EQL: Remove "wildcard" function #76099
This removes "wildcard" as an available function in EQL. This has already been replaced with "like" and "regex" embedded syntax (and respective case insensitive variants).
Pinging @elastic/es-ql (Team:QL)
rw-access
left a comment
LGTM.
My only note is that I'm not sure where wildcard should be deleted and where it should be changed to like.
| [[queries]] | ||
| name = "wildcardFunctionWildcardPattern" | ||
| query = ''' | ||
| file where wildcard(file_name, "winini*.exe", "lsass.*") and opcode == 2 |
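Review bot: In the `wildcardFunctionWildcardPattern` query, the second pattern `"lsass.*"` looks like a regex, but under wildcard matching the dot is literal and `*` is the wildcard. If this case is rewritten rather than dropped, the target should be the `like` form (`file_name like ("winini*.exe", "lsass.*")`) and not `regex`, which would change what the pattern matches; the test name should be updated to match.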
should this be replaced with like?
There's already a like test for this (likeMultipleArgWithPattern).
| expression = '''substring("hello world", -5, -1)''' | ||
| expected = "worl" | ||
|
|
||
| [wildcard] |
should this one be replaced with like? is this file even used?
Yes, file still in use.
I've tried to preserve the wildcard-now-like tests where they're part of a more complex suite (like those in queries.toml) and removed them where |
costin
left a comment
Assuming the removed tests already have an equivalent for like, the only comment I have is around fully removing the Wildcard class, which is not needed, and the substitute construct can be created directly by the parser.
| error("process where stringContains(process_name, 1)")); | ||
| } | ||
|
|
||
| public void testWildcardNotEnoughArguments() { |
Please convert these to like if there aren't tests that already do that.
These tests now become syntactic failures. One case could, however, indeed be converted (e.g. testWildcardWithNumericField).
As long as we have equivalent semantical tests, I'm 👍. Note that wildcard tests that rely on the syntax can be changed to like/like~, hence my point of replacing removed tests (or checking there are semantical equivalents to them).
| * wildcard(field, "*wildcard*pattern*", ...) | ||
| * field like ("*wildcard*pattern*", ...) | ||
| */ | ||
| public class Wildcard extends BaseSurrogateFunction { |
No need to keep this class around.
It's used inside the parser ExpressionBuilder#visitOperatorExpressionDefault; however, its only role is to call makeSubstitute, which is similar to ExpressionBuilder#combineExpressions. See the handling of EqlBaseParser.IN_INSENSITIVE: in visitOperatorExpressionDefault.
Thanks. Class removed.
- remove Wildcard class;
- recover one failed translation test.
@elasticmachine run elasticsearch-ci/bwc
@elasticmachine update branch
* master: (868 commits)
  Query API key - Rest spec and yaml tests (elastic#76238)
  Delay shard reassignment from nodes which are known to be restarting (elastic#75606)
  Reenable bwc tests for elastic#76475 (elastic#76576)
  Set version to 7.15 in BWC code (elastic#76577)
  Don't remove warning headers on all failure (elastic#76434)
  Disable bwc tests for elastic#76475 (elastic#76541)
  Re-enable bwc tests (elastic#76567)
  Keep track of data recovered from snapshots in RecoveryState (elastic#76499)
  [Transform] Align transform checkpoint range with date_histogram interval for better performance (elastic#74004)
  EQL: Remove "wildcard" function (elastic#76099)
  Fix 'accept' and 'content_type' fields for search_mvt API
  Add persistent licensed feature tracking (elastic#76476)
  Add system data streams to feature state snapshots (elastic#75902)
  fix the error message for instance methods that don't exist (elastic#76512)
  ILM: Add validation of the number_of_shards parameter in Shrink Action of ILM (elastic#74219)
  remove dashboard only reserved role (elastic#76507)
  Fix Stack Overflow in UnassignedInfo in Corner Case (elastic#76480)
  Add (Extended)KeyUsage KeyUsage, CipherSuite & Protocol to SSL diagnostics (elastic#65634)
  Add recovery from snapshot to tests (elastic#76535)
  Reenable BwC Tests after elastic#76532 (elastic#76534)
  ...
This removes "wildcard" as an available function in EQL. This has
already been replaced with "like" and "regex" embedded syntax (and
respective case insensitive variants).
Relates #71906.