EQL: implement cidrMatch function

[aleksmaus]

Related to #54132

[elasticmachine]

Pinging @elastic/es-search (:Search/EQL)

[aleksmaus]

Needed mapping to IP type, this creating the index with mapping.

[aleksmaus]

The current enum for error messages doesn't work great for variadic type of function. Open to suggestions.

[rw-access]

I added a method here in my wildcard PR:

elasticsearch/x-pack/plugin/ql/src/main/java/org/elasticsearch/xpack/ql/expression/Expressions.java

Lines 36 to 44 in d482c47

	public static ParamOrdinal fromIndex(int index) {
	switch (index) {
	case 0: return ParamOrdinal.FIRST;
	case 1: return ParamOrdinal.SECOND;
	case 2: return ParamOrdinal.THIRD;
	case 3: return ParamOrdinal.FOURTH;
	default: return ParamOrdinal.DEFAULT;
	}
	}

[rw-access]

Also, should these fields also be isStringAndExact? and an isFoldable check?
Here's how I approached that

elasticsearch/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/scalar/string/Wildcard.java

Lines 80 to 83 in d482c47

	lastResolution = isFoldable(p, sourceText(), ParamOrdinal.fromIndex(index));
	if (lastResolution.unresolved()) {
	break;
	}

[aleksmaus]

Cool! Will update after your PR merges.
The ParamOrdinal falls back to ParamOrdinal.DEFAULT after 4 params anyways. Maybe make enum longer if we still want to use enum there?

[astefan]

For how to handle functions that deal with a variable list of parameters, I suggest having a look at org.elasticsearch.xpack.sql.expression.predicate.conditional.Case or org.elasticsearch.xpack.sql.expression.predicate.conditional.Coalesce since these are functions that have a variable list of parameters.

[aleksmaus]

Relying on the same def builder here that was merged with wildcard function for now.
Updated to align with wildcard impl usage of ParamOrdinal.

[astefan]

Left few comments.

[astefan]

I prefer listing the functions in alphabetical order.

[aleksmaus]

Yep. Updated.

[astefan]

Personal preference, but I would like to see a useful description of the function. Not even the original EQL documentation is clear imo: https://eql.readthedocs.io/en/latest/query-guide/functions.html

[aleksmaus]

Added a couple of more lines with a link to the EQL doc.

[astefan]

For how to handle functions that deal with a variable list of parameters, I suggest having a look at org.elasticsearch.xpack.sql.expression.predicate.conditional.Case or org.elasticsearch.xpack.sql.expression.predicate.conditional.Coalesce since these are functions that have a variable list of parameters.

[aleksmaus]

Will address the code review comments and make some adjustments once the wildcard function PR (#54020) is merged, since will have some conflicts and can reuse some code between the functions.

[matriv]

@elastic/es-ql

[aleksmaus]

@elasticmachine run elasticsearch-ci/docs

[aleksmaus]

@elasticmachine run elasticsearch-ci/2

[costin]

Looks good to me - left a comment re: #54795 (waiting for the build to pass before merging).
I would also like some tests regarding incorrect arguments - what if the given string is non-numeric or contains an invalid IP.
How does the current EQL implementation handle that - I'm fine with addressing this in a separate PR however I'd like to have an issue tracking this so it doesn't get lost.
That is, how do we validate and protect against invalid parameters.

[costin]

Please update to take into account #54795 - reduces the class and removes a separate optimizer rule.

[aleksmaus]

Sure, will do once #54795 is merged.

[astefan]

LGTM

[aleksmaus]

@costin regarding validation if the string is a valid IP address the original EQL implementation does validation with regex matching etc. In our case I was not sure if we need to add any additional validation, but pass the string down to elasticsearch and let it match against the IP type of field or handle the error if the value can not be used for matching.
Correct me if I'm wrong.