[KQL] Add support for date fields in parser (elastic#1487)
* [KQL] Add support for date fields in parser

* add test for parsing date value
brokensound77 authored Sep 16, 2021
1 parent 7179942 commit 582a842
Showing 3 changed files with 13 additions and 1 deletion.
2 changes: 1 addition & 1 deletion kql/__init__.py
Expand Up @@ -13,7 +13,7 @@
from .kql2eql import KqlToEQL
from .parser import lark_parse, KqlParser

__version__ = '0.1.4'
__version__ = '0.1.5'
__all__ = (
"ast",
"from_eql",
3 changes: 3 additions & 0 deletions kql/parser.py
Expand Up @@ -224,6 +224,9 @@ def convert_value(self, field_name, python_value, value_tree):
elif field_type_family == "ip" and value_type == "keyword":
if "::" in python_value or self.ip_regex.match(python_value) is not None:
return python_value
elif field_type_family == 'date' and value_type in STRING_FIELDS:
# this will not validate datemath syntax
return python_value

raise self.error(value_tree, "Value doesn't match {field}'s type: {type}",
field=field_name, type=field_type)
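Review bot: The new `date` branch in `convert_value` returns every string-typed value as is, so a mistyped date or date-math expression passes this parser and the error surfaces only when the query is run against the cluster, where it can look like a rule that simply never matches. The existing comment says this briefly; I would spell the consequence out, e.g. `# accepted as an opaque string: date format and date-math are NOT checked here, so a typo is only caught at query time`. Non-string values still fall through to the `raise` below (the new test expects `@time > 5` to fail), which presumably also rejects epoch-millisecond timestamps; worth confirming that is intended. The body of `convert_value` starts above the hunk, and `STRING_FIELDS` is defined outside it.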
9 changes: 9 additions & 0 deletions tests/kuery/test_parser.py
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
from kql.ast import (
Field,
FieldComparison,
FieldRange,
String,
Number,
Exists,
Expand Down Expand Up @@ -72,7 +73,15 @@ def test_number_wildcard_fail(self):
def test_type_family_success(self):
kql.parse("abc : 1.2345", schema={"abc": "scaled_float"})
kql.parse("abc : hello", schema={"abc": "annotated-text"})
kql.parse("abc >= now-30d", schema={"abc": "date_nanos"})

def test_type_family_fail(self):
with self.assertRaises(kql.KqlParseError):
kql.parse('foo : "hello world"', schema={"foo": "scaled_float"})

def test_date(self):
schema = {"@time": "date"}
self.validate('@time <= now-10d', FieldRange(Field("@time"), "<=", String("now-10d")), schema=schema)

with self.assertRaises(kql.KqlParseError):
kql.parse("@time > 5", schema=schema)
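Review bot: `test_date` covers one well-formed date-math value and one rejected number, but nothing pins what the parser does with a malformed string, which is the case the parser comment says is not validated. I would add a case such as `kql.parse('@time : "not-a-date"', schema=schema)` and assert whichever outcome is intended, so that adding real validation later is a deliberate, visible change rather than a silent one. An absolute timestamp (for example an ISO 8601 string) would also be worth a `self.validate` line, since only relative `now-…` values are exercised here and in `test_type_family_success`.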
