1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
|
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import typing as t
from elastic_transport import ObjectApiResponse
from ._base import NamespacedClient
from .utils import SKIP_IN_PATH, _quote, _rewrite_parameters
class EqlClient(NamespacedClient):
@_rewrite_parameters()
async def delete(
self,
*,
id: str,
error_trace: t.Optional[bool] = None,
filter_path: t.Optional[t.Union[str, t.Sequence[str]]] = None,
human: t.Optional[bool] = None,
pretty: t.Optional[bool] = None,
) -> ObjectApiResponse[t.Any]:
"""
.. raw:: html
<p>Delete an async EQL search.
Delete an async EQL search or a stored synchronous EQL search.
The API also deletes results for the search.</p>
`<https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-eql-delete>`_
:param id: Identifier for the search to delete. A search ID is provided in the
EQL search API's response for an async search. A search ID is also provided
if the request’s `keep_on_completion` parameter is `true`.
"""
if id in SKIP_IN_PATH:
raise ValueError("Empty value passed for parameter 'id'")
__path_parts: t.Dict[str, str] = {"id": _quote(id)}
__path = f'/_eql/search/{__path_parts["id"]}'
__query: t.Dict[str, t.Any] = {}
if error_trace is not None:
__query["error_trace"] = error_trace
if filter_path is not None:
__query["filter_path"] = filter_path
if human is not None:
__query["human"] = human
if pretty is not None:
__query["pretty"] = pretty
__headers = {"accept": "application/json"}
return await self.perform_request( # type: ignore[return-value]
"DELETE",
__path,
params=__query,
headers=__headers,
endpoint_id="eql.delete",
path_parts=__path_parts,
)
@_rewrite_parameters()
async def get(
self,
*,
id: str,
error_trace: t.Optional[bool] = None,
filter_path: t.Optional[t.Union[str, t.Sequence[str]]] = None,
human: t.Optional[bool] = None,
keep_alive: t.Optional[t.Union[str, t.Literal[-1], t.Literal[0]]] = None,
pretty: t.Optional[bool] = None,
wait_for_completion_timeout: t.Optional[
t.Union[str, t.Literal[-1], t.Literal[0]]
] = None,
) -> ObjectApiResponse[t.Any]:
"""
.. raw:: html
<p>Get async EQL search results.
Get the current status and available results for an async EQL search or a stored synchronous EQL search.</p>
`<https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-eql-get>`_
:param id: Identifier for the search.
:param keep_alive: Period for which the search and its results are stored on
the cluster. Defaults to the keep_alive value set by the search’s EQL search
API request.
:param wait_for_completion_timeout: Timeout duration to wait for the request
to finish. Defaults to no timeout, meaning the request waits for complete
search results.
"""
if id in SKIP_IN_PATH:
raise ValueError("Empty value passed for parameter 'id'")
__path_parts: t.Dict[str, str] = {"id": _quote(id)}
__path = f'/_eql/search/{__path_parts["id"]}'
__query: t.Dict[str, t.Any] = {}
if error_trace is not None:
__query["error_trace"] = error_trace
if filter_path is not None:
__query["filter_path"] = filter_path
if human is not None:
__query["human"] = human
if keep_alive is not None:
__query["keep_alive"] = keep_alive
if pretty is not None:
__query["pretty"] = pretty
if wait_for_completion_timeout is not None:
__query["wait_for_completion_timeout"] = wait_for_completion_timeout
__headers = {"accept": "application/json"}
return await self.perform_request( # type: ignore[return-value]
"GET",
__path,
params=__query,
headers=__headers,
endpoint_id="eql.get",
path_parts=__path_parts,
)
@_rewrite_parameters()
async def get_status(
self,
*,
id: str,
error_trace: t.Optional[bool] = None,
filter_path: t.Optional[t.Union[str, t.Sequence[str]]] = None,
human: t.Optional[bool] = None,
pretty: t.Optional[bool] = None,
) -> ObjectApiResponse[t.Any]:
"""
.. raw:: html
<p>Get the async EQL status.
Get the current status for an async EQL search or a stored synchronous EQL search without returning results.</p>
`<https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-eql-get-status>`_
:param id: Identifier for the search.
"""
if id in SKIP_IN_PATH:
raise ValueError("Empty value passed for parameter 'id'")
__path_parts: t.Dict[str, str] = {"id": _quote(id)}
__path = f'/_eql/search/status/{__path_parts["id"]}'
__query: t.Dict[str, t.Any] = {}
if error_trace is not None:
__query["error_trace"] = error_trace
if filter_path is not None:
__query["filter_path"] = filter_path
if human is not None:
__query["human"] = human
if pretty is not None:
__query["pretty"] = pretty
__headers = {"accept": "application/json"}
return await self.perform_request( # type: ignore[return-value]
"GET",
__path,
params=__query,
headers=__headers,
endpoint_id="eql.get_status",
path_parts=__path_parts,
)
@_rewrite_parameters(
body_fields=(
"query",
"allow_partial_search_results",
"allow_partial_sequence_results",
"case_sensitive",
"event_category_field",
"fetch_size",
"fields",
"filter",
"keep_alive",
"keep_on_completion",
"max_samples_per_key",
"result_position",
"runtime_mappings",
"size",
"tiebreaker_field",
"timestamp_field",
"wait_for_completion_timeout",
),
)
async def search(
self,
*,
index: t.Union[str, t.Sequence[str]],
query: t.Optional[str] = None,
allow_no_indices: t.Optional[bool] = None,
allow_partial_search_results: t.Optional[bool] = None,
allow_partial_sequence_results: t.Optional[bool] = None,
case_sensitive: t.Optional[bool] = None,
ccs_minimize_roundtrips: t.Optional[bool] = None,
error_trace: t.Optional[bool] = None,
event_category_field: t.Optional[str] = None,
expand_wildcards: t.Optional[
t.Union[
t.Sequence[
t.Union[str, t.Literal["all", "closed", "hidden", "none", "open"]]
],
t.Union[str, t.Literal["all", "closed", "hidden", "none", "open"]],
]
] = None,
fetch_size: t.Optional[int] = None,
fields: t.Optional[
t.Union[t.Mapping[str, t.Any], t.Sequence[t.Mapping[str, t.Any]]]
] = None,
filter: t.Optional[
t.Union[t.Mapping[str, t.Any], t.Sequence[t.Mapping[str, t.Any]]]
] = None,
filter_path: t.Optional[t.Union[str, t.Sequence[str]]] = None,
human: t.Optional[bool] = None,
ignore_unavailable: t.Optional[bool] = None,
keep_alive: t.Optional[t.Union[str, t.Literal[-1], t.Literal[0]]] = None,
keep_on_completion: t.Optional[bool] = None,
max_samples_per_key: t.Optional[int] = None,
pretty: t.Optional[bool] = None,
result_position: t.Optional[t.Union[str, t.Literal["head", "tail"]]] = None,
runtime_mappings: t.Optional[t.Mapping[str, t.Mapping[str, t.Any]]] = None,
size: t.Optional[int] = None,
tiebreaker_field: t.Optional[str] = None,
timestamp_field: t.Optional[str] = None,
wait_for_completion_timeout: t.Optional[
t.Union[str, t.Literal[-1], t.Literal[0]]
] = None,
body: t.Optional[t.Dict[str, t.Any]] = None,
) -> ObjectApiResponse[t.Any]:
"""
.. raw:: html
<p>Get EQL search results.
Returns search results for an Event Query Language (EQL) query.
EQL assumes each document in a data stream or index corresponds to an event.</p>
`<https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-eql-search>`_
:param index: The name of the index to scope the operation
:param query: EQL query you wish to run.
:param allow_no_indices: Whether to ignore if a wildcard indices expression resolves
into no concrete indices. (This includes `_all` string or when no indices
have been specified)
:param allow_partial_search_results: Allow query execution also in case of shard
failures. If true, the query will keep running and will return results based
on the available shards. For sequences, the behavior can be further refined
using allow_partial_sequence_results
:param allow_partial_sequence_results: This flag applies only to sequences and
has effect only if allow_partial_search_results=true. If true, the sequence
query will return results based on the available shards, ignoring the others.
If false, the sequence query will return successfully, but will always have
empty results.
:param case_sensitive:
:param ccs_minimize_roundtrips: Indicates whether network round-trips should
be minimized as part of cross-cluster search requests execution
:param event_category_field: Field containing the event classification, such
as process, file, or network.
:param expand_wildcards: Whether to expand wildcard expression to concrete indices
that are open, closed or both.
:param fetch_size: Maximum number of events to search at a time for sequence
queries.
:param fields: Array of wildcard (*) patterns. The response returns values for
field names matching these patterns in the fields property of each hit.
:param filter: Query, written in Query DSL, used to filter the events on which
the EQL query runs.
:param ignore_unavailable: If true, missing or closed indices are not included
in the response.
:param keep_alive:
:param keep_on_completion:
:param max_samples_per_key: By default, the response of a sample query contains
up to `10` samples, with one sample per unique set of join keys. Use the
`size` parameter to get a smaller or larger set of samples. To retrieve more
than one sample per set of join keys, use the `max_samples_per_key` parameter.
Pipes are not supported for sample queries.
:param result_position:
:param runtime_mappings:
:param size: For basic queries, the maximum number of matching events to return.
Defaults to 10
:param tiebreaker_field: Field used to sort hits with the same timestamp in ascending
order
:param timestamp_field: Field containing event timestamp. Default "@timestamp"
:param wait_for_completion_timeout:
"""
if index in SKIP_IN_PATH:
raise ValueError("Empty value passed for parameter 'index'")
if query is None and body is None:
raise ValueError("Empty value passed for parameter 'query'")
__path_parts: t.Dict[str, str] = {"index": _quote(index)}
__path = f'/{__path_parts["index"]}/_eql/search'
__query: t.Dict[str, t.Any] = {}
__body: t.Dict[str, t.Any] = body if body is not None else {}
if allow_no_indices is not None:
__query["allow_no_indices"] = allow_no_indices
if ccs_minimize_roundtrips is not None:
__query["ccs_minimize_roundtrips"] = ccs_minimize_roundtrips
if error_trace is not None:
__query["error_trace"] = error_trace
if expand_wildcards is not None:
__query["expand_wildcards"] = expand_wildcards
if filter_path is not None:
__query["filter_path"] = filter_path
if human is not None:
__query["human"] = human
if ignore_unavailable is not None:
__query["ignore_unavailable"] = ignore_unavailable
if pretty is not None:
__query["pretty"] = pretty
if not __body:
if query is not None:
__body["query"] = query
if allow_partial_search_results is not None:
__body["allow_partial_search_results"] = allow_partial_search_results
if allow_partial_sequence_results is not None:
__body["allow_partial_sequence_results"] = (
allow_partial_sequence_results
)
if case_sensitive is not None:
__body["case_sensitive"] = case_sensitive
if event_category_field is not None:
__body["event_category_field"] = event_category_field
if fetch_size is not None:
__body["fetch_size"] = fetch_size
if fields is not None:
__body["fields"] = fields
if filter is not None:
__body["filter"] = filter
if keep_alive is not None:
__body["keep_alive"] = keep_alive
if keep_on_completion is not None:
__body["keep_on_completion"] = keep_on_completion
if max_samples_per_key is not None:
__body["max_samples_per_key"] = max_samples_per_key
if result_position is not None:
__body["result_position"] = result_position
if runtime_mappings is not None:
__body["runtime_mappings"] = runtime_mappings
if size is not None:
__body["size"] = size
if tiebreaker_field is not None:
__body["tiebreaker_field"] = tiebreaker_field
if timestamp_field is not None:
__body["timestamp_field"] = timestamp_field
if wait_for_completion_timeout is not None:
__body["wait_for_completion_timeout"] = wait_for_completion_timeout
__headers = {"accept": "application/json", "content-type": "application/json"}
return await self.perform_request( # type: ignore[return-value]
"POST",
__path,
params=__query,
headers=__headers,
body=__body,
endpoint_id="eql.search",
path_parts=__path_parts,
)
|
