diff --git a/.gitmodules b/.gitmodules
index f196165e37..423ba61e9c 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -497,6 +497,9 @@
 [submodule "vendor/grammars/elvish"]
 path = vendor/grammars/elvish
 url = https://github.com/elves/elvish.git
+[submodule "vendor/grammars/esql-syntax"]
+ path = vendor/grammars/esql-syntax
+ url = https://github.com/elastic/esql-syntax
 [submodule "vendor/grammars/factor"]
 path = vendor/grammars/factor
 url = https://github.com/slavapestov/factor
diff --git a/grammars.yml b/grammars.yml
index 4493f412d0..68c6a8d46e 100644
--- a/grammars.yml
+++ b/grammars.yml
@@ -404,6 +404,8 @@ vendor/grammars/elvish:
 - source.elvish
 - source.elvish-transcript
 - source.elvish.in.markdown
+vendor/grammars/esql-syntax:
+- source.esql
 vendor/grammars/factor:
 - source.factor
 - text.html.factor
diff --git a/lib/linguist/languages.yml b/lib/linguist/languages.yml
index ea8dc224f2..75ae5c7dca 100644
--- a/lib/linguist/languages.yml
+++ b/lib/linguist/languages.yml
@@ -1891,6 +1891,17 @@ EQ:
 codemirror_mode: clike
 codemirror_mime_type: text/x-csharp
 language_id: 96
+ES|QL:
+ type: data
+ color: "#00BFB3"
+ fs_name: ESQL
+ aliases:
+ - esql
+ extensions:
+ - ".esql"
+ tm_scope: source.esql
+ ace_mode: text
+ language_id: 268242513
 Eagle:
 type: data
 extensions:
diff --git a/samples/ESQL/aggregations.esql b/samples/ESQL/aggregations.esql
new file mode 100644
index 0000000000..8bfdccd7df
--- /dev/null
+++ b/samples/ESQL/aggregations.esql
@@ -0,0 +1,9 @@
+FROM logs-*
+| WHERE @timestamp >= NOW() - 24h
+| STATS request_count = COUNT(*),
+ avg_duration = AVG(http.response.duration),
+ p95_duration = PERCENTILE(http.response.duration, 95)
+ BY http.response.status_code, host.name
+| WHERE request_count > 100
+| SORT p95_duration DESC
+| LIMIT 20
diff --git a/samples/ESQL/example.esql b/samples/ESQL/example.esql
new file mode 100644
index 0000000000..27e987c24e
--- /dev/null
+++ b/samples/ESQL/example.esql
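Review bot: The `extensions:` list of the added `ES|QL` entry claims `".esql"`, which appears to be the same extension IBM Integration Bus / App Connect Enterprise uses for its ESQL modules, so if both kinds of file are present on GitHub the classifier will need a disambiguation heuristic (for example on a leading `FROM`/`ROW` source command and `|` pipes versus an IBM-style `CREATE COMPUTE MODULE` header) or one of them will be mis-attributed; this is worth confirming with a code search before merge. The `fs_name: ESQL` does match the `samples/ESQL` directory added in this commit, so the sample loader side looks consistent. The `language_id` value cannot be checked from the diff alone and should be verified as unused elsewhere in languages.yml.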
@@ -0,0 +1,68 @@
+// Basic query with pipe chain
+FROM kibana_sample_data_logs
+| WHERE response.status_code >= 400
+| STATS error_count = COUNT(*) BY host.name
+| SORT error_count DESC
+| LIMIT 10
+
+// Functions and string operations
+FROM logs-*
+| EVAL message = CONCAT("Error: ", error.message)
+| WHERE STARTS_WITH(message, "Error")
+| KEEP @timestamp, message, host.name
+
+// Time intervals and buckets
+FROM metrics
+| WHERE @timestamp >= NOW() - 1h
+| STATS avg_cpu = AVG(system.cpu.total.pct) BY BUCKET(@timestamp, 5minutes)
+
+// Triple-quoted string (KQL)
+FROM logs
+| WHERE KQL("""log.level:"error" AND message:"timeout" """)
+
+/* Block comment */
+ROW value = 1.5::integer, name = "test"::keyword
+
+FROM employees
+| LEFT JOIN departments ON employees.dept_id == departments.id
+| KEEP name, department_name
+
+// Query parameters
+FROM ?index
+| WHERE status = ?status AND timestamp > ?1
+
+// DISSECT and GROK
+FROM web_logs
+| DISSECT message "%{ip} %{method} %{path} %{status}"
+| GROK path "%{WORD:section}/%{GREEDYDATA:rest}"
+
+// Numeric literals and math
+ROW x = 42, y = 3.14, z = 1.5e10
+| EVAL result = SQRT(POW(x, 2) + POW(y, 2))
+
+// ENRICH with options
+FROM logs
+| ENRICH hosts_policy ON host.ip WITH os, datacenter
+
+// MV functions
+FROM events
+| EVAL tags = MV_SORT(tags)
+| WHERE MV_COUNT(tags) > 3
+
+// Backtick-escaped column names
+FROM data
+| EVAL `my column` = `nested.field` + 1
+| RENAME `my column` AS result
+
+// FORK
+FROM logs
+| FORK
+ ( WHERE level == "error" | STATS errors = COUNT() )
+ ( WHERE level == "warn" | STATS warnings = COUNT() )
+
+// Boolean operators
+FROM data
+| WHERE status IS NOT NULL
+ AND (category IN ("a", "b", "c") OR priority > 5)
+ AND name LIKE "test*"
+ AND pattern RLIKE "^[a-z]+$"
diff --git a/samples/ESQL/security.esql b/samples/ESQL/security.esql
new file mode 100644
index 0000000000..c811991217
--- /dev/null
+++ b/samples/ESQL/security.esql
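Review bot: The query-parameters example `| WHERE status = ?status AND timestamp > ?1` uses a single `=` as a comparison, while every other comparison in this sample (`level == "error"`, `employees.dept_id == departments.id`) uses `==`, which is ES|QL's equality operator; `=` is the assignment form used in `EVAL`/`STATS`, so this line is unlikely to parse and should read `| WHERE status == ?status AND timestamp > ?1`. The same line also mixes a named parameter (`?status`) with a positional one (`?1`) in one query, which ES|QL may reject as well; keeping the sample to one parameter style would make it safer as a grammar and classifier fixture. Since these samples are what the language classifier trains on, keeping each statement syntactically valid is worth a quick pass.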
@@ -0,0 +1,44 @@
+// Detect brute force login attempts
+FROM logs-auth-*
+| WHERE event.action == "authentication_failure"
+| STATS attempt_count = COUNT(*) BY source.ip, user.name
+| WHERE attempt_count > 10
+| SORT attempt_count DESC
+
+// Identify anomalous data transfer volumes
+FROM logs-network-*
+| WHERE @timestamp >= NOW() - 24h
+| STATS total_bytes = SUM(network.bytes) BY source.ip, destination.ip
+| EVAL gb_transferred = total_bytes / 1073741824
+| WHERE gb_transferred > 1.0
+| SORT gb_transferred DESC
+| LIMIT 20
+
+// Process execution chain analysis
+FROM logs-endpoint-*
+| WHERE event.category == "process" AND event.type == "start"
+| EVAL parent_child = CONCAT(process.parent.name, " -> ", process.name)
+| STATS count = COUNT(*) BY parent_child, host.name
+| WHERE count < 3
+| SORT count ASC
+
+// Alert on rare user-agent strings
+FROM logs-web-*
+| STATS ua_count = COUNT(*) BY user_agent.original
+| WHERE ua_count < 5
+| SORT ua_count ASC
+| LIMIT 50
+
+// Kubernetes pod restart storm
+FROM metrics-kubernetes-*
+| WHERE @timestamp >= NOW() - 30minutes
+| STATS restarts = SUM(kubernetes.pod.restart_count) BY kubernetes.pod.name, kubernetes.namespace
+| WHERE restarts > 5
+| SORT restarts DESC
+
+// Lateral movement: rare process on multiple hosts
+FROM logs-endpoint-*
+| WHERE event.type == "start"
+| STATS host_count = COUNT_DISTINCT(host.name) BY process.name
+| WHERE host_count > 3 AND host_count < 10
+| SORT host_count DESC
diff --git a/vendor/README.md b/vendor/README.md
index 61f074d178..2ef4695bd2 100644
--- a/vendor/README.md
+++ b/vendor/README.md
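Review bot: In the data-transfer query, `| EVAL gb_transferred = total_bytes / 1073741824` divides the integer-typed `SUM(network.bytes)` by an integer literal, and ES|QL performs integer division for integer operands, so the result is truncated and the following `| WHERE gb_transferred > 1.0` silently drops every transfer between 1 and 2 GiB — exactly the band an exfiltration detection would want to keep. Writing the divisor as a double, `| EVAL gb_transferred = total_bytes / 1073741824.0`, preserves the fraction and makes the threshold behave as the comment implies. Separately, the brute-force and rare-user-agent queries have no `@timestamp` bound while the other detections in the file do; since this is a sample file that only feeds the classifier it is not a functional bug, but a one-line `// NOTE: bound by @timestamp before scheduling` above them would stop the pattern being copied verbatim into a real rule.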
@@ -169,6 +169,7 @@ This is a list of grammars that Linguist selects to provide syntax highlighting
 - **ECLiPSe:** [alnkpa/sublimeprolog](https://github.com/alnkpa/sublimeprolog)
 - **EJS:** [tree-sitter/tree-sitter-embedded-template](https://github.com/tree-sitter/tree-sitter-embedded-template) 🐌
 - **EQ:** [dotnet/csharp-tmLanguage](https://github.com/dotnet/csharp-tmLanguage)
+- **ES|QL:** [elastic/esql-syntax](https://github.com/elastic/esql-syntax)
 - **Eagle:** [textmate/xml.tmbundle](https://github.com/textmate/xml.tmbundle)
 - **Earthly:** [earthly/earthfile-grammar](https://github.com/earthly/earthfile-grammar)
 - **Easybuild:** [MagicStack/MagicPython](https://github.com/MagicStack/MagicPython)
diff --git a/vendor/grammars/esql-syntax b/vendor/grammars/esql-syntax
new file mode 160000
index 0000000000..08bed30903
--- /dev/null
+++ b/vendor/grammars/esql-syntax
@@ -0,0 +1 @@
+Subproject commit 08bed30903706c0c60245b8dd95431ef039ff558
diff --git a/vendor/licenses/git_submodule/esql-syntax.dep.yml b/vendor/licenses/git_submodule/esql-syntax.dep.yml
new file mode 100644
index 0000000000..033c2dd18d
--- /dev/null
+++ b/vendor/licenses/git_submodule/esql-syntax.dep.yml
@@ -0,0 +1,171 @@ +--- +name: esql-syntax +version: 08bed30903706c0c60245b8dd95431ef039ff558 +type: git_submodule +homepage: https://github.com/elastic/esql-syntax.git +license: apache-2.0 +licenses: +- sources: LICENSE.txt + text: |2- + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship made available under + the License, as indicated by a copyright notice that is included in + or attached to the work (an example is provided in the Appendix below). 
+ + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean, as submitted to the Licensor for inclusion + in the Work by the copyright owner or by an individual or Legal Entity + authorized to submit on behalf of the copyright owner. For the purposes + of this definition, "submitted" means any form of electronic, verbal, + or written communication sent to the Licensor or its representatives, + including but not limited to communication on electronic mailing lists, + source code control systems, and issue tracking systems that are managed + by, or on behalf of, the Licensor for the purpose of submitting and + discussing work that is Licensor's contributors. + + "Contributor" shall mean Licensor and any Legal Entity on behalf of + whom a Contribution has been received by the Licensor and included + within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those Contributions by such + Contributor that are necessary to make, use, sell, offer to sell, + import and otherwise transfer those patent licenses. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or Derivative + Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, You must include a readable copy of the + attribution notices contained within such NOTICE file, in + at least one of the following places: within a NOTICE text + file distributed as part of the Derivative Works; within + the Source form or documentation, if provided along with the + Derivative Works; or, within a display generated by the + Derivative Works, if and wherever such third-party notices + normally appear. The contents of the NOTICE file are for + informational purposes only and do not modify the License. 
+ You may add Your own attribution notices within Derivative + Works that You distribute, alongside or in addition to the + NOTICE text from the Work, provided that such additional + attribution notices cannot be construed as modifying the License. + + You may add Your own license statement for Your modifications and + may provide additional terms or conditions for use, reproduction, + or distribution of Your modifications, or for such Derivative + Works as a whole, provided Your use, distribution, and reproduction + of the Work otherwise complies with the conditions stated in this + License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or reproducing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or exemplary damages of any character arising as a + result of this License or out of the use or inability to use the + Work (even if such Contributor has been advised of the possibility + of such damages). + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other additional liability obligations consistent with this + License. However, in accepting such obligations, You may offer only + on behalf of Yourself, and not on behalf of any other Contributor, + and only if You agree to indemnify, defend, and hold each Contributor + harmless for any liability incurred by, or claims asserted against, + such Contributor by reason of your accepting any warranty or + additional liability. + + END OF TERMS AND CONDITIONS +notices: []