EQL: Change request parameter query to filter and rule to query

client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java

@@ -36,32 +36,32 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
     private String[] indices;
     private IndicesOptions indicesOptions = IndicesOptions.fromOptions(false, false, true, false);
 
-    private QueryBuilder query = null;
+    private QueryBuilder filter = null;
     private String timestampField = "@timestamp";
     private String eventTypeField = "event_type";
     private String implicitJoinKeyField = "agent.id";
     private int fetchSize = 50;
     private SearchAfterBuilder searchAfterBuilder;
-    private String rule;
+    private String query;
 
-    static final String KEY_QUERY = "query";
+    static final String KEY_FILTER = "filter";
     static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
     static final String KEY_EVENT_TYPE_FIELD = "event_type_field";
     static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
     static final String KEY_SIZE = "size";
     static final String KEY_SEARCH_AFTER = "search_after";
-    static final String KEY_RULE = "rule";
+    static final String KEY_QUERY = "query";
 
-    public EqlSearchRequest(String indices, String rule) {
+    public EqlSearchRequest(String indices, String query) {
         indices(indices);
-        rule(rule);
+        query(query);
     }
 
     @Override
     public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
         builder.startObject();
-        if (query != null) {
-            builder.field(KEY_QUERY, query);
+        if (filter != null) {
+            builder.field(KEY_FILTER, filter);
         }
         builder.field(KEY_TIMESTAMP_FIELD, timestampField());
         builder.field(KEY_EVENT_TYPE_FIELD, eventTypeField());
@@ -74,7 +74,7 @@ public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params par
             builder.array(KEY_SEARCH_AFTER, searchAfterBuilder.getSortValues());
         }
 
-        builder.field(KEY_RULE, rule);
+        builder.field(KEY_QUERY, query);
         builder.endObject();
         return builder;
     }
@@ -88,12 +88,12 @@ public EqlSearchRequest indices(String... indices) {
         return this;
     }
 
-    public QueryBuilder query() {
-        return this.query;
+    public QueryBuilder filter() {
+        return this.filter;
     }
 
-    public EqlSearchRequest query(QueryBuilder query) {
-        this.query = query;
+    public EqlSearchRequest filter(QueryBuilder filter) {
+        this.filter = filter;
         return this;
     }
 
@@ -156,13 +156,13 @@ private EqlSearchRequest setSearchAfter(SearchAfterBuilder builder) {
         return this;
     }
 
-    public String rule() {
-        return this.rule;
+    public String query() {
+        return this.query;
     }
 
-    public EqlSearchRequest rule(String rule) {
-        Objects.requireNonNull(rule, "rule must not be null");
-        this.rule = rule;
+    public EqlSearchRequest query(String query) {
+        Objects.requireNonNull(query, "query must not be null");
+        this.query = query;
         return this;
     }
 
@@ -175,30 +175,29 @@ public boolean equals(Object o) {
             return false;
         }
         EqlSearchRequest that = (EqlSearchRequest) o;
-        return
-            fetchSize == that.fetchSize &&
+        return fetchSize == that.fetchSize &&
                 Arrays.equals(indices, that.indices) &&
                 Objects.equals(indicesOptions, that.indicesOptions) &&
-                Objects.equals(query, that.query) &&
+                Objects.equals(filter, that.filter) &&
                 Objects.equals(timestampField, that.timestampField) &&
                 Objects.equals(eventTypeField, that.eventTypeField) &&
                 Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
                 Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
-                Objects.equals(rule, that.rule);
+                Objects.equals(query, that.query);
     }
 
     @Override
     public int hashCode() {
         return Objects.hash(
             Arrays.hashCode(indices),
             indicesOptions,
-            query,
+            filter,
             fetchSize,
             timestampField,
             eventTypeField,
             implicitJoinKeyField,
             searchAfterBuilder,
-            rule);
+            query);
     }
 
     public String[] indices() {

client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java

@@ -46,7 +46,7 @@ protected EqlSearchRequest createClientTestInstance() {
             EqlSearchRequest.eventTypeField(randomAlphaOfLength(10));
         }
         if (randomBoolean()) {
-            EqlSearchRequest.rule(randomAlphaOfLength(10));
+            EqlSearchRequest.query(randomAlphaOfLength(10));
         }
         if (randomBoolean()) {
             EqlSearchRequest.timestampField(randomAlphaOfLength(10));
@@ -56,9 +56,9 @@ protected EqlSearchRequest createClientTestInstance() {
         }
         if (randomBoolean()) {
             if (randomBoolean()) {
-                EqlSearchRequest.query(QueryBuilders.matchAllQuery());
+                EqlSearchRequest.filter(QueryBuilders.matchAllQuery());
             } else {
-                EqlSearchRequest.query(QueryBuilders.termQuery(randomAlphaOfLength(10), randomInt(100)));
+                EqlSearchRequest.filter(QueryBuilders.termQuery(randomAlphaOfLength(10), randomInt(100)));
             }
         }
         return EqlSearchRequest;
@@ -75,8 +75,8 @@ protected void assertInstances(org.elasticsearch.xpack.eql.action.EqlSearchReque
         assertThat(serverInstance.eventTypeField(), equalTo(clientTestInstance.eventTypeField()));
         assertThat(serverInstance.implicitJoinKeyField(), equalTo(clientTestInstance.implicitJoinKeyField()));
         assertThat(serverInstance.timestampField(), equalTo(clientTestInstance.timestampField()));
+        assertThat(serverInstance.filter(), equalTo(clientTestInstance.filter()));
         assertThat(serverInstance.query(), equalTo(clientTestInstance.query()));
-        assertThat(serverInstance.rule(), equalTo(clientTestInstance.rule()));
         assertThat(serverInstance.searchAfter(), equalTo(clientTestInstance.searchAfter()));
         assertThat(serverInstance.indicesOptions(), equalTo(clientTestInstance.indicesOptions()));
         assertThat(serverInstance.indices(), equalTo(clientTestInstance.indices()));

docs/reference/eql/search.asciidoc

@@ -27,15 +27,15 @@ PUT sec_logs/_bulk?refresh
 You can now use the EQL search API to search this index using an EQL query.
 
 The following request searches the `sec_logs` index using the EQL query
-specified in the `rule` parameter. The EQL query matches events with an
+specified in the `query` parameter. The EQL query matches events with an
 `event.category` of `process` that have a `process.name` of `cmd.exe`.
 
 [source,console]
 ----
 GET sec_logs/_eql/search
 {
   "event_type_field": "event.category",
-  "rule": """
+  "query": """
     process where process.name == "cmd.exe"
   """
 }

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java

@@ -36,31 +36,31 @@ static class SearchTestConfiguration {
     }
 
     public static final String defaultValidationIndexName = "eql_search_validation_test";
-    private static final String validRule = "process where user = 'SYSTEM'";
+    private static final String validQuery = "process where user = 'SYSTEM'";
 
     public static final ArrayList<SearchTestConfiguration> searchValidationTests;
     static {
         searchValidationTests = new ArrayList<>();
         searchValidationTests.add(new SearchTestConfiguration(null, 400, "request body or source parameter is required"));
-        searchValidationTests.add(new SearchTestConfiguration("{}", 400, "rule is null or empty"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"\"}", 400, "rule is null or empty"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"timestamp_field\": \"\"}",
+        searchValidationTests.add(new SearchTestConfiguration("{}", 400, "query is null or empty"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"\"}", 400, "query is null or empty"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"timestamp_field\": \"\"}",
             400, "timestamp field is null or empty"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"event_type_field\": \"\"}",
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"event_type_field\": \"\"}",
             400, "event type field is null or empty"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"implicit_join_key_field\": \"\"}",
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"implicit_join_key_field\": \"\"}",
             400, "implicit join key field is null or empty"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"size\": 0}",
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"size\": 0}",
             400, "size must be greater than 0"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"size\": -1}",
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"size\": -1}",
             400, "size must be greater than 0"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"search_after\": null}",
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"search_after\": null}",
             400, "search_after doesn't support values of type: VALUE_NULL"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"search_after\": []}",
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"search_after\": []}",
             400, "must contains at least one value"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"query\": null}",
-            400, "query doesn't support values of type: VALUE_NULL"));
-        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"query\": {}}",
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"filter\": null}",
+            400, "filter doesn't support values of type: VALUE_NULL"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"query\": \"" + validQuery + "\", \"filter\": {}}",
             400, "query malformed, empty clause found"));
     }
 

x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml

@@ -17,7 +17,7 @@ setup:
       eql.search:
         index: eql_test
         body:
-          rule: "process where user = 'SYSTEM'"
+          query: "process where user = 'SYSTEM'"
 
   - match: {timed_out: false}
   - match: {hits.total.value: 1}