EQL: Most recent matches returned by default

[costin]

When no order is specified (tail or head), EQL should return the most recent X matches (similar to how ES does for search).

This is different than Python EQL which returns the earliest matches first (time ASC). For compatibility purposes this behavior can be enabled (without modifying the query) through a dedicated parameter (say default_order or missing_order) which can be ASC/DESC.

[elasticmachine]

Pinging @elastic/es-ql (:Query Languages/EQL)

[costin]

@tsg Just so you're aware.
@rw-access tag for awareness/propagating the change on the endpoint side.

[costin]

PRs #59014 and #59063 have added the server support. What's left is exposing the default order in the request so that clients can specified the default order (currently it defaults to ASC for test compatibility - once this parameter is in place, we can configure it at test level).

[rw-access]

@costin what change are you expecting on the endpoint side? In EQL itself or in the test suite?
I think the test suite would be more appropriate, but even then, this seems like an implementation-specific detail, and I think it's okay not to propagate the changes back, but instead interpret the expected_event_ids part of the spec differently.

[costin]

@costin what change are you expecting on the endpoint side? In EQL itself or in the test suite?

The changes proposed are to be implemented in Elasticsearch EQL to allow compatibility with the existing EQL expectation (including the test suite). I don't have any expectation of pushing this functionality further since I have little insight into what that entails.