EQL: consistent naming for event type vs event category (#53073) (#53090)

Related to #52941

Author: aleksmaus

client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java

@@ -37,16 +37,16 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
     private IndicesOptions indicesOptions = IndicesOptions.fromOptions(false, false, true, false);
 
     private QueryBuilder filter = null;
-    private String timestampField = "timestamp";
-    private String eventTypeField = "event_type";
+    private String timestampField = "@timestamp";
+    private String eventCategoryField = "event.category";
     private String implicitJoinKeyField = "agent.id";
     private int fetchSize = 50;
     private SearchAfterBuilder searchAfterBuilder;
     private String query;
 
     static final String KEY_FILTER = "filter";
     static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
-    static final String KEY_EVENT_TYPE_FIELD = "event_type_field";
+    static final String KEY_EVENT_CATEGORY_FIELD = "event_category_field";
     static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
     static final String KEY_SIZE = "size";
     static final String KEY_SEARCH_AFTER = "search_after";
@@ -64,7 +64,7 @@ public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params par
             builder.field(KEY_FILTER, filter);
         }
         builder.field(KEY_TIMESTAMP_FIELD, timestampField());
-        builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField());
+        builder.field(KEY_EVENT_CATEGORY_FIELD, eventCategoryField());
         if (implicitJoinKeyField != null) {
             builder.field(KEY_IMPLICIT_JOIN_KEY_FIELD, implicitJoinKeyField());
         }
@@ -107,13 +107,13 @@ public EqlSearchRequest timestampField(String timestampField) {
         return this;
     }
 
-    public String eventTypeField() {
-        return this.eventTypeField;
+    public String eventCategoryField() {
+        return this.eventCategoryField;
     }
 
-    public EqlSearchRequest eventTypeField(String eventTypeField) {
-        Objects.requireNonNull(eventTypeField, "event type field must not be null");
-        this.eventTypeField = eventTypeField;
+    public EqlSearchRequest eventCategoryField(String eventCategoryField) {
+        Objects.requireNonNull(eventCategoryField, "event category field must not be null");
+        this.eventCategoryField = eventCategoryField;
         return this;
     }
 
@@ -180,7 +180,7 @@ public boolean equals(Object o) {
                 Objects.equals(indicesOptions, that.indicesOptions) &&
                 Objects.equals(filter, that.filter) &&
                 Objects.equals(timestampField, that.timestampField) &&
-                Objects.equals(eventTypeField, that.eventTypeField) &&
+                Objects.equals(eventCategoryField, that.eventCategoryField) &&
                 Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
                 Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
                 Objects.equals(query, that.query);
@@ -194,7 +194,7 @@ public int hashCode() {
             filter,
             fetchSize,
             timestampField,
-            eventTypeField,
+            eventCategoryField,
             implicitJoinKeyField,
             searchAfterBuilder,
             query);

client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java

@@ -42,14 +42,16 @@ public void setupRemoteClusterConfig() throws Exception {
     public void testBasicSearch() throws Exception {
         Request doc1 = new Request(HttpPut.METHOD_NAME, "/index/_doc/1");
         doc1.setJsonEntity("{\"event_subtype_full\": \"already_running\", " +
-                "\"event_type\": \"process\", " +
+                "\"event\": {" +
+                    "\"category\": \"process\"" +
+                "}," +
                 "\"event_type_full\": \"process_event\", " +
                 "\"opcode\": 3," +
                 "\"pid\": 0," +
                 "\"process_name\": \"System Idle Process\"," +
                 "\"serial_event_id\": 1," +
                 "\"subtype\": \"create\"," +
-                "\"timestamp\": 116444736000000000," +
+                "\"@timestamp\": 116444736000000000," +
                 "\"unique_pid\": 1}");
         client().performRequest(doc1);
         client().performRequest(new Request(HttpPost.METHOD_NAME, "/_refresh"));
@@ -78,8 +80,8 @@ public void testLargeMapping() throws Exception {
             sb.append("\"datetime" + i + "\":\"" + now + "\"");
             sb.append(",");
         }
-        sb.append("\"event_type\": \"process\",");
-        sb.append("\"timestamp\": \"2020-02-03T12:34:56Z\",");
+        sb.append("\"event\": {\"category\": \"process\"},");
+        sb.append("\"@timestamp\": \"2020-02-03T12:34:56Z\",");
         sb.append("\"serial_event_id\": 1");
         sb.append("}");
         doc1.setJsonEntity(sb.toString());

client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java

@@ -43,7 +43,7 @@ protected EqlSearchRequest createClientTestInstance() {
             EqlSearchRequest.implicitJoinKeyField(randomAlphaOfLength(10));
         }
         if (randomBoolean()) {
-            EqlSearchRequest.eventTypeField(randomAlphaOfLength(10));
+            EqlSearchRequest.eventCategoryField(randomAlphaOfLength(10));
         }
         if (randomBoolean()) {
             EqlSearchRequest.query(randomAlphaOfLength(10));
@@ -72,7 +72,7 @@ protected org.elasticsearch.xpack.eql.action.EqlSearchRequest doParseToServerIns
     @Override
     protected void assertInstances(org.elasticsearch.xpack.eql.action.EqlSearchRequest serverInstance, EqlSearchRequest
         clientTestInstance) {
-        assertThat(serverInstance.eventTypeField(), equalTo(clientTestInstance.eventTypeField()));
+        assertThat(serverInstance.eventCategoryField(), equalTo(clientTestInstance.eventCategoryField()));
         assertThat(serverInstance.implicitJoinKeyField(), equalTo(clientTestInstance.implicitJoinKeyField()));
         assertThat(serverInstance.timestampField(), equalTo(clientTestInstance.timestampField()));
         assertThat(serverInstance.filter(), equalTo(clientTestInstance.filter()));

docs/reference/eql/search.asciidoc

@@ -35,7 +35,7 @@ specified in the `query` parameter. The EQL query matches events with an
 ----
 GET sec_logs/_eql/search
 {
-  "event_type_field": "event.category",
+  "event_category_field": "event.category",
   "timestamp_field": "@timestamp",
   "query": """
     process where process.name == "cmd.exe"
@@ -89,9 +89,9 @@ The API returns the following response containing the matching event:
 [[eql-search-specify-event-type-field]]
 === Specify an event type field
 
-The EQL search API uses `event_type` as the required <<eql-required-fields,event
-type field>> by default. You can use the `event_type_field` parameter to specify
-another event type field.
+The EQL search API uses `event.category` as the required <<eql-required-fields,event
+category field>> by default. You can use the `event_category_field` parameter to specify
+another event category field.
 
 For example, the following request specifies `file.type` as the event type
 field.
@@ -100,7 +100,7 @@ field.
 ----
 GET sec_logs/_eql/search
 {
-  "event_type_field": "file.type",
+  "event_category_field": "file.type",
   "timestamp_field": "@timestamp",
   "query": """
     file where agent.id == "8a4f500d"
@@ -124,7 +124,7 @@ timestamp field.
 GET sec_logs/_eql/search
 {
   "timestamp_field": "file.accessed",
-  "event_type_field": "event.category",
+  "event_category_field": "event.category",
   "query": """
     file where (file.size > 1 and file.type == "file")
   """
@@ -148,7 +148,7 @@ filtered documents.
 ----
 GET sec_logs/_eql/search
 {
-  "event_type_field": "event.category",
+  "event_category_field": "event.category",
   "timestamp_field": "@timestamp",
   "filter": {
     "range" : {

docs/reference/eql/syntax.asciidoc

@@ -18,7 +18,7 @@ EQL queries require an event type and a matching condition. The `where` keyword
 
 [source,eql]
 ----
-event_type where condition
+event.category where condition
 ----
 
 For example, the following EQL query matches `process` events with a `process.name`

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java

@@ -46,8 +46,8 @@ static class SearchTestConfiguration {
         searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"\"}", 400, "query is null or empty"));
         searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"timestamp_field\": \"\"}",
             400, "timestamp field is null or empty"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"event_type_field\": \"\"}",
-            400, "event type field is null or empty"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"event_category_field\": \"\"}",
+            400, "event category field is null or empty"));
         searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"implicit_join_key_field\": \"\"}",
             400, "implicit join key field is null or empty"));
         searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"size\": 0}",

x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml

@@ -7,8 +7,9 @@ setup:
           - index:
               _index: eql_test
               _id:    1
-          - event_type: process
-            timestamp: 2020-02-03T12:34:56Z
+          - event:
+              - category: process
+            "@timestamp": 2020-02-03T12:34:56Z
             user: SYSTEM
 
 ---

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java

@@ -27,9 +27,9 @@
 
 import static org.elasticsearch.action.ValidateActions.addValidationError;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.FETCH_SIZE;
-import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_EVENT_TYPE;
+import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_EVENT_CATEGORY;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_TIMESTAMP;
-import static org.elasticsearch.xpack.eql.action.RequestDefaults.IMPLICIT_JOIN_KEY;
+import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_IMPLICIT_JOIN_KEY;
 
 public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Replaceable, ToXContent {
 
@@ -39,23 +39,23 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
 
     private QueryBuilder filter = null;
     private String timestampField = FIELD_TIMESTAMP;
-    private String eventTypeField = FIELD_EVENT_TYPE;
-    private String implicitJoinKeyField = IMPLICIT_JOIN_KEY;
+    private String eventCategoryField = FIELD_EVENT_CATEGORY;
+    private String implicitJoinKeyField = FIELD_IMPLICIT_JOIN_KEY;
     private int fetchSize = FETCH_SIZE;
     private SearchAfterBuilder searchAfterBuilder;
     private String query;
 
     static final String KEY_FILTER = "filter";
     static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
-    static final String KEY_EVENT_TYPE_FIELD = "event_type_field";
+    static final String KEY_EVENT_CATEGORY_FIELD = "event_category_field";
     static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
     static final String KEY_SIZE = "size";
     static final String KEY_SEARCH_AFTER = "search_after";
     static final String KEY_QUERY = "query";
 
     static final ParseField FILTER = new ParseField(KEY_FILTER);
     static final ParseField TIMESTAMP_FIELD = new ParseField(KEY_TIMESTAMP_FIELD);
-    static final ParseField EVENT_TYPE_FIELD = new ParseField(KEY_EVENT_TYPE_FIELD);
+    static final ParseField EVENT_CATEGORY_FIELD = new ParseField(KEY_EVENT_CATEGORY_FIELD);
     static final ParseField IMPLICIT_JOIN_KEY_FIELD = new ParseField(KEY_IMPLICIT_JOIN_KEY_FIELD);
     static final ParseField SIZE = new ParseField(KEY_SIZE);
     static final ParseField SEARCH_AFTER = new ParseField(KEY_SEARCH_AFTER);
@@ -73,7 +73,7 @@ public EqlSearchRequest(StreamInput in) throws IOException {
         indicesOptions = IndicesOptions.readIndicesOptions(in);
         filter = in.readOptionalNamedWriteable(QueryBuilder.class);
         timestampField = in.readString();
-        eventTypeField = in.readString();
+        eventCategoryField = in.readString();
         implicitJoinKeyField = in.readString();
         fetchSize = in.readVInt();
         searchAfterBuilder = in.readOptionalWriteable(SearchAfterBuilder::new);
@@ -104,11 +104,11 @@ public ActionRequestValidationException validate() {
         }
 
         if (timestampField == null || timestampField.isEmpty()) {
-            validationException = addValidationError("timestamp field is null or empty", validationException);
+            validationException = addValidationError("@timestamp field is null or empty", validationException);
         }
 
-        if (eventTypeField == null || eventTypeField.isEmpty()) {
-            validationException = addValidationError("event type field is null or empty", validationException);
+        if (eventCategoryField == null || eventCategoryField.isEmpty()) {
+            validationException = addValidationError("event category field is null or empty", validationException);
         }
 
         if (implicitJoinKeyField == null || implicitJoinKeyField.isEmpty()) {
@@ -128,7 +128,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
             builder.field(KEY_FILTER, filter);
         }
         builder.field(KEY_TIMESTAMP_FIELD, timestampField());
-        builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField());
+        builder.field(KEY_EVENT_CATEGORY_FIELD, eventCategoryField());
         if (implicitJoinKeyField != null) {
             builder.field(KEY_IMPLICIT_JOIN_KEY_FIELD, implicitJoinKeyField());
         }
@@ -152,7 +152,7 @@ protected static <R extends EqlSearchRequest> ObjectParser<R, Void> objectParser
         parser.declareObject(EqlSearchRequest::filter,
             (p, c) -> AbstractQueryBuilder.parseInnerQueryBuilder(p), FILTER);
         parser.declareString(EqlSearchRequest::timestampField, TIMESTAMP_FIELD);
-        parser.declareString(EqlSearchRequest::eventTypeField, EVENT_TYPE_FIELD);
+        parser.declareString(EqlSearchRequest::eventCategoryField, EVENT_CATEGORY_FIELD);
         parser.declareString(EqlSearchRequest::implicitJoinKeyField, IMPLICIT_JOIN_KEY_FIELD);
         parser.declareInt(EqlSearchRequest::fetchSize, SIZE);
         parser.declareField(EqlSearchRequest::setSearchAfter, SearchAfterBuilder::fromXContent, SEARCH_AFTER,
@@ -181,10 +181,10 @@ public EqlSearchRequest timestampField(String timestampField) {
         return this;
     }
 
-    public String eventTypeField() { return this.eventTypeField; }
+    public String eventCategoryField() { return this.eventCategoryField; }
 
-    public EqlSearchRequest eventTypeField(String eventTypeField) {
-        this.eventTypeField = eventTypeField;
+    public EqlSearchRequest eventCategoryField(String eventCategoryField) {
+        this.eventCategoryField = eventCategoryField;
         return this;
     }
 
@@ -233,7 +233,7 @@ public void writeTo(StreamOutput out) throws IOException {
         indicesOptions.writeIndicesOptions(out);
         out.writeOptionalNamedWriteable(filter);
         out.writeString(timestampField);
-        out.writeString(eventTypeField);
+        out.writeString(eventCategoryField);
         out.writeString(implicitJoinKeyField);
         out.writeVInt(fetchSize);
         out.writeOptionalWriteable(searchAfterBuilder);
@@ -254,7 +254,7 @@ public boolean equals(Object o) {
                 Objects.equals(indicesOptions, that.indicesOptions) &&
                 Objects.equals(filter, that.filter) &&
                 Objects.equals(timestampField, that.timestampField) &&
-                Objects.equals(eventTypeField, that.eventTypeField) &&
+                Objects.equals(eventCategoryField, that.eventCategoryField) &&
                 Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
                 Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
                 Objects.equals(query, that.query);
@@ -267,8 +267,7 @@ public int hashCode() {
             indicesOptions,
             filter,
             fetchSize,
-            timestampField,
-            eventTypeField,
+            timestampField, eventCategoryField,
             implicitJoinKeyField,
             searchAfterBuilder,
             query);

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java

@@ -30,8 +30,8 @@ public EqlSearchRequestBuilder timestampField(String timestampField) {
         return this;
     }
 
-    public EqlSearchRequestBuilder eventTypeField(String eventTypeField) {
-        request.eventTypeField(eventTypeField);
+    public EqlSearchRequestBuilder eventCategoryField(String eventCategoryField) {
+        request.eventCategoryField(eventCategoryField);
         return this;
     }
 

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/RequestDefaults.java

@@ -10,9 +10,9 @@ public final class RequestDefaults {
 
     private RequestDefaults() {}
 
-    public static final String FIELD_TIMESTAMP = "timestamp";
-    public static final String FIELD_EVENT_TYPE = "event_type";
-    public static final String IMPLICIT_JOIN_KEY = "agent.id";
+    public static final String FIELD_TIMESTAMP = "@timestamp";
+    public static final String FIELD_EVENT_CATEGORY = "event.category";
+    public static final String FIELD_IMPLICIT_JOIN_KEY = "agent.id";
 
     public static int FETCH_SIZE = 50;
 }

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/LogicalPlanBuilder.java

@@ -38,7 +38,7 @@ public LogicalPlan visitEventQuery(EqlBaseParser.EventQueryContext ctx) {
             String eventName = visitIdentifier(ctx.event);
             Literal eventValue = new Literal(eventSource, eventName, DataTypes.KEYWORD);
 
-            UnresolvedAttribute eventField = new UnresolvedAttribute(eventSource, params.fieldEventType());
+            UnresolvedAttribute eventField = new UnresolvedAttribute(eventSource, params.fieldEventCategory());
             Expression eventMatch = new Equals(eventSource, eventField, eventValue);
 
             condition = new And(source, eventMatch, condition);

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/ParserParams.java

@@ -9,23 +9,23 @@
 import java.util.List;
 
 import static java.util.Collections.emptyList;
-import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_EVENT_TYPE;
+import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_EVENT_CATEGORY;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_TIMESTAMP;
-import static org.elasticsearch.xpack.eql.action.RequestDefaults.IMPLICIT_JOIN_KEY;
+import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_IMPLICIT_JOIN_KEY;
 
 public class ParserParams {
 
-    private String fieldEventType = FIELD_EVENT_TYPE;
+    private String fieldEventCategory = FIELD_EVENT_CATEGORY;
     private String fieldTimestamp = FIELD_TIMESTAMP;
-    private String implicitJoinKey = IMPLICIT_JOIN_KEY;
+    private String implicitJoinKey = FIELD_IMPLICIT_JOIN_KEY;
     private List<Object> queryParams = emptyList();
 
-    public String fieldEventType() {
-        return fieldEventType;
+    public String fieldEventCategory() {
+        return fieldEventCategory;
     }
 
-    public ParserParams fieldEventType(String fieldEventType) {
-        this.fieldEventType = fieldEventType;
+    public ParserParams fieldEventCategory(String fieldEventCategory) {
+        this.fieldEventCategory = fieldEventCategory;
         return this;
     }
 

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java

@@ -62,7 +62,7 @@ public static void operation(PlanExecutor planExecutor, EqlSearchRequest request
         String clientId = null;
 
         ParserParams params = new ParserParams()
-            .fieldEventType(request.eventTypeField())
+            .fieldEventCategory(request.eventCategoryField())
             .fieldTimestamp(request.timestampField())
             .implicitJoinKey(request.implicitJoinKeyField());
 
@@ -85,4 +85,4 @@ static String username(SecurityContext securityContext) {
     static String clusterName(ClusterService clusterService) {
         return clusterService.getClusterName().value();
     }
-}
+}