Done with parsing, need to improve the test suite.

elastic · Apr 2, 2020 · adfa27c · adfa27c
1 parent 96550c1
commit adfa27c
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 22 deletions.
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java
@@ -99,18 +99,6 @@ public void testProcessRelationshipsUnsupported() {
                         "  and child of [file where file_name=\"svchost.exe\" and opcode=0]"));
     }
 
-    public void testSequencesUnsupported() {
-        assertEquals("1:1: Sequence is not supported", errorParsing("sequence\n" +
-                "  [process where serial_event_id = 1]\n" +
-                "  [process where serial_event_id = 2]"));
-    }
-
-    public void testJoinUnsupported() {
-        assertEquals("1:1: Join is not supported", errorParsing("join by user_name\n" +
-                "  [process where opcode in (1,3) and process_name=\"smss.exe\"]\n" +
-                "  [process where opcode in (1,3) and process_name == \"python.exe\"]"));
-    }
-
     // Some functions fail with "Unsupported" message at the parse stage
     public void testArrayFunctionsUnsupported() {
         assertEquals("1:16: Unknown function [arrayContains]",

diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/LogicalPlanTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/LogicalPlanTests.java
@@ -62,13 +62,13 @@ public void testParameterizedEventQuery() {
 
     public void testQueryPlan() {
         LogicalPlan plan = parser.createStatement(
-                "join by pid " + 
-                "  [process where true] " + 
-                "  [network where true] " + 
-                "  [registry where true] " + 
-                "  [file where true] " + 
-                " " + 
+                "join by pid " +
+                "  [process where true] " +
+                "  [network where true] " +
+                "  [registry where true] " +
+                "  [file where true] " +
+                " " +
                 "until [process where event_subtype_full == \"termination_event\"]");
-        System.out.println(plan);
+        //        System.out.println(plan);
     }
 }
diff --git a/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql b/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql
@@ -317,18 +317,23 @@ join
   [file where opcode=0 and file_name="*.exe"] by unique_pid
   [file where opcode=2 and file_name="*.exe"] by unique_pid
 until [process where opcode=1] by unique_ppid
-| head 1;
+| head 1
+;
 
 join by string(unique_pid)
   [process where opcode=1]
   [file where opcode=0 and file_name="svchost.exe"]
-  [file where opcode == 0 and file_name == "lsass.exe"];
+  [file where opcode == 0 and file_name == "lsass.exe"]
+| head 1
+; 
 
 join by string(unique_pid), unique_pid, unique_pid * 2
   [process where opcode=1]
   [file where opcode=0 and file_name="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
-until [file where opcode == 2];
+until [file where opcode == 2]
+: tail 1
+;
 
 any where true
 | unique event_type_full;
@@ -378,11 +383,13 @@ process where event of [process where process_name = "python.exe" ];
 sequence
   [process where serial_event_id<3] by unique_pid * 2
   [process where true] by unique_ppid * 2
+| tail 1
 ;
 
 sequence
   [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid)
   [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid)
+| tail 1
 ;
 
 sequence by user_name