Remove search_after and implicit_join_key_field (#59232)

client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java

@@ -26,7 +26,6 @@ import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.ToXContentObject;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.index.query.QueryBuilder;
-import org.elasticsearch.search.searchafter.SearchAfterBuilder;
 
 import java.io.IOException;
 import java.util.Arrays;
@@ -40,12 +39,10 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
     private QueryBuilder filter = null;
     private String timestampField = "@timestamp";
     private String eventCategoryField = "event.category";
-    private String implicitJoinKeyField = "agent.id";
     private boolean isCaseSensitive = true;
 
     private int size = 10;
     private int fetchSize = 1000;
-    private SearchAfterBuilder searchAfterBuilder;
     private String query;
     private String tiebreakerField;
 
@@ -58,11 +55,9 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
     static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
     static final String KEY_TIEBREAKER_FIELD = "tiebreaker_field";
     static final String KEY_EVENT_CATEGORY_FIELD = "event_category_field";
-    static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
     static final String KEY_CASE_SENSITIVE = "case_sensitive";
     static final String KEY_SIZE = "size";
     static final String KEY_FETCH_SIZE = "fetch_size";
-    static final String KEY_SEARCH_AFTER = "search_after";
     static final String KEY_QUERY = "query";
     static final String KEY_WAIT_FOR_COMPLETION_TIMEOUT = "wait_for_completion_timeout";
     static final String KEY_KEEP_ALIVE = "keep_alive";
@@ -84,16 +79,8 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
             builder.field(KEY_TIEBREAKER_FIELD, tiebreakerField());
         }
         builder.field(KEY_EVENT_CATEGORY_FIELD, eventCategoryField());
-        if (implicitJoinKeyField != null) {
-            builder.field(KEY_IMPLICIT_JOIN_KEY_FIELD, implicitJoinKeyField());
-        }
         builder.field(KEY_SIZE, size());
         builder.field(KEY_FETCH_SIZE, fetchSize());
-
-        if (searchAfterBuilder != null) {
-            builder.array(KEY_SEARCH_AFTER, searchAfterBuilder.getSortValues());
-        }
-
         builder.field(KEY_CASE_SENSITIVE, isCaseSensitive());
 
         builder.field(KEY_QUERY, query);
@@ -156,10 +143,6 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
         return this;
     }
 
-    public String implicitJoinKeyField() {
-        return this.implicitJoinKeyField;
-    }
-
     public boolean isCaseSensitive() {
         return this.isCaseSensitive;
     }
@@ -169,12 +152,6 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
         return this;
     }
 
-    public EqlSearchRequest implicitJoinKeyField(String implicitJoinKeyField) {
-        Objects.requireNonNull(implicitJoinKeyField, "implicit join key must not be null");
-        this.implicitJoinKeyField = implicitJoinKeyField;
-        return this;
-    }
-
     public int size() {
         return this.size;
     }
@@ -199,23 +176,6 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
         return this;
     }
 
-    public Object[] searchAfter() {
-        if (searchAfterBuilder == null) {
-            return null;
-        }
-        return searchAfterBuilder.getSortValues();
-    }
-
-    public EqlSearchRequest searchAfter(Object[] values) {
-        this.searchAfterBuilder = new SearchAfterBuilder().setSortValues(values);
-        return this;
-    }
-
-    private EqlSearchRequest setSearchAfter(SearchAfterBuilder builder) {
-        this.searchAfterBuilder = builder;
-        return this;
-    }
-
     public String query() {
         return this.query;
     }
@@ -269,8 +229,6 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
                 Objects.equals(timestampField, that.timestampField) &&
                 Objects.equals(tiebreakerField, that.tiebreakerField) &&
                 Objects.equals(eventCategoryField, that.eventCategoryField) &&
-                Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
-                Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
                 Objects.equals(query, that.query) &&
                 Objects.equals(isCaseSensitive, that.isCaseSensitive) &&
                 Objects.equals(waitForCompletionTimeout, that.waitForCompletionTimeout) &&
@@ -289,8 +247,6 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
             timestampField,
             tiebreakerField,
             eventCategoryField,
-            implicitJoinKeyField,
-            searchAfterBuilder,
             query,
             isCaseSensitive,
             waitForCompletionTimeout,

client/rest-high-level/src/test/java/org/elasticsearch/client/eql/EqlSearchRequestTests.java

@@ -39,9 +39,6 @@ public class EqlSearchRequestTests extends AbstractRequestTestCase<EqlSearchRequ
         if (randomBoolean()) {
             EqlSearchRequest.fetchSize(randomIntBetween(1, Integer.MAX_VALUE));
         }
-        if (randomBoolean()) {
-            EqlSearchRequest.implicitJoinKeyField(randomAlphaOfLength(10));
-        }
         if (randomBoolean()) {
             EqlSearchRequest.eventCategoryField(randomAlphaOfLength(10));
         }
@@ -54,9 +51,6 @@ public class EqlSearchRequestTests extends AbstractRequestTestCase<EqlSearchRequ
         if (randomBoolean()) {
             EqlSearchRequest.tiebreakerField(randomAlphaOfLength(10));
         }
-        if (randomBoolean()) {
-            EqlSearchRequest.searchAfter(randomArray(1, 4, Object[]::new, () -> randomAlphaOfLength(3)));
-        }
         if (randomBoolean()) {
             if (randomBoolean()) {
                 EqlSearchRequest.filter(QueryBuilders.matchAllQuery());
@@ -76,12 +70,10 @@ public class EqlSearchRequestTests extends AbstractRequestTestCase<EqlSearchRequ
     protected void assertInstances(org.elasticsearch.xpack.eql.action.EqlSearchRequest serverInstance, EqlSearchRequest
         clientTestInstance) {
         assertThat(serverInstance.eventCategoryField(), equalTo(clientTestInstance.eventCategoryField()));
-        assertThat(serverInstance.implicitJoinKeyField(), equalTo(clientTestInstance.implicitJoinKeyField()));
         assertThat(serverInstance.timestampField(), equalTo(clientTestInstance.timestampField()));
         assertThat(serverInstance.tiebreakerField(), equalTo(clientTestInstance.tiebreakerField()));
         assertThat(serverInstance.filter(), equalTo(clientTestInstance.filter()));
         assertThat(serverInstance.query(), equalTo(clientTestInstance.query()));
-        assertThat(serverInstance.searchAfter(), equalTo(clientTestInstance.searchAfter()));
         assertThat(serverInstance.indicesOptions(), equalTo(clientTestInstance.indicesOptions()));
         assertThat(serverInstance.indices(), equalTo(clientTestInstance.indices()));
         assertThat(serverInstance.fetchSize(), equalTo(clientTestInstance.fetchSize()));

docs/reference/eql/eql-search-api.asciidoc

@@ -181,10 +181,6 @@ A greater `fetch_size` value often increases search speed but uses more memory.
 Query, written in query DSL, used to filter the events on which the EQL query
 runs.
 
-`implicit_join_key_field`::
-(Optional, string)
-Reserved for future use.
-
 `keep_alive`::
 +
 --
@@ -235,10 +231,6 @@ If both parameters are specified, only the query parameter is used.
 IMPORTANT: This parameter supports a subset of EQL syntax. See
 <<eql-unsupported-syntax>>.
 
-`search_after`::
-(Optional, string)
-Reserved for future use.
-
 `size`::
 (Optional, integer or float)
 For <<eql-basic-syntax,basic queries>>, the maximum number of matching events to

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java

@@ -30,11 +30,8 @@ public abstract class CommonEqlRestTestCase extends ESRestTestCase {
             {"{\"query\": \"\"}", "query is null or empty"},
             {"{\"query\": \"" + validQuery + "\", \"timestamp_field\": \"\"}", "timestamp field is null or empty"},
             {"{\"query\": \"" + validQuery + "\", \"event_category_field\": \"\"}", "event category field is null or empty"},
-            {"{\"query\": \"" + validQuery + "\", \"implicit_join_key_field\": \"\"}", "implicit join key field is null or empty"},
             {"{\"query\": \"" + validQuery + "\", \"size\": 0}", "size must be greater than 0"},
             {"{\"query\": \"" + validQuery + "\", \"size\": -1}", "size must be greater than 0"},
-            {"{\"query\": \"" + validQuery + "\", \"search_after\": null}", "search_after doesn't support values of type: VALUE_NULL"},
-            {"{\"query\": \"" + validQuery + "\", \"search_after\": []}", "must contains at least one value"},
             {"{\"query\": \"" + validQuery + "\", \"filter\": null}", "filter doesn't support values of type: VALUE_NULL"},
             {"{\"query\": \"" + validQuery + "\", \"filter\": {}}", "query malformed, empty clause found"}
     };

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java

@@ -21,7 +21,6 @@ import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentParser;
 import org.elasticsearch.index.query.AbstractQueryBuilder;
 import org.elasticsearch.index.query.QueryBuilder;
-import org.elasticsearch.search.searchafter.SearchAfterBuilder;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.tasks.TaskId;
 
@@ -33,7 +32,6 @@ import java.util.function.Supplier;
 
 import static org.elasticsearch.action.ValidateActions.addValidationError;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_EVENT_CATEGORY;
-import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_IMPLICIT_JOIN_KEY;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_TIMESTAMP;
 
 public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Replaceable, ToXContent {
@@ -49,10 +47,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
     private String timestampField = FIELD_TIMESTAMP;
     private String tiebreakerField = null;
     private String eventCategoryField = FIELD_EVENT_CATEGORY;
-    private String implicitJoinKeyField = FIELD_IMPLICIT_JOIN_KEY;
     private int size = RequestDefaults.SIZE;
     private int fetchSize = RequestDefaults.FETCH_SIZE;
-    private SearchAfterBuilder searchAfterBuilder;
     private String query;
     private boolean isCaseSensitive = false;
 
@@ -65,10 +61,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
     static final String KEY_TIMESTAMP_FIELD = "timestamp_field";
     static final String KEY_TIEBREAKER_FIELD = "tiebreaker_field";
     static final String KEY_EVENT_CATEGORY_FIELD = "event_category_field";
-    static final String KEY_IMPLICIT_JOIN_KEY_FIELD = "implicit_join_key_field";
     static final String KEY_SIZE = "size";
     static final String KEY_FETCH_SIZE = "fetch_size";
-    static final String KEY_SEARCH_AFTER = "search_after";
     static final String KEY_QUERY = "query";
     static final String KEY_WAIT_FOR_COMPLETION_TIMEOUT = "wait_for_completion_timeout";
     static final String KEY_KEEP_ALIVE = "keep_alive";
@@ -79,10 +73,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
     static final ParseField TIMESTAMP_FIELD = new ParseField(KEY_TIMESTAMP_FIELD);
     static final ParseField TIEBREAKER_FIELD = new ParseField(KEY_TIEBREAKER_FIELD);
     static final ParseField EVENT_CATEGORY_FIELD = new ParseField(KEY_EVENT_CATEGORY_FIELD);
-    static final ParseField IMPLICIT_JOIN_KEY_FIELD = new ParseField(KEY_IMPLICIT_JOIN_KEY_FIELD);
     static final ParseField SIZE = new ParseField(KEY_SIZE);
     static final ParseField FETCH_SIZE = new ParseField(KEY_FETCH_SIZE);
-    static final ParseField SEARCH_AFTER = new ParseField(KEY_SEARCH_AFTER);
     static final ParseField QUERY = new ParseField(KEY_QUERY);
     static final ParseField WAIT_FOR_COMPLETION_TIMEOUT = new ParseField(KEY_WAIT_FOR_COMPLETION_TIMEOUT);
     static final ParseField KEEP_ALIVE = new ParseField(KEY_KEEP_ALIVE);
@@ -103,10 +95,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
         timestampField = in.readString();
         tiebreakerField = in.readOptionalString();
         eventCategoryField = in.readString();
-        implicitJoinKeyField = in.readString();
         size = in.readVInt();
         fetchSize = in.readVInt();
-        searchAfterBuilder = in.readOptionalWriteable(SearchAfterBuilder::new);
         query = in.readString();
         if (in.getVersion().onOrAfter(Version.V_8_0_0)) { // TODO: Remove after backport
             this.waitForCompletionTimeout = in.readOptionalTimeValue();
@@ -147,10 +137,6 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
             validationException = addValidationError("event category field is null or empty", validationException);
         }
 
-        if (implicitJoinKeyField == null || implicitJoinKeyField.isEmpty()) {
-            validationException = addValidationError("implicit join key field is null or empty", validationException);
-        }
-
         if (size <= 0) {
             validationException = addValidationError("size must be greater than 0", validationException);
         }
@@ -177,16 +163,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
             builder.field(KEY_TIEBREAKER_FIELD, tiebreakerField());
         }
         builder.field(KEY_EVENT_CATEGORY_FIELD, eventCategoryField());
-        if (implicitJoinKeyField != null) {
-            builder.field(KEY_IMPLICIT_JOIN_KEY_FIELD, implicitJoinKeyField());
-        }
         builder.field(KEY_SIZE, size());
         builder.field(KEY_FETCH_SIZE, fetchSize());
-
-        if (searchAfterBuilder != null) {
-            builder.array(SEARCH_AFTER.getPreferredName(), searchAfterBuilder.getSortValues());
-        }
-
         builder.field(KEY_QUERY, query);
         if (waitForCompletionTimeout != null) {
             builder.field(KEY_WAIT_FOR_COMPLETION_TIMEOUT, waitForCompletionTimeout);
@@ -211,11 +189,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
         parser.declareString(EqlSearchRequest::timestampField, TIMESTAMP_FIELD);
         parser.declareString(EqlSearchRequest::tiebreakerField, TIEBREAKER_FIELD);
         parser.declareString(EqlSearchRequest::eventCategoryField, EVENT_CATEGORY_FIELD);
-        parser.declareString(EqlSearchRequest::implicitJoinKeyField, IMPLICIT_JOIN_KEY_FIELD);
         parser.declareInt(EqlSearchRequest::size, SIZE);
         parser.declareInt(EqlSearchRequest::fetchSize, FETCH_SIZE);
-        parser.declareField(EqlSearchRequest::setSearchAfter, SearchAfterBuilder::fromXContent, SEARCH_AFTER,
-            ObjectParser.ValueType.OBJECT_ARRAY);
         parser.declareString(EqlSearchRequest::query, QUERY);
         parser.declareField(EqlSearchRequest::waitForCompletionTimeout,
             (p, c) -> TimeValue.parseTimeValue(p.text(), KEY_WAIT_FOR_COMPLETION_TIMEOUT), WAIT_FOR_COMPLETION_TIMEOUT,
@@ -261,13 +236,6 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
         return this;
     }
 
-    public String implicitJoinKeyField() { return this.implicitJoinKeyField; }
-
-    public EqlSearchRequest implicitJoinKeyField(String implicitJoinKeyField) {
-        this.implicitJoinKeyField = implicitJoinKeyField;
-        return this;
-    }
-
     public int size() {
         return this.size;
     }
@@ -286,23 +254,6 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
         return this;
     }
 
-    public Object[] searchAfter() {
-        if (searchAfterBuilder == null) {
-            return null;
-        }
-        return searchAfterBuilder.getSortValues();
-    }
-
-    public EqlSearchRequest searchAfter(Object[] values) {
-        this.searchAfterBuilder = new SearchAfterBuilder().setSortValues(values);
-        return this;
-    }
-
-    private EqlSearchRequest setSearchAfter(SearchAfterBuilder builder) {
-        this.searchAfterBuilder = builder;
-        return this;
-    }
-
     public String query() { return this.query; }
 
     public EqlSearchRequest query(String query) {
@@ -353,10 +304,8 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
         out.writeString(timestampField);
         out.writeOptionalString(tiebreakerField);
         out.writeString(eventCategoryField);
-        out.writeString(implicitJoinKeyField);
         out.writeVInt(size);
         out.writeVInt(fetchSize);
-        out.writeOptionalWriteable(searchAfterBuilder);
         out.writeString(query);
         if (out.getVersion().onOrAfter(Version.V_8_0_0)) { // TODO: Remove after backport
             out.writeOptionalTimeValue(waitForCompletionTimeout);
@@ -383,8 +332,6 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
                 Objects.equals(timestampField, that.timestampField) &&
                 Objects.equals(tiebreakerField, that.tiebreakerField) &&
                 Objects.equals(eventCategoryField, that.eventCategoryField) &&
-                Objects.equals(implicitJoinKeyField, that.implicitJoinKeyField) &&
-                Objects.equals(searchAfterBuilder, that.searchAfterBuilder) &&
                 Objects.equals(query, that.query) &&
                 Objects.equals(waitForCompletionTimeout, that.waitForCompletionTimeout) &&
                 Objects.equals(keepAlive, that.keepAlive) &&
@@ -402,8 +349,6 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
             timestampField,
             tiebreakerField,
             eventCategoryField,
-            implicitJoinKeyField,
-            searchAfterBuilder,
             query,
             waitForCompletionTimeout,
             keepAlive,

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java

@@ -40,11 +40,6 @@ public class EqlSearchRequestBuilder extends ActionRequestBuilder<EqlSearchReque
         return this;
     }
 
-    public EqlSearchRequestBuilder implicitJoinKeyField(String implicitJoinKeyField) {
-        request.implicitJoinKeyField(implicitJoinKeyField);
-        return this;
-    }
-
     public EqlSearchRequestBuilder size(int size) {
         request.size(size);
         return this;
@@ -55,17 +50,12 @@ public class EqlSearchRequestBuilder extends ActionRequestBuilder<EqlSearchReque
         return this;
     }
 
-    public EqlSearchRequestBuilder searchAfter(Object[] values) {
-        request.searchAfter(values);
-        return this;
-    }
-
     public EqlSearchRequestBuilder query(String query) {
         request.query(query);
         return this;
     }
 
-    public EqlSearchRequestBuilder query(boolean isCaseSensitive) {
+    public EqlSearchRequestBuilder isCaseSensitive(boolean isCaseSensitive) {
         request.isCaseSensitive(isCaseSensitive);
         return this;
     }

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/RequestDefaults.java

@@ -12,7 +12,6 @@ public final class RequestDefaults {
 
     public static final String FIELD_TIMESTAMP = "@timestamp";
     public static final String FIELD_EVENT_CATEGORY = "event.category";
-    public static final String FIELD_IMPLICIT_JOIN_KEY = "agent.id";
 
     public static int SIZE = 10;
     public static int FETCH_SIZE = 1000;

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/ParserParams.java

@@ -12,7 +12,6 @@ import java.util.List;
 import static java.util.Collections.emptyList;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.FETCH_SIZE;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_EVENT_CATEGORY;
-import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_IMPLICIT_JOIN_KEY;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.FIELD_TIMESTAMP;
 import static org.elasticsearch.xpack.eql.action.RequestDefaults.SIZE;
 
@@ -22,7 +21,6 @@ public class ParserParams {
     private String fieldEventCategory = FIELD_EVENT_CATEGORY;
     private String fieldTimestamp = FIELD_TIMESTAMP;
     private String fieldTiebreaker = null;
-    private String implicitJoinKey = FIELD_IMPLICIT_JOIN_KEY;
     private int size = SIZE;
     private int fetchSize = FETCH_SIZE;
     private List<Object> queryParams = emptyList();
@@ -58,15 +56,6 @@ public class ParserParams {
         return this;
     }
 
-    public String implicitJoinKey() {
-        return implicitJoinKey;
-    }
-
-    public ParserParams implicitJoinKey(String implicitJoinKey) {
-        this.implicitJoinKey = implicitJoinKey;
-        return this;
-    }
-
     public int size() {
         return size;
     }

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java

@@ -115,7 +115,6 @@ public class TransportEqlSearchAction extends HandledTransportAction<EqlSearchRe
             .fieldEventCategory(request.eventCategoryField())
             .fieldTimestamp(request.timestampField())
             .fieldTiebreaker(request.tiebreakerField())
-            .implicitJoinKey(request.implicitJoinKeyField())
             .size(request.size())
             .fetchSize(request.fetchSize());
 

x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlRequestParserTests.java

@@ -37,11 +37,6 @@ public class EqlRequestParserTests extends ESTestCase {
             EqlSearchRequest::fromXContent);
         assertParsingErrorMessage("{\"event_category_field\" : 123}", "event_category_field doesn't support values of type: VALUE_NUMBER",
             EqlSearchRequest::fromXContent);
-        assertParsingErrorMessage("{\"implicit_join_key_field\" : 123}",
-            "implicit_join_key_field doesn't support values of type: VALUE_NUMBER",
-            EqlSearchRequest::fromXContent);
-        assertParsingErrorMessage("{\"search_after\" : 123}", "search_after doesn't support values of type: VALUE_NUMBER",
-            EqlSearchRequest::fromXContent);
         assertParsingErrorMessage("{\"size\" : \"foo\"}", "failed to parse field [size]", EqlSearchRequest::fromXContent);
         assertParsingErrorMessage("{\"query\" : 123}", "query doesn't support values of type: VALUE_NUMBER",
             EqlSearchRequest::fromXContent);
@@ -55,8 +50,6 @@ public class EqlRequestParserTests extends ESTestCase {
         EqlSearchRequest request = generateRequest("endgame-*", "{\"filter\" : {\"match\" : {\"foo\":\"bar\"}}, "
             + "\"timestamp_field\" : \"tsf\", "
             + "\"event_category_field\" : \"etf\","
-            + "\"implicit_join_key_field\" : \"imjf\","
-            + "\"search_after\" : [ 12345678, \"device-20184\", \"/user/local/foo.exe\", \"2019-11-26T00:45:43.542\" ],"
             + "\"size\" : \"101\","
             + "\"query\" : \"file where user != 'SYSTEM' by file_path\""
             + (setIsCaseSensitive ? (",\"case_sensitive\" : " + isCaseSensitive) : "")
@@ -69,8 +62,6 @@ public class EqlRequestParserTests extends ESTestCase {
         assertEquals("bar", filter.value());
         assertEquals("tsf", request.timestampField());
         assertEquals("etf", request.eventCategoryField());
-        assertEquals("imjf", request.implicitJoinKeyField());
-        assertArrayEquals(new Object[]{12345678, "device-20184", "/user/local/foo.exe", "2019-11-26T00:45:43.542"}, request.searchAfter());
         assertEquals(101, request.size());
         assertEquals(1000, request.fetchSize());
         assertEquals("file where user != 'SYSTEM' by file_path", request.query());

x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestTests.java

@@ -5,19 +5,15 @@
  */
 package org.elasticsearch.xpack.eql.action;
 
-import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.io.stream.Writeable;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.text.Text;
 import org.elasticsearch.common.xcontent.NamedXContentRegistry;
-import org.elasticsearch.common.xcontent.XContentBuilder;
-import org.elasticsearch.common.xcontent.XContentFactory;
 import org.elasticsearch.common.xcontent.XContentParser;
 import org.elasticsearch.common.xcontent.json.JsonXContent;
 import org.elasticsearch.index.query.QueryBuilder;
 import org.elasticsearch.search.SearchModule;
-import org.elasticsearch.search.searchafter.SearchAfterBuilder;
 import org.elasticsearch.test.AbstractSerializingTestCase;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.Before;
@@ -65,13 +61,9 @@ public class EqlSearchRequestTests extends AbstractSerializingTestCase<EqlSearch
                 .filter(filter)
                 .timestampField(randomAlphaOfLength(10))
                 .eventCategoryField(randomAlphaOfLength(10))
-                .implicitJoinKeyField(randomAlphaOfLength(10))
                 .fetchSize(randomIntBetween(1, 50))
                 .query(randomAlphaOfLength(10));
 
-            if (randomBoolean()) {
-                request.searchAfter(randomJsonSearchFromBuilder());
-            }
             return request;
         } catch (IOException ex) {
             assertNotNull("unexpected IOException " + ex.getCause().getMessage(), ex);
@@ -105,24 +97,6 @@ public class EqlSearchRequestTests extends AbstractSerializingTestCase<EqlSearch
         return value.get();
     }
 
-    private Object[] randomJsonSearchFromBuilder() throws IOException {
-        int numSearchAfter = randomIntBetween(1, 10);
-        XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
-        jsonBuilder.startObject();
-        jsonBuilder.startArray("search_after");
-        for (int i = 0; i < numSearchAfter; i++) {
-            jsonBuilder.value(randomValue());
-        }
-        jsonBuilder.endArray();
-        jsonBuilder.endObject();
-        try (XContentParser parser = createParser(JsonXContent.jsonXContent, BytesReference.bytes(jsonBuilder))) {
-            parser.nextToken();
-            parser.nextToken();
-            parser.nextToken();
-            return SearchAfterBuilder.fromXContent(parser).getSortValues();
-        }
-    }
-
     @Override
     protected Writeable.Reader<EqlSearchRequest> instanceReader() {
         return EqlSearchRequest::new;