EQL: revising usage of quote (single or double) for escaping identifiers

[costin]

User feedback when running an EQL query: I cannot escape the event category for the query: system.cpu where cpu.cores = 16

line 1:8: mismatched input '.' expecting 'where'

Tried escaping (with " or "):
"system.cpu" where ...

line 1:1: no viable alternative at input '\"system.cpu\"'"

Finally fixed by using backticks:
`system.cpu` where ...

This is a poor experience from an internal uses, that is interested in EQL and know about it. And yet gets caught off-guard by our use of quotes and escaping.

I'm raising this issue to revisit this topic and improve the current situation.

[elasticmachine]

Pinging @elastic/es-ql (:Query Languages/EQL)

[costin]

For background, see the previous issue on the same topic at #51443

[rw-access]

I think we need a separate pattern for eventType. I think it's fair to allow . and -, and that shouldn't cause any conflicts with the grammar since we still have where as a hard requirement. Or we could handle error conditions in a different way where we can show the recommended syntax.

[costin]

Superseded by #62883 and #62933.