Supporting EQL in Elasticsearch #49581
Labels: :Analytics/EQL (EQL querying), Dependency:SIEM, Meta, Team:QL (Deprecated; meta label for query languages team)

Comments
Pinging @elastic/es-search (:Search/EQL)

It seems that some of the infrastructure required for this (notably the multiple search request executor and limited join-handling) could also eventually help support SQL.
imotov added a commit to imotov/elasticsearch that referenced this issue (Jan 7, 2020):
Adds a protocol support for async mode. The actual implementation will be added when more details of query handling are clear. Relates to elastic#49581

imotov added a commit to imotov/elasticsearch that referenced this issue (Jan 9, 2020):
Refactors EqlSearchResponse to make it immutable. Relates to elastic#49581

imotov added a commit that referenced this issue (Jan 9, 2020):
Refactors EqlSearchResponse to make it immutable. Relates to #49581

imotov added a commit to imotov/elasticsearch that referenced this issue (Jan 10, 2020):
Removes unnecessary classes from EqlSearchResponse that just represent lists of other elements. Relates to elastic#49581

imotov added a commit that referenced this issue (Jan 13, 2020):
Removes unnecessary classes from EqlSearchResponse that just represent lists of other elements. Relates to #49581

imotov added a commit to imotov/elasticsearch that referenced this issue (Jan 13, 2020):
Replaces the existing hand-built Hits parser with a ConstructingObjectParser version. Relates to elastic#49581

imotov added a commit that referenced this issue (Jan 13, 2020):
Replaces the existing hand-built Hits parser with a ConstructingObjectParser version. Relates to #49581
aleksmaus pushed a commit to aleksmaus/elasticsearch that referenced this issue (Jan 27, 2020):
Refactors EqlSearchResponse to make it immutable. Relates to elastic#49581

aleksmaus pushed a commit to aleksmaus/elasticsearch that referenced this issue (Jan 27, 2020):
Removes unnecessary classes from EqlSearchResponse that just represent lists of other elements. Relates to elastic#49581

aleksmaus pushed a commit to aleksmaus/elasticsearch that referenced this issue (Jan 27, 2020):
…#50925) Replaces the existing hand-built Hits parser with a ConstructingObjectParser version. Relates to elastic#49581

aleksmaus added a commit to aleksmaus/elasticsearch that referenced this issue (Jan 27, 2020):
… for integration tests. (elastic#51370) Related to elastic#49581

aleksmaus added a commit to aleksmaus/elasticsearch that referenced this issue (Feb 12, 2020):
…iginal implementation
The tests use the original test queries from https://github.com/endgameinc/eql/blob/master/eql/etc/test_queries.toml for EQL implementation correctness validation. The file test_queries_unsupported.toml serves as a "blacklist" for the queries that we do not support. Currently all of the queries are blacklisted. Over time the expectation is to eventually have an empty "blacklist" when all of the queries are fully supported. The tests use the original test vector from https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_data.json that was translated to ECS format that matches the latest mapping being used for Endgame platform event streaming and is loaded from the endgame.dat file. The endgame.json file contains the matching index mappings/settings. Only one EQL and the response is stubbed for now to match the expected output from that query. This part would need some tweaking after EQL is fully wired. The input .toml file is parsed by hand for now, which is sufficient for our purposes and avoids introducing another dependency just for this particular test case. Related to elastic#49581

aleksmaus added a commit that referenced this issue (Feb 22, 2020):
…iginal implementation (#52248)
The tests use the original test queries from https://github.com/endgameinc/eql/blob/master/eql/etc/test_queries.toml for EQL implementation correctness validation. The file test_queries_unsupported.toml serves as a "blacklist" for the queries that we do not support. Currently all of the queries are blacklisted. Over time the expectation is to eventually have an empty "blacklist" when all of the queries are fully supported. The tests use the original test vector from https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_data.json. Only one EQL and the response is stubbed for now to match the expected output from that query. This part would need some tweaking after EQL is fully wired. Related to #49581

aleksmaus added a commit to aleksmaus/elasticsearch that referenced this issue (Feb 22, 2020):
…iginal implementation (elastic#52248)
The tests use the original test queries from https://github.com/endgameinc/eql/blob/master/eql/etc/test_queries.toml for EQL implementation correctness validation. The file test_queries_unsupported.toml serves as a "blacklist" for the queries that we do not support. Currently all of the queries are blacklisted. Over time the expectation is to eventually have an empty "blacklist" when all of the queries are fully supported. The tests use the original test vector from https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_data.json. Only one EQL and the response is stubbed for now to match the expected output from that query. This part would need some tweaking after EQL is fully wired. Related to elastic#49581

aleksmaus added a commit that referenced this issue (Feb 24, 2020):
…iginal implementation (#52248) (#52675)
The tests use the original test queries from https://github.com/endgameinc/eql/blob/master/eql/etc/test_queries.toml for EQL implementation correctness validation. The file test_queries_unsupported.toml serves as a "blacklist" for the queries that we do not support. Currently all of the queries are blacklisted. Over time the expectation is to eventually have an empty "blacklist" when all of the queries are fully supported. The tests use the original test vector from https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_data.json. Only one EQL and the response is stubbed for now to match the expected output from that query. This part would need some tweaking after EQL is fully wired. Related to #49581
Replacing this long standing issue with the remaining tasks for 7.11 at #64273
Issue description:

This is a meta issue to track progress of adding EQL support to Elasticsearch. EQL will be supported via a new Elastic licensed plugin which will provide execution of EQL rules.
The language reference for EQL can be found here.

Scope of first iteration

Language features

In Scope:
- event_type where CRITERIA
- where CRITERIA
  - can use field_name=value, together with and/or/not

Out of Scope:
- fork
- in sequences

Things to consider during the design and implementation

High level tasks
Each task here has its own issue and some bigger tasks might have their own meta issue:
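The in-scope subset listed above (an optional event type, `where`, and `field_name=value` criteria combined with and/or/not) is small enough to implement end to end, which makes the scope concrete. The matcher below is an added example written for this page; it is not code from Elasticsearch, the EQL plugin, or the original endgameinc/eql project. It assumes events are plain Python dicts with a top-level `event_type` key and ECS-style dotted field paths, accepts both `==` and the `=` shorthand written in the issue, and binds `not` tighter than `and`, which binds tighter than `or` (a standard precedence choice assumed here). The sample events are constructed, not real telemetry; the first query is a classic Office-spawns-shell detection pattern.

```python
import re

# Token classes of the in-scope subset: "==" (or the "=" shorthand), double-quoted strings,
# numbers, and dotted identifiers; the keywords where/and/or/not are identifiers re-tagged below.
TOKEN_RE = re.compile(
    r'(?P<ws>\s+)|(?P<op>==|=)|"(?P<str>(?:[^"\\]|\\.)*)"'
    r'|(?P<num>-?\d+(?:\.\d+)?)|(?P<ident>[A-Za-z_][\w.]*)'
)
KEYWORDS = {"where", "and", "or", "not"}

def tokenize(text):
    """Split a query into (kind, value) tokens; any character outside the subset is an error."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos, kind = m.end(), m.lastgroup
        if kind == "ws":
            continue
        value = m.group(kind)
        if kind == "num":
            value = float(value) if "." in value else int(value)
        elif kind == "op":
            value = "=="          # normalise the issue's field_name=value shorthand to ==
        elif kind == "ident" and value.lower() in KEYWORDS:
            kind, value = "kw", value.lower()
        tokens.append((kind, value))
    return tokens

def parse_query(text):
    """query := [event_type] 'where' expr, precedence not > and > or; returns (event_type, tree)."""
    toks, pos = tokenize(text) + [("end", None)], 0

    def take(kind, value=None):
        nonlocal pos
        tok = toks[pos]
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        pos += 1
        return tok[1]

    def binary(keyword, operand):
        node = operand()
        while toks[pos] == ("kw", keyword):      # left-associative chain of and / or
            take("kw")
            node = (keyword, node, operand())
        return node

    def unary():
        if toks[pos] == ("kw", "not"):
            take("kw")
            return ("not", unary())
        field = take("ident")
        take("op", "==")
        kind, value = toks[pos]
        if kind not in ("str", "num"):
            raise ValueError(f"expected a string or number literal after ==, got {(kind, value)}")
        take(kind)
        return ("cmp", field, value)

    event_type = take("ident") if toks[pos][0] == "ident" else None
    take("kw", "where")
    expr = binary("or", lambda: binary("and", unary))
    take("end")                                   # anything left over is a syntax error
    return event_type, expr

def get_field(event, path):
    for part in path.split("."):                  # dotted path such as process.parent.name
        event = event.get(part) if isinstance(event, dict) else None
    return event                                  # None when any step is missing

def evaluate(node, event):
    """Evaluate an expression tree against one event dict."""
    if node[0] == "not":
        return not evaluate(node[1], event)
    if node[0] == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if node[0] == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    return get_field(event, node[1]) == node[2]   # absent field compares unequal, so `not` of it is true

def run_query(text, events):
    """Parse once, then return the events whose event_type (if given) and criteria both match."""
    event_type, expr = parse_query(text)
    return [e for e in events
            if (event_type is None or e.get("event_type") == event_type) and evaluate(expr, e)]

# Constructed sample events (not real telemetry); field names loosely follow ECS.
SAMPLE_EVENTS = [
    {"event_type": "process", "process": {"name": "cmd.exe", "parent": {"name": "winword.exe"}}, "user": {"name": "alice"}},
    {"event_type": "process", "process": {"name": "svchost.exe", "parent": {"name": "services.exe"}}, "user": {"name": "SYSTEM"}},
    {"event_type": "network", "process": {"name": "chrome.exe"}, "destination": {"port": 443}},
    {"event_type": "network", "process": {"name": "cmd.exe"}, "destination": {"port": 4444}},
]

if __name__ == "__main__":
    q = 'process where process.name == "cmd.exe" and process.parent.name == "winword.exe"'
    print(q, "->", [e["process"]["name"] for e in run_query(q, SAMPLE_EVENTS)])
```

Two design points worth noting against the issue's scope: the grammar stops exactly at the in-scope items (no `fork`, no sequences, no parentheses), so anything else fails at parse time rather than silently matching nothing; and a missing field compares unequal, so `not user.name == "alice"` matches events that carry no user at all, which is the kind of edge case a blacklist of unsupported test queries like the one described in the commits above is meant to catch.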