Skip to content

EQL: Introduce support for sequence maxspan #58635

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Jun 29, 2020
Merged

EQL: Introduce support for sequence maxspan #58635

merged 8 commits into from
Jun 29, 2020

Conversation

@costin
Copy link
Member

@costin costin commented Jun 27, 2020

Still in draft while sorting out the tests situation

@costin costin added the :Analytics/EQL EQL querying label Jun 27, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jun 27, 2020

Pinging @elastic/es-ql (:Query Languages/EQL)

@elasticmachine elasticmachine added the Team:QL (Deprecated) Meta label for query languages team label Jun 27, 2020
costin
costin commented Jun 27, 2020
View reviewed changes
x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml Outdated

[[queries]]
query = '''
sequence with maxspan=1h
Copy link
Member Author

@costin costin Jun 27, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rw-access this test and the rest should not return any results; any maxspan lower than 15h would not match a sequence.
Entries 67 and 68 have the same timestamp (131509374395921780) but 69 has a timestamp of 131509374446778110 meaning the distance between the beginning of the sequence and the 69 is:
131509374446778110 - 131509374395921780 = 50856330 millis or ~14h.

Am I missing something?

Copy link
Contributor

@rw-access rw-access Jun 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The timestamp units are windows filetime. One unit is 1e-7 seconds. I'm guessing that's what you're running into

Copy link
Member Author

@costin costin Jun 27, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. This would need to be aligned with ECS/unix timestamp.

@costin costin requested a review from astefan June 27, 2020 20:50
astefan
astefan approved these changes Jun 29, 2020
View reviewed changes
Copy link
Contributor

@astefan astefan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Left few really minor comments.

x-pack/plugin/eql/qa/common/src/main/resources/mapping-default.json
"@timestamp" : {
"type" : "alias",
"path" : "timestamp"
"type" : "date"
Copy link
Contributor

@astefan astefan Jun 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you change this?

Copy link
Member Author

@costin costin Jun 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because timestamp is not unix time but rather window filetime (see this comment and until the dataset gets updated, working on a separate field is the cleaner.

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/execution/assembler/Criterion.java Outdated
public Criterion useMarker(Object[] marker) {
searchSource.searchAfter(marker);
return this;
public Iterable<SearchHit> iterateable(List<SearchHit> hits) {
Copy link
Contributor

@astefan astefan Jun 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

iterable sounds better.

...k/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/execution/sequence/SequenceFrame.java
* greater than the given argument alongside its position in the list.
*/
public Tuple<Sequence, Integer> after(long timestamp, Comparable<Object> tiebreaker) {
public Tuple<Sequence, Integer> after(Ordinal ordinal) {
Copy link
Contributor

@astefan astefan Jun 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

before and after have almost the same code. Could you reuse it in a common method?

@costin costin merged commit 747c359 into elastic:master Jun 29, 2020
@costin costin deleted the eql/span-until branch June 29, 2020 18:30
costin added a commit that referenced this pull request Jun 29, 2020
@costin
EQL: Introduce support for sequence maxspan (#58635)
3a546f1 
EQL sequences can specify now a maximum time allowed for their span
(computed between the first and the last matching event).

(cherry picked from commit 747c359)
@jrodewig jrodewig mentioned this pull request Jul 2, 2020
Merged
This was referenced Jul 9, 2020
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@astefan astefan astefan approved these changes

+1 more reviewer

@rw-access rw-access rw-access left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

:Analytics/EQL EQL querying Team:QL (Deprecated) Meta label for query languages team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@costin @elasticmachine @astefan @rw-access