[FR] Skip eql optimizations on parsing query for unique fields (#3443)

(cherry picked from commit 5420537)
elastic · Feb 21, 2024 · 2a74f6d · 2a74f6d
1 parent 4339da4
commit 2a74f6d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/detection_rules/rule.py b/detection_rules/rule.py
@@ -1358,8 +1358,8 @@ def get_unique_query_fields(rule: TOMLRule) -> List[str]:
     if language in ('kuery', 'eql'):
         # TODO: remove once py-eql supports ipv6 for cidrmatch
 
-        config = set_eql_config(rule.contents.metadata.get('min_stack_version'))
-        with eql.parser.elasticsearch_syntax, eql.parser.ignore_missing_functions, config:
+        cfg = set_eql_config(rule.contents.metadata.get('min_stack_version'))
+        with eql.parser.elasticsearch_syntax, eql.parser.ignore_missing_functions, eql.parser.skip_optimizations, cfg:
             parsed = kql.parse(query) if language == 'kuery' else eql.parse_query(query)
 
         return sorted(set(str(f) for f in parsed if isinstance(f, (eql.ast.Field, kql.ast.Field))))

diff --git a/detection_rules/rule_validators.py b/detection_rules/rule_validators.py
@@ -207,8 +207,8 @@ class EQLValidator(QueryValidator):
     @cached_property
     def ast(self) -> eql.ast.Expression:
         latest_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True)
-        config = set_eql_config(str(latest_version))
-        with eql.parser.elasticsearch_syntax, eql.parser.ignore_missing_functions, config:
+        cfg = set_eql_config(str(latest_version))
+        with eql.parser.elasticsearch_syntax, eql.parser.ignore_missing_functions, eql.parser.skip_optimizations, cfg:
             return eql.parse_query(self.query)
 
     def text_fields(self, eql_schema: Union[ecs.KqlSchema2Eql, endgame.EndgameSchema]) -> List[str]: