elastic · elasticsearchmachine · Nov 25, 2024 · Nov 25, 2024 · Nov 25, 2024
diff --git a/docs/reference/esql/functions/description/kql.asciidoc b/docs/reference/esql/functions/description/kql.asciidoc
diff --git a/docs/reference/esql/functions/examples/kql.asciidoc b/docs/reference/esql/functions/examples/kql.asciidoc
diff --git a/docs/reference/esql/functions/kibana/definition/kql.json b/docs/reference/esql/functions/kibana/definition/kql.json
diff --git a/docs/reference/esql/functions/kibana/docs/kql.md b/docs/reference/esql/functions/kibana/docs/kql.md
diff --git a/docs/reference/esql/functions/layout/kql.asciidoc b/docs/reference/esql/functions/layout/kql.asciidoc
diff --git a/docs/reference/esql/functions/parameters/kql.asciidoc b/docs/reference/esql/functions/parameters/kql.asciidoc
diff --git a/docs/reference/esql/functions/signature/kql.svg b/docs/reference/esql/functions/signature/kql.svg
diff --git a/docs/reference/esql/functions/types/kql.asciidoc b/docs/reference/esql/functions/types/kql.asciidoc
diff --git a/x-pack/plugin/esql/build.gradle b/x-pack/plugin/esql/build.gradle
@@ -28,6 +28,7 @@ dependencies {
   compileOnly project(':modules:lang-painless:spi')
   compileOnly project(xpackModule('esql-core'))
   compileOnly project(xpackModule('ml'))
+  implementation project(xpackModule('kql'))
   implementation project('compute')
   implementation project('compute:ann')
   implementation project(':libs:dissect')
@@ -44,6 +45,7 @@ dependencies {
   testImplementation(testArtifact(project(xpackModule('core'))))
   testImplementation project(path: xpackModule('enrich'))
   testImplementation project(path: xpackModule('spatial'))
+  testImplementation project(path: xpackModule('kql'))
 
   testImplementation project(path: ':modules:reindex')
   testImplementation project(path: ':modules:parent-join')

diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/kql-function.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/kql-function.csv-spec
@@ -0,0 +1,153 @@
+###############################################
+# Tests for KQL function
+#
+
+kqlWithField
+required_capability: kql_function
+
+// tag::kql-with-field[]
+FROM books 
+| WHERE KQL("author: Faulkner")
+| KEEP book_no, author 
+| SORT book_no 
+| LIMIT 5;
+// end::kql-with-field[]
+
+// tag::kql-with-field-result[]
+book_no:keyword | author:text
+2378            | [Carol Faulkner, Holly Byers Ochoa, Lucretia Mott]
+2713            | William Faulkner
+2847            | Colleen Faulkner
+2883            | William Faulkner
+3293            | Danny Faulkner
+;
+// end::kql-with-field-result[]
+
+kqlWithMultipleFields
+required_capability: kql_function
+
+from books 
+| where kql("title:Return* AND author:*Tolkien")  
+| keep book_no, title;
+ignoreOrder:true
+
+book_no:keyword | title:text
+2714            | Return of the King Being the Third Part of The Lord of the Rings
+7350            | Return of the Shadow
+;
+
+kqlWithQueryExpressions
+required_capability: kql_function
+
+from books 
+| where kql(CONCAT("title:Return*", " AND author:*Tolkien"))  
+| keep book_no, title;
+ignoreOrder:true
+
+book_no:keyword | title:text
+2714            | Return of the King Being the Third Part of The Lord of the Rings
+7350            | Return of the Shadow
+;
+
+kqlWithConjunction
+required_capability: kql_function
+
+from books 
+| where kql("title: Rings") and ratings > 4.6
+| keep book_no, title;
+ignoreOrder:true
+
+book_no:keyword | title:text
+4023            | A Tolkien Compass: Including J. R. R. Tolkien's Guide to the Names in The Lord of the Rings
+7140            | The Lord of the Rings Poster Collection: Six Paintings by Alan Lee (No. 1)     
+;
+
+kqlWithFunctionPushedToLucene
+required_capability: kql_function
+
+from hosts 
+| where kql("host: beta") and cidr_match(ip1, "127.0.0.2/32", "127.0.0.3/32") 
+| keep card, host, ip0, ip1;
+ignoreOrder:true
+
+card:keyword   |host:keyword   |ip0:ip                   |ip1:ip
+eth1           |beta           |127.0.0.1                |127.0.0.2
+;
+
+kqlWithNonPushableConjunction
+required_capability: kql_function
+
+from books 
+| where kql("title: Rings") and length(title) > 75
+| keep book_no, title;
+ignoreOrder:true
+
+book_no:keyword | title:text
+4023            |A Tolkien Compass: Including J. R. R. Tolkien's Guide to the Names in The Lord of the Rings
+;
+
+kqlWithMultipleWhereClauses
+required_capability: kql_function
+
+from books 
+| where kql("title: rings") 
+| where kql("year > 1 AND year < 2005") 
+| keep book_no, title;
+ignoreOrder:true
+
+book_no:keyword | title:text
+4023            | A Tolkien Compass: Including J. R. R. Tolkien's Guide to the Names in The Lord of the Rings           
+7140            | The Lord of the Rings Poster Collection: Six Paintings by Alan Lee (No. 1)
+;
+
+
+kqlWithMultivaluedTextField
+required_capability: kql_function
+
+from employees 
+| where kql("job_positions: Tech Lead AND job_positions:(Reporting Analyst)") 
+| keep emp_no, first_name, last_name;
+ignoreOrder:true
+
+emp_no:integer | first_name:keyword | last_name:keyword
+10004          | Chirstian          | Koblick        
+10010          | Duangkaew          | Piveteau       
+10011          | Mary               | Sluis          
+10088          | Jungsoon           | Syrzycki       
+10093          | Sailaja            | Desikan        
+10097          | Remzi              | Waschkowski    
+;
+
+kqlWithMultivaluedNumericField
+required_capability: kql_function
+
+from employees 
+| where kql("salary_change > 14") 
+| keep emp_no, first_name, last_name, salary_change;
+ignoreOrder:true
+
+emp_no:integer | first_name:keyword | last_name:keyword | salary_change:double
+10003          | Parto              | Bamford           | [12.82, 14.68]              
+10015          | Guoxiang           | Nooteboom         | [12.4, 14.25]               
+10023          | Bojan              | Montemayor        | [0.8, 14.63]                
+10040          | Weiyi              | Meriste           | [-8.94, 1.92, 6.97, 14.74]  
+10061          | Tse                | Herber            | [-2.58, -0.95, 14.39]       
+10065          | Satosi             | Awdeh             | [-9.81, -1.47, 14.44]       
+10099          | Valter             | Sullins           | [-8.78, -3.98, 10.71, 14.26]
+;
+
+testMultiValuedFieldWithConjunction
+required_capability: kql_function
+
+from employees 
+| where (kql("job_positions: (Data Scientist) OR job_positions:(Support Engineer)")) and gender == "F"
+| keep emp_no, first_name, last_name;
+ignoreOrder:true
+
+emp_no:integer | first_name:keyword | last_name:keyword  
+10023          | Bojan              | Montemayor
+10041          | Uri                | Lenart
+10044          | Mingsen            | Casley
+10053          | Sanjiv             | Zschoche
+10069          | Margareta          | Bierman
+;
diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/qstr-function.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/qstr-function.csv-spec
@@ -101,8 +101,8 @@ book_no:keyword | title:text
 ;
 
 
-matchMultivaluedTextField
-required_capability: match_function
+qstrWithMultivaluedTextField
+required_capability: qstr_function
 
 from employees 
 | where qstr("job_positions: (Tech Lead) AND job_positions:(Reporting Analyst)") 
@@ -118,8 +118,8 @@ emp_no:integer | first_name:keyword | last_name:keyword
 10097          | Remzi              | Waschkowski    
 ;
 
-matchMultivaluedNumericField
-required_capability: match_function
+qstrWithMultivaluedNumericField
+required_capability: qstr_function
 
 from employees 
 | where qstr("salary_change: [14 TO *]") 
@@ -137,7 +137,7 @@ emp_no:integer | first_name:keyword | last_name:keyword | salary_change:double
 ;
 
 testMultiValuedFieldWithConjunction
-required_capability: match_function
+required_capability: qstr_function
 
 from employees 
 | where (qstr("job_positions: (Data Scientist) OR job_positions:(Support Engineer)")) and gender == "F"