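---
# Deployment targets this REST test suite runs against.
requires:
  serverless: true
  stack: true
---
# Fixture: a small `eql_test` index holding seven events dated 2020-02-03 to
# 2020-02-09. Ids 1-3 are `process` events by SYSTEM; ids 4-7 are `network`
# events (ADMIN and SYSTEM alternating). The `day_of_week` runtime field is
# defined here but not referenced by the query below.
setup:
  - do:
      indices.create:
        index: eql_test
        body:
          mappings:
            properties:
              some_keyword:
                type: keyword
                ignore_above: 5  # see /~https://github.com/elastic/elasticsearch/issues/77152
            runtime:
              day_of_week:
                type: keyword
                script:
                  source: "emit(doc['@timestamp'].value.dayOfWeekEnum.getDisplayName(TextStyle.FULL, Locale.ROOT))"
  # "@timestamp" values are quoted so that YAML 1.1 loaders keep them as
  # strings instead of coercing them to native datetime objects.
  - do:
      bulk:
        refresh: true
        body:
          - index:
              _index: eql_test
              _id: "1"
          - event:
              - category: process
            "@timestamp": "2020-02-03T12:34:56Z"
            user: SYSTEM
            id: 123
            valid: false
            some_keyword: longer than normal
          - index:
              _index: eql_test
              _id: "2"
          - event:
              - category: process
            "@timestamp": "2020-02-04T12:34:56Z"
            user: SYSTEM
            id: 123
            valid: true
          - index:
              _index: eql_test
              _id: "3"
          - event:
              - category: process
            "@timestamp": "2020-02-05T12:34:56Z"
            user: SYSTEM
            id: 123
            valid: true
          - index:
              _index: eql_test
              _id: "4"
          - event:
              - category: network
            "@timestamp": "2020-02-06T12:34:56Z"
            user: ADMIN
            id: 123
            valid: true
          - index:
              _index: eql_test
              _id: "5"
          - event:
              - category: network
            "@timestamp": "2020-02-07T12:34:56Z"
            user: SYSTEM
            id: 123
            valid: true
          - index:
              _index: eql_test
              _id: "6"
          - event:
              - category: network
            "@timestamp": "2020-02-08T12:34:56Z"
            user: ADMIN
            id: 123
            valid: true
          - index:
              _index: eql_test
              _id: "7"
          - event:
              - category: network
            "@timestamp": "2020-02-09T12:34:56Z"
            user: SYSTEM
            id: 123
            valid: true
---
# Remove the fixture index after every test in this file.
teardown:
  - do:
      indices.delete:
        index: eql_test
---
# Async EQL round-trip: submit with a zero wait and keep the result, poll the
# status, fetch the stored result, then delete it.
'eql basic tests':
  - do:
      eql.search:
        index: eql_test
        keep_on_completion: true
        wait_for_completion_timeout: '0ms'
        body:
          query: 'process where user == "SYSTEM"'
  # Stash the async search id for the follow-up calls below.
  - set: { id: id }
  - match: { timed_out: false }
  - do:
      eql.get_status:
        id: $id
  - match: { id: $id }
  - do:
      eql.get:
        id: $id
        wait_for_completion_timeout: '10s'
  - match: { timed_out: false }
  # Exactly three `process` events carry user == SYSTEM (ids 1, 2 and 3).
  - match: { hits.total.value: 3 }
  - match: { hits.total.relation: 'eq' }
  - do:
      eql.delete:
        id: $id
  - match: { acknowledged: true }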