elasticsearch
EQL sequences: support join on multi-values
Fixes: #64553
This PR adds support for multi-value join keys in sequences (i.e. sequence by <multi-value attribute>).
In the case of a multi-value attribute, each value is considered as a different join key, so the same record will be considered multiple times.
E.g.
sequence by name, tags
[...]
[...]
if we have two records: {id:1, name:a, tags: [foo, bar]} and {id:2, name:a, tags: [foo, bar]},
we will have two results, the first one with key = [a, foo] and the second one with key = [a, bar]. The records in each sequence will be the same in this case.
In case of multiple multi-value keys, the resulting keys will be the Cartesian product of all the single keys per multi value.
E.g. with the same query as above and two records as {id:1, name:[a, b], tags: [foo, bar]} and {id:2, name:[a, b], tags: [foo, bar]}, the result will be four sequences, with keys respectively [a, foo], [a, bar], [b, foo], [b, bar]. All four sequences will have the same records.
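The key expansion described in the PR description above, as an added Python example that is not part of the PR or of Elasticsearch's own code. It assumes each elided `[...]` step matches any record and that input order is event order; `join_keys` and `two_step_sequences` are hypothetical names.

```python
from itertools import product

def join_keys(record, by_fields):
    """Return every join key a record contributes, one per value combination."""
    columns = []
    for field in by_fields:
        value = record[field]
        # A single-valued field behaves like a one-element list.
        columns.append(value if isinstance(value, list) else [value])
    # Cartesian product across fields; dict.fromkeys drops repeated keys
    # (an assumption of this sketch) while keeping first-seen order.
    return list(dict.fromkeys(product(*columns)))

def two_step_sequences(records, by_fields):
    """Toy two-step matcher: every step accepts any record (assumption)."""
    pending = {}   # join key -> record waiting in step 1
    results = []
    for record in records:
        for key in join_keys(record, by_fields):
            if key in pending:
                first = pending.pop(key)
                results.append((key, [first["id"], record["id"]]))
            else:
                pending[key] = record
    return results

# Constructed sample records, taken from the two cases in the PR description.
CASE_ONE = [
    {"id": 1, "name": "a", "tags": ["foo", "bar"]},
    {"id": 2, "name": "a", "tags": ["foo", "bar"]},
]
CASE_TWO = [
    {"id": 1, "name": ["a", "b"], "tags": ["foo", "bar"]},
    {"id": 2, "name": ["a", "b"], "tags": ["foo", "bar"]},
]

if __name__ == "__main__":
    for case in (CASE_ONE, CASE_TWO):
        for key, ids in two_step_sequences(case, ["name", "tags"]):
            print(list(key), ids)
```

The number of keys per record is the product of the value counts of its join fields, so a detection rule joining on several wide multi-value fields tracks correspondingly more sequence state per event.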
@elasticmachine update branch
Pinging @elastic/es-ql (Team:QL)
Hi @luigidellaquila, I've created a changelog YAML for you.
Thank you for the quick feedback @costin, I'm checking your comments now
sequences have a feature that affects join keys - optional fields. I think it's better to add tests with ?tags keys [...]
Adding them now
@elasticmachine run elasticsearch-ci/part-1
@elasticmachine run elasticsearch-ci/part-1
@elasticmachine update branch
@elasticmachine run elasticsearch-ci/bwc
@elasticmachine run elasticsearch-ci/part-2