EQL: Change result_position default value from head to tail (#66387)

By default, if no pipe is specified, EQL return results from the tail, end of the stream, not the front. The results are returned in ascending order. (cherry picked from commit 2f50423) (cherry picked from commit 946b0ac) (cherry picked from commit 3382f36)
elastic · Dec 17, 2020 · 3d0170e · 3d0170e
1 parent cece81b
commit 3d0170e
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 8 deletions.
diff --git a/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java b/client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java
@@ -39,7 +39,7 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
     private QueryBuilder filter = null;
     private String timestampField = "@timestamp";
     private String eventCategoryField = "event.category";
-    private String resultPosition = "head";
+    private String resultPosition = "tail";
 
     private int size = 10;
     private int fetchSize = 1000;

diff --git a/...in/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java b/...in/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java
@@ -120,6 +120,7 @@ public void testEqlRestUsage() throws IOException {
             DataLoader.loadDatasetIntoEs(highLevelClient(), this::createParser);
         }
 
+        String defaultPipe = "pipe_tail";
         //
         // random event queries
         //
@@ -145,7 +146,7 @@ public void testEqlRestUsage() throws IOException {
             runEql("sequence [process where serial_event_id == 1] [process where serial_event_id == 2]");
         }
         responseAsMap = getStats();
-        metricsToCheck = unmodifiableSet(new HashSet<>(Arrays.asList("sequence", "sequence_queries_two", "pipe_head")));
+        metricsToCheck = unmodifiableSet(new HashSet<>(Arrays.asList("sequence", "sequence_queries_two", defaultPipe)));
         assertFeaturesMetrics(randomSequenceExecutions, responseAsMap, metricsToCheck);
         assertFeaturesMetricsExcept(responseAsMap, metricsToCheck);
         assertAllQueryMetrics(allTotalQueries, responseAsMap);
@@ -198,8 +199,8 @@ public void testEqlRestUsage() throws IOException {
                 "  [process where opcode == 2] by user");
         }
         responseAsMap = getStats();
-        metricsToCheck = unmodifiableSet(new HashSet<>(Arrays.asList("sequence", "sequence_queries_three", "pipe_head", "join_keys_one",
-            "sequence_maxspan")));
+        metricsToCheck = unmodifiableSet(new HashSet<>(Arrays.asList("sequence", "sequence_queries_three", "join_keys_one",
+            "sequence_maxspan", defaultPipe)));
         assertFeaturesMetrics(randomThreeQueriesSequences, responseAsMap, metricsToCheck);
         assertFeaturesMetricsExcept(responseAsMap, metricsToCheck);
         assertAllQueryMetrics(allTotalQueries, responseAsMap);
@@ -236,7 +237,7 @@ public void testEqlRestUsage() throws IOException {
                 "  [process where opcode == 1]");
         }
         responseAsMap = getStats();
-        metricsToCheck = unmodifiableSet(new HashSet<>(Arrays.asList("sequence", "sequence_queries_two", "pipe_head", "join_keys_four")));
+        metricsToCheck = unmodifiableSet(new HashSet<>(Arrays.asList("sequence", "sequence_queries_two", "join_keys_four", defaultPipe)));
         assertFeaturesMetrics(randomFourJoinKeysExecutions, responseAsMap, metricsToCheck);
         assertFeaturesMetricsExcept(responseAsMap, metricsToCheck);
         assertAllQueryMetrics(allTotalQueries, responseAsMap);
@@ -252,8 +253,8 @@ public void testEqlRestUsage() throws IOException {
                 "  [process where opcode == 1]");
         }
         responseAsMap = getStats();
-        metricsToCheck = unmodifiableSet(new HashSet<>(Arrays.asList("sequence", "sequence_queries_two", "pipe_head",
-            "join_keys_five_or_more")));
+        metricsToCheck = unmodifiableSet(new HashSet<>(Arrays.asList("sequence", "sequence_queries_two",
+            "join_keys_five_or_more", defaultPipe)));
         assertFeaturesMetrics(randomFiveJoinKeysExecutions, responseAsMap, metricsToCheck);
         assertFeaturesMetricsExcept(responseAsMap, metricsToCheck);
         assertAllQueryMetrics(allTotalQueries, responseAsMap);

diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java
@@ -49,7 +49,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
     private int size = RequestDefaults.SIZE;
     private int fetchSize = RequestDefaults.FETCH_SIZE;
     private String query;
-    private String resultPosition = "head";
+    private String resultPosition = "tail";
 
     // Async settings
     private TimeValue waitForCompletionTimeout = null;