diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java
index 4c97191d6f82f..99d83b7adea7e 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java
@@ -99,18 +99,6 @@ public void testProcessRelationshipsUnsupported() {
 " and child of [file where file_name=\"svchost.exe\" and opcode=0]"));
 }
 
- public void testSequencesUnsupported() {
- assertEquals("1:1: Sequence is not supported", errorParsing("sequence\n" +
- " [process where serial_event_id = 1]\n" +
- " [process where serial_event_id = 2]"));
- }
-
- public void testJoinUnsupported() {
- assertEquals("1:1: Join is not supported", errorParsing("join by user_name\n" +
- " [process where opcode in (1,3) and process_name=\"smss.exe\"]\n" +
- " [process where opcode in (1,3) and process_name == \"python.exe\"]"));
- }
-
 // Some functions fail with "Unsupported" message at the parse stage
 public void testArrayFunctionsUnsupported() {
 assertEquals("1:16: Unknown function [arrayContains]",
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/LogicalPlanTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/LogicalPlanTests.java
index 4ed5d46844634..46af69c1af9a6 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/LogicalPlanTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/LogicalPlanTests.java
@@ -62,13 +62,13 @@ public void testParameterizedEventQuery() {
 
 public void testQueryPlan() {
 LogicalPlan plan = parser.createStatement(
- "join by pid " +
- " [process where true] " +
- " [network where true] " +
- " [registry where true] " +
- " [file where true] " +
- " " +
+ "join by pid " +
+ " [process where true] " +
+ " [network where true] " +
+ " [registry where true] " +
+ " [file where true] " +
+ " " +
 "until [process where event_subtype_full == \"termination_event\"]");
- System.out.println(plan);
+ // System.out.println(plan);
 }
 }
diff --git a/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql b/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql
index ba619f8092da2..46bbd6d02eee1 100644
--- a/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql
+++ b/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql
@@ -317,18 +317,23 @@ join
 [file where opcode=0 and file_name="*.exe"] by unique_pid
 [file where opcode=2 and file_name="*.exe"] by unique_pid
 until [process where opcode=1] by unique_ppid
-| head 1;
+| head 1
+;
 
 join by string(unique_pid)
 [process where opcode=1]
 [file where opcode=0 and file_name="svchost.exe"]
- [file where opcode == 0 and file_name == "lsass.exe"];
+ [file where opcode == 0 and file_name == "lsass.exe"]
+| head 1
+;
 
 join by string(unique_pid), unique_pid, unique_pid * 2
 [process where opcode=1]
 [file where opcode=0 and file_name="svchost.exe"]
 [file where opcode == 0 and file_name == "lsass.exe"]
-until [file where opcode == 2]
+until [file where opcode == 2]
+: tail 1
+;
 
 any where true | unique event_type_full;
 
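Review bot: With `System.out.println(plan)` turned into a comment, `testQueryPlan` no longer checks anything about the plan it builds and can only fail if `parser.createStatement` throws, so the join/until query is effectively untested. Rather than leaving commented-out code, replace that line with an assertion on the result, at minimum `assertNotNull(plan);`, and preferably a check of the plan's expected type or children once the join plan shape is settled. The other changed lines in this hunk differ from their removed counterparts only in indentation. The whole of `testQueryPlan` lies within the hunk.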
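Review bot: The third query in this hunk receives `: tail 1` while the two neighbouring edits add `| head 1`, and `:` is not used as a pipe separator anywhere else in the visible file, so this looks like a typo for `| tail 1`. If this resource lists queries a test expects the parser to reject, as its name suggests, the query would presumably be rejected as a plain syntax error rather than for the unsupported pipe, which silently loses the case the file is meant to cover. Change the added line to `| tail 1` so it matches the pattern used in the rest of this hunk and in the following hunk at line 383.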
@@ -378,11 +383,13 @@ process where event of [process where process_name = "python.exe" ];
 sequence
 [process where serial_event_id<3] by unique_pid * 2
 [process where true] by unique_ppid * 2
+| tail 1
 ;
 
 sequence
 [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid)
 [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid)
+| tail 1
 ;
 
 sequence by user_name