Skip to content

[7.16] EQL: Add optional fields and limit joining keys on non-null values only (#79677) #79807

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 26, 2021
Merged

[7.16] EQL: Add optional fields and limit joining keys on non-null values only (#79677) #79807

merged 1 commit into from
Oct 26, 2021

Conversation

astefan
Copy link
Contributor

@astefan astefan commented Oct 26, 2021

Backports the following commits to 7.16:

@astefan
EQL: Add optional fields and limit joining keys on non-null values on…
67cc09d 
…ly (elastic#79677)

Add optional fields, with usage inside queries' filters and as join
keys. Optional fields have a question mark in front of their name
(`?some_field`) and can be used in standalone event queries and
sequences. If the field exists in at least one index that's getting
queried, that field will actually be used in queries. If the field
doesn't exist in any of the indices, all its mentions in query filters
will be replaced with `null`. For sequences, optional fields as keys can
have `null` as a value, whereas non-optional fields will be restricted
to non-null values only. For example, a query like

```
sequence by ?process.entity_id, process.pid
  [process where transID == 2]
  [file where transID == 0] with runs=2
```

can return a sequence with a join key `[null,123]`. If the sequence will
use `process.pid` as an optional field (`sequence by ?process.entity_id,
?process.pid`), as well, the sequence can now return join keys as
`[null,123]`, `[null,null]`, `[512,null]`.
@astefan astefan added auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport labels Oct 26, 2021
@elasticsearchmachine elasticsearchmachine mentioned this pull request Oct 26, 2021
Merged
@elasticsearchmachine elasticsearchmachine merged commit 0e600f7 into elastic:7.16 Oct 26, 2021
@astefan astefan deleted the backport/7.16/pr-79677 branch October 26, 2021 14:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport v7.16.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@astefan @danhermann @elasticsearchmachine