
Commit a388f70

authored
EQL: Remove "wildcard" function (#76099)
This removes "wildcard" as an available function in EQL. It has already been replaced with the "like" and "regex" embedded syntax (and their respective case-insensitive variants).
1 parent 5424748 commit a388f70


10 files changed

+19
-276
lines changed


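--- a/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml
+++ b/x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml
@@ -273,20 +273,6 @@ file where file_name : ("winini?.exe", "lsass.e?e") and opcode == 2
 '''
 expected_event_ids = [65, 86]
 
-[[queries]]
-name = "wildcardFunctionWildcardPattern"
-query = '''
-file where wildcard(file_name, "winini*.exe", "lsass.*") and opcode == 2
-'''
-expected_event_ids = [65, 86]
-
-[[queries]]
-name = "wildcardFunctionQuestionMarkPattern"
-query = '''
-file where wildcard(file_name, "winini?.exe", "lsass.e?e") and opcode == 2
-'''
-expected_event_ids = [65, 86]
-
 [[queries]]
 name = "insensitiveInSingleArg"
 query = 'process where string(serial_event_id) in~ ("1")'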

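--- a/x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/queries.toml
+++ b/x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/queries.toml
@@ -349,13 +349,13 @@ expected_event_ids = [3299718, 3364047]
 filter_counts = [24, 3, 37]
 filters = [
 'process where process_name == "powershell.exe" and opcode == 1',
-'powershell where wildcard(message, "*Get-NetShare*") == true',
+'powershell where message like "*Get-NetShare*"',
 'process where process_name == "powershell.exe" and opcode == 2'
 ]
 query = '''
 sequence by hostname, unique_pid
 [process where process_name == "powershell.exe" and opcode == 1]
-[powershell where wildcard(message, "*Get-NetShare*") == true]
+[powershell where message like "*Get-NetShare*"]
 until
 [process where process_name == "powershell.exe" and opcode == 2]
 '''
@@ -444,17 +444,17 @@ count = 1
 expected_event_ids = [2732749, 2732788]
 filter_counts = [89, 1]
 filters = [
-'''file where file_extension in ("exe", "EXE", "Exe", "scr") and wildcard(file_path, "C:\\Users*", "C:\\ProgramData*") and file_name != "DismHost.exe"''',
-'''process where opcode == 1 and signature_status == "noSignature" and wildcard(process_path, "C:\\Users*", "C:\\ProgramData*")'''
+'''file where file_extension in ("exe", "EXE", "Exe", "scr") and file_path like ("C:\\Users*", "C:\\ProgramData*") and file_name != "DismHost.exe"''',
+'''process where opcode == 1 and signature_status == "noSignature" and process_path like ("C:\\Users*", "C:\\ProgramData*")'''
 ]
 query = '''
 sequence by hostname with maxspan=5m
 [file where file_extension in ("exe", "EXE", "Exe", "scr")
-and wildcard(file_path, "C:\\Users*", "C:\\ProgramData*")
+and file_path like ("C:\\Users*", "C:\\ProgramData*")
 and file_name != "DismHost.exe"
 ] by process_path
 [process where opcode == 1 and signature_status == "noSignature"
-and wildcard(process_path, "C:\\Users*", "C:\\ProgramData*")
+and process_path like ("C:\\Users*", "C:\\ProgramData*")
 ] by parent_process_path
 '''
 time = 7.179757833480835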

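--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/EqlFunctionRegistry.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/EqlFunctionRegistry.java
@@ -18,7 +18,6 @@
 import org.elasticsearch.xpack.eql.expression.function.scalar.string.StringContains;
 import org.elasticsearch.xpack.eql.expression.function.scalar.string.Substring;
 import org.elasticsearch.xpack.eql.expression.function.scalar.string.ToString;
-import org.elasticsearch.xpack.eql.expression.function.scalar.string.Wildcard;
 import org.elasticsearch.xpack.ql.ParsingException;
 import org.elasticsearch.xpack.ql.QlIllegalArgumentException;
 import org.elasticsearch.xpack.ql.expression.Expression;
@@ -66,7 +65,6 @@ private FunctionDefinition[][] functions() {
 def(ToString.class, ToString::new, "string"),
 def(StringContains.class, StringContains::new, "stringcontains"),
 def(Substring.class, Substring::new, "substring"),
-def(Wildcard.class, Wildcard::new, "wildcard"),
 },
 // Arithmetic
 new FunctionDefinition[]{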

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/scalar/string/Wildcard.java

Lines changed: 0 additions & 102 deletions
This file was deleted.

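--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/ExpressionBuilder.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/ExpressionBuilder.java
@@ -12,7 +12,6 @@
 import org.antlr.v4.runtime.tree.TerminalNode;
 import org.elasticsearch.xpack.eql.expression.function.EqlFunctionResolution;
 import org.elasticsearch.xpack.eql.expression.function.scalar.string.Match;
-import org.elasticsearch.xpack.eql.expression.function.scalar.string.Wildcard;
 import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveEquals;
 import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveWildcardEquals;
 import org.elasticsearch.xpack.eql.parser.EqlBaseParser.ArithmeticUnaryContext;
@@ -48,6 +47,7 @@
 import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.LessThan;
 import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.LessThanOrEqual;
 import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.NotEquals;
+import org.elasticsearch.xpack.ql.expression.predicate.regex.Like;
 import org.elasticsearch.xpack.ql.tree.Source;
 import org.elasticsearch.xpack.ql.type.DataType;
 import org.elasticsearch.xpack.ql.type.DataTypes;
@@ -58,6 +58,7 @@
 
 import static java.util.Collections.emptyList;
 import static java.util.stream.Collectors.toList;
+import static org.elasticsearch.xpack.eql.util.StringUtils.toLikePattern;
 import static org.elasticsearch.xpack.ql.parser.ParserUtils.source;
 import static org.elasticsearch.xpack.ql.parser.ParserUtils.typedParsing;
 import static org.elasticsearch.xpack.ql.parser.ParserUtils.visitList;
@@ -176,12 +177,8 @@ public Expression visitOperatorExpressionDefault(EqlBaseParser.OperatorExpressio
 return combineExpressions(predicate.constant(), c -> new InsensitiveWildcardEquals(source, expr, c, zoneId));
 case EqlBaseParser.LIKE:
 case EqlBaseParser.LIKE_INSENSITIVE:
-return new Wildcard(
-source,
-expr,
-expressions(predicate.constant()),
-predicate.kind.getType() == EqlBaseParser.LIKE_INSENSITIVE
-);
+return combineExpressions(predicate.constant(), e -> new Like(source, expr,
+toLikePattern(e.fold().toString()), predicate.kind.getType() == EqlBaseParser.LIKE_INSENSITIVE));
 case EqlBaseParser.REGEX:
 case EqlBaseParser.REGEX_INSENSITIVE:
 return new Match(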
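Review bot: The new LIKE branch calls `e.fold().toString()` on every element of `predicate.constant()` without checking that the folded value is a non-null string, whereas the removed `Wildcard` path surfaced a verification error for a non-string pattern (the `testWildcardWithNumericPattern` case deleted in QueryTranslatorFailTests.java has no `like` counterpart). If the `constant` grammar rule admits numeric or `null` literals — I cannot see the grammar from this hunk — a numeric literal is silently turned into a pattern such as `"1"` and a `null` literal fails with a NullPointerException inside the parser instead of a ParsingException. A small guard before constructing the `Like`, e.g. `Object folded = e.fold(); if (folded instanceof String == false) { throw new ParsingException(source, "pattern of [like] must be a string literal"); }`, would keep the previous error behaviour, and a `like`-based version of the dropped numeric-pattern test would pin it. visitOperatorExpressionDefault begins and ends outside this hunk.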

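--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryTranslatorFailTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryTranslatorFailTests.java
@@ -206,34 +206,11 @@ public void testStringContainsWrongParams() {
 error("process where stringContains(process_name, 1)"));
 }
 
-public void testWildcardNotEnoughArguments() {
-ParsingException e = expectThrows(ParsingException.class,
-() -> plan("process where wildcard(process_name)"));
-String msg = e.getMessage();
-assertEquals("line 1:16: error building [wildcard]: expects at least two arguments", msg);
-}
-
-public void testWildcardAgainstVariable() {
-VerificationException e = expectThrows(VerificationException.class,
-() -> plan("process where wildcard(process_name, parent_process_name)"));
-String msg = e.getMessage();
-assertEquals("Found 1 problem\nline 1:15: second argument of [wildcard(process_name, parent_process_name)] " +
-"must be a constant, received [parent_process_name]", msg);
-}
-
-public void testWildcardWithNumericPattern() {
-VerificationException e = expectThrows(VerificationException.class,
-() -> plan("process where wildcard(process_name, 1)"));
-String msg = e.getMessage();
-assertEquals("Found 1 problem\n" +
-"line 1:15: second argument of [wildcard(process_name, 1)] must be [string], found value [1] type [integer]", msg);
-}
-
-public void testWildcardWithNumericField() {
+public void testLikeWithNumericField() {
 VerificationException e = expectThrows(VerificationException.class,
-() -> plan("process where wildcard(pid, \"*.exe\")"));
+() -> plan("process where pid like \"*.exe\""));
 String msg = e.getMessage();
 assertEquals("Found 1 problem\n" +
-"line 1:15: first argument of [wildcard(pid, \"*.exe\")] must be [string], found value [pid] type [long]", msg);
+"line 1:15: argument of [pid like \"*.exe\"] must be [string], found value [pid] type [long]", msg);
 }
 }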

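--- a/x-pack/plugin/eql/src/test/resources/queries-supported.eql
+++ b/x-pack/plugin/eql/src/test/resources/queries-supported.eql
@@ -1,6 +1,6 @@
 process where process_name : "svchost.exe" and command_line != "* -k *";
 process where process_name in ("ipconfig.exe", "netstat.exe", "systeminfo.exe", "route.exe");
-process where subtype.create and wildcard(command_line, "*.ost *", "*.pst *")
+process where subtype.create and command_line like ("*.ost *", "*.pst *")
 ;
 
 process where subtype.create and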

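--- a/x-pack/plugin/eql/src/test/resources/querytranslator_tests.txt
+++ b/x-pack/plugin/eql/src/test/resources/querytranslator_tests.txt
@@ -463,49 +463,6 @@ process where serial_event_id == number("0x32", 16);
 ;
 
 
-wildcardFunctionSingleArgument
-process where wildcard(process_path, "*\\red_ttp\\wininit.*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","boost":1.0}}
-;
-
-wildcardFunctionTwoArguments
-process where wildcard(process_path, "*\\red_ttp\\wininit.*", "*\\abc\\*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*\\\\abc\\\\*","boost":1.0}}
-;
-
-wildcardFunctionThreeArguments
-process where wildcard(process_path, "*\\red_ttp\\wininit.*", "*\\abc\\*", "*def*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*\\\\abc\\\\*","boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*def*","boost":1.0}}
-;
-
-wildcardFunctionSingleArgument-insensitive
-process where wildcard~(process_path, "*\\red_ttp\\wininit.*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","case_insensitive":true,"boost":1.0}}
-;
-
-wildcardFunctionTwoArguments-insensitive
-process where wildcard~(process_path, "*\\red_ttp\\wininit.*", "*\\abc\\*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","case_insensitive":true,"boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*\\\\abc\\\\*","case_insensitive":true,"boost":1.0}}
-;
-
-wildcardFunctionThreeArguments-insensitive
-process where wildcard~(process_path, "*\\red_ttp\\wininit.*", "*\\abc\\*", "*def*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","case_insensitive":true,"boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*\\\\abc\\\\*","case_insensitive":true,"boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*def*","case_insensitive":true,"boost":1.0}}
-;
-
-
 addOperator
 process where serial_event_id + 2 == -2147483647
 ;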

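--- a/x-pack/plugin/eql/src/test/resources/test_string_functions.toml
+++ b/x-pack/plugin/eql/src/test/resources/test_string_functions.toml
@@ -411,73 +411,3 @@ description = "Test the `substring` function when the case already matches"
 [[substring.fold.tests]]
 expression = '''substring("hello world", -5, -1)'''
 expected = "worl"
-
-[wildcard]
-description = "Test that `wildcard` folds with correct case matches."
-
-[[wildcard.fold.tests]]
-expression = 'wildcard(null, "f*o*o*")'
-# expected = null
-
-[[wildcard.fold.tests]]
-expression = 'wildcard("Foo", "F*o*o*")'
-expected = true
-
-[[wildcard.fold.tests]]
-expression = 'wildcard("Foo", "*Foo")'
-expected = true
-
-[[wildcard.fold.tests]]
-expression = 'wildcard("Foo", "*Foo*")'
-expected = true
-
-[[wildcard.fold.tests]]
-expression = 'wildcard("Foo", "*")'
-expected = true
-
-[[wildcard.fold.tests]]
-expression = 'wildcard("Foo", "Bar*")'
-expected = false
-
-[[wildcard.fold.tests]]
-expression = 'wildcard("Foo", "*Bar*")'
-expected = false
-
-[[wildcard.fold.tests]]
-expression = 'wildcard("Foo", "*Bar*", "Baz*")'
-expected = false
-
-[[wildcard.fold.tests]]
-expression = 'wildcard("Foo", "Foo*", "*Bar*", "Baz*")'
-expected = true
-
-[[wildcard.fold.tests]]
-expression = 'wildcard("Bar", "Foo*", "*Bar*", "Baz*")'
-expected = true
-
-[[wildcard.fold.tests]]
-expression = 'wildcard("Baz", "Foo*", "*Bar*", "Baz*")'
-expected = true
-
-[wildcard_case_insensitive]
-description = "Test that `wildcard` function folds case insensitive as expected."
-
-[[wildcard_case_insensitive.fold.tests]]
-expression = 'wildcard("FOO", "f*o*o*")'
-expected = false
-
-[[wildcard_case_insensitive.fold.tests]]
-expression = 'wildcard("bar", "f*o*o*")'
-expected = false
-
-
-[wildcard_case_sensitive]
-description = "Test that `wildcard` folds case-sensitive matches."
-
-[[wildcard_case_sensitive.fold.tests]]
-expression = 'wildcard("Foo", "F*o*o*")'
-expected = true
-
-[[wildcard_case_sensitive.fold.tests]]
-expression = 'wildcard("foo", "F*o*o*")'
-expected = false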
