elastic · rw-access · Mar 24, 2020 · Mar 23, 2020 · Mar 23, 2020
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlParser.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlParser.java
@@ -43,7 +43,7 @@ public class EqlParser {
     public LogicalPlan createStatement(String eql) {
         return createStatement(eql, new ParserParams());
     }
-    
+
     public LogicalPlan createStatement(String eql, ParserParams params) {
         if (log.isDebugEnabled()) {
             log.debug("Parsing as statement: {}", eql);
@@ -133,51 +133,6 @@ private class PostProcessor extends EqlBaseBaseListener {
             this.ruleNames = ruleNames;
         }
 
-
-        @Override
-        public void exitFunctionExpression(EqlBaseParser.FunctionExpressionContext context) {
-            Token token = context.name;
-            String functionName = token.getText();
-
-            switch (functionName) {
-                case "add":
-                case "between":
-                case "cidrMatch":
-                case "concat":
-                case "divide":
-                case "endsWith":
-                case "indexOf":
-                case "length":
-                case "match":
-                case "modulo":
-                case "multiply":
-                case "number":
-                case "startsWith":
-                case "string":
-                case "stringContains":
-                case "substring":
-                case "subtract":
-                case "wildcard":
-                    break;
-
-                case "arrayContains":
-                case "arrayCount":
-                case "arraySearch":
-                    throw new ParsingException(
-                        "Unsupported function [" + functionName + "]",
-                        null,
-                        token.getLine(),
-                        token.getCharPositionInLine());
-
-                default:
-                    throw new ParsingException(
-                        "Unknown function [" + functionName + "]",
-                        null,
-                        token.getLine(),
-                        token.getCharPositionInLine());
-            }
-        }
-
         @Override
         public void exitJoin(EqlBaseParser.JoinContext context) {
             Token token = context.JOIN().getSymbol();

diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java
@@ -113,20 +113,20 @@ public void testJoinUnsupported() {
 
     // Some functions fail with "Unsupported" message at the parse stage
     public void testArrayFunctionsUnsupported() {
-        assertEquals("1:16: Unsupported function [arrayContains]",
-                errorParsing("registry where arrayContains(bytes_written_string_list, 'En')"));
-        assertEquals("1:16: Unsupported function [arraySearch]",
-                errorParsing("registry where arraySearch(bytes_written_string_list, a, a == 'en-us')"));
-        assertEquals("1:16: Unsupported function [arrayCount]",
-                errorParsing("registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1"));
+        assertEquals("1:16: Unknown function [arrayContains]",
+                error("registry where arrayContains(bytes_written_string_list, 'En')"));
+        assertEquals("1:16: Unknown function [arraySearch]",
+            error("registry where arraySearch(bytes_written_string_list, bytes_written_string, true)"));
+        assertEquals("1:16: Unknown function [arrayCount]",
+            error("registry where arrayCount(bytes_written_string_list, bytes_written_string, true) == 1"));
     }
 
     // Some functions fail with "Unknown" message at the parse stage
     public void testFunctionParsingUnknown() {
         assertEquals("1:15: Unknown function [matchLite]",
-                errorParsing("process where matchLite(?'.*?net1\\s+localgroup\\s+.*?', command_line)"));
+                error("process where matchLite(?'.*?net1\\s+localgroup\\s+.*?', command_line)"));
         assertEquals("1:15: Unknown function [safe]",
-                errorParsing("network where safe(divide(process_name, process_name))"));
+                error("network where safe(process_name)"));
     }
 
     // Test the known EQL functions that are not supported

diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryFolderOkTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryFolderOkTests.java
@@ -94,7 +94,7 @@ public void test() {
         PhysicalPlan p = plan(query);
         assertEquals(EsQueryExec.class, p.getClass());
         EsQueryExec eqe = (EsQueryExec) p;
-        assertEquals(23, eqe.output().size());
+        assertEquals(25, eqe.output().size());
         assertEquals(KEYWORD, eqe.output().get(0).dataType());
 
         final String query = eqe.queryContainer().toString().replaceAll("\\s+", "");

diff --git a/x-pack/plugin/eql/src/test/resources/mapping-default.json b/x-pack/plugin/eql/src/test/resources/mapping-default.json
@@ -1,5 +1,11 @@
 {
     "properties" : {
+        "bytes_written_string" : {
+            "type" : "keyword"
+        },
+        "bytes_written_string_list" : {
+            "type" : "keyword"
+        },
         "command_line" : {
             "type" : "keyword"
         },

diff --git a/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql b/x-pack/plugin/eql/src/test/resources/queries-unsupported.eql
@@ -626,58 +626,44 @@ any where process_name == "svchost.exe"
 ;
 
 
-// array functions
-registry where arrayContains(bytes_written_string_list, 'En-uS');
-registry where arrayContains(bytes_written_string_list, 'En');
+// Array functions
+// * parser will recognize as valid, but functions will fail to resolve in verifier
 
 
-network where mysterious_field
-  and arraySearch(mysterious_field.subarray, s, true)
-;
+// registry where arrayContains(bytes_written_string_list, 'En-uS');
+// registry where arrayContains(bytes_written_string_list, 'En');
 
-registry where arraySearch(bytes_written_string_list, a, a == 'en-us');
+// network where mysterious_field
+//  and arraySearch(mysterious_field.subarray, s, true);
 
-registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'));
+// registry where arraySearch(bytes_written_string_list, a, a == 'en-us');
+// registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'));
+// network where mysterious_field and arraySearch(mysterious_field.subarray, s, false);
+// network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*');
+// network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*');
 
+// network where mysterious_field
+//   and arraySearch(mysterious_field.subarray, sub1,
+//     arraySearch(sub1.c, nested, nested.x.y == '*'))
+// ;
 
-network where mysterious_field and arraySearch(mysterious_field.subarray, s, false)
-;
+// network where mysterious_field
+//   and arraySearch(mysterious_field.subarray, sub1,
+//     sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z'))
+// ;
 
-network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*')
-;
+// network where mysterious_field
+//   and arraySearch(mysterious_field.subarray, sub1,
+//     sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match));
 
-network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*')
-;
+// network where mysterious_field
+//   and arraySearch(mysterious_field.subarray, sub1,
+//     arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match));
 
-network where mysterious_field
-  and arraySearch(mysterious_field.subarray, sub1,
-    arraySearch(sub1.c, nested, nested.x.y == '*'))
-;
-
-network where mysterious_field
-  and arraySearch(mysterious_field.subarray, sub1,
-    sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z'))
-;
-
-network where mysterious_field
-  and arraySearch(mysterious_field.subarray, sub1,
-    sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
-;
+// registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1;
+// registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2;
+// registry where arrayContains(bytes_written_string_list, "missing", "en-US");
 
-network where mysterious_field
-  and arraySearch(mysterious_field.subarray, sub1,
-    arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match))
-;
-
-
-registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1
-;
-
-registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2
-;
-
-registry where arrayContains(bytes_written_string_list, "missing", "en-US")
-;
 
 // array fields