EQL: Fix cidrMatch function fails to match when used in scripts

[aleksmaus]

Replaced the previous implementation with script function.
Addresses #55709

@astefan I think this will conflict with your changes on query folding with equal operator optimization, it generates a different script with function now.

[elasticmachine]

Pinging @elastic/es-ql (:Query Languages/EQL)

[rw-access]

Suggested change

	Object o = field.fold();
	ArrayList<Object> arr = new ArrayList<>(addresses.size());
	for (Expression address : addresses) {
	final Equals eq = new Equals(source(), field, address);
	func = (func == null) ? eq : new Or(source(), func, eq);
	arr.add(address.fold());
	}
	return doProcess(o, arr);
	return doProcess(field.fold(), Expressions.fold(addresses));

[aleksmaus]

Updated

[rw-access]

Suggested change

	List<Object> values = new ArrayList<>(new LinkedHashSet<>(foldListOfValues(addresses, field.dataType())));
	List<Object> values = Expressions.fold(addresses)

[aleksmaus]

this will not eliminate duplicated values as far as I see

[rw-access]

Should we add an optimizer rule to handle this so that we don't lose the more performant term query?

[aleksmaus]

Will probably have to do another pass for that after @astefan merges his PR that also will affect the query planning optimization for simple equals. Can adjust this PR if that change merges sooner, sometimes this week.

[aleksmaus]

Updated PR to use term query for cidrMatch when possible otherwise fallback to script.
Thanks @astefan for pointers!

[rw-access]

Is this worthwhile to add as a method? It's also called within CidrMatch.asScript

[aleksmaus]

Not exactly, needed Set here for TermsQuery constructor and List for the scripting func

[aleksmaus]

preferred without static importing everything here, more visible QL translators vs EQL.

[astefan]

A relevant aspect here: you might want to update your branch from master, to incorporate the StartsWith changes from #56404. In that PR, the Scalars from QL was updated to have startsWith use a PrefixQuery whenever possible. And for EQL and its QueryTranslator that you added, it will probably need the Scalars from QL, as well.

[aleksmaus]

Updated, and adjusted Scalar translation in EQ to be able to reuse it for startsWith function

[astefan]

Looks good in general, but I have some comments as well.

[astefan]

Since this code is in EQL, maybe we should handle the IllegalArgumentException here and wrap it in EqlIllegalArgumentException?

[aleksmaus]

Done

[astefan]

A relevant aspect here: you might want to update your branch from master, to incorporate the StartsWith changes from #56404. In that PR, the Scalars from QL was updated to have startsWith use a PrefixQuery whenever possible. And for EQL and its QueryTranslator that you added, it will probably need the Scalars from QL, as well.

[astefan]

This class is the same as QlTranslatorHandler except asQuery method. Maybe you could reuse most of the code from QlTranslatorHandler and only change the relevant bit in EqlTranslatorHandler. For example, why not extending QlTranslatorHandler and override asQuery only?

[aleksmaus]

Updated.

[astefan]

Please, add one more test where there are two cidrMatch function calls in the same query: where cidrMatch(whatever) or cidrMatch(another_whatever).

[aleksmaus]

Added.

[astefan]

Indeed, it is relevant to have both terms queries in there and the must for event.category, but there has to be a bool should as well.
The query should translate as a bool with two must statements:

• one is term on event.category
• the other is a bool with two should statements where terms on the source_address is used.

[aleksmaus]

Updated

[astefan]

LGTM