EQL: Remove support for = for comparisons
Since `=` is rarely used and is undocumented, we remove its support for
equality comparisons, keeping `==` as the only option. `=` is now only
used for assignments like in `maxspan=10m`.

Closes: elastic#62650
matriv committed Sep 22, 2020
1 parent 3a9b657 commit 6f00553
Showing 22 changed files with 596 additions and 584 deletions.
2 changes: 1 addition & 1 deletion docs/reference/eql/functions.asciidoc
Expand Up @@ -1086,7 +1086,7 @@ expressions.
process.name == "*regsvr32*" or process.name == "*explorer*"
wildcard(process.name, "*regsvr32*", "*explorer*")
// process.name = "regsvr32.exe"
// process.name == "regsvr32.exe"
wildcard(process.name, "*regsvr32*") // returns true
wildcard(process.name, "*regsvr32*", "*explorer*") // returns true
wildcard(process.name, "*explorer*") // returns false
Expand Up @@ -146,7 +146,7 @@ public void testEqlRestUsage() throws IOException {
int randomSequenceExecutions = randomIntBetween(1, 15);
allTotalQueries += randomSequenceExecutions;
for (int i = 0; i < randomSequenceExecutions; i++) {
runEql("sequence [process where serial_event_id = 1] [process where serial_event_id = 2]");
runEql("sequence [process where serial_event_id == 1] [process where serial_event_id == 2]");
}
responseAsMap = getStats();
metricsToCheck = Set.of("sequence", "sequence_queries_two", "pipe_head");
Expand Down Expand Up @@ -179,7 +179,7 @@ public void testEqlRestUsage() throws IOException {
" [process where opcode == 1] by user" +
" [process where opcode == 2] by user" +
" [file where parent_process_name == \\\"file_delete_event\\\"] by exit_code" +
" until [process where opcode=1] by ppid" +
" until [process where opcode==1] by ppid" +
" | head 4" +
" | tail 2");
}
Expand Down Expand Up @@ -271,8 +271,8 @@ public void testEqlRestUsage() throws IOException {
runEql(
randomFrom(
"process where missing_field < 4 | tail 2",
"sequence abc [process where serial_event_id = 1]",
"sequence with maxspan=1x [process where serial_event_id = 1]",
"sequence abc [process where serial_event_id == 1]",
"sequence with maxspan=1x [process where serial_event_id == 1]",
"sequence by exit_code, user [process where serial_event_id < 4] by ppid",
"sequence by"
)
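Review bot: None of the three hunks in this test adds a negative case for the form the commit removes, so after the change `testEqlRestUsage` only ever exercises the accepted `==` spelling and nothing here shows that `process where serial_event_id = 1` is now rejected. The `randomFrom` list of deliberately failing queries in the last hunk looks like the natural place for one, e.g. adding `"process where serial_event_id = 1"` alongside `"sequence abc [...]"`, assuming a bare `=` comparison is now a parse failure that the same failed-query counters should cover; if that is already asserted in a parser test elsewhere in the commit, a one-line comment in this hunk pointing there would save the next reader the search. Note that `=` is intentionally kept in `maxspan=1x`, which matches the description's assignment-only rule. `testEqlRestUsage` starts and ends outside these hunks.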
Expand Up @@ -69,7 +69,7 @@ expected_event_ids = [5]

[[queries]]
name = "concatEquals2"
query = 'process where concat(serial_event_id) = "1"'
query = 'process where concat(serial_event_id) == "1"'
expected_event_ids = [1]

[[queries]]
Expand Down Expand Up @@ -98,7 +98,7 @@ expected_event_ids = [1, 2, 3, 4]

[[queries]]
name = "numberStringConversion1"
query = 'process where string(serial_event_id) = "1"'
query = 'process where string(serial_event_id) == "1"'
expected_event_ids = [1]


Expand Down Expand Up @@ -223,16 +223,16 @@ query = "process where serial_event_id + ((1 + 3) * 2 / (3 - 1)) * 2 == 54 or 70
name = "twoSequencesAdditional1"
query = '''
sequence
[process where serial_event_id = 1]
[process where serial_event_id = 2]
[process where serial_event_id == 1]
[process where serial_event_id == 2]
'''
expected_event_ids = [1, 2]

[[queries]]
name = "twoSequencesAdditional2"
query = '''
sequence
[process where serial_event_id=1] by unique_pid
[process where serial_event_id==1] by unique_pid
[process where true] by unique_ppid'''
expected_event_ids = [1, 2]
