Change ~ from prefix to suffix

Author: costin

x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml

@@ -1445,7 +1445,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "startsWithCaseInsensitive1"
 query = '''
-file where opcode==0 and ~startsWith(file_name, "explorer.")
+file where opcode==0 and startsWith~(file_name, "explorer.")
 '''
 expected_event_ids  = [88, 92]
 description = "check built-in string functions"
@@ -1454,15 +1454,15 @@ description = "check built-in string functions"
 [[queries]]
 name = "startsWithCaseInsensitive2"
 query = '''
-file where opcode==0 and ~startsWith(file_name, "exploRER.")
+file where opcode==0 and startsWith~(file_name, "exploRER.")
 '''
 expected_event_ids  = [88, 92]
 description = "check built-in string functions"
 
 [[queries]]
 name = "startsWithCaseInsensitive3"
 query = '''
-file where opcode==0 and ~startsWith(file_name, "expLORER.exe")
+file where opcode==0 and startsWith~(file_name, "expLORER.exe")
 '''
 expected_event_ids  = [88, 92]
 description = "check built-in string functions"
@@ -1479,7 +1479,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "endsWithCaseInsensitive"
 query = '''
-file where opcode==0 and ~endsWith(file_name, "loREr.exe")
+file where opcode==0 and endsWith~(file_name, "loREr.exe")
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1495,7 +1495,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "endsWithAndCondition"
 query = '''
-file where opcode==0 and serial_event_id == 88 and ~startsWith("explorer.exeaAAAA", "EXPLORER.exe")
+file where opcode==0 and serial_event_id == 88 and startsWith~("explorer.exeaAAAA", "EXPLORER.exe")
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1511,7 +1511,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "indexOfCaseInsensitive"
 query = '''
-file where opcode==0 and ~indexOf(file_name, "plore") == 2 and ~indexOf(file_name, ".pf") == null
+file where opcode==0 and indexOf~(file_name, "plore") == 2 and indexOf~(file_name, ".pf") == null
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1535,7 +1535,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "indexOf3"
 query = '''
-file where opcode==0 and ~indexOf(file_name, "plorer.", 0) == 2
+file where opcode==0 and indexOf~(file_name, "plorer.", 0) == 2
 '''
 expected_event_ids  = [88, 92]
 description = "check built-in string functions"
@@ -1551,7 +1551,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "indexOf5"
 query = '''
-file where opcode==0 and ~indexOf(file_name, "plorer.", 2) != null
+file where opcode==0 and indexOf~(file_name, "plorer.", 2) != null
 '''
 expected_event_ids  = [88, 92]
 description = "check built-in string functions"
@@ -1575,7 +1575,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "indexOf8"
 query = '''
-file where opcode==0 and ~indexOf(file_name, "pLOrer.", 2) == 2
+file where opcode==0 and indexOf~(file_name, "pLOrer.", 2) == 2
 '''
 expected_event_ids  = [88, 92]
 description = "check substring ranges"
@@ -1599,7 +1599,7 @@ description = "check substring ranges"
 [[queries]]
 name = "indexOf11"
 query = '''
-file where opcode==0 and ~indexOf(file_name, "explorer.", 0) == 0
+file where opcode==0 and indexOf~(file_name, "explorer.", 0) == 0
 '''
 expected_event_ids  = [88, 92]
 description = "check substring ranges"
@@ -1901,14 +1901,14 @@ query = "file where serial_event_id % 40 == 2"
 name = "betweenCaseInsensitive1"
 expected_event_ids = [1, 2]
 query = '''
-process where ~between(process_name, "s", "E") : "yst"
+process where between~(process_name, "s", "E") : "yst"
 '''
 
 [[queries]]
 name = "betweenCaseInsensitive2"
 expected_event_ids = [1, 2]
 query = '''
-process where ~between(process_name, "s", "E", false) : "yst"
+process where between~(process_name, "s", "E", false) : "yst"
 '''
 
 [[queries]]
@@ -1929,7 +1929,7 @@ process where between(process_name, "S", "e", true) : "ystem Idle Proc"
 name = "betweenCaseInsensitive3"
 expected_event_ids = [1]
 query = '''
-process where ~between(process_name, "s", "e", true) : "ystem Idle Proc"
+process where between~(process_name, "s", "e", true) : "ystem Idle Proc"
 '''
 
 [[queries]]

x-pack/plugin/eql/src/main/antlr/EqlBase.g4

@@ -228,7 +228,7 @@ QUOTED_IDENTIFIER
     ;
 
 TILDE_IDENTIFIER
-    : '~' LETTER (LETTER | DIGIT | '_')*
+    : LETTER (LETTER | DIGIT | '_')* '~'
     ;
 
 eventValue

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java

@@ -106,7 +106,7 @@ public EqlBaseLexer(CharStream input) {
   public ATN getATN() { return _ATN; }
 
   public static final String _serializedATN =
-    "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2/\u01a6\b\1\4\2\t"+
+    "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2/\u01a7\b\1\4\2\t"+
     "\2\4\3\t\3\4\4\t\4\4\5\t\5\4\6\t\6\4\7\t\7\4\b\t\b\4\t\t\t\4\n\t\n\4\13"+
     "\t\13\4\f\t\f\4\r\t\r\4\16\t\16\4\17\t\17\4\20\t\20\4\21\t\21\4\22\t\22"+
     "\4\23\t\23\4\24\t\24\4\25\t\25\4\26\t\26\4\27\t\27\4\30\t\30\4\31\t\31"+
@@ -129,17 +129,17 @@ public EqlBaseLexer(CharStream input) {
     "\n(\r(\16(\u0135\3(\6(\u0139\n(\r(\16(\u013a\3(\3(\7(\u013f\n(\f(\16("+
     "\u0142\13(\5(\u0144\n(\3(\3(\3(\3(\6(\u014a\n(\r(\16(\u014b\3(\3(\5(\u0150"+
     "\n(\3)\3)\5)\u0154\n)\3)\3)\3)\7)\u0159\n)\f)\16)\u015c\13)\3*\3*\3*\3"+
-    "*\7*\u0162\n*\f*\16*\u0165\13*\3*\3*\3+\3+\3+\3+\3+\7+\u016e\n+\f+\16"+
-    "+\u0171\13+\3,\3,\5,\u0175\n,\3,\6,\u0178\n,\r,\16,\u0179\3-\3-\3.\3."+
-    "\3/\3/\3/\3/\7/\u0184\n/\f/\16/\u0187\13/\3/\5/\u018a\n/\3/\5/\u018d\n"+
-    "/\3/\3/\3\60\3\60\3\60\3\60\3\60\7\60\u0196\n\60\f\60\16\60\u0199\13\60"+
-    "\3\60\3\60\3\60\3\60\3\60\3\61\6\61\u01a1\n\61\r\61\16\61\u01a2\3\61\3"+
-    "\61\4\u0111\u0197\2\62\3\3\5\4\7\5\t\6\13\7\r\b\17\t\21\n\23\13\25\f\27"+
+    "*\7*\u0162\n*\f*\16*\u0165\13*\3*\3*\3+\3+\3+\3+\7+\u016d\n+\f+\16+\u0170"+
+    "\13+\3+\3+\3,\3,\5,\u0176\n,\3,\6,\u0179\n,\r,\16,\u017a\3-\3-\3.\3.\3"+
+    "/\3/\3/\3/\7/\u0185\n/\f/\16/\u0188\13/\3/\5/\u018b\n/\3/\5/\u018e\n/"+
+    "\3/\3/\3\60\3\60\3\60\3\60\3\60\7\60\u0197\n\60\f\60\16\60\u019a\13\60"+
+    "\3\60\3\60\3\60\3\60\3\60\3\61\6\61\u01a2\n\61\r\61\16\61\u01a3\3\61\3"+
+    "\61\4\u0111\u0198\2\62\3\3\5\4\7\5\t\6\13\7\r\b\17\t\21\n\23\13\25\f\27"+
     "\r\31\16\33\17\35\20\37\21!\22#\23%\24\'\25)\26+\27-\30/\31\61\32\63\33"+
     "\65\34\67\359\36;\37= ?!A\"C#E$G%I&K\'M(O)Q*S+U,W\2Y\2[\2]-_.a/\3\2\17"+
     "\n\2$$))^^ddhhppttvv\6\2\f\f\17\17))^^\6\2\f\f\17\17$$^^\5\2\f\f\17\17"+
     "$$\5\2\f\f\17\17))\4\2\f\f\17\17\4\2BBaa\3\2bb\4\2GGgg\4\2--//\3\2\62"+
-    ";\4\2C\\c|\5\2\13\f\17\17\"\"\u01cd\2\3\3\2\2\2\2\5\3\2\2\2\2\7\3\2\2"+
+    ";\4\2C\\c|\5\2\13\f\17\17\"\"\u01ce\2\3\3\2\2\2\2\5\3\2\2\2\2\7\3\2\2"+
     "\2\2\t\3\2\2\2\2\13\3\2\2\2\2\r\3\2\2\2\2\17\3\2\2\2\2\21\3\2\2\2\2\23"+
     "\3\2\2\2\2\25\3\2\2\2\2\27\3\2\2\2\2\31\3\2\2\2\2\33\3\2\2\2\2\35\3\2"+
     "\2\2\2\37\3\2\2\2\2!\3\2\2\2\2#\3\2\2\2\2%\3\2\2\2\2\'\3\2\2\2\2)\3\2"+
@@ -156,8 +156,8 @@ public EqlBaseLexer(CharStream input) {
     "\3\2\2\2;\u00ce\3\2\2\2=\u00d0\3\2\2\2?\u00d2\3\2\2\2A\u00d4\3\2\2\2C"+
     "\u00d6\3\2\2\2E\u00d8\3\2\2\2G\u00da\3\2\2\2I\u00dc\3\2\2\2K\u011e\3\2"+
     "\2\2M\u0121\3\2\2\2O\u014f\3\2\2\2Q\u0153\3\2\2\2S\u015d\3\2\2\2U\u0168"+
-    "\3\2\2\2W\u0172\3\2\2\2Y\u017b\3\2\2\2[\u017d\3\2\2\2]\u017f\3\2\2\2_"+
-    "\u0190\3\2\2\2a\u01a0\3\2\2\2cd\7c\2\2de\7p\2\2ef\7f\2\2f\4\3\2\2\2gh"+
+    "\3\2\2\2W\u0173\3\2\2\2Y\u017c\3\2\2\2[\u017e\3\2\2\2]\u0180\3\2\2\2_"+
+    "\u0191\3\2\2\2a\u01a1\3\2\2\2cd\7c\2\2de\7p\2\2ef\7f\2\2f\4\3\2\2\2gh"+
     "\7c\2\2hi\7p\2\2ij\7{\2\2j\6\3\2\2\2kl\7d\2\2lm\7{\2\2m\b\3\2\2\2no\7"+
     "h\2\2op\7c\2\2pq\7n\2\2qr\7u\2\2rs\7g\2\2s\n\3\2\2\2tu\7k\2\2uv\7p\2\2"+
     "v\f\3\2\2\2wx\7l\2\2xy\7q\2\2yz\7k\2\2z{\7p\2\2{\16\3\2\2\2|}\7o\2\2}"+
@@ -231,31 +231,31 @@ public EqlBaseLexer(CharStream input) {
     "\u015c\u015a\3\2\2\2\u015d\u0163\7b\2\2\u015e\u0162\n\t\2\2\u015f\u0160"+
     "\7b\2\2\u0160\u0162\7b\2\2\u0161\u015e\3\2\2\2\u0161\u015f\3\2\2\2\u0162"+
     "\u0165\3\2\2\2\u0163\u0161\3\2\2\2\u0163\u0164\3\2\2\2\u0164\u0166\3\2"+
-    "\2\2\u0165\u0163\3\2\2\2\u0166\u0167\7b\2\2\u0167T\3\2\2\2\u0168\u0169"+
-    "\7\u0080\2\2\u0169\u016f\5[.\2\u016a\u016e\5[.\2\u016b\u016e\5Y-\2\u016c"+
-    "\u016e\7a\2\2\u016d\u016a\3\2\2\2\u016d\u016b\3\2\2\2\u016d\u016c\3\2"+
-    "\2\2\u016e\u0171\3\2\2\2\u016f\u016d\3\2\2\2\u016f\u0170\3\2\2\2\u0170"+
-    "V\3\2\2\2\u0171\u016f\3\2\2\2\u0172\u0174\t\n\2\2\u0173\u0175\t\13\2\2"+
-    "\u0174\u0173\3\2\2\2\u0174\u0175\3\2\2\2\u0175\u0177\3\2\2\2\u0176\u0178"+
-    "\5Y-\2\u0177\u0176\3\2\2\2\u0178\u0179\3\2\2\2\u0179\u0177\3\2\2\2\u0179"+
-    "\u017a\3\2\2\2\u017aX\3\2\2\2\u017b\u017c\t\f\2\2\u017cZ\3\2\2\2\u017d"+
-    "\u017e\t\r\2\2\u017e\\\3\2\2\2\u017f\u0180\7\61\2\2\u0180\u0181\7\61\2"+
-    "\2\u0181\u0185\3\2\2\2\u0182\u0184\n\7\2\2\u0183\u0182\3\2\2\2\u0184\u0187"+
-    "\3\2\2\2\u0185\u0183\3\2\2\2\u0185\u0186\3\2\2\2\u0186\u0189\3\2\2\2\u0187"+
-    "\u0185\3\2\2\2\u0188\u018a\7\17\2\2\u0189\u0188\3\2\2\2\u0189\u018a\3"+
-    "\2\2\2\u018a\u018c\3\2\2\2\u018b\u018d\7\f\2\2\u018c\u018b\3\2\2\2\u018c"+
-    "\u018d\3\2\2\2\u018d\u018e\3\2\2\2\u018e\u018f\b/\2\2\u018f^\3\2\2\2\u0190"+
-    "\u0191\7\61\2\2\u0191\u0192\7,\2\2\u0192\u0197\3\2\2\2\u0193\u0196\5_"+
-    "\60\2\u0194\u0196\13\2\2\2\u0195\u0193\3\2\2\2\u0195\u0194\3\2\2\2\u0196"+
-    "\u0199\3\2\2\2\u0197\u0198\3\2\2\2\u0197\u0195\3\2\2\2\u0198\u019a\3\2"+
-    "\2\2\u0199\u0197\3\2\2\2\u019a\u019b\7,\2\2\u019b\u019c\7\61\2\2\u019c"+
-    "\u019d\3\2\2\2\u019d\u019e\b\60\2\2\u019e`\3\2\2\2\u019f\u01a1\t\16\2"+
-    "\2\u01a0\u019f\3\2\2\2\u01a1\u01a2\3\2\2\2\u01a2\u01a0\3\2\2\2\u01a2\u01a3"+
-    "\3\2\2\2\u01a3\u01a4\3\2\2\2\u01a4\u01a5\b\61\2\2\u01a5b\3\2\2\2\'\2\u00e2"+
-    "\u00e4\u00ec\u00ee\u00f8\u00fa\u0104\u0106\u0111\u0119\u011c\u011e\u0123"+
-    "\u0128\u012e\u0135\u013a\u0140\u0143\u014b\u014f\u0153\u0158\u015a\u0161"+
-    "\u0163\u016d\u016f\u0174\u0179\u0185\u0189\u018c\u0195\u0197\u01a2\3\2"+
-    "\3\2";
+    "\2\2\u0165\u0163\3\2\2\2\u0166\u0167\7b\2\2\u0167T\3\2\2\2\u0168\u016e"+
+    "\5[.\2\u0169\u016d\5[.\2\u016a\u016d\5Y-\2\u016b\u016d\7a\2\2\u016c\u0169"+
+    "\3\2\2\2\u016c\u016a\3\2\2\2\u016c\u016b\3\2\2\2\u016d\u0170\3\2\2\2\u016e"+
+    "\u016c\3\2\2\2\u016e\u016f\3\2\2\2\u016f\u0171\3\2\2\2\u0170\u016e\3\2"+
+    "\2\2\u0171\u0172\7\u0080\2\2\u0172V\3\2\2\2\u0173\u0175\t\n\2\2\u0174"+
+    "\u0176\t\13\2\2\u0175\u0174\3\2\2\2\u0175\u0176\3\2\2\2\u0176\u0178\3"+
+    "\2\2\2\u0177\u0179\5Y-\2\u0178\u0177\3\2\2\2\u0179\u017a\3\2\2\2\u017a"+
+    "\u0178\3\2\2\2\u017a\u017b\3\2\2\2\u017bX\3\2\2\2\u017c\u017d\t\f\2\2"+
+    "\u017dZ\3\2\2\2\u017e\u017f\t\r\2\2\u017f\\\3\2\2\2\u0180\u0181\7\61\2"+
+    "\2\u0181\u0182\7\61\2\2\u0182\u0186\3\2\2\2\u0183\u0185\n\7\2\2\u0184"+
+    "\u0183\3\2\2\2\u0185\u0188\3\2\2\2\u0186\u0184\3\2\2\2\u0186\u0187\3\2"+
+    "\2\2\u0187\u018a\3\2\2\2\u0188\u0186\3\2\2\2\u0189\u018b\7\17\2\2\u018a"+
+    "\u0189\3\2\2\2\u018a\u018b\3\2\2\2\u018b\u018d\3\2\2\2\u018c\u018e\7\f"+
+    "\2\2\u018d\u018c\3\2\2\2\u018d\u018e\3\2\2\2\u018e\u018f\3\2\2\2\u018f"+
+    "\u0190\b/\2\2\u0190^\3\2\2\2\u0191\u0192\7\61\2\2\u0192\u0193\7,\2\2\u0193"+
+    "\u0198\3\2\2\2\u0194\u0197\5_\60\2\u0195\u0197\13\2\2\2\u0196\u0194\3"+
+    "\2\2\2\u0196\u0195\3\2\2\2\u0197\u019a\3\2\2\2\u0198\u0199\3\2\2\2\u0198"+
+    "\u0196\3\2\2\2\u0199\u019b\3\2\2\2\u019a\u0198\3\2\2\2\u019b\u019c\7,"+
+    "\2\2\u019c\u019d\7\61\2\2\u019d\u019e\3\2\2\2\u019e\u019f\b\60\2\2\u019f"+
+    "`\3\2\2\2\u01a0\u01a2\t\16\2\2\u01a1\u01a0\3\2\2\2\u01a2\u01a3\3\2\2\2"+
+    "\u01a3\u01a1\3\2\2\2\u01a3\u01a4\3\2\2\2\u01a4\u01a5\3\2\2\2\u01a5\u01a6"+
+    "\b\61\2\2\u01a6b\3\2\2\2\'\2\u00e2\u00e4\u00ec\u00ee\u00f8\u00fa\u0104"+
+    "\u0106\u0111\u0119\u011c\u011e\u0123\u0128\u012e\u0135\u013a\u0140\u0143"+
+    "\u014b\u014f\u0153\u0158\u015a\u0161\u0163\u016c\u016e\u0175\u017a\u0186"+
+    "\u018a\u018d\u0196\u0198\u01a3\3\2\3\2";
   public static final ATN _ATN =
     new ATNDeserializer().deserialize(_serializedATN.toCharArray());
   static {