diff --git a/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java b/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java
index a8b342f0a43f1..9bca610194bb6 100644
--- a/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java
+++ b/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java
@@ -36,32 +36,32 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
 private String[] indices;
 private IndicesOptions indicesOptions = IndicesOptions.fromOptions(false, false, true, false);
- private QueryBuilder query = null;
+ private QueryBuilder filter = null;
 private String timestampField = "@timestamp";
 private String eventTypeField = "event_type";
 private String implicitJoinKeyField = "agent.id";
 private int fetchSize = 50;
 private SearchAfterBuilder searchAfterBuilder;
- private String rule;
+ private String query;
- static final String KEY_QUERY = "query";
+ static final String KEY_FILTER = "filter";
 static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
 static final String KEY_EVENT_TYPE_FIELD = "event_type_field";
 static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
 static final String KEY_SIZE = "size";
 static final String KEY_SEARCH_AFTER = "search_after";
- static final String KEY_RULE = "rule";
+ static final String KEY_QUERY = "query";
- public EqlSearchRequest(String indices, String rule) {
+ public EqlSearchRequest(String indices, String query) {
 indices(indices);
- rule(rule);
+ query(query);
 }
 @Override
 public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
 builder.startObject();
- if (query != null) {
- builder.field(KEY_QUERY, query);
+ if (filter != null) {
+ builder.field(KEY_FILTER, filter);
 }
 builder.field(KEY_TIMESTAMP_FIELD, timestampField());
 builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField());
@@ -74,7 +74,7 @@ public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params par
 builder.array(KEY_SEARCH_AFTER, searchAfterBuilder.getSortValues());
 }
- builder.field(KEY_RULE, rule);
+ builder.field(KEY_QUERY, query);
 builder.endObject();
 return builder;
 }
@@ -88,12 +88,12 @@ public EqlSearchRequest indices(String... indices) {
 return this;
 }
- public QueryBuilder query() {
- return this.query;
+ public QueryBuilder filter() {
+ return this.filter;
 }
- public EqlSearchRequest query(QueryBuilder query) {
- this.query = query;
+ public EqlSearchRequest filter(QueryBuilder filter) {
+ this.filter = filter;
 return this;
 }
@@ -156,13 +156,13 @@ private EqlSearchRequest setSearchAfter(SearchAfterBuilder builder) {
 return this;
 }
- public String rule() {
- return this.rule;
+ public String query() {
+ return this.query;
 }
- public EqlSearchRequest rule(String rule) {
- Objects.requireNonNull(rule, "rule must not be null");
- this.rule = rule;
+ public EqlSearchRequest query(String query) {
+ Objects.requireNonNull(query, "query must not be null");
+ this.query = query;
 return this;
 }
@@ -175,16 +175,15 @@ public boolean equals(Object o) {
 return false;
 }
 EqlSearchRequest that = (EqlSearchRequest) o;
- return
- fetchSize == that.fetchSize &&
+ return fetchSize == that.fetchSize &&
 Arrays.equals(indices, that.indices) &&
 Objects.equals(indicesOptions, that.indicesOptions) &&
- Objects.equals(query, that.query) &&
+ Objects.equals(filter, that.filter) &&
 Objects.equals(timestampField, that.timestampField) &&
 Objects.equals(eventTypeField, that.eventTypeField) &&
 Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
 Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
- Objects.equals(rule, that.rule);
+ Objects.equals(query, that.query);
 }
 @Override
@@ -192,13 +191,13 @@ public int hashCode() {
 return Objects.hash(
 Arrays.hashCode(indices),
 indicesOptions,
- query,
+ filter,
 fetchSize,
 timestampField,
 eventTypeField,
 implicitJoinKeyField,
 searchAfterBuilder,
- rule);
+ query);
 }
 public String[] indices() {
diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java
index cfbe9d8f76f9b..8791b3356e9bb 100644
--- a/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java
+++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java
@@ -46,7 +46,7 @@ protected EqlSearchRequest createClientTestInstance() {
 EqlSearchRequest.eventTypeField(randomAlphaOfLength(10));
 }
 if (randomBoolean()) {
- EqlSearchRequest.rule(randomAlphaOfLength(10));
+ EqlSearchRequest.query(randomAlphaOfLength(10));
 }
 if (randomBoolean()) {
 EqlSearchRequest.timestampField(randomAlphaOfLength(10));
@@ -56,9 +56,9 @@ protected EqlSearchRequest createClientTestInstance() {
 }
 if (randomBoolean()) {
 if (randomBoolean()) {
- EqlSearchRequest.query(QueryBuilders.matchAllQuery());
+ EqlSearchRequest.filter(QueryBuilders.matchAllQuery());
 } else {
- EqlSearchRequest.query(QueryBuilders.termQuery(randomAlphaOfLength(10), randomInt(100)));
+ EqlSearchRequest.filter(QueryBuilders.termQuery(randomAlphaOfLength(10), randomInt(100)));
 }
 }
 return EqlSearchRequest;
@@ -75,8 +75,8 @@ protected void assertInstances(org.elasticsearch.xpack.eql.action.EqlSearchReque
 assertThat(serverInstance.eventTypeField(), equalTo(clientTestInstance.eventTypeField()));
 assertThat(serverInstance.implicitJoinKeyField(), equalTo(clientTestInstance.implicitJoinKeyField()));
 assertThat(serverInstance.timestampField(), equalTo(clientTestInstance.timestampField()));
+ assertThat(serverInstance.filter(), equalTo(clientTestInstance.filter()));
 assertThat(serverInstance.query(), equalTo(clientTestInstance.query()));
- assertThat(serverInstance.rule(), equalTo(clientTestInstance.rule()));
 assertThat(serverInstance.searchAfter(), equalTo(clientTestInstance.searchAfter()));
 assertThat(serverInstance.indicesOptions(), equalTo(clientTestInstance.indicesOptions()));
 assertThat(serverInstance.indices(), equalTo(clientTestInstance.indices()));
diff --git a/docs/reference/eql/search.asciidoc b/docs/reference/eql/search.asciidoc
index acc061d5457d5..9f1f61e631d6c 100644
--- a/docs/reference/eql/search.asciidoc
+++ b/docs/reference/eql/search.asciidoc
@@ -27,7 +27,7 @@ PUT sec_logs/_bulk?refresh
 You can now use the EQL search API to search this index using an EQL query.
 The following request searches the `sec_logs` index using the EQL query
-specified in the `rule` parameter. The EQL query matches events with an
+specified in the `query` parameter. The EQL query matches events with an
 `event.category` of `process` that have a `process.name` of `cmd.exe`.
 [source,console]
@@ -35,7 +35,7 @@ specified in the `rule` parameter. The EQL query matches events with an
 GET sec_logs/_eql/search
 {
 "event_type_field": "event.category",
- "rule": """
+ "query": """
 process where process.name == "cmd.exe"
 """
 }
diff --git a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java
index 628972c4d20dc..be89d3ee9c27e 100644
--- a/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java
+++ b/x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java
@@ -36,31 +36,31 @@ static class SearchTestConfiguration {
 }
 public static final String defaultValidationIndexName = "eql_search_validation_test";
- private static final String validRule = "process where user = 'SYSTEM'";
+ private static final String validQuery = "process where user = 'SYSTEM'";
 public static final ArrayList searchValidationTests;
 static {
 searchValidationTests = new ArrayList<>();
 searchValidationTests.add(new SearchTestConfiguration(null, 400, "request body or source parameter is required"));
- searchValidationTests.add(new SearchTestConfiguration("{}", 400, "rule is null or empty"));
- searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"\"}", 400, "rule is null or empty"));
- searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"timestamp_field\": \"\"}",
+ searchValidationTests.add(new SearchTestConfiguration("{}", 400, "query is null or empty"));
+ searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"\"}", 400, "query is null or empty"));
+ searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"timestamp_field\": \"\"}",
 400, "timestamp field is null or empty"));
- searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"event_type_field\": \"\"}",
+ searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"event_type_field\": \"\"}",
 400, "event type field is null or empty"));
- searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"implicit_join_key_field\": \"\"}",
+ searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"implicit_join_key_field\": \"\"}",
 400, "implicit join key field is null or empty"));
- searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"size\": 0}",
+ searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"size\": 0}",
 400, "size must be greater than 0"));
- searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"size\": -1}",
+ searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"size\": -1}",
 400, "size must be greater than 0"));
- searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"search_after\": null}",
+ searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"search_after\": null}",
 400, "search_after doesn't support values of type: VALUE_NULL"));
- searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"search_after\": []}",
+ searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"search_after\": []}",
 400, "must contains at least one value"));
- searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"query\": null}",
- 400, "query doesn't support values of type: VALUE_NULL"));
- searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"query\": {}}",
+ searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"filter\": null}",
+ 400, "filter doesn't support values of type: VALUE_NULL"));
+ searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"filter\": {}}",
 400, "query malformed, empty clause found"));
 }
diff --git a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml
index 633b6225780a5..d4ef1aef83eae 100644
--- a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml
+++ b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml
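Review bot: The last expectation in the static initializer, `"query malformed, empty clause found"` for the `{"filter": {}}` body, still says "query" after the key was renamed to `filter`, which reads like a missed rename. The message appears to originate in the inner query-builder parsing that the request parser wires to `FILTER` (`AbstractQueryBuilder.parseInnerQueryBuilder`), not from the EQL field name, so the expectation is presumably right as written. A short comment on that line, e.g. `// "query malformed" is produced by the inner query-builder parser, not by the EQL field name`, would stop the next reader from "fixing" it and breaking the test.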
@@ -17,7 +17,7 @@ setup:
 eql.search:
 index: eql_test
 body:
- rule: "process where user = 'SYSTEM'"
+ query: "process where user = 'SYSTEM'"
 - match: {timed_out: false}
 - match: {hits.total.value: 1}
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
index 2d5aa5f8c3bd2..89cacf44e719f 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
@@ -37,29 +37,29 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
 private IndicesOptions indicesOptions = IndicesOptions.fromOptions(false, false, true, false);
- private QueryBuilder query = null;
+ private QueryBuilder filter = null;
 private String timestampField = FIELD_TIMESTAMP;
 private String eventTypeField = FIELD_EVENT_TYPE;
 private String implicitJoinKeyField = IMPLICIT_JOIN_KEY;
 private int fetchSize = FETCH_SIZE;
 private SearchAfterBuilder searchAfterBuilder;
- private String rule;
+ private String query;
- static final String KEY_QUERY = "query";
+ static final String KEY_FILTER = "filter";
 static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
 static final String KEY_EVENT_TYPE_FIELD = "event_type_field";
 static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
 static final String KEY_SIZE = "size";
 static final String KEY_SEARCH_AFTER = "search_after";
- static final String KEY_RULE = "rule";
+ static final String KEY_QUERY = "query";
- static final ParseField QUERY = new ParseField(KEY_QUERY);
+ static final ParseField FILTER = new ParseField(KEY_FILTER);
 static final ParseField TIMESTAMP_FIELD = new ParseField(KEY_TIMESTAMP_FIELD);
 static final ParseField EVENT_TYPE_FIELD = new ParseField(KEY_EVENT_TYPE_FIELD);
 static final ParseField IMPLICIT_JOIN_KEY_FIELD = new ParseField(KEY_IMPLICIT_JOIN_KEY_FIELD);
 static final ParseField SIZE = new ParseField(KEY_SIZE);
 static final ParseField SEARCH_AFTER = new ParseField(KEY_SEARCH_AFTER);
- static final ParseField RULE = new ParseField(KEY_RULE);
+ static final ParseField QUERY = new ParseField(KEY_QUERY);
 private static final ObjectParser PARSER = objectParser(EqlSearchRequest::new);
@@ -71,13 +71,13 @@ public EqlSearchRequest(StreamInput in) throws IOException {
 super(in);
 indices = in.readStringArray();
 indicesOptions = IndicesOptions.readIndicesOptions(in);
- query = in.readOptionalNamedWriteable(QueryBuilder.class);
+ filter = in.readOptionalNamedWriteable(QueryBuilder.class);
 timestampField = in.readString();
 eventTypeField = in.readString();
 implicitJoinKeyField = in.readString();
 fetchSize = in.readVInt();
 searchAfterBuilder = in.readOptionalWriteable(SearchAfterBuilder::new);
- rule = in.readString();
+ query = in.readString();
 }
 @Override
@@ -99,8 +99,8 @@ public ActionRequestValidationException validate() {
 validationException = addValidationError("indicesOptions is null", validationException);
 }
- if (rule == null || rule.isEmpty()) {
- validationException = addValidationError("rule is null or empty", validationException);
+ if (query == null || query.isEmpty()) {
+ validationException = addValidationError("query is null or empty", validationException);
 }
 if (timestampField == null || timestampField.isEmpty()) {
@@ -124,8 +124,8 @@ public ActionRequestValidationException validate() {
 @Override
 public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
- if (query != null) {
- builder.field(KEY_QUERY, query);
+ if (filter != null) {
+ builder.field(KEY_FILTER, filter);
 }
 builder.field(KEY_TIMESTAMP_FIELD, timestampField());
 builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField());
@@ -138,7 +138,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws
 builder.array(SEARCH_AFTER.getPreferredName(), searchAfterBuilder.getSortValues());
 }
- builder.field(KEY_RULE, rule);
+ builder.field(KEY_QUERY, query);
 return builder;
 }
@@ -149,15 +149,15 @@ public static EqlSearchRequest fromXContent(XContentParser parser) {
 protected static ObjectParser objectParser(Supplier supplier) {
 ObjectParser parser = new ObjectParser<>("eql/search", false, supplier);
- parser.declareObject(EqlSearchRequest::query,
- (p, c) -> AbstractQueryBuilder.parseInnerQueryBuilder(p), QUERY);
+ parser.declareObject(EqlSearchRequest::filter,
+ (p, c) -> AbstractQueryBuilder.parseInnerQueryBuilder(p), FILTER);
 parser.declareString(EqlSearchRequest::timestampField, TIMESTAMP_FIELD);
 parser.declareString(EqlSearchRequest::eventTypeField, EVENT_TYPE_FIELD);
 parser.declareString(EqlSearchRequest::implicitJoinKeyField, IMPLICIT_JOIN_KEY_FIELD);
 parser.declareInt(EqlSearchRequest::fetchSize, SIZE);
 parser.declareField(EqlSearchRequest::setSearchAfter, SearchAfterBuilder::fromXContent, SEARCH_AFTER,
 ObjectParser.ValueType.OBJECT_ARRAY);
- parser.declareString(EqlSearchRequest::rule, RULE);
+ parser.declareString(EqlSearchRequest::query, QUERY);
 return parser;
 }
@@ -167,10 +167,10 @@ public EqlSearchRequest indices(String... indices) {
 return this;
 }
- public QueryBuilder query() { return this.query; }
+ public QueryBuilder filter() { return this.filter; }
- public EqlSearchRequest query(QueryBuilder query) {
- this.query = query;
+ public EqlSearchRequest filter(QueryBuilder filter) {
+ this.filter = filter;
 return this;
 }
@@ -219,10 +219,10 @@ private EqlSearchRequest setSearchAfter(SearchAfterBuilder builder) {
 return this;
 }
- public String rule() { return this.rule; }
+ public String query() { return this.query; }
- public EqlSearchRequest rule(String rule) {
- this.rule = rule;
+ public EqlSearchRequest query(String query) {
+ this.query = query;
 return this;
 }
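Review bot: In objectParser, `parser.declareString(EqlSearchRequest::query, QUERY)` together with the new `FILTER` declaration drops the `rule` key and changes what `query` means with no transition: a caller still sending `rule` now gets a generic parsing error instead of a message that names the rename, and a body that used `query` for a filter object fails on value type (the `doesn't support values of type` errors that EqlRequestParserTests exercises). If this API has already shipped, registering the old name as a deprecated alias on the QUERY ParseField, `static final ParseField QUERY = new ParseField(KEY_QUERY, "rule");`, would keep old EQL-string bodies working with a deprecation warning; the repurposed `query` key cannot be rescued the same way and deserves an explicit breaking-change note in the docs. If EQL is still unreleased this is presumably acceptable, but a one-line comment on the `FILTER` declaration in the earlier field hunk, `// "query" was the filter key before the rename; it now carries the EQL string`, would save the next reader a blame.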
@@ -231,13 +231,13 @@ public void writeTo(StreamOutput out) throws IOException {
 super.writeTo(out);
 out.writeStringArrayNullable(indices);
 indicesOptions.writeIndicesOptions(out);
- out.writeOptionalNamedWriteable(query);
+ out.writeOptionalNamedWriteable(filter);
 out.writeString(timestampField);
 out.writeString(eventTypeField);
 out.writeString(implicitJoinKeyField);
 out.writeVInt(fetchSize);
 out.writeOptionalWriteable(searchAfterBuilder);
- out.writeString(rule);
+ out.writeString(query);
 }
 @Override
@@ -249,16 +249,15 @@ public boolean equals(Object o) {
 return false;
 }
 EqlSearchRequest that = (EqlSearchRequest) o;
- return
- fetchSize == that.fetchSize &&
- Arrays.equals(indices, that.indices) &&
- Objects.equals(indicesOptions, that.indicesOptions) &&
- Objects.equals(query, that.query) &&
- Objects.equals(timestampField, that.timestampField) &&
- Objects.equals(eventTypeField, that.eventTypeField) &&
- Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
- Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
- Objects.equals(rule, that.rule);
+ return fetchSize == that.fetchSize &&
+ Arrays.equals(indices, that.indices) &&
+ Objects.equals(indicesOptions, that.indicesOptions) &&
+ Objects.equals(filter, that.filter) &&
+ Objects.equals(timestampField, that.timestampField) &&
+ Objects.equals(eventTypeField, that.eventTypeField) &&
+ Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
+ Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
+ Objects.equals(query, that.query);
 }
 @Override
@@ -266,13 +265,13 @@ public int hashCode() {
 return Objects.hash(
 Arrays.hashCode(indices),
 indicesOptions,
- query,
+ filter,
 fetchSize,
 timestampField,
 eventTypeField,
 implicitJoinKeyField,
 searchAfterBuilder,
- rule);
+ query);
 }
 @Override
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java
index 2e808501ae9f8..743b297a58aba 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java
@@ -20,8 +20,8 @@ public EqlSearchRequestBuilder indices(String... indices) {
 return this;
 }
- public EqlSearchRequestBuilder query(QueryBuilder query) {
- request.query(query);
+ public EqlSearchRequestBuilder filter(QueryBuilder filter) {
+ request.filter(filter);
 return this;
 }
@@ -50,8 +50,8 @@ public EqlSearchRequestBuilder searchAfter(Object[] values) {
 return this;
 }
- public EqlSearchRequestBuilder rule(String rule) {
- request.rule(rule);
+ public EqlSearchRequestBuilder query(String query) {
+ request.query(query);
 return this;
 }
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java
index 13aa1d1f62c58..24a3cda7b8f5f 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java
@@ -56,7 +56,7 @@ public static void operation(PlanExecutor planExecutor, EqlSearchRequest request
 String clusterName, ActionListener listener) {
 // TODO: these should be sent by the client
 ZoneId zoneId = DateUtils.of("Z");
- QueryBuilder filter = request.query();
+ QueryBuilder filter = request.filter();
 TimeValue timeout = TimeValue.timeValueSeconds(30);
 boolean includeFrozen = request.indicesOptions().ignoreThrottled() == false;
 String clientId = null;
@@ -68,7 +68,7 @@ public static void operation(PlanExecutor planExecutor, EqlSearchRequest request
 Configuration cfg = new Configuration(request.indices(), zoneId, username, clusterName, filter, timeout, request.fetchSize(), includeFrozen, clientId);
- planExecutor.eql(cfg, request.rule(), params, wrap(r -> listener.onResponse(createResponse(r)), listener::onFailure));
+ planExecutor.eql(cfg, request.query(), params, wrap(r -> listener.onResponse(createResponse(r)), listener::onFailure));
 }
 static EqlSearchResponse createResponse(Results results) {
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java
index 2ead24584572f..d0ff969968115 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java
@@ -98,7 +98,7 @@ public EqlActionIT(int num, EqlSpec spec) {
 public final void test() {
 EqlSearchResponse response = new EqlSearchRequestBuilder(client(), EqlSearchAction.INSTANCE)
- .indices(testIndexName).rule(spec.query()).get();
+ .indices(testIndexName).query(spec.query()).get();
 List events = response.hits().events();
 assertNotNull(events);
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java
index 0e9f551a5a1ec..15828b93b97ba 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java
@@ -31,7 +31,7 @@ public void testUnknownFieldParsingErrors() throws IOException {
 }
 public void testSearchRequestParser() throws IOException {
- assertParsingErrorMessage("{\"query\" : 123}", "query doesn't support values of type: VALUE_NUMBER",
+ assertParsingErrorMessage("{\"filter\" : 123}", "filter doesn't support values of type: VALUE_NUMBER",
 EqlSearchRequest::fromXContent);
 assertParsingErrorMessage("{\"timestamp_field\" : 123}", "timestamp_field doesn't support values of type: VALUE_NUMBER",
 EqlSearchRequest::fromXContent);
@@ -43,32 +43,32 @@ public void testSearchRequestParser() throws IOException {
 assertParsingErrorMessage("{\"search_after\" : 123}", "search_after doesn't support values of type: VALUE_NUMBER",
 EqlSearchRequest::fromXContent);
 assertParsingErrorMessage("{\"size\" : \"foo\"}", "failed to parse field [size]", EqlSearchRequest::fromXContent);
- assertParsingErrorMessage("{\"rule\" : 123}", "rule doesn't support values of type: VALUE_NUMBER",
+ assertParsingErrorMessage("{\"query\" : 123}", "query doesn't support values of type: VALUE_NUMBER",
 EqlSearchRequest::fromXContent);
- assertParsingErrorMessage("{\"rule\" : \"whatever\", \"size\":\"abc\"}", "failed to parse field [size]",
+ assertParsingErrorMessage("{\"query\" : \"whatever\", \"size\":\"abc\"}", "failed to parse field [size]",
 EqlSearchRequest::fromXContent);
- EqlSearchRequest request = generateRequest("endgame-*", "{\"query\" : {\"match\" : {\"foo\":\"bar\"}}, "
+ EqlSearchRequest request = generateRequest("endgame-*", "{\"filter\" : {\"match\" : {\"foo\":\"bar\"}}, "
 + "\"timestamp_field\" : \"tsf\", "
 + "\"event_type_field\" : \"etf\","
 + "\"implicit_join_key_field\" : \"imjf\","
 + "\"search_after\" : [ 12345678, \"device-20184\", \"/user/local/foo.exe\", \"2019-11-26T00:45:43.542\" ],"
 + "\"size\" : \"101\","
- + "\"rule\" : \"file where user != 'SYSTEM' by file_path\""
+ + "\"query\" : \"file where user != 'SYSTEM' by file_path\""
 + "}", EqlSearchRequest::fromXContent);
 assertArrayEquals(new String[]{"endgame-*"}, request.indices());
 assertNotNull(request.query());
- assertTrue(request.query() instanceof MatchQueryBuilder);
- MatchQueryBuilder query = (MatchQueryBuilder)request.query();
- assertEquals("foo", query.fieldName());
- assertEquals("bar", query.value());
+ assertTrue(request.filter() instanceof MatchQueryBuilder);
+ MatchQueryBuilder filter = (MatchQueryBuilder)request.filter();
+ assertEquals("foo", filter.fieldName());
+ assertEquals("bar", filter.value());
 assertEquals("tsf", request.timestampField());
 assertEquals("etf", request.eventTypeField());
 assertEquals("imjf", request.implicitJoinKeyField());
 assertArrayEquals(new Object[]{12345678, "device-20184", "/user/local/foo.exe", "2019-11-26T00:45:43.542"}, request.searchAfter());
 assertEquals(101, request.fetchSize());
- assertEquals("file where user != 'SYSTEM' by file_path", request.rule());
+ assertEquals("file where user != 'SYSTEM' by file_path", request.query());
 }
 private EqlSearchRequest generateRequest(String index, String json, Function fromXContent)
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java
index 91c70f29f23cd..008355b2da4fb 100644
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java
@@ -32,7 +32,7 @@ public class EqlSearchRequestTests extends AbstractSerializingTestCase {
 // TODO: possibly add mutations
- static String defaultTestQuery = "{\n" +
+ static String defaultTestFilter = "{\n" +
 " \"match\" : {\n" +
 " \"foo\": \"bar\"\n" +
 " }" +
@@ -59,15 +59,15 @@ protected NamedXContentRegistry xContentRegistry() {
 @Override
 protected EqlSearchRequest createTestInstance() {
 try {
- QueryBuilder query = parseQuery(defaultTestQuery);
+ QueryBuilder filter = parseFilter(defaultTestFilter);
 EqlSearchRequest request = new EqlSearchRequest()
 .indices(new String[]{defaultTestIndex})
- .query(query)
+ .filter(filter)
 .timestampField(randomAlphaOfLength(10))
 .eventTypeField(randomAlphaOfLength(10))
 .implicitJoinKeyField(randomAlphaOfLength(10))
 .fetchSize(randomIntBetween(1, 50))
- .rule(randomAlphaOfLength(10));
+ .query(randomAlphaOfLength(10));
 if (randomBoolean()) {
 request.searchAfter(randomJsonSearchFromBuilder());
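Review bot: `assertNotNull(request.query());` in testSearchRequestParser kept its text but lost its purpose: before the rename it guarded the filter cast that follows, whereas now it checks the EQL string, which the later `assertEquals("file where user != 'SYSTEM' by file_path", request.query())` already pins exactly. Changing it to `assertNotNull(request.filter());` keeps the filter assertions self-contained and gives a direct failure message if the `filter` key stops being parsed; the `instanceof` check would still fail on null, but only with a bare AssertionError.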
@@ -79,12 +79,12 @@ protected EqlSearchRequest createTestInstance() {
 return null;
 }
- protected QueryBuilder parseQuery(String queryAsString) throws IOException {
- XContentParser parser = createParser(JsonXContent.jsonXContent, queryAsString);
- return parseQuery(parser);
+ protected QueryBuilder parseFilter(String filter) throws IOException {
+ XContentParser parser = createParser(JsonXContent.jsonXContent, filter);
+ return parseFilter(parser);
 }
- protected QueryBuilder parseQuery(XContentParser parser) throws IOException {
+ protected QueryBuilder parseFilter(XContentParser parser) throws IOException {
 QueryBuilder parseInnerQueryBuilder = parseInnerQueryBuilder(parser);
 assertNull(parser.nextToken());
 return parseInnerQueryBuilder;