o gZh-@sHddlZddlmZddlmZddlmZmZm Z GdddeZ dS)N)ObjectApiResponse)NamespacedClient) SKIP_IN_PATH_quote_rewrite_parametersc2@sHeZdZeddddddedejedejejeej efdejedejede ej f d d Z eddddddd dedejedejejeej efdejed ejejd defdejedejejd defde ej fddZ eddddddedejedejejeej efdejedejede ej f ddZeddddddddddddddddddddddddejeej efdedejedejedejedejedejejej ejdefejdeffdejedejejejeej fej ejeej ffd ejejejeej fej ejeej ffdejejeej efdejed!ejed ejejd defd"ejedejed#ejejd$efd%ejejeejeej ffd&ejed'ejed(ejedejejd defde ej f.d)d*ZdS)+ EqlClientN) error_trace filter_pathhumanprettyidr r r r returnc C||tvrtddt|}i}|dur||d<|dur!||d<|dur)||d<|dur1||d<dd i}|jd |||d S) u  Deletes an async EQL search by ID. If the search is still running, the search request will be cancelled. Otherwise, the saved search results are deleted. ``_ :param id: Identifier for the search to delete. A search ID is provided in the EQL search API's response for an async search. A search ID is also provided if the request’s `keep_on_completion` parameter is `true`. %Empty value passed for parameter 'id' /_eql/search/Nr r r r acceptapplication/jsonDELETEparamsheadersr ValueErrorrZperform_request selfr r r r r _EqlClient__path_EqlClient__query_EqlClient__headersrU/var/www/html/lang_env/lib/python3.10/site-packages/elasticsearch/_sync/client/eql.pydeletes zEqlClient.delete)r r r keep_aliver wait_for_completion_timeoutr"z t.Literal[-1]z t.Literal[0]r#c Cs|tvrtddt|}i} |dur|| d<|dur!|| d<|dur)|| d<|dur1|| d<|dur9|| d<|durA|| d <d d i} |jd || | d S)u Returns async results from previously executed Event Query Language (EQL) search ``_ :param id: Identifier for the search. :param keep_alive: Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search’s EQL search API request. :param wait_for_completion_timeout: Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results. rrNr r r r"r r#rrGETrr) rr r r r r"r r#rrrrrr get@s(z EqlClient.getc Cr) a Returns the status of a previously submitted async or stored Event Query Language (EQL) search ``_ :param id: Identifier for the search. rz/_eql/search/status/Nr r r r rrr$rrrrrr get_statusps zEqlClient.get_statusT)Z body_fields)allow_no_indicescase_sensitiver event_category_fieldexpand_wildcards fetch_sizefieldsfilterr r ignore_unavailabler"keep_on_completionr result_positionruntime_mappingssizetiebreaker_fieldtimestamp_fieldr#indexqueryr'r(r)r*z4t.Literal['all', 'closed', 'hidden', 'none', 'open']r+r,r-r.r/r0zt.Literal['head', 'tail']r1r2r3r4cCs|tvrtd|durtddt|d}i}i}|dur$||d<|dur,||d<|dur4||d<|dur<||d <|durD||d <|durL||d <|durT||d <| dur\| |d <| durd| |d<| durl| |d<| durt| |d<| dur|| |d<|dur||d<|dur||d<|dur||d<|dur||d<|dur||d<|dur||d<|dur||d<|dur||d<|dur||d<ddd}|jd||||dS)a Returns results matching a query expressed in Event Query Language (EQL) ``_ :param index: The name of the index to scope the operation :param query: EQL query you wish to run. :param allow_no_indices: :param case_sensitive: :param event_category_field: Field containing the event classification, such as process, file, or network. :param expand_wildcards: :param fetch_size: Maximum number of events to search at a time for sequence queries. :param fields: Array of wildcard (*) patterns. The response returns values for field names matching these patterns in the fields property of each hit. :param filter: Query, written in Query DSL, used to filter the events on which the EQL query runs. :param ignore_unavailable: If true, missing or closed indices are not included in the response. :param keep_alive: :param keep_on_completion: :param result_position: :param runtime_mappings: :param size: For basic queries, the maximum number of matching events to return. Defaults to 10 :param tiebreaker_field: Field used to sort hits with the same timestamp in ascending order :param timestamp_field: Field containing event timestamp. Default "@timestamp" :param wait_for_completion_timeout: z(Empty value passed for parameter 'index'Nz(Empty value passed for parameter 'query'/z /_eql/searchr6r'r(r r)r*r+r,r-r r r.r"r/r r0r1r2r3r4r#r)rz content-typePOST)rrbodyr)rr5r6r'r(r r)r*r+r,r-r r r.r"r/r r0r1r2r3r4r#rZ_EqlClient__bodyrrrrr searchsjI  zEqlClient.search)__name__ __module__ __qualname__rstrtOptionalboolUnionSequencerAnyr!r%r&intMappingr:rrrr rs& $  / "   ** !"#&r) typingr?Zelastic_transportr_baserutilsrrrrrrrr s