2020-06-29 23:05:14 -06:00
|
|
|
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
2021-03-03 22:12:11 -09:00
|
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
|
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
|
|
|
# 2.0.
|
2020-06-29 23:05:14 -06:00
|
|
|
|
|
|
|
|
import eql
|
|
|
|
|
|
|
|
|
|
from . import ast
|
2020-07-22 13:05:45 -04:00
|
|
|
from .dsl import ToDsl
|
2020-06-29 23:05:14 -06:00
|
|
|
from .eql2kql import Eql2Kql
|
|
|
|
|
from .errors import KqlParseError, KqlCompileError
|
|
|
|
|
from .evaluator import FilterGenerator
|
|
|
|
|
from .kql2eql import KqlToEQL
|
|
|
|
|
from .parser import lark_parse, KqlParser
|
|
|
|
|
|
|
|
|
|
__version__ = '0.1.4'
|
|
|
|
|
__all__ = (
|
|
|
|
|
"ast",
|
|
|
|
|
"from_eql",
|
|
|
|
|
"get_evaluator",
|
|
|
|
|
"KqlParseError",
|
|
|
|
|
"KqlCompileError",
|
2020-07-22 13:05:45 -04:00
|
|
|
"lint",
|
|
|
|
|
"parse",
|
|
|
|
|
"to_dsl",
|
|
|
|
|
"to_eql",
|
2020-06-29 23:05:14 -06:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
2020-07-22 13:05:45 -04:00
|
|
|
def to_dsl(parsed, optimize=True, schema=None):
|
|
|
|
|
"""Convert KQL to Elasticsearch Query DSL."""
|
|
|
|
|
if not isinstance(parsed, ast.KqlNode):
|
|
|
|
|
parsed = parse(parsed, optimize, schema)
|
|
|
|
|
|
|
|
|
|
return ToDsl.convert(parsed)
|
|
|
|
|
|
|
|
|
|
|
2020-06-29 23:05:14 -06:00
|
|
|
def to_eql(text, optimize=True, schema=None):
|
2020-07-22 13:05:45 -04:00
|
|
|
if isinstance(text, bytes):
|
|
|
|
|
text = text.decode("utf-8")
|
|
|
|
|
|
2020-06-29 23:05:14 -06:00
|
|
|
lark_parsed = lark_parse(text)
|
|
|
|
|
|
|
|
|
|
converted = KqlToEQL(text, schema=schema).visit(lark_parsed)
|
|
|
|
|
return converted.optimize(recursive=True) if optimize else converted
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def parse(text, optimize=True, schema=None):
|
2020-07-22 13:05:45 -04:00
|
|
|
if isinstance(text, bytes):
|
|
|
|
|
text = text.decode("utf-8")
|
|
|
|
|
|
2020-06-29 23:05:14 -06:00
|
|
|
lark_parsed = lark_parse(text)
|
|
|
|
|
converted = KqlParser(text, schema=schema).visit(lark_parsed)
|
|
|
|
|
|
|
|
|
|
return converted.optimize(recursive=True) if optimize else converted
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def lint(text):
|
2020-07-22 13:05:45 -04:00
|
|
|
if isinstance(text, bytes):
|
|
|
|
|
text = text.decode("utf-8")
|
|
|
|
|
|
2020-06-29 23:05:14 -06:00
|
|
|
return parse(text, optimize=True).render()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def from_eql(tree, optimize=True):
|
|
|
|
|
if not isinstance(tree, eql.ast.EqlNode):
|
|
|
|
|
try:
|
|
|
|
|
tree = eql.parse_query(tree, implied_any=True)
|
|
|
|
|
except eql.EqlSemanticError:
|
|
|
|
|
tree = eql.parse_expression(tree)
|
|
|
|
|
|
|
|
|
|
converted = Eql2Kql().walk(tree)
|
|
|
|
|
return converted.optimize(recursive=True) if optimize else converted
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_evaluator(tree, optimize=False):
|
|
|
|
|
if not isinstance(tree, ast.KqlNode):
|
|
|
|
|
tree = parse(tree, optimize=optimize)
|
|
|
|
|
|
|
|
|
|
return FilterGenerator().filter(tree)
|
