elastic
diff --git a/‎src/platform/packages/shared/kbn-esql-utils/index.ts‎
Lines changed: 1 addition & 0 deletions b/‎src/platform/packages/shared/kbn-esql-utils/index.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/platform/packages/shared/kbn-esql-utils/src/index.ts‎
Lines changed: 1 addition & 0 deletions b/‎src/platform/packages/shared/kbn-esql-utils/src/index.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/platform/packages/shared/kbn-esql-utils/src/utils/append_to_query.test.ts‎
Lines changed: 6 additions & 6 deletions b/‎src/platform/packages/shared/kbn-esql-utils/src/utils/append_to_query.test.ts‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎src/platform/packages/shared/kbn-esql-utils/src/utils/append_to_query.ts‎
Lines changed: 58 additions & 26 deletions b/‎src/platform/packages/shared/kbn-esql-utils/src/utils/append_to_query.ts‎
Lines changed: 58 additions & 26 deletions
diff --git a/‎src/platform/packages/shared/kbn-esql-utils/src/utils/cascaded_documents_helpers.test.ts‎
Lines changed: 109 additions & 0 deletions b/‎src/platform/packages/shared/kbn-esql-utils/src/utils/cascaded_documents_helpers.test.ts‎
Lines changed: 109 additions & 0 deletions
@@ -52,6 +52,7 @@ export {
   getESQLStatsQueryMeta,
   constructCascadeQuery,
   mutateQueryStatsGrouping,
+  appendFilteringWhereClauseForCascadeLayout,
 } from './src';
 
 export { ENABLE_ESQL, FEEDBACK_LINK } from './constants';
@@ -59,4 +59,5 @@ export {
   getESQLStatsQueryMeta,
   constructCascadeQuery,
   mutateQueryStatsGrouping,
+  appendFilteringWhereClauseForCascadeLayout,
 } from './utils/cascaded_documents_helpers';
@@ -37,15 +37,15 @@ describe('appendToQuery', () => {
         appendWhereClauseToESQLQuery('from logstash-* // meow', 'dest', 'tada!', '+', 'string')
       ).toBe(
         `from logstash-* // meow
-| WHERE \`dest\`=="tada!"`
+| WHERE \`dest\` == "tada!"`
       );
     });
     it('appends a filter out where clause in an existing query', () => {
       expect(
         appendWhereClauseToESQLQuery('from logstash-* // meow', 'dest', 'tada!', '-', 'string')
       ).toBe(
         `from logstash-* // meow
-| WHERE \`dest\`!="tada!"`
+| WHERE \`dest\` != "tada!"`
       );
     });
 
@@ -54,14 +54,14 @@ describe('appendToQuery', () => {
         appendWhereClauseToESQLQuery('from logstash-* // meow', 'ip_field', 'tada!', '-', 'ip')
       ).toBe(
         `from logstash-* // meow
-| WHERE \`ip_field\`!="tada!"`
+| WHERE \`ip_field\` != "tada!"`
       );
     });
 
     it('appends a where clause in an existing query with casting to string when the type is not given', () => {
       expect(appendWhereClauseToESQLQuery('from logstash-* // meow', 'dest', 'tada!', '-')).toBe(
         `from logstash-* // meow
-| WHERE \`dest\`::string!="tada!"`
+| WHERE \`dest\`::string != "tada!"`
       );
     });
 
@@ -106,7 +106,7 @@ describe('appendToQuery', () => {
         )
       ).toBe(
         `from logstash-* | where country == "GR"
-AND \`dest\`=="Crete"`
+AND \`dest\` == "Crete"`
       );
     });
 
@@ -169,7 +169,7 @@ AND \`dest\`=="Crete"`
         )
       ).toBe(
         `from logstash-* | where CIDR_MATCH(ip1, "127.0.0.2/32", "127.0.0.3/32")
-and \`ip\`!="127.0.0.2/32"`
+and \`ip\` != "127.0.0.2/32"`
       );
     });
 
 
@@ -7,10 +7,11 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import { parse, mutate, BasicPrettyPrinter } from '@kbn/esql-ast';
+import { BasicPrettyPrinter, EsqlQuery, parse, mutate } from '@kbn/esql-ast';
+import type { BinaryExpressionComparisonOperator } from '@kbn/esql-ast/src/types';
 import { sanitazeESQLInput } from './sanitaze_input';
 
-const PARAM_TYPES_NO_NEED_IMPLICIT_STRING_CASTING = [
+export const PARAM_TYPES_NO_NEED_IMPLICIT_STRING_CASTING = [
   'date',
   'date_nanos',
   'version',
@@ -20,12 +21,47 @@ const PARAM_TYPES_NO_NEED_IMPLICIT_STRING_CASTING = [
   'string',
 ];
 
+export type SupportedOperators =
+  | Extract<BinaryExpressionComparisonOperator, '==' | '!='>
+  | 'is not null'
+  | 'is null';
+
 // Append in a new line the appended text to take care of the case where the user adds a comment at the end of the query
 // in these cases a base query such as "from index // comment" will result in errors or wrong data if we don't append in a new line
 export function appendToESQLQuery(baseESQLQuery: string, appendedText: string): string {
   return `${baseESQLQuery}\n${appendedText}`;
 }
 
+/**
+ * Gets the operator and expression type for the given operation
+ */
+export const getOperator = (
+  operation: '+' | '-' | 'is_not_null' | 'is_null'
+): { operator: SupportedOperators; expressionType: 'postfix-unary' | 'binary' } => {
+  switch (operation) {
+    case 'is_not_null':
+      return {
+        operator: 'is not null',
+        expressionType: 'postfix-unary',
+      };
+    case 'is_null':
+      return {
+        operator: 'is null',
+        expressionType: 'postfix-unary',
+      };
+    case '-':
+      return {
+        operator: '!=',
+        expressionType: 'binary',
+      };
+    default:
+      return {
+        operator: '==',
+        expressionType: 'binary',
+      };
+  }
+};
+
 export function appendWhereClauseToESQLQuery(
   baseESQLQuery: string,
   field: string,
@@ -37,20 +73,13 @@ export function appendWhereClauseToESQLQuery(
   if (Array.isArray(value)) {
     return undefined;
   }
-  let operator;
-  switch (operation) {
-    case 'is_not_null':
-      operator = ' is not null';
-      break;
-    case 'is_null':
-      operator = ' is null';
-      break;
-    case '-':
-      operator = '!=';
-      break;
-    default:
-      operator = '==';
-  }
+
+  const ESQLQuery = EsqlQuery.fromSrc(baseESQLQuery);
+
+  const whereCommands = Array.from(mutate.commands.where.list(ESQLQuery.ast));
+
+  const { operator } = getOperator(operation);
+
   let filterValue =
     typeof value === 'string' ? `"${value.replace(/\\/g, '\\\\').replace(/\"/g, '\\"')}"` : value;
   // Adding the backticks here are they are needed for special char fields
@@ -69,16 +98,14 @@ export function appendWhereClauseToESQLQuery(
     filterValue = '';
   }
 
-  const { ast } = parse(baseESQLQuery);
-
-  const lastCommandIsWhere = ast[ast.length - 1].name === 'where';
   // if where command already exists in the end of the query:
-  // - we need to append with and if the filter doesnt't exist
+  // - we need to append with and if the filter doesn't exist
   // - we need to change the filter operator if the filter exists with different operator
   // - we do nothing if the filter exists with the same operator
-  if (lastCommandIsWhere) {
-    const whereCommand = ast[ast.length - 1];
-    const whereAstText = whereCommand.text;
+  if (Boolean(whereCommands.length)) {
+    const lastWhereCommand = whereCommands[whereCommands.length - 1];
+
+    const whereAstText = lastWhereCommand.text;
     // the filter already exists in the where clause
     if (whereAstText.includes(field) && whereAstText.includes(String(filterValue))) {
       const pipesArray = baseESQLQuery.split('|');
@@ -88,7 +115,10 @@ export function appendWhereClauseToESQLQuery(
       if (matches) {
         const existingOperator = matches[1]?.trim().replace('`', '').toLowerCase();
         if (!['==', '!=', 'is not null', 'is null'].includes(existingOperator.trim())) {
-          return appendToESQLQuery(baseESQLQuery, `and ${fieldName}${operator}${filterValue}`);
+          return appendToESQLQuery(
+            baseESQLQuery,
+            `and ${fieldName} ${operator} ${filterValue}`.trim()
+          );
         }
         // the filter is the same
         if (existingOperator === operator.trim()) {
@@ -101,11 +131,13 @@ export function appendWhereClauseToESQLQuery(
         }
       }
     }
+
     // filter does not exist in the where clause
-    const whereClause = `AND ${fieldName}${operator}${filterValue}`;
+    const whereClause = `AND ${fieldName} ${operator} ${filterValue}`.trim();
     return appendToESQLQuery(baseESQLQuery, whereClause);
   }
-  const whereClause = `| WHERE ${fieldName}${operator}${filterValue}`;
+
+  const whereClause = `| WHERE ${fieldName} ${operator} ${filterValue}`.trim();
   return appendToESQLQuery(baseESQLQuery, whereClause);
 }
 
 
@@ -12,6 +12,7 @@ import {
   getESQLStatsQueryMeta,
   constructCascadeQuery,
   mutateQueryStatsGrouping,
+  appendFilteringWhereClauseForCascadeLayout,
 } from './cascaded_documents_helpers';
 
 describe('cascaded documents helpers utils', () => {
@@ -350,4 +351,112 @@ describe('cascaded documents helpers utils', () => {
       );
     });
   });
+
+  describe('appendFilteringWhereClauseForCascadeLayout', () => {
+    it('appends a filter in where clause in an existing query containing a stats command without a where command', () => {
+      expect(
+        appendFilteringWhereClauseForCascadeLayout(
+          'from logstash-* | stats var = avg(woof)',
+          'dest',
+          'tada!',
+          '+',
+          'string'
+        )
+      ).toBe('FROM logstash-* | WHERE dest == "tada!" | STATS var = AVG(woof)');
+    });
+
+    it('appends a filter in where clause in an existing query containing a stats command with a where command', () => {
+      expect(
+        appendFilteringWhereClauseForCascadeLayout(
+          'from logstash-* | where country == "GR" | stats var = avg(woof) ',
+          'dest',
+          'tada!',
+          '+',
+          'string'
+        )
+      ).toBe('FROM logstash-* | WHERE dest == "tada!" AND country == "GR" | STATS var = AVG(woof)');
+    });
+
+    it('negates a filter in where clause in an existing query containing a stats command without a where command', () => {
+      expect(
+        appendFilteringWhereClauseForCascadeLayout(
+          `FROM logstash-* | WHERE \`geo.dest\` == "BT" | SORT @timestamp DESC | LIMIT 10000 | STATS countB = COUNT(bytes) BY geo.dest | SORT countB`,
+          'geo.dest',
+          'BT',
+          '-',
+          'string'
+        )
+      ).toBe(
+        'FROM logstash-* | WHERE `geo.dest` != "BT" | SORT @timestamp DESC | LIMIT 10000 | STATS countB = COUNT(bytes) BY geo.dest | SORT countB'
+      );
+    });
+
+    it("accounts for case where there's a pre-existing where command that references a runtime field created in a previous stats command ", () => {
+      expect(
+        appendFilteringWhereClauseForCascadeLayout(
+          'from logstash-* | sort @timestamp desc | limit 10000 | stats countB = count(bytes) by geo.dest | sort countB | where countB > 0',
+          'dest',
+          'tada!',
+          '+',
+          'string'
+        )
+      ).toBe(
+        'FROM logstash-* | WHERE dest == "tada!" | SORT @timestamp DESC | LIMIT 10000 | STATS countB = COUNT(bytes) BY geo.dest | SORT countB | WHERE countB > 0'
+      );
+    });
+
+    it('handles the case where the field being filtered on is a runtime field created by a stats command', () => {
+      expect(
+        appendFilteringWhereClauseForCascadeLayout(
+          'FROM kibana_sample_data_logs | STATS count = COUNT(bytes), average = AVG(memory) BY Pattern = CATEGORIZE(message), agent.keyword, clientip',
+          'Pattern',
+          'tada!',
+          '+',
+          'string'
+        )
+      ).toBe(
+        'FROM kibana_sample_data_logs | STATS count = COUNT(bytes), average = AVG(memory) BY Pattern = CATEGORIZE(message), agent.keyword, clientip | WHERE Pattern == "tada!"'
+      );
+    });
+
+    it('handles the case where the field being filtered on is a runtime field created by a stats command, followed by other commands', () => {
+      expect(
+        appendFilteringWhereClauseForCascadeLayout(
+          'FROM kibana_sample_data_logs | STATS count = COUNT(bytes), average = AVG(memory) BY Pattern = CATEGORIZE(message), agent.keyword, clientip | SORT count DESC',
+          'Pattern',
+          'tada!',
+          '+',
+          'string'
+        )
+      ).toBe(
+        'FROM kibana_sample_data_logs | STATS count = COUNT(bytes), average = AVG(memory) BY Pattern = CATEGORIZE(message), agent.keyword, clientip | WHERE Pattern == "tada!" | SORT count DESC'
+      );
+    });
+
+    it('handles the case where the field being filtered on is a runtime field created by a stats command, and with another filter applied there after', () => {
+      const initialFilterResult = appendFilteringWhereClauseForCascadeLayout(
+        'FROM kibana_sample_data_logs | STATS count = COUNT(bytes), average = AVG(memory) BY Pattern = CATEGORIZE(message), agent.keyword, clientip | SORT count DESC',
+        'Pattern',
+        'tada!',
+        '+',
+        'string'
+      );
+
+      expect(initialFilterResult).toBe(
+        'FROM kibana_sample_data_logs | STATS count = COUNT(bytes), average = AVG(memory) BY Pattern = CATEGORIZE(message), agent.keyword, clientip | WHERE Pattern == "tada!" | SORT count DESC'
+      );
+
+      expect(
+        appendFilteringWhereClauseForCascadeLayout(
+          initialFilterResult,
+          'clientip',
+          '192.168.1.1',
+          '+',
+          'string'
+        )
+      ).toBe(
+        'FROM kibana_sample_data_logs | WHERE clientip == "192.168.1.1" | STATS count = COUNT(bytes), average = AVG(memory) BY Pattern = CATEGORIZE(message), agent.keyword, clientip | WHERE Pattern == "tada!" | SORT count DESC'
+      );
+    });
+  });
 });