elastic · astefan · Sep 29, 2021 · costin · Oct 11, 2021 · costin
diff --git a/x-pack/plugin/eql/qa/common/src/main/resources/data/extra.data b/x-pack/plugin/eql/qa/common/src/main/resources/data/extra.data
@@ -34,5 +34,22 @@
   "event_type": "STAT",
   "transID": 1235,
   "sequence": 3
+ },
+ {
+  "@timestamp": "100",
+  "event_type": "OPTIONAL",
+  "default_null_value_field": null,
+  "sequence": 4
+ },
+ {
+  "@timestamp": "101",
+  "event_type": "OPTIONAL",
+  "sequence": 5
+ },
+ {
+  "@timestamp": "102",
+  "event_type": "OPTIONAL",
+  "default_null_value_field": null,
+  "sequence": 6
  }
 ]
diff --git a/x-pack/plugin/eql/qa/common/src/main/resources/data/extra.mapping b/x-pack/plugin/eql/qa/common/src/main/resources/data/extra.mapping
@@ -20,6 +20,13 @@
           "path": "sequence"
         }
       }
+    },
+    "no_docs_field": {
+      "type": "keyword"
+    },
+    "default_null_value_field": {
+      "type": "keyword",
+      "null_value": "NULL"
     }
   }
 }
diff --git a/x-pack/plugin/eql/qa/common/src/main/resources/test_extra.toml b/x-pack/plugin/eql/qa/common/src/main/resources/test_extra.toml
@@ -27,3 +27,45 @@ query = '''
     [ STAT where transID == 1234 ]
 '''
 expected_event_ids  = [1,2,3]
+
+[[queries]]
+name = "optionalNoDocsFieldNullEquality"
+query = '''
+  OPTIONAL where ?no_docs_field == null
+'''
+expected_event_ids  = [4,5,6]
+
+[[queries]]
+name = "optionalNoDocsFieldNumericEquality"
+query = '''
+  OPTIONAL where ?no_docs_field == 123
+'''
+expected_event_ids  = []
+
+[[queries]]
+name = "optionalDefaultNullValueFieldEqualNull"
+query = '''
+  OPTIONAL where ?default_null_value_field == null
+'''
+expected_event_ids  = [5]
+
+[[queries]]
+name = "optionalDefaultNullValueFieldEqualDefaultValue"
+query = '''
+  OPTIONAL where ?default_null_value_field == "NULL"
+'''
+expected_event_ids  = [4,6]
+
+[[queries]]
+name = "optionalMissingFieldNullEquality"
+query = '''
+  OPTIONAL where ?inexistent_field == null
+'''
+expected_event_ids  = [4,5,6]
+
+[[queries]]
+name = "optionalMissingFieldImplicitBooleanEquality"
+query = '''
+  OPTIONAL where ?inexistent_field
+'''
+expected_event_ids  = []
diff --git a/x-pack/plugin/eql/src/main/antlr/EqlBase.g4 b/x-pack/plugin/eql/src/main/antlr/EqlBase.g4
@@ -137,7 +137,7 @@ booleanValue
     ;
 
 qualifiedName
-    : identifier (DOT identifier | LB INTEGER_VALUE+ RB)*
+    : OPTIONAL? identifier (DOT identifier | LB INTEGER_VALUE+ RB)*
     ;
 
 identifier
@@ -204,6 +204,7 @@ RB: ']';
 LP: '(';
 RP: ')';
 PIPE: '|';
+OPTIONAL: '?';
 
 fragment STRING_ESCAPE
     : '\\' [btnfr"'\\]

diff --git a/x-pack/plugin/eql/src/main/antlr/EqlBase.tokens b/x-pack/plugin/eql/src/main/antlr/EqlBase.tokens
@@ -39,15 +39,16 @@ RB=38
 LP=39
 RP=40
 PIPE=41
-STRING=42
-INTEGER_VALUE=43
-DECIMAL_VALUE=44
-IDENTIFIER=45
-QUOTED_IDENTIFIER=46
-TILDE_IDENTIFIER=47
-LINE_COMMENT=48
-BRACKETED_COMMENT=49
-WS=50
+OPTIONAL=42
+STRING=43
+INTEGER_VALUE=44
+DECIMAL_VALUE=45
+IDENTIFIER=46
+QUOTED_IDENTIFIER=47
+TILDE_IDENTIFIER=48
+LINE_COMMENT=49
+BRACKETED_COMMENT=50
+WS=51
 'and'=1
 'any'=2
 'by'=3
@@ -89,3 +90,4 @@ WS=50
 '('=39
 ')'=40
 '|'=41
+'?'=42
diff --git a/x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens b/x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens
@@ -39,15 +39,16 @@ RB=38
 LP=39
 RP=40
 PIPE=41
-STRING=42
-INTEGER_VALUE=43
-DECIMAL_VALUE=44
-IDENTIFIER=45
-QUOTED_IDENTIFIER=46
-TILDE_IDENTIFIER=47
-LINE_COMMENT=48
-BRACKETED_COMMENT=49
-WS=50
+OPTIONAL=42
+STRING=43
+INTEGER_VALUE=44
+DECIMAL_VALUE=45
+IDENTIFIER=46
+QUOTED_IDENTIFIER=47
+TILDE_IDENTIFIER=48
+LINE_COMMENT=49
+BRACKETED_COMMENT=50
+WS=51
 'and'=1
 'any'=2
 'by'=3
@@ -89,3 +90,4 @@ WS=50
 '('=39
 ')'=40
 '|'=41
+'?'=42
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/analysis/Analyzer.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/analysis/Analyzer.java
@@ -9,7 +9,8 @@
 
 import org.elasticsearch.xpack.ql.common.Failure;
 import org.elasticsearch.xpack.ql.expression.Attribute;
-import org.elasticsearch.xpack.ql.expression.NamedExpression;
+import org.elasticsearch.xpack.ql.expression.Expression;
+import org.elasticsearch.xpack.ql.expression.Literal;
 import org.elasticsearch.xpack.ql.expression.UnresolvedAttribute;
 import org.elasticsearch.xpack.ql.expression.function.Function;
 import org.elasticsearch.xpack.ql.expression.function.FunctionDefinition;
@@ -21,21 +22,24 @@
 
 import java.util.Collection;
 import java.util.LinkedHashSet;
+import java.util.Set;
 
 import static java.util.Arrays.asList;
 import static org.elasticsearch.xpack.eql.analysis.AnalysisUtils.resolveAgainstList;
-import static org.elasticsearch.xpack.ql.analyzer.AnalyzerRules.AddMissingEqualsToBoolField;
+import org.elasticsearch.xpack.ql.analyzer.AnalyzerRules.AddMissingEqualsToBoolField;
 
 public class Analyzer extends RuleExecutor<LogicalPlan> {
 
     private final Configuration configuration;
     private final FunctionRegistry functionRegistry;
     private final Verifier verifier;
+    private final Set<UnresolvedAttribute> optionals;
 
-    public Analyzer(Configuration configuration, FunctionRegistry functionRegistry, Verifier verifier) {
+    public Analyzer(Configuration configuration, FunctionRegistry functionRegistry, Verifier verifier, Set<UnresolvedAttribute> optionals) {
         this.configuration = configuration;
         this.functionRegistry = functionRegistry;
         this.verifier = verifier;
+        this.optionals = optionals;
     }
 
     @Override
@@ -62,7 +66,7 @@ private LogicalPlan verify(LogicalPlan plan) {
         return plan;
     }
 
-    private static class ResolveRefs extends AnalyzerRule<LogicalPlan> {
+    private class ResolveRefs extends AnalyzerRule<LogicalPlan> {
 
         @Override
         protected LogicalPlan rule(LogicalPlan plan) {
@@ -81,7 +85,11 @@ protected LogicalPlan rule(LogicalPlan plan) {
                 for (LogicalPlan child : plan.children()) {
                     childrenOutput.addAll(child.output());
                 }
-                NamedExpression named = resolveAgainstList(u, childrenOutput);
+                Expression named = resolveAgainstList(u, childrenOutput);
+                // if it's not resolved (it doesn't exist in mappings) and it's an optional field, replace it with "null"
+                if (named == null && optionals.contains(u)) {
+                    named = Literal.NULL;
+                }
                 // if resolved, return it; otherwise keep it in place to be resolved later
                 if (named != null) {
                     if (log.isTraceEnabled()) {

diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/AstBuilder.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/AstBuilder.java
@@ -8,12 +8,15 @@
 package org.elasticsearch.xpack.eql.parser;
 
 import org.elasticsearch.xpack.eql.parser.EqlBaseParser.SingleStatementContext;
+import org.elasticsearch.xpack.ql.expression.UnresolvedAttribute;
 import org.elasticsearch.xpack.ql.plan.logical.LogicalPlan;
 
+import java.util.Set;
+
 public class AstBuilder extends LogicalPlanBuilder {
 
-    AstBuilder(ParserParams params) {
-        super(params);
+    AstBuilder(ParserParams params, Set<UnresolvedAttribute> optionals) {
+        super(params, optionals);
     }
 
     @Override