Add support for 'size' in EQL Sample queries #87846

Closed
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ public abstract class BaseEqlSpecTestCase extends RemoteClusterAwareEqlRestTestC
* For now, every value will be converted to a String.
*/
private final String[] joinKeys;
private final Integer size;

Member

I have only one nitpick around the usage of Integer (object) instead of a primitive.
The sign doesn't seem to be used (head and tail take care of where the limit is applied) hence why not use the negative value as indicator that the size is out of band and thus unspecified?
As Integer, size has 3 states - valid if >=0, unspecified if null and invalid if <0.
What I'm saying is using only 2 through a primitive (int) - valid if >=0, unspecified if <0.

Contributor Author

> What happens if both size and limit are specified?

Do you mean something like ... | tail n with n different from size?
For samples, at this stage, pipes are not supported yet, so it cannot happen.
For sequences, both conditions are applied, so the smaller one prevails; this seems a reasonable behavior, so I'd say we could have the same for samples in the future


@Before
public void setup() throws Exception {
Expand Down Expand Up @@ -97,19 +98,20 @@ protected static List<Object[]> asArray(List<EqlSpec> specs) {
name = "" + (counter);
}

results.add(new Object[] { spec.query(), name, spec.expectedEventIds(), spec.joinKeys() });
results.add(new Object[] { spec.query(), name, spec.expectedEventIds(), spec.joinKeys(), spec.size() });
}

return results;
}

BaseEqlSpecTestCase(String index, String query, String name, List<long[]> eventIds, String[] joinKeys) {
BaseEqlSpecTestCase(String index, String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
this.index = index;

this.query = query;
this.name = name;
this.eventIds = eventIds;
this.joinKeys = joinKeys;
this.size = size;
}

public void test() throws Exception {
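Review bot: the fifth element added to the `Object[]` in asArray() is tied to the new `Integer size` constructor parameter only by argument order, and every spec test class has to repeat that order in its own constructors. Since each new spec attribute now means editing all of those constructors, consider passing the `EqlSpec` itself (or a small holder object) through the parameters factory so the next field is a one-line change.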
Expand Down Expand Up @@ -139,7 +141,7 @@ protected ObjectPath runQuery(String index, String query) throws Exception {
if (tiebreaker != null) {
builder.field("tiebreaker_field", tiebreaker);
}
builder.field("size", requestSize());
builder.field("size", this.size == null ? requestSize() : this.size);
builder.field("fetch_size", requestFetchSize());
builder.field("result_position", requestResultPosition());
builder.endObject();
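Review bot: in runQuery(), `this.size == null ? requestSize() : this.size` forwards whatever the spec holds, so a negative `size` in a TOML entry goes into the request body unchecked. Either reject negative values when the spec is loaded, or add a short comment on the `size` field stating that null means "fall back to requestSize()" and that 0 is a real limit rather than "unspecified".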
Original file line number Diff line number Diff line change
Expand Up @@ -21,13 +21,13 @@ public static List<Object[]> readTestSpecs() throws Exception {
}

// constructor for "local" rest tests
public EqlDateNanosSpecTestCase(String query, String name, List<long[]> eventIds, String[] joinKeys) {
this(TEST_NANOS_INDEX, query, name, eventIds, joinKeys);
public EqlDateNanosSpecTestCase(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
this(TEST_NANOS_INDEX, query, name, eventIds, joinKeys, size);
}

// constructor for multi-cluster tests
public EqlDateNanosSpecTestCase(String index, String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(index, query, name, eventIds, joinKeys);
public EqlDateNanosSpecTestCase(String index, String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(index, query, name, eventIds, joinKeys, size);
}

@Override
Original file line number Diff line number Diff line change
Expand Up @@ -21,13 +21,13 @@ public static List<Object[]> readTestSpecs() throws Exception {
}

// constructor for "local" rest tests
public EqlExtraSpecTestCase(String query, String name, List<long[]> eventIds, String[] joinKeys) {
this(TEST_EXTRA_INDEX, query, name, eventIds, joinKeys);
public EqlExtraSpecTestCase(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
this(TEST_EXTRA_INDEX, query, name, eventIds, joinKeys, size);
}

// constructor for multi-cluster tests
public EqlExtraSpecTestCase(String index, String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(index, query, name, eventIds, joinKeys);
public EqlExtraSpecTestCase(String index, String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(index, query, name, eventIds, joinKeys, size);
}

@Override
Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,12 @@

public abstract class EqlSampleTestCase extends BaseEqlSpecTestCase {

public EqlSampleTestCase(String query, String name, List<long[]> eventIds, String[] joinKeys) {
this(TEST_SAMPLE, query, name, eventIds, joinKeys);
public EqlSampleTestCase(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
this(TEST_SAMPLE, query, name, eventIds, joinKeys, size);
}

public EqlSampleTestCase(String index, String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(index, query, name, eventIds, joinKeys);
public EqlSampleTestCase(String index, String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(index, query, name, eventIds, joinKeys, size);
}

@ParametersFactory(shuffle = false, argumentFormatting = PARAM_FORMATTING)
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ public class EqlSpec {
private List<long[]> expectedEventIds;
private String[] joinKeys;

private Integer size;

public String name() {
return name;
}
Expand Down Expand Up @@ -84,6 +86,14 @@ public void joinKeys(String[] joinKeys) {
this.joinKeys = joinKeys;
}

public Integer size() {
return size;
}

public void size(Integer size) {
this.size = size;
}

@Override
public String toString() {
String str = "";
Expand All @@ -107,6 +117,10 @@ public String toString() {
if (joinKeys != null) {
str = appendWithComma(str, "join_keys", Arrays.toString(joinKeys));
}
if (size != null) {
str = appendWithComma(str, "size", "" + size);
}

return str;
}

Expand All @@ -122,12 +136,12 @@ public boolean equals(Object other) {

EqlSpec that = (EqlSpec) other;

return Objects.equals(this.query(), that.query());
return Objects.equals(this.query(), that.query()) && Objects.equals(size, that.size);
}

@Override
public int hashCode() {
return Objects.hash(this.query);
return Objects.hash(this.query, size);
}

private static String appendWithComma(String str, String name, String append) {
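Review bot: equals() reads the query through the accessor (`this.query()`, `that.query()`) but `size` through the field, while hashCode() uses `this.query` and a bare `size`. Use one form in both methods, for example `Objects.equals(query, that.query) && Objects.equals(size, that.size)`, so it stays obvious that the two compare the same pair of fields. A one-line comment that specs sharing a query but differing in `size` are intentionally distinct would also help, since the new TOML entries rely on that.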
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,14 @@ private static String getTrimmedString(TomlTable table, String key) {
return null;
}

private static Integer getInteger(TomlTable table, String key) {
Long s = table.getLong(key);
if (s != null) {
return s.intValue();
}
return null;
}

private static List<EqlSpec> readFromStream(InputStream is, Set<String> uniqueTestNames) throws Exception {
List<EqlSpec> testSpecs = new ArrayList<>();

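Review bot: getInteger() narrows with `s.intValue()`, which silently wraps a TOML value outside the int range instead of failing, so an oversized `size` in a spec turns into a different limit without any error. `Math.toIntExact(s)` would raise an ArithmeticException at load time instead. The method could also carry a one-line comment that a missing key returns null.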
Expand All @@ -81,6 +89,7 @@ private static List<EqlSpec> readFromStream(InputStream is, Set<String> uniqueTe
spec.name(getTrimmedString(table, "name"));
spec.note(getTrimmedString(table, "note"));
spec.description(getTrimmedString(table, "description"));
spec.size(getInteger(table, "size"));

List<?> arr = table.getList("tags");
if (arr != null) {
Original file line number Diff line number Diff line change
Expand Up @@ -28,12 +28,12 @@ protected String tiebreaker() {
}

// constructor for "local" rest tests
public EqlSpecTestCase(String query, String name, List<long[]> eventIds, String[] joinKeys) {
this(TEST_INDEX, query, name, eventIds, joinKeys);
public EqlSpecTestCase(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
this(TEST_INDEX, query, name, eventIds, joinKeys, size);
}

// constructor for multi-cluster tests
public EqlSpecTestCase(String index, String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(index, query, name, eventIds, joinKeys);
public EqlSpecTestCase(String index, String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(index, query, name, eventIds, joinKeys, size);
}
}
58 changes: 58 additions & 0 deletions x-pack/plugin/eql/qa/common/src/main/resources/test_sample.toml
Original file line number Diff line number Diff line change
Expand Up @@ -286,3 +286,61 @@ expected_event_ids = [18,11]
join_keys = ["doom","win10"]


[[queries]]
name = "size0"
size = 0

Contributor

Other eql queries use size as well, but none of them require the toml tests to have size in them. I'm wondering if there isn't any other way to test size given that so far there was no need for size in IT toml tests.

Contributor Author

> For example, the Mapper is the one that generates physical plans based on the logical ones and, according to what's in there already a LimitWithOffset should map to a LimitWithOffsetExec. In your case, SampleExec physical plan includes a Limit, but it should in fact belong to a physical plan having as parent a LimitWithOffsetExec.

I'm not sure I got this comment: LimitWithOffset+Sample logical plan is transformed to LimitWithOffsetExec+SampleExec, then QueryFolder.FoldLimit rule applies the limit (from LimitWithOffsetExec) to SampleExec, that is then used to build SampleIterator.
This is the exact same thing that happens for Sequence execution planning.

About "size" in the tests, we have unit tests (mostly for the execution planning, plus some specific tests for the algorithms) in Java, but they do not fully execute any query (mocking the full execution is extremely convoluted due to the usage of internal - Server - components in the execution, that cannot be instantiated in our tests).
The only real execution tests we have are TOML tests, this is why I added a size attribute there. It allows us to test the size on a full execution path.
In addition, I think also Sequence tests can take advantage of it.

query = '''
sample by host, ?os
[success where true]
[alert where true and id == 21 or id == 24 or id == 11]
'''
expected_event_ids = []
join_keys = []


[[queries]]
name = "size2"
size = 2
query = '''
sample by host, ?os
[success where true]
[alert where true and id == 21 or id == 24 or id == 11]
'''
expected_event_ids = [29,24,
28,21]
join_keys = ["GTA","null",
"doom","null"]


[[queries]]
name = "size3"
size = 3
query = '''
sample by host, ?os
[success where true]
[alert where true and id == 21 or id == 24 or id == 11]
'''
expected_event_ids = [29,24,
28,21,
18,11]
join_keys = ["GTA","null",
"doom","null",
"doom","win10"]


[[queries]]
name = "sizeBig"
size = 500
query = '''
sample by host, ?os
[success where true]
[alert where true and id == 21 or id == 24 or id == 11]
'''
expected_event_ids = [29,24,
28,21,
18,11]
join_keys = ["GTA","null",
"doom","null",
"doom","win10"]
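Review bot: the new entries cover 0, 2, 3 and a value above the match count, but `size2` only passes if the samples come back in the same order as in `size3` (29,24 then 28,21), and nothing in the spec says what guarantees that order. Add a comment naming what fixes the order of samples under a limit, and consider a `size = 1` entry so the smallest non-empty limit is covered as well.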


Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@

public class EqlDateNanosIT extends EqlDateNanosSpecTestCase {

public EqlDateNanosIT(String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(remoteClusterIndex(TEST_NANOS_INDEX), query, name, eventIds, joinKeys);
public EqlDateNanosIT(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(remoteClusterIndex(TEST_NANOS_INDEX), query, name, eventIds, joinKeys, size);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@

public class EqlExtraIT extends EqlExtraSpecTestCase {

public EqlExtraIT(String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(remoteClusterIndex(TEST_EXTRA_INDEX), query, name, eventIds, joinKeys);
public EqlExtraIT(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(remoteClusterIndex(TEST_EXTRA_INDEX), query, name, eventIds, joinKeys, size);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@

public class EqlSampleIT extends EqlSampleTestCase {

public EqlSampleIT(String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(remoteClusterPattern(TEST_SAMPLE), query, name, eventIds, joinKeys);
public EqlSampleIT(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(remoteClusterPattern(TEST_SAMPLE), query, name, eventIds, joinKeys, size);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@

public class EqlSpecIT extends EqlSpecTestCase {

public EqlSpecIT(String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(remoteClusterIndex(TEST_INDEX), query, name, eventIds, joinKeys);
public EqlSpecIT(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(remoteClusterIndex(TEST_INDEX), query, name, eventIds, joinKeys, size);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@

public class EqlDateNanosIT extends EqlDateNanosSpecTestCase {

public EqlDateNanosIT(String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(query, name, eventIds, joinKeys);
public EqlDateNanosIT(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(query, name, eventIds, joinKeys, size);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@

public class EqlExtraIT extends EqlExtraSpecTestCase {

public EqlExtraIT(String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(query, name, eventIds, joinKeys);
public EqlExtraIT(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(query, name, eventIds, joinKeys, size);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,8 @@

public class EqlSampleIT extends EqlSampleTestCase {

public EqlSampleIT(String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(query, name, eventIds, joinKeys);
public EqlSampleIT(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(query, name, eventIds, joinKeys, size);
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@

public class EqlSpecIT extends EqlSpecTestCase {

public EqlSpecIT(String query, String name, List<long[]> eventIds, String[] joinKeys) {
super(query, name, eventIds, joinKeys);
public EqlSpecIT(String query, String name, List<long[]> eventIds, String[] joinKeys, Integer size) {
super(query, name, eventIds, joinKeys, size);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,7 @@ public Executable assemble(
/*
* Sample assembler
*/
public Executable assemble(List<List<Attribute>> listOfKeys, List<PhysicalPlan> plans) {
public Executable assemble(List<List<Attribute>> listOfKeys, List<PhysicalPlan> plans, Limit limit) {
if (cfg.fetchSize() > SAMPLE_MAX_PAGE_SIZE) {
throw new EqlIllegalArgumentException("Fetch size cannot be greater than [{}]", SAMPLE_MAX_PAGE_SIZE);
}
Expand Down Expand Up @@ -211,7 +211,7 @@ public Executable assemble(List<List<Attribute>> listOfKeys, List<PhysicalPlan>
}
}

return new SampleIterator(new PITAwareQueryClient(session), criteria, cfg.fetchSize(), session.circuitBreaker());
return new SampleIterator(new PITAwareQueryClient(session), criteria, cfg.fetchSize(), limit, session.circuitBreaker());
}

private HitExtractor timestampExtractor(HitExtractor hitExtractor) {
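Review bot: in the new `SampleIterator` call, `cfg.fetchSize()` and `limit` are passed independently, so a request with a small limit still pages at the full fetch size. Is it worth capping the page size when the limit is smaller, or is that deliberate? Either way a one-line comment on how the two values interact would help, since the only guard in this method covers `cfg.fetchSize()`.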
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
import org.elasticsearch.xpack.eql.execution.assembler.SampleCriterion;
import org.elasticsearch.xpack.eql.execution.assembler.SampleQueryRequest;
import org.elasticsearch.xpack.eql.execution.search.HitReference;
import org.elasticsearch.xpack.eql.execution.search.Limit;
import org.elasticsearch.xpack.eql.execution.search.QueryClient;
import org.elasticsearch.xpack.eql.execution.search.RuntimeUtils;
import org.elasticsearch.xpack.eql.execution.sequence.SequenceKey;
Expand Down Expand Up @@ -55,7 +56,7 @@ public class SampleIterator implements Executable {
private final int maxCriteria;
final List<Sample> samples;
private final int fetchSize;

private final Limit limit;
private long startTime;

// ---------- CIRCUIT BREAKER -----------
Expand Down Expand Up @@ -83,12 +84,13 @@ public class SampleIterator implements Executable {
*/
private long previousTotalPageSize = 0;

public SampleIterator(QueryClient client, List<SampleCriterion> criteria, int fetchSize, CircuitBreaker circuitBreaker) {
public SampleIterator(QueryClient client, List<SampleCriterion> criteria, int fetchSize, Limit limit, CircuitBreaker circuitBreaker) {
this.client = client;
this.criteria = criteria;
this.maxCriteria = criteria.size();
this.fetchSize = fetchSize;
this.samples = new ArrayList<>();
this.limit = limit;
this.circuitBreaker = circuitBreaker;
}
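Review bot: `this.limit = limit;` stores the constructor argument unchecked, and the `finalStep` change dereferences it with `limit.limit()` on every match. Fail fast here with `Objects.requireNonNull(limit, "limit")`, or document that callers must always pass a limit.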

Expand Down Expand Up @@ -213,7 +215,13 @@ private void finalStep(ActionListener<Payload> listener) {
if (docGroupsCounter == maxCriteria) {
List<SearchHit> match = matchSample(sample, maxCriteria);
if (match != null) {
samples.add(new Sample(sampleKeys.get(responseIndex / maxCriteria), match));
if (samples.size() < limit.limit()) {
samples.add(new Sample(sampleKeys.get(responseIndex / maxCriteria), match));
}
if (samples.size() == limit.limit()) {
payload(listener);
return;
}
}
docGroupsCounter = 1;
sample = new ArrayList<>(maxCriteria);
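Review bot: the two new checks inside `if (match != null)` only behave as intended for a positive limit. With `limit.limit()` equal to 0 the matched sample is dropped and the early return fires only after a match has been found; with a negative value neither condition is ever true, so no sample is collected and the iteration never stops early. Validate the limit before iterating, then collapse this to a single add followed by `if (samples.size() >= limit.limit())`. Only `limit.limit()` is read here, so any offset carried by the `Limit` is ignored; say so in a comment if that is deliberate.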
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ public Object visitStatement(StatementContext ctx) {
if (ctx.pipe().size() > 0) {
throw new ParsingException(source(ctx.pipe().get(0)), "Samples do not support pipes yet");
Contributor

Shouldn't support for pipes now also be possible since limit and offset are both supported?

Contributor

No, because the limit/size comes from a request parameter, not from the query itself (through the query parser).

Contributor

But it works with sequence, doesn't it? Why would sample be different in this regard?

Contributor

With sequence you have | head 5 | tail 3 | head 1. How do you do this with samples?

Contributor

If you can do `sequence [any where true] [any where true] | head 10 | tail 2`, why can't you do something like `sample [any where true] [any where true] | head 10 | tail 2`?

Contributor Author

I see HEAD and TAIL as very natural operators for sequences, that have well-defined semantics defined by their order (e.g. TAIL 10: give me last ten - more recent - events).
Samples, on the other hand, do not have a natural order: "last ten samples" is not a clear concept by itself.
In this context, LIMIT/OFFSET is much more similar to the SQL equivalent, where you just need a way to retrieve the results in batches or to show them in a UI in pages.
I agree with @Luegg on the fact that we could support pipes here eventually, but we probably need some slightly different syntax, e.g. `| LIMIT 10 OFFSET 20`; or reuse HEAD with `| OFFSET 20 | HEAD 10`, though it seems less natural in this context.

Contributor

@Luegg, as @luigidellaquila well put this, re-using HEAD and TAIL doesn't reflect the nature of samples which do not have a chronological ordering concept, like sequences do. The only type of ordering that makes sense is the one on the join keys, but at that point the simple concepts of HEAD and TAIL are not enough to express the multitude of ordering options available (order by first join key asc, order by the second join key desc, order by the third join key asc and so on; or order by all keys asc, or all keys desc, but at that point one would ask the question why cannot I order by each key individually etc). At this point in the evolution of samples, I believe having a circuit breaker and a simple way of limiting (without computing all the samples) the number of results returned, is enough. With time, and more input from users, we can evaluate our options in providing something more advanced and more granular in terms of limiting the number of results and, at the same time, sorting the results.

Contributor

I don't see it as reusing head and tail for sample. It's more like making sample work with the other language constructs as sample is the only construct that cannot be fed into pipes. In this perspective, head can just fetch the first x results independent of how the order is specified. I agree though that tail might be a bit more work because it requires to reverse the sort order and that's probably better kept out of this PR.

Contributor Author

@Luegg I agree with you, tail is definitely not straightforward at this stage.
Also for a proper implementation of pipes on samples (and limit/offset in particular), I think we still need to define a few small details that do not really fit in the scope of this PR.
For this specific one, I'd suggest to stick to the original goal, but keeping a door open for further improvements.

}
return plan;
return new LimitWithOffset(plan.source(), new Literal(Source.EMPTY, params.size(), DataTypes.INTEGER), 0, plan);
}
//
// Add implicit blocks
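Review bot: the new return statement wraps the sample plan in `LimitWithOffset` with a literal built from `params.size()` and a hard-coded offset of 0, but nothing at this point says that the limit comes from the request parameter rather than from a pipe. Add a short comment so the "Samples do not support pipes yet" check just above does not read as contradicting it, and confirm that `params.size()` is validated as non-negative before it reaches this method.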