7 @@ name = "nestedChildOf2" query = ''' file where child of [ process where child of [ - process where child of [process where process_name="*wsmprovhost.exe"] + process where child of [process where process_name=="*wsmprovhost.exe"] ] ] | tail 1 @@ -632,7 +632,7 @@ expected_event_ids = [91] [[queries]] name = "fileByUniquePid1" query = ''' -file where process_name = "python.exe" +file where process_name == "python.exe" | unique unique_pid ''' expected_event_ids = [55, 95] @@ -640,7 +640,7 @@ expected_event_ids = [55, 95] [[queries]] name = "fileByUniquePid2" query = ''' -file where event of [process where process_name = "python.exe" ] +file where event of [process where process_name == "python.exe" ] | unique unique_pid ''' expected_event_ids = [55, 95] @@ -648,13 +648,13 @@ expected_event_ids = [55, 95] [[queries]] name = "simpleStringEquality" query = ''' -process where process_name = "python.exe" +process where process_name == "python.exe" ''' expected_event_ids = [48, 50, 51, 54, 93] [[queries]] name = "eventOfProcess" -query = 'process where event of [process where process_name = "python.exe" ]' +query = 'process where event of [process where process_name == "python.exe" ]' expected_event_ids = [48, 50, 51, 54, 93] [[queries]] @@ -834,7 +834,7 @@ name = "stringEqualsCaseInsensitive1" case_insensitive = true query = ''' process where "net.EXE" == original_file_name -| filter process_name="net*.exe" +| filter process_name=="net*.exe" ''' expected_event_ids = [97] note = "check that case insensitive comparisons are performed even for lhs strings." 
@@ -843,7 +843,7 @@ note = "check that case insensitive comparisons are performed even for lhs strin name = "stringEqualsCaseInsensitive2" case_insensitive = true query = ''' -process where process_name == original_file_name and process_name="net*.exe" +process where process_name == original_file_name and process_name=="net*.exe" ''' expected_event_ids = [97, 98] note = "check that case insensitive comparisons are performed for fields." diff --git a/x-pack/plugin/eql/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/eql/10_basic.yml b/x-pack/plugin/eql/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/eql/10_basic.yml index fd74fa282cc9b..b0aefa1ea9d9b 100644 --- a/x-pack/plugin/eql/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/eql/10_basic.yml +++ b/x-pack/plugin/eql/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/eql/10_basic.yml @@ -39,7 +39,7 @@ setup: eql.search: index: eql_test body: - query: 'process where user = "SYSTEM"' + query: 'process where user == "SYSTEM"' - match: {timed_out: false} - match: {hits.total.value: 3} @@ -55,7 +55,7 @@ setup: eql.search: index: eql_test body: - query: 'sequence by user [process where user = "SYSTEM"] [process where true]' + query: 'sequence by user [process where user == "SYSTEM"] [process where true]' - match: {timed_out: false} - match: {hits.total.value: 2} - match: {hits.total.relation: "eq"} @@ -72,7 +72,7 @@ setup: eql.search: index: eql_test body: - query: 'sequence by id [process where user = "SYSTEM"] [process where true]' + query: 'sequence by id [process where user == "SYSTEM"] [process where true]' - match: {timed_out: false} - match: {hits.total.value: 2} - match: {hits.total.relation: "eq"} 
@@ -89,7 +89,7 @@ setup: eql.search: index: eql_test body: - query: 'sequence by valid [process where user = "SYSTEM"] [process where true]' + query: 'sequence by valid [process where user == "SYSTEM"] [process where true]' - match: {timed_out: false} - match: {hits.total.value: 1} - match: {hits.total.relation: "eq"} @@ -105,7 +105,7 @@ setup: wait_for_completion_timeout: "0ms" keep_on_completion: true body: - query: 'process where user = "SYSTEM"' + query: 'process where user == "SYSTEM"' - is_true: id - set: {id: id} diff --git a/x-pack/plugin/eql/qa/security/src/javaRestTest/java/org/elasticsearch/xpack/eql/AsyncEqlSecurityIT.java b/x-pack/plugin/eql/qa/security/src/javaRestTest/java/org/elasticsearch/xpack/eql/AsyncEqlSecurityIT.java index 34d1e09db9cb9..3295cdcd422b3 100644 --- a/x-pack/plugin/eql/qa/security/src/javaRestTest/java/org/elasticsearch/xpack/eql/AsyncEqlSecurityIT.java +++ b/x-pack/plugin/eql/qa/security/src/javaRestTest/java/org/elasticsearch/xpack/eql/AsyncEqlSecurityIT.java @@ -75,7 +75,7 @@ public void testWithUsers() throws Exception { private void testCase(String user, String other) throws Exception { for (String indexName : new String[] {"index", "index-" + user}) { - Response submitResp = submitAsyncEqlSearch(indexName, "my_event where val=0", TimeValue.timeValueSeconds(10), user); + Response submitResp = submitAsyncEqlSearch(indexName, "my_event where val==0", TimeValue.timeValueSeconds(10), user); assertOK(submitResp); String id = extractResponseId(submitResp); Response getResp = getAsyncEqlSearch(id, user); diff --git a/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/AsyncEqlSearchActionIT.java b/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/AsyncEqlSearchActionIT.java index 10d59ecce49ed..58c7b5608eb8c 100644 --- a/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/AsyncEqlSearchActionIT.java 
+++ b/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/AsyncEqlSearchActionIT.java @@ -102,7 +102,7 @@ public void testBasicAsyncExecution() throws Exception { prepareIndex(); boolean success = randomBoolean(); - String query = success ? "my_event where i=1" : "my_event where 10/i=1"; + String query = success ? "my_event where i==1" : "my_event where 10/i==1"; EqlSearchRequest request = new EqlSearchRequest().indices("test").query(query).eventCategoryField("event_type") .waitForCompletionTimeout(TimeValue.timeValueMillis(1)); @@ -151,7 +151,7 @@ public void testGoingAsync() throws Exception { prepareIndex(); boolean success = randomBoolean(); - String query = success ? "my_event where i=1" : "my_event where 10/i=1"; + String query = success ? "my_event where i==1" : "my_event where 10/i==1"; EqlSearchRequest request = new EqlSearchRequest().indices("test").query(query).eventCategoryField("event_type") .waitForCompletionTimeout(TimeValue.timeValueMillis(1)); @@ -204,7 +204,7 @@ public void testAsyncCancellation() throws Exception { prepareIndex(); boolean success = randomBoolean(); - String query = success ? "my_event where i=1" : "my_event where 10/i=1"; + String query = success ? "my_event where i==1" : "my_event where 10/i==1"; EqlSearchRequest request = new EqlSearchRequest().indices("test").query(query).eventCategoryField("event_type") .waitForCompletionTimeout(TimeValue.timeValueMillis(1)); @@ -243,7 +243,7 @@ public void testFinishingBeforeTimeout() throws Exception { boolean success = randomBoolean(); boolean keepOnCompletion = randomBoolean(); - String query = success ? "my_event where i=1" : "my_event where 10/i=1"; + String query = success ? "my_event where i==1" : "my_event where 10/i==1"; EqlSearchRequest request = new EqlSearchRequest().indices("test").query(query).eventCategoryField("event_type") .waitForCompletionTimeout(TimeValue.timeValueSeconds(10)); if (keepOnCompletion || randomBoolean()) { 
diff --git a/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/EqlCancellationIT.java b/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/EqlCancellationIT.java index abe3dd0929535..2dd151c98f17d 100644 --- a/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/EqlCancellationIT.java +++ b/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/EqlCancellationIT.java @@ -58,7 +58,7 @@ public void testCancellation() throws Exception { indexRandom(true, builders); boolean cancelDuringSearch = randomBoolean(); List plugins = initBlockFactory(cancelDuringSearch, cancelDuringSearch == false); - EqlSearchRequest request = new EqlSearchRequest().indices("test").query("my_event where val=1").eventCategoryField("event_type"); + EqlSearchRequest request = new EqlSearchRequest().indices("test").query("my_event where val==1").eventCategoryField("event_type"); String id = randomAlphaOfLength(10); logger.trace("Preparing search"); // We might perform field caps on the same thread if it is local client, so we cannot use the standard mechanism diff --git a/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/RestEqlCancellationIT.java b/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/RestEqlCancellationIT.java index f1a6588affee7..5523f99e76df6 100644 --- a/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/RestEqlCancellationIT.java +++ b/x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/RestEqlCancellationIT.java 
@@ -100,7 +100,7 @@ public void testRestCancellation() throws Exception { // We are cancelling during both mapping and searching but we cancel during mapping so we should never reach the second block List plugins = initBlockFactory(true, true); org.elasticsearch.client.eql.EqlSearchRequest eqlSearchRequest = - new org.elasticsearch.client.eql.EqlSearchRequest("test", "my_event where val=1").eventCategoryField("event_type"); + new org.elasticsearch.client.eql.EqlSearchRequest("test", "my_event where val==1").eventCategoryField("event_type"); String id = randomAlphaOfLength(10); Request request = new Request("GET", "/test/_eql/search"); diff --git a/x-pack/plugin/eql/src/main/antlr/EqlBase.g4 b/x-pack/plugin/eql/src/main/antlr/EqlBase.g4 index 3b93cbc6e2c11..69eb6aceedf9f 100644 --- a/x-pack/plugin/eql/src/main/antlr/EqlBase.g4 +++ b/x-pack/plugin/eql/src/main/antlr/EqlBase.g4 @@ -26,7 +26,7 @@ query ; sequenceParams - : WITH (MAXSPAN EQ timeUnit) + : WITH (MAXSPAN ASGN timeUnit) ; sequence @@ -169,7 +169,8 @@ WHERE: 'where'; WITH: 'with'; // Operators -EQ : '=' | '=='; +ASGN : '='; +EQ : '=='; NEQ : '!='; LT : '<'; LTE : '<='; diff --git a/x-pack/plugin/eql/src/main/antlr/EqlBase.tokens b/x-pack/plugin/eql/src/main/antlr/EqlBase.tokens index c5e847ffadb90..326bb0dbfa835 100644 --- a/x-pack/plugin/eql/src/main/antlr/EqlBase.tokens +++ b/x-pack/plugin/eql/src/main/antlr/EqlBase.tokens 
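Review bot: The new `ASGN : '=';` token sits in the `// Operators` list directly above `EQ : '==';` with nothing saying it is no longer a comparison operator, so the next reader of the lexer rules will reasonably assume `=` is still an equality alternative. A one-line comment on it, `// '=' is assignment only (e.g. maxspan=10m); equality comparisons must use '=='`, would record the intent of this change in the grammar itself rather than only in the commit message. Because `=` is still lexed as a token, a legacy query such as `process where user = "SYSTEM"` presumably now reaches the parser and fails with ANTLR's generic mismatched-input error instead of a hint to use `==`; it may be worth checking that the parser's error reporting (not visible in this hunk) yields an actionable message for that case, since existing detection rules written with `=` will stop parsing after this change.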
@@ -15,32 +15,33 @@ TRUE=14 UNTIL=15 WHERE=16 WITH=17 -EQ=18 -NEQ=19 -LT=20 -LTE=21 -GT=22 -GTE=23 -PLUS=24 -MINUS=25 -ASTERISK=26 -SLASH=27 -PERCENT=28 -DOT=29 -COMMA=30 -LB=31 -RB=32 -LP=33 -RP=34 -PIPE=35 -ESCAPED_IDENTIFIER=36 -STRING=37 -INTEGER_VALUE=38 -DECIMAL_VALUE=39 -IDENTIFIER=40 -LINE_COMMENT=41 -BRACKETED_COMMENT=42 -WS=43 +ASGN=18 +EQ=19 +NEQ=20 +LT=21 +LTE=22 +GT=23 +GTE=24 +PLUS=25 +MINUS=26 +ASTERISK=27 +SLASH=28 +PERCENT=29 +DOT=30 +COMMA=31 +LB=32 +RB=33 +LP=34 +RP=35 +PIPE=36 +ESCAPED_IDENTIFIER=37 +STRING=38 +INTEGER_VALUE=39 +DECIMAL_VALUE=40 +IDENTIFIER=41 +LINE_COMMENT=42 +BRACKETED_COMMENT=43 +WS=44 'and'=1 'any'=2 'by'=3 @@ -58,20 +59,22 @@ WS=43 'until'=15 'where'=16 'with'=17 -'!='=19 -'<'=20 -'<='=21 -'>'=22 -'>='=23 -'+'=24 -'-'=25 -'*'=26 -'/'=27 -'%'=28 -'.'=29 -','=30 -'['=31 -']'=32 -'('=33 -')'=34 -'|'=35 +'='=18 +'=='=19 +'!='=20 +'<'=21 +'<='=22 +'>'=23 +'>='=24 +'+'=25 +'-'=26 +'*'=27 +'/'=28 +'%'=29 +'.'=30 +','=31 +'['=32 +']'=33 +'('=34 +')'=35 +'|'=36 diff --git a/x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens b/x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens index c5e847ffadb90..326bb0dbfa835 100644 --- a/x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens +++ b/x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens @@ -15,32 +15,33 @@ TRUE=14 UNTIL=15 WHERE=16 WITH=17 -EQ=18 -NEQ=19 -LT=20 -LTE=21 -GT=22 -GTE=23 -PLUS=24 -MINUS=25 -ASTERISK=26 -SLASH=27 -PERCENT=28 -DOT=29 -COMMA=30 -LB=31 -RB=32 -LP=33 -RP=34 -PIPE=35 -ESCAPED_IDENTIFIER=36 -STRING=37 -INTEGER_VALUE=38 -DECIMAL_VALUE=39 -IDENTIFIER=40 -LINE_COMMENT=41 -BRACKETED_COMMENT=42 -WS=43 +ASGN=18 +EQ=19 +NEQ=20 +LT=21 +LTE=22 +GT=23 +GTE=24 +PLUS=25 +MINUS=26 +ASTERISK=27 +SLASH=28 +PERCENT=29 +DOT=30 +COMMA=31 +LB=32 +RB=33 +LP=34 +RP=35 +PIPE=36 +ESCAPED_IDENTIFIER=37 +STRING=38 +INTEGER_VALUE=39 +DECIMAL_VALUE=40 +IDENTIFIER=41 +LINE_COMMENT=42 +BRACKETED_COMMENT=43 +WS=44 'and'=1 'any'=2 'by'=3 
@@ -58,20 +59,22 @@ WS=43 'until'=15 'where'=16 'with'=17 -'!='=19 -'<'=20 -'<='=21 -'>'=22 -'>='=23 -'+'=24 -'-'=25 -'*'=26 -'/'=27 -'%'=28 -'.'=29 -','=30 -'['=31 -']'=32 -'('=33 -')'=34 -'|'=35 +'='=18 +'=='=19 +'!='=20 +'<'=21 +'<='=22 +'>'=23 +'>='=24 +'+'=25 +'-'=26 +'*'=27 +'/'=28 +'%'=29 +'.'=30 +','=31 +'['=32 +']'=33 +'('=34 +')'=35 +'|'=36 diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java index c030e7480e239..291388d348c13 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java 
@@ -18,20 +18,20 @@ class EqlBaseLexer extends Lexer { new PredictionContextCache(); public static final int AND=1, ANY=2, BY=3, FALSE=4, FORK=5, IN=6, JOIN=7, MAXSPAN=8, NOT=9, NULL=10, - OF=11, OR=12, SEQUENCE=13, TRUE=14, UNTIL=15, WHERE=16, WITH=17, EQ=18, - NEQ=19, LT=20, LTE=21, GT=22, GTE=23, PLUS=24, MINUS=25, ASTERISK=26, - SLASH=27, PERCENT=28, DOT=29, COMMA=30, LB=31, RB=32, LP=33, RP=34, PIPE=35, - ESCAPED_IDENTIFIER=36, STRING=37, INTEGER_VALUE=38, DECIMAL_VALUE=39, - IDENTIFIER=40, LINE_COMMENT=41, BRACKETED_COMMENT=42, WS=43; + OF=11, OR=12, SEQUENCE=13, TRUE=14, UNTIL=15, WHERE=16, WITH=17, ASGN=18, + EQ=19, NEQ=20, LT=21, LTE=22, GT=23, GTE=24, PLUS=25, MINUS=26, ASTERISK=27, + SLASH=28, PERCENT=29, DOT=30, COMMA=31, LB=32, RB=33, LP=34, RP=35, PIPE=36, + ESCAPED_IDENTIFIER=37, STRING=38, INTEGER_VALUE=39, DECIMAL_VALUE=40, + IDENTIFIER=41, LINE_COMMENT=42, BRACKETED_COMMENT=43, WS=44; public static String[] modeNames = { "DEFAULT_MODE" }; public static final String[] ruleNames = { "AND", "ANY", "BY", "FALSE", "FORK", "IN", "JOIN", "MAXSPAN", "NOT", "NULL", - "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "EQ", "NEQ", - "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", "PERCENT", - "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER", + "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", "EQ", + "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", + "PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER", "STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "EXPONENT", "DIGIT", "LETTER", "LINE_COMMENT", "BRACKETED_COMMENT", "WS" }; 
@@ -39,14 +39,14 @@ class EqlBaseLexer extends Lexer { private static final String[] _LITERAL_NAMES = { null, "'and'", "'any'", "'by'", "'false'", "'fork'", "'in'", "'join'", "'maxspan'", "'not'", "'null'", "'of'", "'or'", "'sequence'", "'true'", - "'until'", "'where'", "'with'", null, "'!='", "'<'", "'<='", "'>'", "'>='", - "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'", "'('", - "')'", "'|'" + "'until'", "'where'", "'with'", "'='", "'=='", "'!='", "'<'", "'<='", + "'>'", "'>='", "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", + "']'", "'('", "')'", "'|'" }; private static final String[] _SYMBOLIC_NAMES = { null, "AND", "ANY", "BY", "FALSE", "FORK", "IN", "JOIN", "MAXSPAN", "NOT", - "NULL", "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "EQ", - "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", + "NULL", "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", + "EQ", "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", "PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER", "STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "LINE_COMMENT", "BRACKETED_COMMENT", "WS" 
@@ -106,141 +106,142 @@ public EqlBaseLexer(CharStream input) { public ATN getATN() { return _ATN; } public static final String _serializedATN = - "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2-\u0185\b\1\4\2\t"+ + "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2.\u0187\b\1\4\2\t"+ "\2\4\3\t\3\4\4\t\4\4\5\t\5\4\6\t\6\4\7\t\7\4\b\t\b\4\t\t\t\4\n\t\n\4\13"+ "\t\13\4\f\t\f\4\r\t\r\4\16\t\16\4\17\t\17\4\20\t\20\4\21\t\21\4\22\t\22"+ "\4\23\t\23\4\24\t\24\4\25\t\25\4\26\t\26\4\27\t\27\4\30\t\30\4\31\t\31"+ "\4\32\t\32\4\33\t\33\4\34\t\34\4\35\t\35\4\36\t\36\4\37\t\37\4 \t \4!"+ "\t!\4\"\t\"\4#\t#\4$\t$\4%\t%\4&\t&\4\'\t\'\4(\t(\4)\t)\4*\t*\4+\t+\4"+ - ",\t,\4-\t-\4.\t.\4/\t/\3\2\3\2\3\2\3\2\3\3\3\3\3\3\3\3\3\4\3\4\3\4\3\5"+ - "\3\5\3\5\3\5\3\5\3\5\3\6\3\6\3\6\3\6\3\6\3\7\3\7\3\7\3\b\3\b\3\b\3\b\3"+ - "\b\3\t\3\t\3\t\3\t\3\t\3\t\3\t\3\t\3\n\3\n\3\n\3\n\3\13\3\13\3\13\3\13"+ - "\3\13\3\f\3\f\3\f\3\r\3\r\3\r\3\16\3\16\3\16\3\16\3\16\3\16\3\16\3\16"+ - "\3\16\3\17\3\17\3\17\3\17\3\17\3\20\3\20\3\20\3\20\3\20\3\20\3\21\3\21"+ - "\3\21\3\21\3\21\3\21\3\22\3\22\3\22\3\22\3\22\3\23\3\23\3\23\5\23\u00b7"+ - "\n\23\3\24\3\24\3\24\3\25\3\25\3\26\3\26\3\26\3\27\3\27\3\30\3\30\3\30"+ - "\3\31\3\31\3\32\3\32\3\33\3\33\3\34\3\34\3\35\3\35\3\36\3\36\3\37\3\37"+ - "\3 \3 \3!\3!\3\"\3\"\3#\3#\3$\3$\3%\3%\7%\u00e0\n%\f%\16%\u00e3\13%\3"+ - "%\3%\3&\3&\3&\3&\7&\u00eb\n&\f&\16&\u00ee\13&\3&\3&\3&\3&\3&\7&\u00f5"+ - "\n&\f&\16&\u00f8\13&\3&\3&\3&\3&\3&\3&\3&\7&\u0101\n&\f&\16&\u0104\13"+ - "&\3&\3&\3&\3&\3&\3&\3&\7&\u010d\n&\f&\16&\u0110\13&\3&\5&\u0113\n&\3\'"+ - "\6\'\u0116\n\'\r\'\16\'\u0117\3(\6(\u011b\n(\r(\16(\u011c\3(\3(\7(\u0121"+ - "\n(\f(\16(\u0124\13(\3(\3(\6(\u0128\n(\r(\16(\u0129\3(\6(\u012d\n(\r("+ - "\16(\u012e\3(\3(\7(\u0133\n(\f(\16(\u0136\13(\5(\u0138\n(\3(\3(\3(\3("+ - "\6(\u013e\n(\r(\16(\u013f\3(\3(\5(\u0144\n(\3)\3)\5)\u0148\n)\3)\3)\3"+ - ")\7)\u014d\n)\f)\16)\u0150\13)\3*\3*\5*\u0154\n*\3*\6*\u0157\n*\r*\16"+ - 
"*\u0158\3+\3+\3,\3,\3-\3-\3-\3-\7-\u0163\n-\f-\16-\u0166\13-\3-\5-\u0169"+ - "\n-\3-\5-\u016c\n-\3-\3-\3.\3.\3.\3.\3.\7.\u0175\n.\f.\16.\u0178\13.\3"+ - ".\3.\3.\3.\3.\3/\6/\u0180\n/\r/\16/\u0181\3/\3/\3\u0176\2\60\3\3\5\4\7"+ - "\5\t\6\13\7\r\b\17\t\21\n\23\13\25\f\27\r\31\16\33\17\35\20\37\21!\22"+ - "#\23%\24\'\25)\26+\27-\30/\31\61\32\63\33\65\34\67\359\36;\37= ?!A\"C"+ - "#E$G%I&K\'M(O)Q*S\2U\2W\2Y+[,]-\3\2\17\3\2bb\n\2$$))^^ddhhppttvv\6\2\f"+ - "\f\17\17))^^\6\2\f\f\17\17$$^^\5\2\f\f\17\17$$\5\2\f\f\17\17))\4\2BBa"+ - "a\4\2GGgg\4\2--//\3\2\62;\4\2C\\c|\4\2\f\f\17\17\5\2\13\f\17\17\"\"\u01a5"+ - "\2\3\3\2\2\2\2\5\3\2\2\2\2\7\3\2\2\2\2\t\3\2\2\2\2\13\3\2\2\2\2\r\3\2"+ - "\2\2\2\17\3\2\2\2\2\21\3\2\2\2\2\23\3\2\2\2\2\25\3\2\2\2\2\27\3\2\2\2"+ - "\2\31\3\2\2\2\2\33\3\2\2\2\2\35\3\2\2\2\2\37\3\2\2\2\2!\3\2\2\2\2#\3\2"+ - "\2\2\2%\3\2\2\2\2\'\3\2\2\2\2)\3\2\2\2\2+\3\2\2\2\2-\3\2\2\2\2/\3\2\2"+ - "\2\2\61\3\2\2\2\2\63\3\2\2\2\2\65\3\2\2\2\2\67\3\2\2\2\29\3\2\2\2\2;\3"+ - "\2\2\2\2=\3\2\2\2\2?\3\2\2\2\2A\3\2\2\2\2C\3\2\2\2\2E\3\2\2\2\2G\3\2\2"+ - "\2\2I\3\2\2\2\2K\3\2\2\2\2M\3\2\2\2\2O\3\2\2\2\2Q\3\2\2\2\2Y\3\2\2\2\2"+ - "[\3\2\2\2\2]\3\2\2\2\3_\3\2\2\2\5c\3\2\2\2\7g\3\2\2\2\tj\3\2\2\2\13p\3"+ - "\2\2\2\ru\3\2\2\2\17x\3\2\2\2\21}\3\2\2\2\23\u0085\3\2\2\2\25\u0089\3"+ - "\2\2\2\27\u008e\3\2\2\2\31\u0091\3\2\2\2\33\u0094\3\2\2\2\35\u009d\3\2"+ - "\2\2\37\u00a2\3\2\2\2!\u00a8\3\2\2\2#\u00ae\3\2\2\2%\u00b6\3\2\2\2\'\u00b8"+ - "\3\2\2\2)\u00bb\3\2\2\2+\u00bd\3\2\2\2-\u00c0\3\2\2\2/\u00c2\3\2\2\2\61"+ - "\u00c5\3\2\2\2\63\u00c7\3\2\2\2\65\u00c9\3\2\2\2\67\u00cb\3\2\2\29\u00cd"+ - "\3\2\2\2;\u00cf\3\2\2\2=\u00d1\3\2\2\2?\u00d3\3\2\2\2A\u00d5\3\2\2\2C"+ - "\u00d7\3\2\2\2E\u00d9\3\2\2\2G\u00db\3\2\2\2I\u00dd\3\2\2\2K\u0112\3\2"+ - "\2\2M\u0115\3\2\2\2O\u0143\3\2\2\2Q\u0147\3\2\2\2S\u0151\3\2\2\2U\u015a"+ - "\3\2\2\2W\u015c\3\2\2\2Y\u015e\3\2\2\2[\u016f\3\2\2\2]\u017f\3\2\2\2_"+ - "`\7c\2\2`a\7p\2\2ab\7f\2\2b\4\3\2\2\2cd\7c\2\2de\7p\2\2ef\7{\2\2f\6\3"+ - 
"\2\2\2gh\7d\2\2hi\7{\2\2i\b\3\2\2\2jk\7h\2\2kl\7c\2\2lm\7n\2\2mn\7u\2"+ - "\2no\7g\2\2o\n\3\2\2\2pq\7h\2\2qr\7q\2\2rs\7t\2\2st\7m\2\2t\f\3\2\2\2"+ - "uv\7k\2\2vw\7p\2\2w\16\3\2\2\2xy\7l\2\2yz\7q\2\2z{\7k\2\2{|\7p\2\2|\20"+ - "\3\2\2\2}~\7o\2\2~\177\7c\2\2\177\u0080\7z\2\2\u0080\u0081\7u\2\2\u0081"+ - "\u0082\7r\2\2\u0082\u0083\7c\2\2\u0083\u0084\7p\2\2\u0084\22\3\2\2\2\u0085"+ - "\u0086\7p\2\2\u0086\u0087\7q\2\2\u0087\u0088\7v\2\2\u0088\24\3\2\2\2\u0089"+ - "\u008a\7p\2\2\u008a\u008b\7w\2\2\u008b\u008c\7n\2\2\u008c\u008d\7n\2\2"+ - "\u008d\26\3\2\2\2\u008e\u008f\7q\2\2\u008f\u0090\7h\2\2\u0090\30\3\2\2"+ - "\2\u0091\u0092\7q\2\2\u0092\u0093\7t\2\2\u0093\32\3\2\2\2\u0094\u0095"+ - "\7u\2\2\u0095\u0096\7g\2\2\u0096\u0097\7s\2\2\u0097\u0098\7w\2\2\u0098"+ - "\u0099\7g\2\2\u0099\u009a\7p\2\2\u009a\u009b\7e\2\2\u009b\u009c\7g\2\2"+ - "\u009c\34\3\2\2\2\u009d\u009e\7v\2\2\u009e\u009f\7t\2\2\u009f\u00a0\7"+ - "w\2\2\u00a0\u00a1\7g\2\2\u00a1\36\3\2\2\2\u00a2\u00a3\7w\2\2\u00a3\u00a4"+ - "\7p\2\2\u00a4\u00a5\7v\2\2\u00a5\u00a6\7k\2\2\u00a6\u00a7\7n\2\2\u00a7"+ - " \3\2\2\2\u00a8\u00a9\7y\2\2\u00a9\u00aa\7j\2\2\u00aa\u00ab\7g\2\2\u00ab"+ - "\u00ac\7t\2\2\u00ac\u00ad\7g\2\2\u00ad\"\3\2\2\2\u00ae\u00af\7y\2\2\u00af"+ - "\u00b0\7k\2\2\u00b0\u00b1\7v\2\2\u00b1\u00b2\7j\2\2\u00b2$\3\2\2\2\u00b3"+ - "\u00b7\7?\2\2\u00b4\u00b5\7?\2\2\u00b5\u00b7\7?\2\2\u00b6\u00b3\3\2\2"+ - "\2\u00b6\u00b4\3\2\2\2\u00b7&\3\2\2\2\u00b8\u00b9\7#\2\2\u00b9\u00ba\7"+ - "?\2\2\u00ba(\3\2\2\2\u00bb\u00bc\7>\2\2\u00bc*\3\2\2\2\u00bd\u00be\7>"+ - "\2\2\u00be\u00bf\7?\2\2\u00bf,\3\2\2\2\u00c0\u00c1\7@\2\2\u00c1.\3\2\2"+ - "\2\u00c2\u00c3\7@\2\2\u00c3\u00c4\7?\2\2\u00c4\60\3\2\2\2\u00c5\u00c6"+ - "\7-\2\2\u00c6\62\3\2\2\2\u00c7\u00c8\7/\2\2\u00c8\64\3\2\2\2\u00c9\u00ca"+ - "\7,\2\2\u00ca\66\3\2\2\2\u00cb\u00cc\7\61\2\2\u00cc8\3\2\2\2\u00cd\u00ce"+ - "\7\'\2\2\u00ce:\3\2\2\2\u00cf\u00d0\7\60\2\2\u00d0<\3\2\2\2\u00d1\u00d2"+ - "\7.\2\2\u00d2>\3\2\2\2\u00d3\u00d4\7]\2\2\u00d4@\3\2\2\2\u00d5\u00d6\7"+ - 
"_\2\2\u00d6B\3\2\2\2\u00d7\u00d8\7*\2\2\u00d8D\3\2\2\2\u00d9\u00da\7+"+ - "\2\2\u00daF\3\2\2\2\u00db\u00dc\7~\2\2\u00dcH\3\2\2\2\u00dd\u00e1\7b\2"+ - "\2\u00de\u00e0\n\2\2\2\u00df\u00de\3\2\2\2\u00e0\u00e3\3\2\2\2\u00e1\u00df"+ - "\3\2\2\2\u00e1\u00e2\3\2\2\2\u00e2\u00e4\3\2\2\2\u00e3\u00e1\3\2\2\2\u00e4"+ - "\u00e5\7b\2\2\u00e5J\3\2\2\2\u00e6\u00ec\7)\2\2\u00e7\u00e8\7^\2\2\u00e8"+ - "\u00eb\t\3\2\2\u00e9\u00eb\n\4\2\2\u00ea\u00e7\3\2\2\2\u00ea\u00e9\3\2"+ - "\2\2\u00eb\u00ee\3\2\2\2\u00ec\u00ea\3\2\2\2\u00ec\u00ed\3\2\2\2\u00ed"+ - "\u00ef\3\2\2\2\u00ee\u00ec\3\2\2\2\u00ef\u0113\7)\2\2\u00f0\u00f6\7$\2"+ - "\2\u00f1\u00f2\7^\2\2\u00f2\u00f5\t\3\2\2\u00f3\u00f5\n\5\2\2\u00f4\u00f1"+ - "\3\2\2\2\u00f4\u00f3\3\2\2\2\u00f5\u00f8\3\2\2\2\u00f6\u00f4\3\2\2\2\u00f6"+ - "\u00f7\3\2\2\2\u00f7\u00f9\3\2\2\2\u00f8\u00f6\3\2\2\2\u00f9\u0113\7$"+ - "\2\2\u00fa\u00fb\7A\2\2\u00fb\u00fc\7$\2\2\u00fc\u0102\3\2\2\2\u00fd\u00fe"+ - "\7^\2\2\u00fe\u0101\7$\2\2\u00ff\u0101\n\6\2\2\u0100\u00fd\3\2\2\2\u0100"+ - "\u00ff\3\2\2\2\u0101\u0104\3\2\2\2\u0102\u0100\3\2\2\2\u0102\u0103\3\2"+ - "\2\2\u0103\u0105\3\2\2\2\u0104\u0102\3\2\2\2\u0105\u0113\7$\2\2\u0106"+ - "\u0107\7A\2\2\u0107\u0108\7)\2\2\u0108\u010e\3\2\2\2\u0109\u010a\7^\2"+ - "\2\u010a\u010d\7)\2\2\u010b\u010d\n\7\2\2\u010c\u0109\3\2\2\2\u010c\u010b"+ - "\3\2\2\2\u010d\u0110\3\2\2\2\u010e\u010c\3\2\2\2\u010e\u010f\3\2\2\2\u010f"+ - "\u0111\3\2\2\2\u0110\u010e\3\2\2\2\u0111\u0113\7)\2\2\u0112\u00e6\3\2"+ - "\2\2\u0112\u00f0\3\2\2\2\u0112\u00fa\3\2\2\2\u0112\u0106\3\2\2\2\u0113"+ - "L\3\2\2\2\u0114\u0116\5U+\2\u0115\u0114\3\2\2\2\u0116\u0117\3\2\2\2\u0117"+ - "\u0115\3\2\2\2\u0117\u0118\3\2\2\2\u0118N\3\2\2\2\u0119\u011b\5U+\2\u011a"+ - "\u0119\3\2\2\2\u011b\u011c\3\2\2\2\u011c\u011a\3\2\2\2\u011c\u011d\3\2"+ - "\2\2\u011d\u011e\3\2\2\2\u011e\u0122\5;\36\2\u011f\u0121\5U+\2\u0120\u011f"+ - "\3\2\2\2\u0121\u0124\3\2\2\2\u0122\u0120\3\2\2\2\u0122\u0123\3\2\2\2\u0123"+ - 
"\u0144\3\2\2\2\u0124\u0122\3\2\2\2\u0125\u0127\5;\36\2\u0126\u0128\5U"+ - "+\2\u0127\u0126\3\2\2\2\u0128\u0129\3\2\2\2\u0129\u0127\3\2\2\2\u0129"+ - "\u012a\3\2\2\2\u012a\u0144\3\2\2\2\u012b\u012d\5U+\2\u012c\u012b\3\2\2"+ - "\2\u012d\u012e\3\2\2\2\u012e\u012c\3\2\2\2\u012e\u012f\3\2\2\2\u012f\u0137"+ - "\3\2\2\2\u0130\u0134\5;\36\2\u0131\u0133\5U+\2\u0132\u0131\3\2\2\2\u0133"+ - "\u0136\3\2\2\2\u0134\u0132\3\2\2\2\u0134\u0135\3\2\2\2\u0135\u0138\3\2"+ - "\2\2\u0136\u0134\3\2\2\2\u0137\u0130\3\2\2\2\u0137\u0138\3\2\2\2\u0138"+ - "\u0139\3\2\2\2\u0139\u013a\5S*\2\u013a\u0144\3\2\2\2\u013b\u013d\5;\36"+ - "\2\u013c\u013e\5U+\2\u013d\u013c\3\2\2\2\u013e\u013f\3\2\2\2\u013f\u013d"+ - "\3\2\2\2\u013f\u0140\3\2\2\2\u0140\u0141\3\2\2\2\u0141\u0142\5S*\2\u0142"+ - "\u0144\3\2\2\2\u0143\u011a\3\2\2\2\u0143\u0125\3\2\2\2\u0143\u012c\3\2"+ - "\2\2\u0143\u013b\3\2\2\2\u0144P\3\2\2\2\u0145\u0148\5W,\2\u0146\u0148"+ - "\t\b\2\2\u0147\u0145\3\2\2\2\u0147\u0146\3\2\2\2\u0148\u014e\3\2\2\2\u0149"+ - "\u014d\5W,\2\u014a\u014d\5U+\2\u014b\u014d\7a\2\2\u014c\u0149\3\2\2\2"+ - "\u014c\u014a\3\2\2\2\u014c\u014b\3\2\2\2\u014d\u0150\3\2\2\2\u014e\u014c"+ - "\3\2\2\2\u014e\u014f\3\2\2\2\u014fR\3\2\2\2\u0150\u014e\3\2\2\2\u0151"+ - "\u0153\t\t\2\2\u0152\u0154\t\n\2\2\u0153\u0152\3\2\2\2\u0153\u0154\3\2"+ - "\2\2\u0154\u0156\3\2\2\2\u0155\u0157\5U+\2\u0156\u0155\3\2\2\2\u0157\u0158"+ - "\3\2\2\2\u0158\u0156\3\2\2\2\u0158\u0159\3\2\2\2\u0159T\3\2\2\2\u015a"+ - "\u015b\t\13\2\2\u015bV\3\2\2\2\u015c\u015d\t\f\2\2\u015dX\3\2\2\2\u015e"+ - "\u015f\7\61\2\2\u015f\u0160\7\61\2\2\u0160\u0164\3\2\2\2\u0161\u0163\n"+ - "\r\2\2\u0162\u0161\3\2\2\2\u0163\u0166\3\2\2\2\u0164\u0162\3\2\2\2\u0164"+ - "\u0165\3\2\2\2\u0165\u0168\3\2\2\2\u0166\u0164\3\2\2\2\u0167\u0169\7\17"+ - "\2\2\u0168\u0167\3\2\2\2\u0168\u0169\3\2\2\2\u0169\u016b\3\2\2\2\u016a"+ - "\u016c\7\f\2\2\u016b\u016a\3\2\2\2\u016b\u016c\3\2\2\2\u016c\u016d\3\2"+ - "\2\2\u016d\u016e\b-\2\2\u016eZ\3\2\2\2\u016f\u0170\7\61\2\2\u0170\u0171"+ - 
"\7,\2\2\u0171\u0176\3\2\2\2\u0172\u0175\5[.\2\u0173\u0175\13\2\2\2\u0174"+ - "\u0172\3\2\2\2\u0174\u0173\3\2\2\2\u0175\u0178\3\2\2\2\u0176\u0177\3\2"+ - "\2\2\u0176\u0174\3\2\2\2\u0177\u0179\3\2\2\2\u0178\u0176\3\2\2\2\u0179"+ - "\u017a\7,\2\2\u017a\u017b\7\61\2\2\u017b\u017c\3\2\2\2\u017c\u017d\b."+ - "\2\2\u017d\\\3\2\2\2\u017e\u0180\t\16\2\2\u017f\u017e\3\2\2\2\u0180\u0181"+ - "\3\2\2\2\u0181\u017f\3\2\2\2\u0181\u0182\3\2\2\2\u0182\u0183\3\2\2\2\u0183"+ - "\u0184\b/\2\2\u0184^\3\2\2\2\"\2\u00b6\u00e1\u00ea\u00ec\u00f4\u00f6\u0100"+ - "\u0102\u010c\u010e\u0112\u0117\u011c\u0122\u0129\u012e\u0134\u0137\u013f"+ - "\u0143\u0147\u014c\u014e\u0153\u0158\u0164\u0168\u016b\u0174\u0176\u0181"+ + ",\t,\4-\t-\4.\t.\4/\t/\4\60\t\60\3\2\3\2\3\2\3\2\3\3\3\3\3\3\3\3\3\4\3"+ + "\4\3\4\3\5\3\5\3\5\3\5\3\5\3\5\3\6\3\6\3\6\3\6\3\6\3\7\3\7\3\7\3\b\3\b"+ + "\3\b\3\b\3\b\3\t\3\t\3\t\3\t\3\t\3\t\3\t\3\t\3\n\3\n\3\n\3\n\3\13\3\13"+ + "\3\13\3\13\3\13\3\f\3\f\3\f\3\r\3\r\3\r\3\16\3\16\3\16\3\16\3\16\3\16"+ + "\3\16\3\16\3\16\3\17\3\17\3\17\3\17\3\17\3\20\3\20\3\20\3\20\3\20\3\20"+ + "\3\21\3\21\3\21\3\21\3\21\3\21\3\22\3\22\3\22\3\22\3\22\3\23\3\23\3\24"+ + "\3\24\3\24\3\25\3\25\3\25\3\26\3\26\3\27\3\27\3\27\3\30\3\30\3\31\3\31"+ + "\3\31\3\32\3\32\3\33\3\33\3\34\3\34\3\35\3\35\3\36\3\36\3\37\3\37\3 \3"+ + " \3!\3!\3\"\3\"\3#\3#\3$\3$\3%\3%\3&\3&\7&\u00e2\n&\f&\16&\u00e5\13&\3"+ + "&\3&\3\'\3\'\3\'\3\'\7\'\u00ed\n\'\f\'\16\'\u00f0\13\'\3\'\3\'\3\'\3\'"+ + "\3\'\7\'\u00f7\n\'\f\'\16\'\u00fa\13\'\3\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'"+ + "\u0103\n\'\f\'\16\'\u0106\13\'\3\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'\u010f\n"+ + "\'\f\'\16\'\u0112\13\'\3\'\5\'\u0115\n\'\3(\6(\u0118\n(\r(\16(\u0119\3"+ + ")\6)\u011d\n)\r)\16)\u011e\3)\3)\7)\u0123\n)\f)\16)\u0126\13)\3)\3)\6"+ + ")\u012a\n)\r)\16)\u012b\3)\6)\u012f\n)\r)\16)\u0130\3)\3)\7)\u0135\n)"+ + "\f)\16)\u0138\13)\5)\u013a\n)\3)\3)\3)\3)\6)\u0140\n)\r)\16)\u0141\3)"+ + "\3)\5)\u0146\n)\3*\3*\5*\u014a\n*\3*\3*\3*\7*\u014f\n*\f*\16*\u0152\13"+ + 
"*\3+\3+\5+\u0156\n+\3+\6+\u0159\n+\r+\16+\u015a\3,\3,\3-\3-\3.\3.\3.\3"+ + ".\7.\u0165\n.\f.\16.\u0168\13.\3.\5.\u016b\n.\3.\5.\u016e\n.\3.\3.\3/"+ + "\3/\3/\3/\3/\7/\u0177\n/\f/\16/\u017a\13/\3/\3/\3/\3/\3/\3\60\6\60\u0182"+ + "\n\60\r\60\16\60\u0183\3\60\3\60\3\u0178\2\61\3\3\5\4\7\5\t\6\13\7\r\b"+ + "\17\t\21\n\23\13\25\f\27\r\31\16\33\17\35\20\37\21!\22#\23%\24\'\25)\26"+ + "+\27-\30/\31\61\32\63\33\65\34\67\359\36;\37= ?!A\"C#E$G%I&K\'M(O)Q*S"+ + "+U\2W\2Y\2[,]-_.\3\2\17\3\2bb\n\2$$))^^ddhhppttvv\6\2\f\f\17\17))^^\6"+ + "\2\f\f\17\17$$^^\5\2\f\f\17\17$$\5\2\f\f\17\17))\4\2BBaa\4\2GGgg\4\2-"+ + "-//\3\2\62;\4\2C\\c|\4\2\f\f\17\17\5\2\13\f\17\17\"\"\u01a6\2\3\3\2\2"+ + "\2\2\5\3\2\2\2\2\7\3\2\2\2\2\t\3\2\2\2\2\13\3\2\2\2\2\r\3\2\2\2\2\17\3"+ + "\2\2\2\2\21\3\2\2\2\2\23\3\2\2\2\2\25\3\2\2\2\2\27\3\2\2\2\2\31\3\2\2"+ + "\2\2\33\3\2\2\2\2\35\3\2\2\2\2\37\3\2\2\2\2!\3\2\2\2\2#\3\2\2\2\2%\3\2"+ + "\2\2\2\'\3\2\2\2\2)\3\2\2\2\2+\3\2\2\2\2-\3\2\2\2\2/\3\2\2\2\2\61\3\2"+ + "\2\2\2\63\3\2\2\2\2\65\3\2\2\2\2\67\3\2\2\2\29\3\2\2\2\2;\3\2\2\2\2=\3"+ + "\2\2\2\2?\3\2\2\2\2A\3\2\2\2\2C\3\2\2\2\2E\3\2\2\2\2G\3\2\2\2\2I\3\2\2"+ + "\2\2K\3\2\2\2\2M\3\2\2\2\2O\3\2\2\2\2Q\3\2\2\2\2S\3\2\2\2\2[\3\2\2\2\2"+ + "]\3\2\2\2\2_\3\2\2\2\3a\3\2\2\2\5e\3\2\2\2\7i\3\2\2\2\tl\3\2\2\2\13r\3"+ + "\2\2\2\rw\3\2\2\2\17z\3\2\2\2\21\177\3\2\2\2\23\u0087\3\2\2\2\25\u008b"+ + "\3\2\2\2\27\u0090\3\2\2\2\31\u0093\3\2\2\2\33\u0096\3\2\2\2\35\u009f\3"+ + "\2\2\2\37\u00a4\3\2\2\2!\u00aa\3\2\2\2#\u00b0\3\2\2\2%\u00b5\3\2\2\2\'"+ + "\u00b7\3\2\2\2)\u00ba\3\2\2\2+\u00bd\3\2\2\2-\u00bf\3\2\2\2/\u00c2\3\2"+ + "\2\2\61\u00c4\3\2\2\2\63\u00c7\3\2\2\2\65\u00c9\3\2\2\2\67\u00cb\3\2\2"+ + "\29\u00cd\3\2\2\2;\u00cf\3\2\2\2=\u00d1\3\2\2\2?\u00d3\3\2\2\2A\u00d5"+ + "\3\2\2\2C\u00d7\3\2\2\2E\u00d9\3\2\2\2G\u00db\3\2\2\2I\u00dd\3\2\2\2K"+ + "\u00df\3\2\2\2M\u0114\3\2\2\2O\u0117\3\2\2\2Q\u0145\3\2\2\2S\u0149\3\2"+ + "\2\2U\u0153\3\2\2\2W\u015c\3\2\2\2Y\u015e\3\2\2\2[\u0160\3\2\2\2]\u0171"+ + 
"\3\2\2\2_\u0181\3\2\2\2ab\7c\2\2bc\7p\2\2cd\7f\2\2d\4\3\2\2\2ef\7c\2\2"+ + "fg\7p\2\2gh\7{\2\2h\6\3\2\2\2ij\7d\2\2jk\7{\2\2k\b\3\2\2\2lm\7h\2\2mn"+ + "\7c\2\2no\7n\2\2op\7u\2\2pq\7g\2\2q\n\3\2\2\2rs\7h\2\2st\7q\2\2tu\7t\2"+ + "\2uv\7m\2\2v\f\3\2\2\2wx\7k\2\2xy\7p\2\2y\16\3\2\2\2z{\7l\2\2{|\7q\2\2"+ + "|}\7k\2\2}~\7p\2\2~\20\3\2\2\2\177\u0080\7o\2\2\u0080\u0081\7c\2\2\u0081"+ + "\u0082\7z\2\2\u0082\u0083\7u\2\2\u0083\u0084\7r\2\2\u0084\u0085\7c\2\2"+ + "\u0085\u0086\7p\2\2\u0086\22\3\2\2\2\u0087\u0088\7p\2\2\u0088\u0089\7"+ + "q\2\2\u0089\u008a\7v\2\2\u008a\24\3\2\2\2\u008b\u008c\7p\2\2\u008c\u008d"+ + "\7w\2\2\u008d\u008e\7n\2\2\u008e\u008f\7n\2\2\u008f\26\3\2\2\2\u0090\u0091"+ + "\7q\2\2\u0091\u0092\7h\2\2\u0092\30\3\2\2\2\u0093\u0094\7q\2\2\u0094\u0095"+ + "\7t\2\2\u0095\32\3\2\2\2\u0096\u0097\7u\2\2\u0097\u0098\7g\2\2\u0098\u0099"+ + "\7s\2\2\u0099\u009a\7w\2\2\u009a\u009b\7g\2\2\u009b\u009c\7p\2\2\u009c"+ + "\u009d\7e\2\2\u009d\u009e\7g\2\2\u009e\34\3\2\2\2\u009f\u00a0\7v\2\2\u00a0"+ + "\u00a1\7t\2\2\u00a1\u00a2\7w\2\2\u00a2\u00a3\7g\2\2\u00a3\36\3\2\2\2\u00a4"+ + "\u00a5\7w\2\2\u00a5\u00a6\7p\2\2\u00a6\u00a7\7v\2\2\u00a7\u00a8\7k\2\2"+ + "\u00a8\u00a9\7n\2\2\u00a9 \3\2\2\2\u00aa\u00ab\7y\2\2\u00ab\u00ac\7j\2"+ + "\2\u00ac\u00ad\7g\2\2\u00ad\u00ae\7t\2\2\u00ae\u00af\7g\2\2\u00af\"\3"+ + "\2\2\2\u00b0\u00b1\7y\2\2\u00b1\u00b2\7k\2\2\u00b2\u00b3\7v\2\2\u00b3"+ + "\u00b4\7j\2\2\u00b4$\3\2\2\2\u00b5\u00b6\7?\2\2\u00b6&\3\2\2\2\u00b7\u00b8"+ + "\7?\2\2\u00b8\u00b9\7?\2\2\u00b9(\3\2\2\2\u00ba\u00bb\7#\2\2\u00bb\u00bc"+ + "\7?\2\2\u00bc*\3\2\2\2\u00bd\u00be\7>\2\2\u00be,\3\2\2\2\u00bf\u00c0\7"+ + ">\2\2\u00c0\u00c1\7?\2\2\u00c1.\3\2\2\2\u00c2\u00c3\7@\2\2\u00c3\60\3"+ + "\2\2\2\u00c4\u00c5\7@\2\2\u00c5\u00c6\7?\2\2\u00c6\62\3\2\2\2\u00c7\u00c8"+ + "\7-\2\2\u00c8\64\3\2\2\2\u00c9\u00ca\7/\2\2\u00ca\66\3\2\2\2\u00cb\u00cc"+ + "\7,\2\2\u00cc8\3\2\2\2\u00cd\u00ce\7\61\2\2\u00ce:\3\2\2\2\u00cf\u00d0"+ + 
"\7\'\2\2\u00d0<\3\2\2\2\u00d1\u00d2\7\60\2\2\u00d2>\3\2\2\2\u00d3\u00d4"+ + "\7.\2\2\u00d4@\3\2\2\2\u00d5\u00d6\7]\2\2\u00d6B\3\2\2\2\u00d7\u00d8\7"+ + "_\2\2\u00d8D\3\2\2\2\u00d9\u00da\7*\2\2\u00daF\3\2\2\2\u00db\u00dc\7+"+ + "\2\2\u00dcH\3\2\2\2\u00dd\u00de\7~\2\2\u00deJ\3\2\2\2\u00df\u00e3\7b\2"+ + "\2\u00e0\u00e2\n\2\2\2\u00e1\u00e0\3\2\2\2\u00e2\u00e5\3\2\2\2\u00e3\u00e1"+ + "\3\2\2\2\u00e3\u00e4\3\2\2\2\u00e4\u00e6\3\2\2\2\u00e5\u00e3\3\2\2\2\u00e6"+ + "\u00e7\7b\2\2\u00e7L\3\2\2\2\u00e8\u00ee\7)\2\2\u00e9\u00ea\7^\2\2\u00ea"+ + "\u00ed\t\3\2\2\u00eb\u00ed\n\4\2\2\u00ec\u00e9\3\2\2\2\u00ec\u00eb\3\2"+ + "\2\2\u00ed\u00f0\3\2\2\2\u00ee\u00ec\3\2\2\2\u00ee\u00ef\3\2\2\2\u00ef"+ + "\u00f1\3\2\2\2\u00f0\u00ee\3\2\2\2\u00f1\u0115\7)\2\2\u00f2\u00f8\7$\2"+ + "\2\u00f3\u00f4\7^\2\2\u00f4\u00f7\t\3\2\2\u00f5\u00f7\n\5\2\2\u00f6\u00f3"+ + "\3\2\2\2\u00f6\u00f5\3\2\2\2\u00f7\u00fa\3\2\2\2\u00f8\u00f6\3\2\2\2\u00f8"+ + "\u00f9\3\2\2\2\u00f9\u00fb\3\2\2\2\u00fa\u00f8\3\2\2\2\u00fb\u0115\7$"+ + "\2\2\u00fc\u00fd\7A\2\2\u00fd\u00fe\7$\2\2\u00fe\u0104\3\2\2\2\u00ff\u0100"+ + "\7^\2\2\u0100\u0103\7$\2\2\u0101\u0103\n\6\2\2\u0102\u00ff\3\2\2\2\u0102"+ + "\u0101\3\2\2\2\u0103\u0106\3\2\2\2\u0104\u0102\3\2\2\2\u0104\u0105\3\2"+ + "\2\2\u0105\u0107\3\2\2\2\u0106\u0104\3\2\2\2\u0107\u0115\7$\2\2\u0108"+ + "\u0109\7A\2\2\u0109\u010a\7)\2\2\u010a\u0110\3\2\2\2\u010b\u010c\7^\2"+ + "\2\u010c\u010f\7)\2\2\u010d\u010f\n\7\2\2\u010e\u010b\3\2\2\2\u010e\u010d"+ + "\3\2\2\2\u010f\u0112\3\2\2\2\u0110\u010e\3\2\2\2\u0110\u0111\3\2\2\2\u0111"+ + "\u0113\3\2\2\2\u0112\u0110\3\2\2\2\u0113\u0115\7)\2\2\u0114\u00e8\3\2"+ + "\2\2\u0114\u00f2\3\2\2\2\u0114\u00fc\3\2\2\2\u0114\u0108\3\2\2\2\u0115"+ + "N\3\2\2\2\u0116\u0118\5W,\2\u0117\u0116\3\2\2\2\u0118\u0119\3\2\2\2\u0119"+ + "\u0117\3\2\2\2\u0119\u011a\3\2\2\2\u011aP\3\2\2\2\u011b\u011d\5W,\2\u011c"+ + "\u011b\3\2\2\2\u011d\u011e\3\2\2\2\u011e\u011c\3\2\2\2\u011e\u011f\3\2"+ + 
"\2\2\u011f\u0120\3\2\2\2\u0120\u0124\5=\37\2\u0121\u0123\5W,\2\u0122\u0121"+ + "\3\2\2\2\u0123\u0126\3\2\2\2\u0124\u0122\3\2\2\2\u0124\u0125\3\2\2\2\u0125"+ + "\u0146\3\2\2\2\u0126\u0124\3\2\2\2\u0127\u0129\5=\37\2\u0128\u012a\5W"+ + ",\2\u0129\u0128\3\2\2\2\u012a\u012b\3\2\2\2\u012b\u0129\3\2\2\2\u012b"+ + "\u012c\3\2\2\2\u012c\u0146\3\2\2\2\u012d\u012f\5W,\2\u012e\u012d\3\2\2"+ + "\2\u012f\u0130\3\2\2\2\u0130\u012e\3\2\2\2\u0130\u0131\3\2\2\2\u0131\u0139"+ + "\3\2\2\2\u0132\u0136\5=\37\2\u0133\u0135\5W,\2\u0134\u0133\3\2\2\2\u0135"+ + "\u0138\3\2\2\2\u0136\u0134\3\2\2\2\u0136\u0137\3\2\2\2\u0137\u013a\3\2"+ + "\2\2\u0138\u0136\3\2\2\2\u0139\u0132\3\2\2\2\u0139\u013a\3\2\2\2\u013a"+ + "\u013b\3\2\2\2\u013b\u013c\5U+\2\u013c\u0146\3\2\2\2\u013d\u013f\5=\37"+ + "\2\u013e\u0140\5W,\2\u013f\u013e\3\2\2\2\u0140\u0141\3\2\2\2\u0141\u013f"+ + "\3\2\2\2\u0141\u0142\3\2\2\2\u0142\u0143\3\2\2\2\u0143\u0144\5U+\2\u0144"+ + "\u0146\3\2\2\2\u0145\u011c\3\2\2\2\u0145\u0127\3\2\2\2\u0145\u012e\3\2"+ + "\2\2\u0145\u013d\3\2\2\2\u0146R\3\2\2\2\u0147\u014a\5Y-\2\u0148\u014a"+ + "\t\b\2\2\u0149\u0147\3\2\2\2\u0149\u0148\3\2\2\2\u014a\u0150\3\2\2\2\u014b"+ + "\u014f\5Y-\2\u014c\u014f\5W,\2\u014d\u014f\7a\2\2\u014e\u014b\3\2\2\2"+ + "\u014e\u014c\3\2\2\2\u014e\u014d\3\2\2\2\u014f\u0152\3\2\2\2\u0150\u014e"+ + "\3\2\2\2\u0150\u0151\3\2\2\2\u0151T\3\2\2\2\u0152\u0150\3\2\2\2\u0153"+ + "\u0155\t\t\2\2\u0154\u0156\t\n\2\2\u0155\u0154\3\2\2\2\u0155\u0156\3\2"+ + "\2\2\u0156\u0158\3\2\2\2\u0157\u0159\5W,\2\u0158\u0157\3\2\2\2\u0159\u015a"+ + "\3\2\2\2\u015a\u0158\3\2\2\2\u015a\u015b\3\2\2\2\u015bV\3\2\2\2\u015c"+ + "\u015d\t\13\2\2\u015dX\3\2\2\2\u015e\u015f\t\f\2\2\u015fZ\3\2\2\2\u0160"+ + "\u0161\7\61\2\2\u0161\u0162\7\61\2\2\u0162\u0166\3\2\2\2\u0163\u0165\n"+ + "\r\2\2\u0164\u0163\3\2\2\2\u0165\u0168\3\2\2\2\u0166\u0164\3\2\2\2\u0166"+ + "\u0167\3\2\2\2\u0167\u016a\3\2\2\2\u0168\u0166\3\2\2\2\u0169\u016b\7\17"+ + "\2\2\u016a\u0169\3\2\2\2\u016a\u016b\3\2\2\2\u016b\u016d\3\2\2\2\u016c"+ 
+ "\u016e\7\f\2\2\u016d\u016c\3\2\2\2\u016d\u016e\3\2\2\2\u016e\u016f\3\2"+ + "\2\2\u016f\u0170\b.\2\2\u0170\\\3\2\2\2\u0171\u0172\7\61\2\2\u0172\u0173"+ + "\7,\2\2\u0173\u0178\3\2\2\2\u0174\u0177\5]/\2\u0175\u0177\13\2\2\2\u0176"+ + "\u0174\3\2\2\2\u0176\u0175\3\2\2\2\u0177\u017a\3\2\2\2\u0178\u0179\3\2"+ + "\2\2\u0178\u0176\3\2\2\2\u0179\u017b\3\2\2\2\u017a\u0178\3\2\2\2\u017b"+ + "\u017c\7,\2\2\u017c\u017d\7\61\2\2\u017d\u017e\3\2\2\2\u017e\u017f\b/"+ + "\2\2\u017f^\3\2\2\2\u0180\u0182\t\16\2\2\u0181\u0180\3\2\2\2\u0182\u0183"+ + "\3\2\2\2\u0183\u0181\3\2\2\2\u0183\u0184\3\2\2\2\u0184\u0185\3\2\2\2\u0185"+ + "\u0186\b\60\2\2\u0186`\3\2\2\2!\2\u00e3\u00ec\u00ee\u00f6\u00f8\u0102"+ + "\u0104\u010e\u0110\u0114\u0119\u011e\u0124\u012b\u0130\u0136\u0139\u0141"+ + "\u0145\u0149\u014e\u0150\u0155\u015a\u0166\u016a\u016d\u0176\u0178\u0183"+ "\3\2\3\2"; public static final ATN _ATN = new ATNDeserializer().deserialize(_serializedATN.toCharArray()); diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java index 4648c04da2a76..4a5b02d6a842a 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java 
@@ -18,11 +18,11 @@ class EqlBaseParser extends Parser { new PredictionContextCache(); public static final int AND=1, ANY=2, BY=3, FALSE=4, FORK=5, IN=6, JOIN=7, MAXSPAN=8, NOT=9, NULL=10, - OF=11, OR=12, SEQUENCE=13, TRUE=14, UNTIL=15, WHERE=16, WITH=17, EQ=18, - NEQ=19, LT=20, LTE=21, GT=22, GTE=23, PLUS=24, MINUS=25, ASTERISK=26, - SLASH=27, PERCENT=28, DOT=29, COMMA=30, LB=31, RB=32, LP=33, RP=34, PIPE=35, - ESCAPED_IDENTIFIER=36, STRING=37, INTEGER_VALUE=38, DECIMAL_VALUE=39, - IDENTIFIER=40, LINE_COMMENT=41, BRACKETED_COMMENT=42, WS=43; + OF=11, OR=12, SEQUENCE=13, TRUE=14, UNTIL=15, WHERE=16, WITH=17, ASGN=18, + EQ=19, NEQ=20, LT=21, LTE=22, GT=23, GTE=24, PLUS=25, MINUS=26, ASTERISK=27, + SLASH=28, PERCENT=29, DOT=30, COMMA=31, LB=32, RB=33, LP=34, RP=35, PIPE=36, + ESCAPED_IDENTIFIER=37, STRING=38, INTEGER_VALUE=39, DECIMAL_VALUE=40, + IDENTIFIER=41, LINE_COMMENT=42, BRACKETED_COMMENT=43, WS=44; public static final int RULE_singleStatement = 0, RULE_singleExpression = 1, RULE_statement = 2, RULE_query = 3, RULE_sequenceParams = 4, RULE_sequence = 5, RULE_join = 6, 
@@ -45,14 +45,14 @@ class EqlBaseParser extends Parser { private static final String[] _LITERAL_NAMES = { null, "'and'", "'any'", "'by'", "'false'", "'fork'", "'in'", "'join'", "'maxspan'", "'not'", "'null'", "'of'", "'or'", "'sequence'", "'true'", - "'until'", "'where'", "'with'", null, "'!='", "'<'", "'<='", "'>'", "'>='", - "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'", "'('", - "')'", "'|'" + "'until'", "'where'", "'with'", "'='", "'=='", "'!='", "'<'", "'<='", + "'>'", "'>='", "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", + "']'", "'('", "')'", "'|'" }; private static final String[] _SYMBOLIC_NAMES = { null, "AND", "ANY", "BY", "FALSE", "FORK", "IN", "JOIN", "MAXSPAN", "NOT", - "NULL", "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "EQ", - "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", + "NULL", "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", + "EQ", "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", "PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER", "STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "LINE_COMMENT", "BRACKETED_COMMENT", "WS" @@ -341,7 +341,7 @@ public final QueryContext query() throws RecognitionException { public static class SequenceParamsContext extends ParserRuleContext { public TerminalNode WITH() { return getToken(EqlBaseParser.WITH, 0); } public TerminalNode MAXSPAN() { return getToken(EqlBaseParser.MAXSPAN, 0); } - public TerminalNode EQ() { return getToken(EqlBaseParser.EQ, 0); } + public TerminalNode ASGN() { return getToken(EqlBaseParser.ASGN, 0); } public TimeUnitContext timeUnit() { return getRuleContext(TimeUnitContext.class,0); } @@ -376,7 +376,7 @@ public final SequenceParamsContext sequenceParams() throws RecognitionException setState(77); match(MAXSPAN); setState(78); - match(EQ); + match(ASGN); setState(79); timeUnit(); } 
@@ -2574,7 +2574,7 @@ private boolean operatorExpression_sempred(OperatorExpressionContext _localctx, } public static final String _serializedATN = - "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\3-\u0124\4\2\t\2\4"+ + "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\3.\u0124\4\2\t\2\4"+ "\3\t\3\4\4\t\4\4\5\t\5\4\6\t\6\4\7\t\7\4\b\t\b\4\t\t\t\4\n\t\n\4\13\t"+ "\13\4\f\t\f\4\r\t\r\4\16\t\16\4\17\t\17\4\20\t\20\4\21\t\21\4\22\t\22"+ "\4\23\t\23\4\24\t\24\4\25\t\25\4\26\t\26\4\27\t\27\4\30\t\30\4\31\t\31"+ 
@@ -2598,13 +2598,13 @@ private boolean operatorExpression_sempred(OperatorExpressionContext _localctx, "\u010e\n\32\r\32\16\32\u010f\3\32\7\32\u0113\n\32\f\32\16\32\u0116\13"+ "\32\3\33\3\33\3\34\3\34\5\34\u011c\n\34\3\35\3\35\5\35\u0120\n\35\3\36"+ "\3\36\3\36\2\4 $\37\2\4\6\b\n\f\16\20\22\24\26\30\32\34\36 \"$&(*,.\60"+ - "\62\64\668:\2\7\3\2\32\33\3\2\34\36\3\2\24\31\4\2\6\6\20\20\4\2&&**\u0132"+ - "\2<\3\2\2\2\4?\3\2\2\2\6B\3\2\2\2\bL\3\2\2\2\nN\3\2\2\2\fS\3\2\2\2\16"+ - "h\3\2\2\2\20v\3\2\2\2\22\u0082\3\2\2\2\24\u008b\3\2\2\2\26\u008f\3\2\2"+ - "\2\30\u009a\3\2\2\2\32\u009e\3\2\2\2\34\u00a2\3\2\2\2\36\u00a7\3\2\2\2"+ - " \u00b0\3\2\2\2\"\u00c2\3\2\2\2$\u00cb\3\2\2\2&\u00d9\3\2\2\2(\u00ee\3"+ - "\2\2\2*\u00f0\3\2\2\2,\u0102\3\2\2\2.\u0104\3\2\2\2\60\u0106\3\2\2\2\62"+ - "\u0108\3\2\2\2\64\u0117\3\2\2\2\66\u0119\3\2\2\28\u011f\3\2\2\2:\u0121"+ + "\62\64\668:\2\7\3\2\33\34\3\2\35\37\3\2\25\32\4\2\6\6\20\20\4\2\'\'++"+ + "\u0132\2<\3\2\2\2\4?\3\2\2\2\6B\3\2\2\2\bL\3\2\2\2\nN\3\2\2\2\fS\3\2\2"+ + "\2\16h\3\2\2\2\20v\3\2\2\2\22\u0082\3\2\2\2\24\u008b\3\2\2\2\26\u008f"+ + "\3\2\2\2\30\u009a\3\2\2\2\32\u009e\3\2\2\2\34\u00a2\3\2\2\2\36\u00a7\3"+ + "\2\2\2 \u00b0\3\2\2\2\"\u00c2\3\2\2\2$\u00cb\3\2\2\2&\u00d9\3\2\2\2(\u00ee"+ + "\3\2\2\2*\u00f0\3\2\2\2,\u0102\3\2\2\2.\u0104\3\2\2\2\60\u0106\3\2\2\2"+ + "\62\u0108\3\2\2\2\64\u0117\3\2\2\2\66\u0119\3\2\2\28\u011f\3\2\2\2:\u0121"+ "\3\2\2\2<=\5\6\4\2=>\7\2\2\3>\3\3\2\2\2?@\5\36\20\2@A\7\2\2\3A\5\3\2\2"+ "\2BF\5\b\5\2CE\5\20\t\2DC\3\2\2\2EH\3\2\2\2FD\3\2\2\2FG\3\2\2\2G\7\3\2"+ "\2\2HF\3\2\2\2IM\5\f\7\2JM\5\16\b\2KM\5\32\16\2LI\3\2\2\2LJ\3\2\2\2LK"+ 
@@ -2615,63 +2615,63 @@ private boolean operatorExpression_sempred(OperatorExpressionContext _localctx, "\3\2\2\2bc\3\2\2\2cf\3\2\2\2de\7\21\2\2eg\5\26\f\2fd\3\2\2\2fg\3\2\2\2"+ "g\r\3\2\2\2hj\7\t\2\2ik\5\22\n\2ji\3\2\2\2jk\3\2\2\2kl\3\2\2\2ln\5\24"+ "\13\2mo\5\24\13\2nm\3\2\2\2op\3\2\2\2pn\3\2\2\2pq\3\2\2\2qt\3\2\2\2rs"+ - "\7\21\2\2su\5\24\13\2tr\3\2\2\2tu\3\2\2\2u\17\3\2\2\2vw\7%\2\2w\u0080"+ - "\7*\2\2x}\5 \21\2yz\7 \2\2z|\5 \21\2{y\3\2\2\2|\177\3\2\2\2}{\3\2\2\2"+ + "\7\21\2\2su\5\24\13\2tr\3\2\2\2tu\3\2\2\2u\17\3\2\2\2vw\7&\2\2w\u0080"+ + "\7+\2\2x}\5 \21\2yz\7!\2\2z|\5 \21\2{y\3\2\2\2|\177\3\2\2\2}{\3\2\2\2"+ "}~\3\2\2\2~\u0081\3\2\2\2\177}\3\2\2\2\u0080x\3\2\2\2\u0080\u0081\3\2"+ "\2\2\u0081\21\3\2\2\2\u0082\u0083\7\5\2\2\u0083\u0088\5\36\20\2\u0084"+ - "\u0085\7 \2\2\u0085\u0087\5\36\20\2\u0086\u0084\3\2\2\2\u0087\u008a\3"+ + "\u0085\7!\2\2\u0085\u0087\5\36\20\2\u0086\u0084\3\2\2\2\u0087\u008a\3"+ "\2\2\2\u0088\u0086\3\2\2\2\u0088\u0089\3\2\2\2\u0089\23\3\2\2\2\u008a"+ "\u0088\3\2\2\2\u008b\u008d\5\30\r\2\u008c\u008e\5\22\n\2\u008d\u008c\3"+ "\2\2\2\u008d\u008e\3\2\2\2\u008e\25\3\2\2\2\u008f\u0095\5\30\r\2\u0090"+ - "\u0093\7\7\2\2\u0091\u0092\7\24\2\2\u0092\u0094\5\60\31\2\u0093\u0091"+ + "\u0093\7\7\2\2\u0091\u0092\7\25\2\2\u0092\u0094\5\60\31\2\u0093\u0091"+ "\3\2\2\2\u0093\u0094\3\2\2\2\u0094\u0096\3\2\2\2\u0095\u0090\3\2\2\2\u0095"+ "\u0096\3\2\2\2\u0096\u0098\3\2\2\2\u0097\u0099\5\22\n\2\u0098\u0097\3"+ - "\2\2\2\u0098\u0099\3\2\2\2\u0099\27\3\2\2\2\u009a\u009b\7!\2\2\u009b\u009c"+ - "\5\34\17\2\u009c\u009d\7\"\2\2\u009d\31\3\2\2\2\u009e\u009f\5\34\17\2"+ - "\u009f\33\3\2\2\2\u00a0\u00a3\7\4\2\2\u00a1\u00a3\5\64\33\2\u00a2\u00a0"+ - "\3\2\2\2\u00a2\u00a1\3\2\2\2\u00a3\u00a4\3\2\2\2\u00a4\u00a5\7\22\2\2"+ - "\u00a5\u00a6\5\36\20\2\u00a6\35\3\2\2\2\u00a7\u00a8\5 \21\2\u00a8\37\3"+ - "\2\2\2\u00a9\u00aa\b\21\1\2\u00aa\u00ab\7\13\2\2\u00ab\u00b1\5 \21\7\u00ac"+ - "\u00ad\7*\2\2\u00ad\u00ae\7\r\2\2\u00ae\u00b1\5\30\r\2\u00af\u00b1\5\""+ - 
"\22\2\u00b0\u00a9\3\2\2\2\u00b0\u00ac\3\2\2\2\u00b0\u00af\3\2\2\2\u00b1"+ - "\u00ba\3\2\2\2\u00b2\u00b3\f\4\2\2\u00b3\u00b4\7\3\2\2\u00b4\u00b9\5 "+ - "\21\5\u00b5\u00b6\f\3\2\2\u00b6\u00b7\7\16\2\2\u00b7\u00b9\5 \21\4\u00b8"+ - "\u00b2\3\2\2\2\u00b8\u00b5\3\2\2\2\u00b9\u00bc\3\2\2\2\u00ba\u00b8\3\2"+ - "\2\2\u00ba\u00bb\3\2\2\2\u00bb!\3\2\2\2\u00bc\u00ba\3\2\2\2\u00bd\u00c3"+ - "\5$\23\2\u00be\u00bf\5$\23\2\u00bf\u00c0\5.\30\2\u00c0\u00c1\5$\23\2\u00c1"+ - "\u00c3\3\2\2\2\u00c2\u00bd\3\2\2\2\u00c2\u00be\3\2\2\2\u00c3#\3\2\2\2"+ - "\u00c4\u00c5\b\23\1\2\u00c5\u00c7\5(\25\2\u00c6\u00c8\5&\24\2\u00c7\u00c6"+ - "\3\2\2\2\u00c7\u00c8\3\2\2\2\u00c8\u00cc\3\2\2\2\u00c9\u00ca\t\2\2\2\u00ca"+ - "\u00cc\5$\23\5\u00cb\u00c4\3\2\2\2\u00cb\u00c9\3\2\2\2\u00cc\u00d5\3\2"+ - "\2\2\u00cd\u00ce\f\4\2\2\u00ce\u00cf\t\3\2\2\u00cf\u00d4\5$\23\5\u00d0"+ - "\u00d1\f\3\2\2\u00d1\u00d2\t\2\2\2\u00d2\u00d4\5$\23\4\u00d3\u00cd\3\2"+ - "\2\2\u00d3\u00d0\3\2\2\2\u00d4\u00d7\3\2\2\2\u00d5\u00d3\3\2\2\2\u00d5"+ - "\u00d6\3\2\2\2\u00d6%\3\2\2\2\u00d7\u00d5\3\2\2\2\u00d8\u00da\7\13\2\2"+ - "\u00d9\u00d8\3\2\2\2\u00d9\u00da\3\2\2\2\u00da\u00db\3\2\2\2\u00db\u00dc"+ - "\7\b\2\2\u00dc\u00dd\7#\2\2\u00dd\u00e2\5\36\20\2\u00de\u00df\7 \2\2\u00df"+ - "\u00e1\5\36\20\2\u00e0\u00de\3\2\2\2\u00e1\u00e4\3\2\2\2\u00e2\u00e0\3"+ - "\2\2\2\u00e2\u00e3\3\2\2\2\u00e3\u00e5\3\2\2\2\u00e4\u00e2\3\2\2\2\u00e5"+ - "\u00e6\7$\2\2\u00e6\'\3\2\2\2\u00e7\u00ef\5,\27\2\u00e8\u00ef\5*\26\2"+ - "\u00e9\u00ef\5\62\32\2\u00ea\u00eb\7#\2\2\u00eb\u00ec\5\36\20\2\u00ec"+ - "\u00ed\7$\2\2\u00ed\u00ef\3\2\2\2\u00ee\u00e7\3\2\2\2\u00ee\u00e8\3\2"+ - "\2\2\u00ee\u00e9\3\2\2\2\u00ee\u00ea\3\2\2\2\u00ef)\3\2\2\2\u00f0\u00f1"+ - "\7*\2\2\u00f1\u00fa\7#\2\2\u00f2\u00f7\5\36\20\2\u00f3\u00f4\7 \2\2\u00f4"+ - "\u00f6\5\36\20\2\u00f5\u00f3\3\2\2\2\u00f6\u00f9\3\2\2\2\u00f7\u00f5\3"+ - "\2\2\2\u00f7\u00f8\3\2\2\2\u00f8\u00fb\3\2\2\2\u00f9\u00f7\3\2\2\2\u00fa"+ - "\u00f2\3\2\2\2\u00fa\u00fb\3\2\2\2\u00fb\u00fc\3\2\2\2\u00fc\u00fd\7$"+ - 
"\2\2\u00fd+\3\2\2\2\u00fe\u0103\7\f\2\2\u00ff\u0103\58\35\2\u0100\u0103"+ - "\5\60\31\2\u0101\u0103\5:\36\2\u0102\u00fe\3\2\2\2\u0102\u00ff\3\2\2\2"+ - "\u0102\u0100\3\2\2\2\u0102\u0101\3\2\2\2\u0103-\3\2\2\2\u0104\u0105\t"+ - "\4\2\2\u0105/\3\2\2\2\u0106\u0107\t\5\2\2\u0107\61\3\2\2\2\u0108\u0114"+ - "\5\64\33\2\u0109\u010a\7\37\2\2\u010a\u0113\5\64\33\2\u010b\u010d\7!\2"+ - "\2\u010c\u010e\7(\2\2\u010d\u010c\3\2\2\2\u010e\u010f\3\2\2\2\u010f\u010d"+ - "\3\2\2\2\u010f\u0110\3\2\2\2\u0110\u0111\3\2\2\2\u0111\u0113\7\"\2\2\u0112"+ + "\2\2\2\u0098\u0099\3\2\2\2\u0099\27\3\2\2\2\u009a\u009b\7\"\2\2\u009b"+ + "\u009c\5\34\17\2\u009c\u009d\7#\2\2\u009d\31\3\2\2\2\u009e\u009f\5\34"+ + "\17\2\u009f\33\3\2\2\2\u00a0\u00a3\7\4\2\2\u00a1\u00a3\5\64\33\2\u00a2"+ + "\u00a0\3\2\2\2\u00a2\u00a1\3\2\2\2\u00a3\u00a4\3\2\2\2\u00a4\u00a5\7\22"+ + "\2\2\u00a5\u00a6\5\36\20\2\u00a6\35\3\2\2\2\u00a7\u00a8\5 \21\2\u00a8"+ + "\37\3\2\2\2\u00a9\u00aa\b\21\1\2\u00aa\u00ab\7\13\2\2\u00ab\u00b1\5 \21"+ + "\7\u00ac\u00ad\7+\2\2\u00ad\u00ae\7\r\2\2\u00ae\u00b1\5\30\r\2\u00af\u00b1"+ + "\5\"\22\2\u00b0\u00a9\3\2\2\2\u00b0\u00ac\3\2\2\2\u00b0\u00af\3\2\2\2"+ + "\u00b1\u00ba\3\2\2\2\u00b2\u00b3\f\4\2\2\u00b3\u00b4\7\3\2\2\u00b4\u00b9"+ + "\5 \21\5\u00b5\u00b6\f\3\2\2\u00b6\u00b7\7\16\2\2\u00b7\u00b9\5 \21\4"+ + "\u00b8\u00b2\3\2\2\2\u00b8\u00b5\3\2\2\2\u00b9\u00bc\3\2\2\2\u00ba\u00b8"+ + "\3\2\2\2\u00ba\u00bb\3\2\2\2\u00bb!\3\2\2\2\u00bc\u00ba\3\2\2\2\u00bd"+ + "\u00c3\5$\23\2\u00be\u00bf\5$\23\2\u00bf\u00c0\5.\30\2\u00c0\u00c1\5$"+ + "\23\2\u00c1\u00c3\3\2\2\2\u00c2\u00bd\3\2\2\2\u00c2\u00be\3\2\2\2\u00c3"+ + "#\3\2\2\2\u00c4\u00c5\b\23\1\2\u00c5\u00c7\5(\25\2\u00c6\u00c8\5&\24\2"+ + "\u00c7\u00c6\3\2\2\2\u00c7\u00c8\3\2\2\2\u00c8\u00cc\3\2\2\2\u00c9\u00ca"+ + "\t\2\2\2\u00ca\u00cc\5$\23\5\u00cb\u00c4\3\2\2\2\u00cb\u00c9\3\2\2\2\u00cc"+ + "\u00d5\3\2\2\2\u00cd\u00ce\f\4\2\2\u00ce\u00cf\t\3\2\2\u00cf\u00d4\5$"+ + "\23\5\u00d0\u00d1\f\3\2\2\u00d1\u00d2\t\2\2\2\u00d2\u00d4\5$\23\4\u00d3"+ + 
"\u00cd\3\2\2\2\u00d3\u00d0\3\2\2\2\u00d4\u00d7\3\2\2\2\u00d5\u00d3\3\2"+ + "\2\2\u00d5\u00d6\3\2\2\2\u00d6%\3\2\2\2\u00d7\u00d5\3\2\2\2\u00d8\u00da"+ + "\7\13\2\2\u00d9\u00d8\3\2\2\2\u00d9\u00da\3\2\2\2\u00da\u00db\3\2\2\2"+ + "\u00db\u00dc\7\b\2\2\u00dc\u00dd\7$\2\2\u00dd\u00e2\5\36\20\2\u00de\u00df"+ + "\7!\2\2\u00df\u00e1\5\36\20\2\u00e0\u00de\3\2\2\2\u00e1\u00e4\3\2\2\2"+ + "\u00e2\u00e0\3\2\2\2\u00e2\u00e3\3\2\2\2\u00e3\u00e5\3\2\2\2\u00e4\u00e2"+ + "\3\2\2\2\u00e5\u00e6\7%\2\2\u00e6\'\3\2\2\2\u00e7\u00ef\5,\27\2\u00e8"+ + "\u00ef\5*\26\2\u00e9\u00ef\5\62\32\2\u00ea\u00eb\7$\2\2\u00eb\u00ec\5"+ + "\36\20\2\u00ec\u00ed\7%\2\2\u00ed\u00ef\3\2\2\2\u00ee\u00e7\3\2\2\2\u00ee"+ + "\u00e8\3\2\2\2\u00ee\u00e9\3\2\2\2\u00ee\u00ea\3\2\2\2\u00ef)\3\2\2\2"+ + "\u00f0\u00f1\7+\2\2\u00f1\u00fa\7$\2\2\u00f2\u00f7\5\36\20\2\u00f3\u00f4"+ + "\7!\2\2\u00f4\u00f6\5\36\20\2\u00f5\u00f3\3\2\2\2\u00f6\u00f9\3\2\2\2"+ + "\u00f7\u00f5\3\2\2\2\u00f7\u00f8\3\2\2\2\u00f8\u00fb\3\2\2\2\u00f9\u00f7"+ + "\3\2\2\2\u00fa\u00f2\3\2\2\2\u00fa\u00fb\3\2\2\2\u00fb\u00fc\3\2\2\2\u00fc"+ + "\u00fd\7%\2\2\u00fd+\3\2\2\2\u00fe\u0103\7\f\2\2\u00ff\u0103\58\35\2\u0100"+ + "\u0103\5\60\31\2\u0101\u0103\5:\36\2\u0102\u00fe\3\2\2\2\u0102\u00ff\3"+ + "\2\2\2\u0102\u0100\3\2\2\2\u0102\u0101\3\2\2\2\u0103-\3\2\2\2\u0104\u0105"+ + "\t\4\2\2\u0105/\3\2\2\2\u0106\u0107\t\5\2\2\u0107\61\3\2\2\2\u0108\u0114"+ + "\5\64\33\2\u0109\u010a\7 \2\2\u010a\u0113\5\64\33\2\u010b\u010d\7\"\2"+ + "\2\u010c\u010e\7)\2\2\u010d\u010c\3\2\2\2\u010e\u010f\3\2\2\2\u010f\u010d"+ + "\3\2\2\2\u010f\u0110\3\2\2\2\u0110\u0111\3\2\2\2\u0111\u0113\7#\2\2\u0112"+ "\u0109\3\2\2\2\u0112\u010b\3\2\2\2\u0113\u0116\3\2\2\2\u0114\u0112\3\2"+ "\2\2\u0114\u0115\3\2\2\2\u0115\63\3\2\2\2\u0116\u0114\3\2\2\2\u0117\u0118"+ - "\t\6\2\2\u0118\65\3\2\2\2\u0119\u011b\58\35\2\u011a\u011c\7*\2\2\u011b"+ - "\u011a\3\2\2\2\u011b\u011c\3\2\2\2\u011c\67\3\2\2\2\u011d\u0120\7)\2\2"+ - "\u011e\u0120\7(\2\2\u011f\u011d\3\2\2\2\u011f\u011e\3\2\2\2\u01209\3\2"+ - 
"\2\2\u0121\u0122\7\'\2\2\u0122;\3\2\2\2\'FLVZ\\bfjpt}\u0080\u0088\u008d"+ + "\t\6\2\2\u0118\65\3\2\2\2\u0119\u011b\58\35\2\u011a\u011c\7+\2\2\u011b"+ + "\u011a\3\2\2\2\u011b\u011c\3\2\2\2\u011c\67\3\2\2\2\u011d\u0120\7*\2\2"+ + "\u011e\u0120\7)\2\2\u011f\u011d\3\2\2\2\u011f\u011e\3\2\2\2\u01209\3\2"+ + "\2\2\u0121\u0122\7(\2\2\u0122;\3\2\2\2\'FLVZ\\bfjpt}\u0080\u0088\u008d"+ "\u0093\u0095\u0098\u00a2\u00b0\u00b8\u00ba\u00c2\u00c7\u00cb\u00d3\u00d5"+ "\u00d9\u00e2\u00ee\u00f7\u00fa\u0102\u010f\u0112\u0114\u011b\u011f"; public static final ATN _ATN = diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java index df7d772158da2..474ffbdfd01ef 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java @@ -90,11 +90,11 @@ public void testMisspelledColumnWithMultipleOptions() { public void testProcessRelationshipsUnsupported() { assertEquals("2:7: Process relationships are not supported", - errorParsing("process where opcode=1 and process_name == \"csrss.exe\"\n" + - " and descendant of [file where file_name == \"csrss.exe\" and opcode=0]")); + errorParsing("process where opcode==1 and process_name == \"csrss.exe\"\n" + + " and descendant of [file where file_name == \"csrss.exe\" and opcode==0]")); assertEquals("2:7: Process relationships are not supported", - errorParsing("process where process_name=\"svchost.exe\"\n" + - " and child of [file where file_name=\"svchost.exe\" and opcode=0]")); + errorParsing("process where process_name==\"svchost.exe\"\n" + + " and child of [file where file_name=\"svchost.exe\" and opcode==0]")); } // Some functions fail with "Unsupported" message at the parse stage 
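Review bot: The second `errorParsing` query in `testProcessRelationshipsUnsupported` still writes `file_name=\"svchost.exe\"` with a single `=`, which this very commit turns into a syntax error everywhere except the `maxspan=` assignment. The assertion presumably still passes only because the process-relationship rejection is raised before the stray `=` inside the subquery is reported, so the test now depends on error ordering rather than on the input being valid EQL. Changing it to `file_name==\"svchost.exe\"`, as was done for the other three comparisons in this hunk, keeps the test exercising only the relationship check; if it then stops passing, that would itself reveal that the relationship error is masking a syntax error.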
@@ -122,10 +122,10 @@ public void testArrayIndexesUnsupported() {
 // Test valid/supported queries
 public void testQueryOk() {
 // Mismatched type, still ok
- accept("process where serial_event_id = \"abcdef\"");
+ accept("process where serial_event_id == \"abcdef\"");
 
 // Equals condition
- accept("process where serial_event_id = 1");
+ accept("process where serial_event_id == 1");
 
 // Less then condition
 accept("process where serial_event_id < 4");
@@ -136,7 +136,7 @@ public void testQueryOk() {
 
 // Or and And/And Not
 accept("process where process_name == \"impossible name\" or (serial_event_id < 4.5 and serial_event_id >= 3.1)");
- accept("process where (serial_event_id<=8 and not serial_event_id > 7) and (opcode=3 and opcode>2)");
+ accept("process where (serial_event_id<=8 and not serial_event_id > 7) and (opcode==3 and opcode>2)");
 
 // In statement
 accept("process where not (exit_code > -1)\n" +
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/ExpressionTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/ExpressionTests.java
index b6cc95ea4e2cc..ce610c6b3b2b2 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/ExpressionTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/ExpressionTests.java
@@ -85,8 +85,8 @@ public void testSingleQuotedStringForbidden() { ParsingException e = expectThrows(ParsingException.class, () -> expr("'hello world'")); assertEquals("line 1:2: Use double quotes [\"] to define string literals, not single quotes [']", e.getMessage()); - e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name='hello world'")); - assertEquals("line 1:21: Use double quotes [\"] to define string literals, not single quotes [']", + e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name=='hello world'")); + assertEquals("line 1:22: Use double quotes [\"] to define string literals, not single quotes [']", e.getMessage()); } @@ -101,8 +101,8 @@ public void testSingleQuotedUnescapedStringDisallowed() { ParsingException e = expectThrows(ParsingException.class, () -> expr("?'hello world'")); assertEquals("line 1:2: Use double quotes [\"] to define string literals, not single quotes [']", e.getMessage()); - e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name=?'hello world'")); - assertEquals("line 1:21: Use double quotes [\"] to define string literals, not single quotes [']", + e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name==?'hello world'")); + assertEquals("line 1:22: Use double quotes [\"] to define string literals, not single quotes [']", e.getMessage()); } @@ -160,6 +160,9 @@ public void testComparison() { assertEquals(new GreaterThanOrEqual(null, field, value, UTC), expr(fieldText + ">=" + valueText)); assertEquals(new GreaterThan(null, field, value, UTC), expr(fieldText + ">" + valueText)); assertEquals(new LessThan(null, field, value, UTC), expr(fieldText + "<" + valueText)); + + expectThrows(ParsingException.class, "Expected syntax error", + () -> expr(fieldText + "=" + valueText)); } public void testBoolean() { 
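Review bot: The new `expectThrows` added to `testComparison` only checks the exception type, whereas the sibling assertions in the first two hunks of this file pin the message and the `line 1:N` position, which is what would catch the lexer quietly accepting `=` again or reporting it at the wrong offset. Capture the exception, `ParsingException e = expectThrows(ParsingException.class, () -> expr(fieldText + "=" + valueText));`, and assert on `e.getMessage()`, at least that it points at the position of the `=`, since the exact wording is not visible here. The body of `testComparison` begins outside the hunk.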
@@ -247,7 +250,7 @@ public void testChainedComparisonsDisallowed() { String secondComparator = ""; StringBuilder sb = new StringBuilder("a "); for (int i = 0 ; i < noComparisions; i++) { - String comparator = randomFrom("=", "==", "!=", "<", "<=", ">", ">="); + String comparator = randomFrom("==", "!=", "<", "<=", ">", ">="); sb.append(comparator).append(" a "); if (i == 0) { diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/GrammarTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/GrammarTests.java index 59a0ef86d709a..bc4078b825cdb 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/GrammarTests.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/GrammarTests.java @@ -36,6 +36,7 @@ public void testSupportedQueries() throws Exception { parser.createStatement(q); } } + public void testUnsupportedQueries() throws Exception { EqlParser parser = new EqlParser(); List> lines = readQueries("/queries-unsupported.eql"); diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/stats/VerifierMetricsTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/stats/VerifierMetricsTests.java index 6804a1ef4ef44..ebd4206407719 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/stats/VerifierMetricsTests.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/stats/VerifierMetricsTests.java @@ -52,8 +52,8 @@ public void testEventQuery() { public void testSequenceQuery() { Counters c = eql("sequence\r\n" + - " [process where serial_event_id = 1]\r\n" + - " [process where serial_event_id = 2]"); + " [process where serial_event_id == 1]\r\n" + + " [process where serial_event_id == 2]"); assertCounters(c, Set.of(SEQUENCE, PIPE_HEAD, SEQUENCE_QUERIES_TWO)); } 
@@ -83,7 +83,7 @@ public void testSequenceMaxSpanQuery() { " [process where opcode == 1] by user\r\n" + " [process where opcode == 2] by user\r\n" + " [file where parent_process_name == \"file_delete_event\"] by exit_code\r\n" + - "until [process where opcode=1] by ppid\r\n" + + "until [process where opcode==1] by ppid\r\n" + "| head 4\r\n" + "| tail 2"); assertCounters(c, Set.of(SEQUENCE, PIPE_HEAD, PIPE_TAIL, SEQUENCE_MAXSPAN, SEQUENCE_UNTIL, SEQUENCE_QUERIES_FOUR, JOIN_KEYS_ONE)); @@ -93,7 +93,7 @@ public void testSequenceWithTwoQueries() { Counters c = eql("sequence with maxspan=1d\r\n" + " [process where serial_event_id < 4] by exit_code\r\n" + " [process where opcode == 1] by user\r\n" + - "until [process where opcode=1] by ppid\r\n" + + "until [process where opcode==1] by ppid\r\n" + "| head 4\r\n" + "| tail 2"); assertCounters(c, Set.of(SEQUENCE, PIPE_HEAD, PIPE_TAIL, SEQUENCE_MAXSPAN, SEQUENCE_UNTIL, SEQUENCE_QUERIES_TWO, JOIN_KEYS_ONE)); @@ -203,4 +203,4 @@ long get(FeatureMetric metric) { return this.metrics[metric.ordinal()]; } } -} \ No newline at end of file +} diff --git a/x-pack/plugin/eql/src/test/resources/queries-supported.eql b/x-pack/plugin/eql/src/test/resources/queries-supported.eql index 02b5fb80f3aa6..775161e46b574 100644 --- a/x-pack/plugin/eql/src/test/resources/queries-supported.eql +++ b/x-pack/plugin/eql/src/test/resources/queries-supported.eql @@ -67,9 +67,9 @@ network where a * (b + c * d) + e / f == g + h + i; process where pid == 4 or pid == 5 or pid == 6 or pid == 7 or pid == 8; -network where pid == 0 or pid == 4 or (ppid == 0 or ppid = 4) or (abc == defgh) and process_name == "*" ; +network where pid == 0 or pid == 4 or (ppid == 0 or ppid == 4) or (abc == defgh) and process_name == "*" ; -network where pid = 4; +network where pid == 4; registry where a.b; 
@@ -86,7 +86,7 @@ process where a > 100000000000000000000000000000000; /* TESTS FROM * https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_queries.toml */ -process where serial_event_id = 1; +process where serial_event_id == 1; process where serial_event_id < 4; @@ -122,7 +122,7 @@ process where 0 < exit_code; process where 0 > exit_code; -process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2); +process where (serial_event_id<=8 and serial_event_id > 7) and (opcode==3 and opcode>2); process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid); @@ -133,16 +133,16 @@ registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4); -file where file_path="*\\red_ttp\\winin*.*" - and opcode in (0,1,2) and user_name="vagrant" +file where file_path=="*\\red_ttp\\winin*.*" + and opcode in (0,1,2) and user_name=="vagrant" ; -file where file_path="*\\red_ttp\\winin*.*" - and opcode not in (0,1,2) and user_name="vagrant" +file where file_path=="*\\red_ttp\\winin*.*" + and opcode not in (0,1,2) and user_name=="vagrant" ; -file where file_path="*\\red_ttp\\winin*.*" - and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant" +file where file_path=="*\\red_ttp\\winin*.*" + and opcode not in (3, 4, 5, 6 ,7) and user_name=="vagrant" ; file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2 @@ -169,7 +169,7 @@ process where opcode == 1 -process where process_name = "python.exe"; +process where process_name == "python.exe"; process where command_line == "*%*" ; 
@@ -193,51 +193,51 @@ process where match(?".*?net1\s+\w{4,15}\s+.*?", command_line) process where match(?".*?net1\s+[localgrup]{4,15}\s+.*?", command_line) ; -file where opcode=0 and startsWith(file_name, "exploRER.") +file where opcode==0 and startsWith(file_name, "exploRER.") ; -file where opcode=0 and startsWith(file_name, "expLORER.exe") +file where opcode==0 and startsWith(file_name, "expLORER.exe") ; -file where opcode=0 and endsWith(file_name, "loREr.exe"); +file where opcode==0 and endsWith(file_name, "loREr.exe"); -file where opcode=0 and startsWith(file_name, "explORER.EXE"); +file where opcode==0 and startsWith(file_name, "explORER.EXE"); -file where opcode=0 and startsWith("explorer.exeaaaaaaaa", file_name); +file where opcode==0 and startsWith("explorer.exeaaaaaaaa", file_name); -file where opcode=0 and serial_event_id = 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe"); +file where opcode==0 and serial_event_id == 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe"); -file where opcode=0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name) +file where opcode==0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name) ; -file where opcode=0 and indexOf(file_name, "plore") == 2 and not indexOf(file_name, ".pf") +file where opcode==0 and indexOf(file_name, "plore") == 2 and not indexOf(file_name, ".pf") ; -file where opcode=0 and indexOf(file_name, "explorer.") and indexOf(file_name, "plore", 100) +file where opcode==0 and indexOf(file_name, "explorer.") and indexOf(file_name, "plore", 100) ; -file where opcode=0 and indexOf(file_name, "plorer.", 0) == 2; +file where opcode==0 and indexOf(file_name, "plorer.", 0) == 2; -file where opcode=0 and indexOf(file_name, "plorer.", 2); +file where opcode==0 and indexOf(file_name, "plorer.", 2); -file where opcode=0 and indexOf(file_name, "plorer.", 4); +file where opcode==0 and indexOf(file_name, "plorer.", 4); -file where opcode=0 and indexOf(file_name, "thing that never happened"); +file 
where opcode==0 and indexOf(file_name, "thing that never happened"); -file where opcode=0 and indexOf(file_name, "plorer.", 2) == 2; +file where opcode==0 and indexOf(file_name, "plorer.", 2) == 2; -file where opcode=0 and indexOf(file_name, "explorer.", 0) == 0; +file where opcode==0 and indexOf(file_name, "explorer.", 0) == 0; -file where serial_event_id=88 and substring(file_name, 0, 4) == "expl" +file where serial_event_id==88 and substring(file_name, 0, 4) == "expl" ; -file where serial_event_id=88 and substring(file_name, 1, 3) == "xp" +file where serial_event_id==88 and substring(file_name, 1, 3) == "xp" ; -file where serial_event_id=88 and substring(file_name, -4) == ".exe" +file where serial_event_id==88 and substring(file_name, -4) == ".exe" ; -file where serial_event_id=88 and substring(file_name, -4, -1) == ".ex" +file where serial_event_id==88 and substring(file_name, -4, -1) == ".ex" ; process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id; 
@@ -377,38 +377,38 @@ join ; join by user_name - [process where opcode in (1,3) and process_name="smss.exe"] + [process where opcode in (1,3) and process_name=="smss.exe"] [process where opcode in (1,3) and process_name == "python.exe"] ; join by unique_pid - [process where opcode=1] - [file where opcode=0 and file_name="svchost.exe"] + [process where opcode==1] + [file where opcode==0 and file_name=="svchost.exe"] [file where opcode == 0 and file_name == "lsass.exe"] ; join by unique_pid - [process where opcode=1] - [file where opcode=0 and file_name="svchost.exe"] + [process where opcode==1] + [file where opcode==0 and file_name=="svchost.exe"] [file where opcode == 0 and file_name == "lsass.exe"] until [file where opcode == 2]; join - [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [file where opcode==0 and file_name=="svchost.exe"] by unique_pid [process where opcode == 1] by unique_ppid ; join by unique_pid - [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name=="python.exe"] [file where file_name == "*.exe"]; join by user_name - [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name=="python.exe"] [process where opcode in (1,3) and process_name == "smss.exe"] ; join - [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name=="python.exe"] [process where opcode in (1,3) and process_name == "smss.exe"] ; 
@@ -425,12 +425,12 @@ sequence by user_name ; sequence with maxspan=30s - [network where destination_port==3389 and event_subtype_full="*_accept_event*"] + [network where destination_port==3389 and event_subtype_full=="*_accept_event*"] [security where event_id in (4624, 4625) and logon_type == 10] ; sequence with maxspan=30s - [network where destination_port==3389 and event_subtype_full="*_accept_event"] by source_address + [network where destination_port==3389 and event_subtype_full=="*_accept_event"] by source_address [security where event_id in (4624, 4625) and logon_type == 10] by ip_address ; @@ -492,17 +492,17 @@ until [process where 1] by e,f ; sequence - [process where serial_event_id = 1] - [process where serial_event_id = 2] + [process where serial_event_id == 1] + [process where serial_event_id == 2] ; sequence [process where serial_event_id < 5] - [process where serial_event_id = 5] + [process where serial_event_id == 5] ; sequence - [process where serial_event_id=1] by unique_pid + [process where serial_event_id==1] by unique_pid [process where true] by unique_ppid; sequence 
@@ -516,33 +516,33 @@ sequence ; sequence - [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [file where opcode==0 and file_name=="svchost.exe"] by unique_pid [process where opcode == 1] by unique_ppid ; sequence - [file where file_name="lsass.exe"] by file_path,process_path + [file where file_name=="lsass.exe"] by file_path,process_path [process where true] by process_path,parent_process_path ; sequence by user_name - [file where file_name="lsass.exe"] by file_path, process_path + [file where file_name=="lsass.exe"] by file_path, process_path [process where true] by process_path, parent_process_path ; sequence by pid - [file where file_name="lsass.exe"] by file_path,process_path + [file where file_name=="lsass.exe"] by file_path,process_path [process where true] by process_path,parent_process_path ; sequence by user_name - [file where opcode=0] by pid,file_path - [file where opcode=2] by pid,file_path -until [process where opcode=2] by ppid,process_path + [file where opcode==0] by pid,file_path + [file where opcode==2] by pid,file_path +until [process where opcode==2] by ppid,process_path ; sequence by unique_pid - [process where opcode=1 and process_name == "msbuild.exe"] + [process where opcode==1 and process_name == "msbuild.exe"] [network where true] ; @@ -602,8 +602,8 @@ sequence sequence - [file where opcode=0] by unique_pid - [file where opcode=0] by unique_pid + [file where opcode==0] by unique_pid + [file where opcode==0] by unique_pid | head 1; 
@@ -640,41 +640,41 @@ sequence with maxspan=10s | tail 2; sequence - [file where opcode=0 and file_name="*.exe"] by unique_pid - [file where opcode=0 and file_name="*.exe"] by unique_pid -until [process where opcode=5000] by unique_ppid + [file where opcode==0 and file_name=="*.exe"] by unique_pid + [file where opcode==0 and file_name=="*.exe"] by unique_pid +until [process where opcode==5000] by unique_ppid | head 1; sequence - [file where opcode=0 and file_name="*.exe"] by unique_pid - [file where opcode=0 and file_name="*.exe"] by unique_pid -until [process where opcode=1] by unique_ppid + [file where opcode==0 and file_name=="*.exe"] by unique_pid + [file where opcode==0 and file_name=="*.exe"] by unique_pid +until [process where opcode==1] by unique_ppid | head 1; join - [file where opcode=0 and file_name="*.exe"] by unique_pid - [file where opcode=2 and file_name="*.exe"] by unique_pid -until [process where opcode=1] by unique_ppid + [file where opcode==0 and file_name=="*.exe"] by unique_pid + [file where opcode==2 and file_name=="*.exe"] by unique_pid +until [process where opcode==1] by unique_ppid | head 1; sequence by user_name - [file where opcode=0] by file_path - [process where opcode=1] by process_path - [process where opcode=2] by process_path - [file where opcode=2] by file_path + [file where opcode==0] by file_path + [process where opcode==1] by process_path + [process where opcode==2] by process_path + [file where opcode==2] by file_path | tail 1; sequence by user_name - [file where opcode=0] by pid,file_path - [file where opcode=2] by pid,file_path -until [process where opcode=5] by ppid,process_path + [file where opcode==0] by pid,file_path + [file where opcode==2] by pid,file_path +until [process where opcode==5] by ppid,process_path | head 2; sequence by pid - [file where opcode=0] by file_path - [process where opcode=1] by process_path - [process where opcode=2] by process_path - [file where opcode=2] by file_path + [file where opcode==0] by 
file_path + [process where opcode==1] by process_path + [process where opcode==2] by process_path + [file where opcode==2] by file_path | tail 1; join by user_name diff --git a/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql b/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql index 956007b2b5ff6..ff14103c7397e 100644 --- a/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql +++ b/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql @@ -73,27 +73,27 @@ file where descendant of [registry where true]; //sequence by unique_pid [process where true] [file where true] fork; -sequence by unique_pid [process where true] [file where true] fork=true; +sequence by unique_pid [process where true] [file where true] fork==true; // no longer supported -//sequence by unique_pid [process where true] [file where true] fork=1; +//sequence by unique_pid [process where true] [file where true] fork==1; sequence [process where true] by unique_pid - [file where true] fork=true by unique_pid + [file where true] fork==true by unique_pid [process where true] by unique_ppid | head 4; -sequence by unique_pid [process where true] [file where true] fork=false; +sequence by unique_pid [process where true] [file where true] fork==false; // no longer supported -// sequence by unique_pid [process where true] [file where true] fork=0 [network where true]; +// sequence by unique_pid [process where true] [file where true] fork==0 [network where true]; sequence by unique_pid [process where true] [file where true] fork [network where true]; // no longer supported -// sequence by unique_pid [process where true] [file where true] fork=0; -sequence by unique_pid [process where true] [file where true] fork=true; +// sequence by unique_pid [process where true] [file where true] fork==0; +sequence by unique_pid [process where true] [file where true] fork==true; sequence with maxspan=2.5m 
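Review bot: The `fork=true` / `fork=false` tokens rewritten to `fork==true` / `fork==false` in this hunk read as option assignments rather than comparisons — the same hunk keeps the context line `sequence with maxspan=2.5m` with a single `=`, which is exactly the assignment form the commit says `=` is now reserved for. If `fork` is such an option in the original EQL syntax, these unsupported-query entries now document a form nobody would write, and the assignment form `fork=true` that the file was listing as unsupported is no longer exercised at all. Suggest keeping the original spelling on the active lines, e.g. `sequence by unique_pid [process where true] [file where true] fork=true;`, and only touching genuine comparison operators; if the rewrite is deliberate, a one-line comment such as `// fork=<bool> is an option assignment, intentionally kept with '='` next to the entries would stop the next sweep from "fixing" it again.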
@@ -183,19 +183,19 @@ process where process_name in ("python.exe", "smss.exe") -file where file_name == "csrss.exe" and opcode=0 +file where file_name == "csrss.exe" and opcode==0 and descendant of [process where opcode in (1,3) and process_name="cmd.exe"] ; -process where opcode=1 and process_name == "csrss.exe" +process where opcode==1 and process_name == "csrss.exe" and descendant of [file where file_name == "csrss.exe" and opcode=0] ; -process where opcode=1 and process_name == "smss.exe" +process where opcode==1 and process_name == "smss.exe" and descendant of [ - file where file_name == "csrss.exe" and opcode=0 + file where file_name == "csrss.exe" and opcode==0 and descendant of [ - process where opcode in(1,3) and process_name="cmd.exe" + process where opcode in(1,3) and process_name=="cmd.exe" ] ] ; 
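Review bot: Two context lines in this hunk still carry the single `=` that the commit removes from the grammar: `and descendant of [process where opcode in (1,3) and process_name="cmd.exe"]` under the first `csrss.exe` query, and `and descendant of [file where file_name == "csrss.exe" and opcode=0]` under the second. These queries live in queries-unsupported.eql and are presumably listed so that `descendant of` is what gets rejected; with the leftover `=` they would now be rejected by the `=`-less grammar first, so the entries no longer exercise the construct they are there for. Change them to `process_name=="cmd.exe"` and `opcode==0` so only the intended unsupported feature remains in those queries.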
@@ -238,52 +238,52 @@ sequence with maxspan=0.5s | tail 2; sequence - [file where opcode=0] by unique_pid - [file where opcode=0] by unique_pid + [file where opcode==0] by unique_pid + [file where opcode==0] by unique_pid | filter events[1].serial_event_id == 92; any where true | unique event_type_full; -process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe") +process where opcode==1 and process_name in ("services.exe", "smss.exe", "lsass.exe") and descendant of [process where process_name == "cmd.exe" ]; process where process_name in ("services.exe", "smss.exe", "lsass.exe") and descendant of [process where process_name == "cmd.exe" ]; -process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe") +process where opcode==2 and process_name in ("services.exe", "smss.exe", "lsass.exe") and descendant of [process where process_name == "cmd.exe" ]; -process where process_name="svchost.exe" - and child of [file where file_name="svchost.exe" and opcode=0]; +process where process_name=="svchost.exe" + and child of [file where file_name=="svchost.exe" and opcode==0]; -process where process_name="svchost.exe" - and not child of [file where file_name="svchost.exe" and opcode=0] +process where process_name=="svchost.exe" + and not child of [file where file_name=="svchost.exe" and opcode==0] | head 3; -process where process_name="lsass.exe" +process where process_name=="lsass.exe" and child of [ - process where process_name="python.exe" - and child of [process where process_name="cmd.exe"] + process where process_name=="python.exe" + and child of [process where process_name=="cmd.exe"] ] ; file where child of [ process where child of [ - process where child of [process where process_name="*wsmprovhost.exe"] + process where child of [process where process_name=="*wsmprovhost.exe"] ] ] | tail 1; -file where process_name = "python.exe" +file where process_name == "python.exe" | unique unique_pid; -file where event of [process 
where process_name = "python.exe" ] +file where event of [process where process_name == "python.exe" ] | unique unique_pid; -process where event of [process where process_name = "python.exe" ]; +process where event of [process where process_name == "python.exe" ]; sequence [process where serial_event_id<3] by unique_pid * 2 @@ -299,11 +299,11 @@ sequence process where "net.EXE" == original_file_name -| filter process_name="net*.exe" +| filter process_name=="net*.exe" ; process where process_name == original_file_name -| filter process_name='net*.exe' +| filter process_name=='net*.exe' ; process where original_file_name == process_name diff --git a/x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt b/x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt index 5abd9108f1f52..a5ec67cd875c1 100644 --- a/x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt +++ b/x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt @@ -19,7 +19,7 @@ null ; singleNumericFilterEquals -process where serial_event_id = 1 +process where serial_event_id == 1 ; "term":{"serial_event_id":{"value":1 ; diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/data_stream/10_data_stream_resolvability.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/data_stream/10_data_stream_resolvability.yml index d42eb7cb45c6d..fba4d793e0d23 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/data_stream/10_data_stream_resolvability.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/data_stream/10_data_stream_resolvability.yml @@ -516,7 +516,7 @@ eql.search: index: simple-data-stream1 body: - query: 'process where user = "SYSTEM"' + query: 'process where user == "SYSTEM"' - match: {timed_out: false} - match: {hits.total.value: 1} @@ -527,7 +527,7 @@ eql.search: index: simple-data-s* body: - query: 'process where user = "SYSTEM"' + query: 'process where user == "SYSTEM"' - match: {timed_out: false} - match: {hits.total.value: 1}