EQL: make endsWith function use a wildcard ES query wherever possible (#61160)

Author: astefan

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/scalar/string/EndsWith.java

@@ -64,6 +64,14 @@ protected TypeResolution resolveType() {
         return isStringAndExact(pattern, sourceText(), ParamOrdinal.SECOND);
     }
 
+    public Expression input() {
+        return input;
+    }
+
+    public Expression pattern() {
+        return pattern;
+    }
+
     @Override
     protected Pipe makePipe() {
         return new EndsWithFunctionPipe(source(), this, Expressions.pipe(input), Expressions.pipe(pattern), isCaseSensitive());

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/planner/QueryTranslator.java

@@ -7,6 +7,7 @@
 package org.elasticsearch.xpack.eql.planner;
 
 import org.elasticsearch.xpack.eql.expression.function.scalar.string.CIDRMatch;
+import org.elasticsearch.xpack.eql.expression.function.scalar.string.EndsWith;
 import org.elasticsearch.xpack.eql.expression.function.scalar.string.StringContains;
 import org.elasticsearch.xpack.ql.QlIllegalArgumentException;
 import org.elasticsearch.xpack.ql.expression.Expression;
@@ -41,9 +42,6 @@ final class QueryTranslator {
             new ExpressionTranslators.Nots(),
             new ExpressionTranslators.Likes(),
             new ExpressionTranslators.InComparisons(),
-            new ExpressionTranslators.StringQueries(),
-            new ExpressionTranslators.Matches(),
-            new ExpressionTranslators.MultiMatches(),
             new CaseSensitiveScalarFunctions(),
             new Scalars()
     );
@@ -132,15 +130,20 @@ public static Query doTranslate(CaseSensitiveScalarFunction f, TranslatorHandler
                 StringContains sc = (StringContains) f;
                 field = sc.string();
                 constant = sc.substring();
+            } else if (f instanceof EndsWith) {
+                EndsWith ew = (EndsWith) f;
+                field = ew.input();
+                constant = ew.pattern();
             } else {
                 return null;
             }
 
             if (field instanceof FieldAttribute && constant.foldable()) {
                 String targetFieldName = handler.nameOf(((FieldAttribute) field).exactAttribute());
                 String substring = (String) constant.fold();
+                String query = "*" + substring + (f instanceof StringContains ? "*" : "");
 
-                return new WildcardQuery(f.source(), targetFieldName, "*" + substring + "*");
+                return new WildcardQuery(f.source(), targetFieldName, query);
             }
 
             return null;

x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt

@@ -105,13 +105,8 @@ process where cidrMatch(source_address, "10.0.0.0/8") != false
 twoFunctionsEqualsBooleanLiterals-caseSensitive
 process where endsWith(process_path, 'x') == true and endsWith(process_path, 'yx') == false
 ;
-"bool":{"must":[{"term":{"event.category":{"value":"process"
-"must":[{"script":{"script":{"source":"InternalQlScriptUtils.nullSafeFilter(
-InternalEqlScriptUtils.endsWith(InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2))","lang":"painless",
-"params":{"v0":"process_path","v1":"x","v2":true}}
-"script":{"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.not(
-InternalEqlScriptUtils.endsWith(InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2)))","lang":"painless",
-"params":{"v0":"process_path","v1":"yx","v2":true}}
+{"bool":{"must":[{"wildcard":{"process_path":{"wildcard":"*x","boost":1.0}}},
+{"bool":{"must_not":[{"wildcard":{"process_path":{"wildcard":"*yx","boost":1.0}}}],"boost":1.0}}],"boost":1.0}}
 ;
 
 twoFunctionsEqualsBooleanLiterals-caseInsensitive
@@ -126,12 +121,18 @@ InternalEqlScriptUtils.endsWith(InternalQlScriptUtils.docValue(doc,params.v0),pa
 "params":{"v0":"process_path","v1":"yx","v2":false}}
 ;
 
-endsWithFunction-caseSensitive
+endsWithKeywordFieldFunction-caseSensitive
 process where endsWith(user_name, 'c')
 ;
-"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalEqlScriptUtils.endsWith(
-InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2))",
-"params":{"v0":"user_name","v1":"c","v2":true}}
+{"bool":{"must":[{"term":{"event.category":{"value":"process","boost":1.0}}},
+{"wildcard":{"user_name":{"wildcard":"*c","boost":1.0}}}],"boost":1.0}}
+;
+
+endsWithWildcardSubFieldFunction-caseSensitive
+process where endsWith(hostname, 'c')
+;
+{"bool":{"must":[{"term":{"event.category":{"value":"process","boost":1.0}}},
+{"wildcard":{"hostname.keyword":{"wildcard":"*c","boost":1.0}}}],"boost":1.0}}
 ;
 
 endsWithFunction-caseInsensitive