
EQL: Remove support for `=` for comparisons (#62756)

Since `=` is rarely used and is undocumented, we remove its support for
equality comparisons keeping `==` as the only option. `=` is now only
used for assignments like in `maxspan=10m`.

Closes: #62650
Marios Trivyzas 5 years ago
parent
commit
ad5ae4d887
24 changed files with 599 additions and 587 deletions
  1. 1 1
      client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java
  2. 1 1
      docs/reference/eql/eql-search-api.asciidoc
  3. 4 4
      x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/RestEqlUsageTestCase.java
  4. 5 5
      x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml
  5. 100 100
      x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml
  6. 41 41
      x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml
  7. 5 5
      x-pack/plugin/eql/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/eql/10_basic.yml
  8. 1 1
      x-pack/plugin/eql/qa/security/src/javaRestTest/java/org/elasticsearch/xpack/eql/AsyncEqlSecurityIT.java
  9. 4 4
      x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/AsyncEqlSearchActionIT.java
  10. 1 1
      x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/EqlCancellationIT.java
  11. 1 1
      x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/RestEqlCancellationIT.java
  12. 3 2
      x-pack/plugin/eql/src/main/antlr/EqlBase.g4
  13. 46 43
      x-pack/plugin/eql/src/main/antlr/EqlBase.tokens
  14. 46 43
      x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens
  15. 144 143
      x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java
  16. 68 68
      x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java
  17. 7 7
      x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java
  18. 8 5
      x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/ExpressionTests.java
  19. 1 0
      x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/GrammarTests.java
  20. 5 5
      x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/stats/VerifierMetricsTests.java
  21. 75 75
      x-pack/plugin/eql/src/test/resources/queries-supported.eql
  22. 29 29
      x-pack/plugin/eql/src/test/resources/queries-unsupported.eql
  23. 1 1
      x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt
  24. 2 2
      x-pack/plugin/src/test/resources/rest-api-spec/test/data_stream/10_data_stream_resolvability.yml

+ 1 - 1
client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java

@@ -141,7 +141,7 @@ public class EqlIT extends ESRestHighLevelClientTestCase {
         EqlClient eql = highLevelClient().eql();
 
         EqlSearchRequest request = new EqlSearchRequest("index",
-                "process where event_type_full = \"process_event\" and serial_event_id in (1,3,5)");
+                "process where event_type_full == \"process_event\" and serial_event_id in (1,3,5)");
 
         EqlSearchResponse response = execute(request, eql::search, eql::searchAsync);
         assertResponse(response, 3);

+ 1 - 1
docs/reference/eql/eql-search-api.asciidoc

@@ -19,7 +19,7 @@ event.
 GET /my-index-000001/_eql/search
 {
   "query": """
-    process where process.name = "regsvr32.exe"
+    process where process.name == "regsvr32.exe"
   """
 }
 ----

+ 4 - 4
x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/RestEqlUsageTestCase.java

@@ -146,7 +146,7 @@ public abstract class RestEqlUsageTestCase extends ESRestTestCase {
         int randomSequenceExecutions = randomIntBetween(1, 15);
         allTotalQueries += randomSequenceExecutions;
         for (int i = 0; i < randomSequenceExecutions; i++) {
-            runEql("sequence [process where serial_event_id = 1] [process where serial_event_id = 2]");
+            runEql("sequence [process where serial_event_id == 1] [process where serial_event_id == 2]");
         }
         responseAsMap = getStats();
         metricsToCheck = Set.of("sequence", "sequence_queries_two", "pipe_head");
@@ -179,7 +179,7 @@ public abstract class RestEqlUsageTestCase extends ESRestTestCase {
                 "  [process where opcode == 1] by user" + 
                 "  [process where opcode == 2] by user" + 
                 "  [file where parent_process_name == \\\"file_delete_event\\\"] by exit_code" +
-                " until [process where opcode=1] by ppid" + 
+                " until [process where opcode==1] by ppid" +
                 " | head 4" + 
                 " | tail 2");
         }
@@ -271,8 +271,8 @@ public abstract class RestEqlUsageTestCase extends ESRestTestCase {
                 runEql(
                     randomFrom(
                         "process where missing_field < 4 | tail 2",
-                        "sequence abc [process where serial_event_id = 1]",
-                        "sequence with maxspan=1x [process where serial_event_id = 1]",
+                        "sequence abc [process where serial_event_id == 1]",
+                        "sequence with maxspan=1x [process where serial_event_id == 1]",
                         "sequence by exit_code, user [process where serial_event_id < 4] by ppid",
                         "sequence by"
                     )
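Review bot: The `randomFrom(...)` list of failing queries in this hunk has no entry that uses a single `=` as a comparison, so this usage test never exercises the rejection the commit introduces. The other entries look deliberately invalid (`missing_field`, `sequence abc`, `maxspan=1x`, a bare `sequence by`), so if every entry is expected to fail, adding `"process where serial_event_id = 1",` would pin that the old operator is now an error rather than silently accepted. That matters for stored queries such as detection rules written with `=`, which should fail loudly after the upgrade; a short comment like `// '=' is assignment-only (maxspan=10m); comparisons must use '=='` beside the new entry would record the intent. The enclosing method starts and ends outside the hunk, and parser tests elsewhere in the commit may already cover the rejection.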

+ 5 - 5
x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml

@@ -69,7 +69,7 @@ expected_event_ids  = [5]
 
 [[queries]]
 name = "concatEquals2"
-query = 'process where concat(serial_event_id) = "1"'
+query = 'process where concat(serial_event_id) == "1"'
 expected_event_ids  = [1]
 
 [[queries]]
@@ -98,7 +98,7 @@ expected_event_ids  = [1, 2, 3, 4]
 
 [[queries]]
 name = "numberStringConversion1"
-query = 'process where string(serial_event_id) = "1"'
+query = 'process where string(serial_event_id) == "1"'
 expected_event_ids  = [1]
 
 
@@ -223,8 +223,8 @@ query = "process where serial_event_id + ((1 + 3) * 2 / (3 - 1)) * 2 == 54 or 70
 name = "twoSequencesAdditional1"
 query = '''
 sequence
-  [process where serial_event_id = 1]
-  [process where serial_event_id = 2]
+  [process where serial_event_id == 1]
+  [process where serial_event_id == 2]
 '''
 expected_event_ids  = [1, 2]
 
@@ -232,7 +232,7 @@ expected_event_ids  = [1, 2]
 name = "twoSequencesAdditional2"
 query = '''
 sequence
-  [process where serial_event_id=1] by unique_pid
+  [process where serial_event_id==1] by unique_pid
   [process where true] by unique_ppid'''
 expected_event_ids  = [1, 2]
 

+ 100 - 100
x-pack/plugin/eql/qa/common/src/main/resources/test_queries.toml

@@ -1,6 +1,6 @@
 [[queries]]
 name = "simpleQueryEqual"
-query = 'process where serial_event_id = 1'
+query = 'process where serial_event_id == 1'
 expected_event_ids  = [1]
 
 [[queries]]
@@ -161,7 +161,7 @@ expected_event_ids = []
 
 [[queries]]
 name = "processWithMultipleConditions1"
-query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)'
+query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode==3 and opcode>2)'
 expected_event_ids  = [8]
 
 [[queries]]
@@ -371,27 +371,27 @@ expected_event_ids  = [84, 85]
 [[queries]]
 name = "descendant1"
 query = '''
-file where file_name == "csrss.exe" and opcode=0
-  and descendant of [process where opcode in (1,3) and process_name="cmd.exe"]
+file where file_name == "csrss.exe" and opcode==0
+  and descendant of [process where opcode in (1,3) and process_name=="cmd.exe"]
 '''
 expected_event_ids  = [72]
 
 [[queries]]
 name = "descendant2"
 query = '''
-process where opcode=1 and process_name == "csrss.exe"
-  and descendant of [file where file_name == "csrss.exe" and opcode=0]
+process where opcode==1 and process_name == "csrss.exe"
+  and descendant of [file where file_name == "csrss.exe" and opcode==0]
 '''
 expected_event_ids  = [73]
 
 [[queries]]
 name = "descendant3"
 query = '''
-process where opcode=1 and process_name == "smss.exe"
+process where opcode==1 and process_name == "smss.exe"
   and descendant of [
-    file where file_name == "csrss.exe" and opcode=0
+    file where file_name == "csrss.exe" and opcode==0
       and descendant of [
-        process where opcode in(1,3) and process_name="cmd.exe"
+        process where opcode in(1,3) and process_name=="cmd.exe"
       ]
   ]
 '''
@@ -400,24 +400,24 @@ expected_event_ids  = [78]
 [[queries]]
 name = "wildcardAndMultipleConditions1"
 query = '''
-file where file_path="*\\red_ttp\\winin*.*"
-  and opcode in (0,1,2) and user_name="vagrant"
+file where file_path=="*\\red_ttp\\winin*.*"
+  and opcode in (0,1,2) and user_name=="vagrant"
 '''
 expected_event_ids  = [83, 86]
 
 [[queries]]
 name = "wildcardAndMultipleConditions2"
 query = '''
-file where file_path="*\\red_ttp\\winin*.*"
-  and opcode not in (0,1,2) and user_name="vagrant"
+file where file_path=="*\\red_ttp\\winin*.*"
+  and opcode not in (0,1,2) and user_name=="vagrant"
 '''
 expected_event_ids  = []
 
 [[queries]]
 name = "wildcardAndMultipleConditions3"
 query = '''
-file where file_path="*\\red_ttp\\winin*.*"
-  and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant"
+file where file_path=="*\\red_ttp\\winin*.*"
+  and opcode not in (3, 4, 5, 6 ,7) and user_name=="vagrant"
 '''
 expected_event_ids  = [83, 86]
 
@@ -513,8 +513,8 @@ process where true
 name = "sequenceOneOneMatch"
 query = '''
 sequence
-  [process where serial_event_id = 1]
-  [process where serial_event_id = 2]
+  [process where serial_event_id == 1]
+  [process where serial_event_id == 2]
 '''
 expected_event_ids  = [1, 2]
 
@@ -523,7 +523,7 @@ name = "sequenceManyOneMatch"
 query = '''
 sequence
   [process where serial_event_id < 5]
-  [process where serial_event_id = 5]
+  [process where serial_event_id == 5]
 '''
 expected_event_ids  = [4, 5]
 
@@ -720,7 +720,7 @@ expected_event_ids  = [54, 55, 61, 67]
 name = "sequenceOneManyWithJoin"
 query = '''
 sequence
-  [process where serial_event_id=1] by unique_pid
+  [process where serial_event_id==1] by unique_pid
   [process where true] by unique_ppid
 '''
 expected_event_ids  = [1, 2]
@@ -762,7 +762,7 @@ expected_event_ids  = [1, 2,
 name = "sequencesOnDifferentEventTypes1"
 query = '''
 sequence by unique_pid
-  [process where opcode=1 and process_name == "MSBuild.exe"]
+  [process where opcode==1 and process_name == "MSBuild.exe"]
   [network where true]
 '''
 expected_event_ids  = [75273, 75304]
@@ -867,7 +867,7 @@ expected_event_ids  = [1, 2,
 name = "sequencesOnDifferentEventTypesWithBy"
 query = '''
 sequence
-  [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+  [file where opcode==0 and file_name=="svchost.exe"] by unique_pid
   [process where opcode == 1] by unique_ppid
 '''
 expected_event_ids  = [55, 56]
@@ -876,8 +876,8 @@ expected_event_ids  = [55, 56]
 name = "doubleSameSequenceWithBy"
 query = '''
 sequence
-  [file where opcode=0] by unique_pid
-  [file where opcode=0] by unique_pid
+  [file where opcode==0] by unique_pid
+  [file where opcode==0] by unique_pid
 | head 1
 '''
 expected_event_ids  = [55, 61]
@@ -886,8 +886,8 @@ expected_event_ids  = [55, 61]
 name = "doubleSameSequenceWithByAndFilter"
 query = '''
 sequence
-  [file where opcode=0] by unique_pid
-  [file where opcode=0] by unique_pid
+  [file where opcode==0] by unique_pid
+  [file where opcode==0] by unique_pid
 | filter events[1].serial_event_id == 92
 '''
 expected_event_ids  = [87, 92]
@@ -896,9 +896,9 @@ expected_event_ids  = [87, 92]
 name = "doubleSameSequenceWithByUntilAndHead1"
 query = '''
 sequence
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-until [process where opcode=5000] by unique_ppid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+until [process where opcode==5000] by unique_ppid
 | head 1
 '''
 expected_event_ids  = [55, 61]
@@ -907,9 +907,9 @@ expected_event_ids  = [55, 61]
 name = "doubleSameSequenceWithByUntilAndHead2"
 query = '''
 sequence
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-until [process where opcode=1] by unique_ppid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+until [process where opcode==1] by unique_ppid
 | head 1
 '''
 expected_event_ids = []
@@ -918,9 +918,9 @@ expected_event_ids = []
 name = "doubleJoinWithByUntilAndHead"
 query = '''
 join
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-  [file where opcode=2 and file_name="*.exe"] by unique_pid
-until [process where opcode=1] by unique_ppid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+  [file where opcode==2 and file_name=="*.exe"] by unique_pid
+until [process where opcode==1] by unique_ppid
 | head 1
 '''
 expected_event_ids  = [61, 59]
@@ -929,7 +929,7 @@ expected_event_ids  = [61, 59]
 name = "twoJoins1"
 query = '''
 join by user_name
-  [process where opcode in (1,3) and process_name="smss.exe"]
+  [process where opcode in (1,3) and process_name=="smss.exe"]
   [process where opcode in (1,3) and process_name == "python.exe"]
 '''
 expected_event_ids  = [78, 48]
@@ -938,8 +938,8 @@ expected_event_ids  = [78, 48]
 name = "threeJoins1"
 query = '''
 join by unique_pid
-  [process where opcode=1]
-  [file where opcode=0 and file_name="svchost.exe"]
+  [process where opcode==1]
+  [file where opcode==0 and file_name=="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
 '''
 expected_event_ids  = [54, 55, 61]
@@ -948,8 +948,8 @@ expected_event_ids  = [54, 55, 61]
 name = "threeJoins2"
 query = '''
 join by string(unique_pid)
-  [process where opcode=1]
-  [file where opcode=0 and file_name="svchost.exe"]
+  [process where opcode==1]
+  [file where opcode==0 and file_name=="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
 '''
 expected_event_ids  = [54, 55, 61]
@@ -958,8 +958,8 @@ expected_event_ids  = [54, 55, 61]
 name = "threeJoinsWithUntil1"
 query = '''
 join by unique_pid
-  [process where opcode=1]
-  [file where opcode=0 and file_name="svchost.exe"]
+  [process where opcode==1]
+  [file where opcode==0 and file_name=="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
 until [file where opcode == 2]
 '''
@@ -969,8 +969,8 @@ expected_event_ids = []
 name = "threeJoinsWithUntil2"
 query = '''
 join by string(unique_pid), unique_pid, unique_pid * 2
-  [process where opcode=1]
-  [file where opcode=0 and file_name="svchost.exe"]
+  [process where opcode==1]
+  [file where opcode==0 and file_name=="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
 until [file where opcode == 2]
 '''
@@ -980,7 +980,7 @@ expected_event_ids = []
 name = "twoJoins2"
 query = '''
 join
-  [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+  [file where opcode==0 and file_name=="svchost.exe"] by unique_pid
   [process where opcode == 1] by unique_ppid
 '''
 expected_event_ids  = [55, 56]
@@ -989,7 +989,7 @@ expected_event_ids  = [55, 56]
 name = "twoJoins3"
 query = '''
 join by unique_pid
-  [process where opcode in (1,3) and process_name="python.exe"]
+  [process where opcode in (1,3) and process_name=="python.exe"]
   [file where file_name == "*.exe"]
 '''
 expected_event_ids  = [54, 55]
@@ -998,7 +998,7 @@ expected_event_ids  = [54, 55]
 name = "twoJoins4"
 query = '''
 join by user_name
-  [process where opcode in (1,3) and process_name="python.exe"]
+  [process where opcode in (1,3) and process_name=="python.exe"]
   [process where opcode in (1,3) and process_name == "smss.exe"]
 '''
 expected_event_ids  = [48, 78]
@@ -1007,7 +1007,7 @@ expected_event_ids  = [48, 78]
 name = "twoJoins5"
 query = '''
 join
-  [process where opcode in (1,3) and process_name="python.exe"]
+  [process where opcode in (1,3) and process_name=="python.exe"]
   [process where opcode in (1,3) and process_name == "smss.exe"]
 '''
 expected_event_ids  = [48, 3, 50, 78]
@@ -1076,7 +1076,7 @@ any where true
 [[queries]]
 name = "multipleConditionsWithDescendant1"
 query = '''
-process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+process where opcode==1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
   and descendant of [process where process_name == "cmd.exe" ]
 '''
 expected_event_ids  = [62, 68, 78]
@@ -1092,7 +1092,7 @@ expected_event_ids  = [62, 64, 68, 69, 78, 80]
 [[queries]]
 name = "multipleConditionsWithDescendant2"
 query = '''
-process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+process where opcode==2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
   and descendant of [process where process_name == "cmd.exe" ]
 '''
 expected_event_ids  = [64, 69, 80]
@@ -1100,16 +1100,16 @@ expected_event_ids  = [64, 69, 80]
 [[queries]]
 name = "childOf1"
 query = '''
-process where process_name="svchost.exe"
-  and child of [file where file_name="svchost.exe" and opcode=0]
+process where process_name=="svchost.exe"
+  and child of [file where file_name=="svchost.exe" and opcode==0]
 '''
 expected_event_ids  = [56, 58]
 
 [[queries]]
 name = "childOf2"
 query = '''
-process where process_name="svchost.exe"
-  and not child of [file where file_name="svchost.exe" and opcode=0]
+process where process_name=="svchost.exe"
+  and not child of [file where file_name=="svchost.exe" and opcode==0]
 | head 3
 '''
 expected_event_ids  = [11, 13, 15]
@@ -1117,10 +1117,10 @@ expected_event_ids  = [11, 13, 15]
 [[queries]]
 name = "nestedChildOf1"
 query = '''
-process where process_name="lsass.exe"
+process where process_name=="lsass.exe"
   and child of [
-    process where process_name="python.exe"
-    and child of [process where process_name="cmd.exe"]
+    process where process_name=="python.exe"
+    and child of [process where process_name=="cmd.exe"]
   ]
 '''
 expected_event_ids  = [62, 64]
@@ -1130,7 +1130,7 @@ name = "nestedChildOf2"
 query = '''
 file where child of [
   process where child of [
-      process where child of [process where process_name="*wsmprovhost.exe"]
+      process where child of [process where process_name=="*wsmprovhost.exe"]
   ]
 ]
 | tail 1
@@ -1140,7 +1140,7 @@ expected_event_ids  = [91]
 [[queries]]
 name = "fileByUniquePid1"
 query = '''
-file where process_name = "python.exe"
+file where process_name == "python.exe"
 | unique unique_pid
 '''
 expected_event_ids  = [55, 95]
@@ -1148,7 +1148,7 @@ expected_event_ids  = [55, 95]
 [[queries]]
 name = "fileByUniquePid2"
 query = '''
-file where event of [process where process_name = "python.exe" ]
+file where event of [process where process_name == "python.exe" ]
 | unique unique_pid
 '''
 expected_event_ids  = [55, 95]
@@ -1156,20 +1156,20 @@ expected_event_ids  = [55, 95]
 [[queries]]
 name = "simpleStringEquality"
 query = '''
-process where process_name = "python.exe"
+process where process_name == "python.exe"
 '''
 expected_event_ids  = [48, 50, 51, 54, 93]
 
 [[queries]]
 name = "eventOfProcess"
-query = 'process where event of [process where process_name = "python.exe" ]'
+query = 'process where event of [process where process_name == "python.exe" ]'
 expected_event_ids  = [48, 50, 51, 54, 93]
 
 [[queries]]
 name = "twoSequencesWithKeys2"
 query = '''
 sequence
-  [file where file_name="lsass.exe"] by file_path,process_path
+  [file where file_name=="lsass.exe"] by file_path,process_path
   [process where true] by process_path,parent_process_path
 '''
 expected_event_ids  = [61, 62]
@@ -1178,7 +1178,7 @@ expected_event_ids  = [61, 62]
 name = "twoSequencesWithKeys3"
 query = '''
 sequence by user_name
-  [file where file_name="lsass.exe"] by file_path, process_path
+  [file where file_name=="lsass.exe"] by file_path, process_path
   [process where true] by process_path, parent_process_path
 '''
 expected_event_ids  = [61, 62]
@@ -1187,7 +1187,7 @@ expected_event_ids  = [61, 62]
 name = "twoSequencesWithKeys4"
 query = '''
 sequence by pid
-  [file where file_name="lsass.exe"] by file_path,process_path
+  [file where file_name=="lsass.exe"] by file_path,process_path
   [process where true] by process_path,parent_process_path
 '''
 expected_event_ids = []
@@ -1196,10 +1196,10 @@ expected_event_ids = []
 name = "fourSequencesByMixedFields"
 query = '''
 sequence by user_name
-  [file where opcode=0] by file_path
-  [process where opcode=1] by process_path
-  [process where opcode=2] by process_path
-  [file where opcode=2] by file_path
+  [file where opcode==0] by file_path
+  [process where opcode==1] by process_path
+  [process where opcode==2] by process_path
+  [file where opcode==2] by file_path
 | tail 1
 '''
 expected_event_ids  = [88, 89, 90, 91]
@@ -1208,8 +1208,8 @@ expected_event_ids  = [88, 89, 90, 91]
 name = "twoSequencesWithTwoKeysAndUntil"
 query = '''
 sequence by user_name
-  [file where opcode=0] by pid,file_path
-  [file where opcode=2] by pid,file_path
+  [file where opcode==0] by pid,file_path
+  [file where opcode==2] by pid,file_path
 until
   [process where opcode == 2] by ppid,process_path
 '''
@@ -1219,8 +1219,8 @@ expected_event_ids = []
 name = "twoSequencesWithUntil"
 query = '''
 sequence by user_name
-  [file where opcode=0] by pid,file_path
-  [file where opcode=2] by pid,file_path
+  [file where opcode==0] by pid,file_path
+  [file where opcode==2] by pid,file_path
 until
   [process where opcode == 5] by ppid,process_path
 | head 2
@@ -1231,10 +1231,10 @@ expected_event_ids  = [55, 59, 61, 65]
 name = "fourSequencesWithTail"
 query = '''
 sequence by pid
-  [file where opcode=0] by file_path
-  [process where opcode=1] by process_path
-  [process where opcode=2] by process_path
-  [file where opcode=2] by file_path
+  [file where opcode==0] by file_path
+  [process where opcode==1] by process_path
+  [process where opcode==2] by process_path
+  [file where opcode==2] by file_path
 | tail 1
 '''
 expected_event_ids = []
@@ -1436,7 +1436,7 @@ name = "stringEqualsCaseInsensitive1"
 case_insensitive = true
 query = '''
 process where "net.EXE" == original_file_name
-| filter process_name="net*.exe"
+| filter process_name=="net*.exe"
 '''
 expected_event_ids  = [97]
 note = "check that case insensitive comparisons are performed even for lhs strings."
@@ -1445,7 +1445,7 @@ note = "check that case insensitive comparisons are performed even for lhs strin
 name = "stringEqualsCaseInsensitive2"
 case_insensitive = true
 query = '''
-process where process_name == original_file_name and process_name="net*.exe"
+process where process_name == original_file_name and process_name=="net*.exe"
 '''
 expected_event_ids  = [97, 98]
 note = "check that case insensitive comparisons are performed for fields."
@@ -1463,7 +1463,7 @@ description = "check that case insensitive comparisons are performed for fields.
 name = "startsWithCaseSensitive"
 case_sensitive = true
 query = '''
-file where opcode=0 and startsWith(file_name, "explorer.")
+file where opcode==0 and startsWith(file_name, "explorer.")
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1473,7 +1473,7 @@ description = "check built-in string functions"
 name = "startsWithCaseInsensitive1"
 case_insensitive = true
 query = '''
-file where opcode=0 and startsWith(file_name, "explorer.")
+file where opcode==0 and startsWith(file_name, "explorer.")
 '''
 expected_event_ids  = [88, 92]
 description = "check built-in string functions"
@@ -1483,7 +1483,7 @@ description = "check built-in string functions"
 name = "startsWithCaseInsensitive2"
 case_insensitive = true
 query = '''
-file where opcode=0 and startsWith(file_name, "exploRER.")
+file where opcode==0 and startsWith(file_name, "exploRER.")
 '''
 expected_event_ids  = [88, 92]
 description = "check built-in string functions"
@@ -1492,7 +1492,7 @@ description = "check built-in string functions"
 name = "startsWithCaseInsensitive3"
 case_insensitive = true
 query = '''
-file where opcode=0 and startsWith(file_name, "expLORER.exe")
+file where opcode==0 and startsWith(file_name, "expLORER.exe")
 '''
 expected_event_ids  = [88, 92]
 description = "check built-in string functions"
@@ -1500,7 +1500,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "endsWith1"
 query = '''
-file where opcode=0 and endsWith(file_name, "lorer.exe")
+file where opcode==0 and endsWith(file_name, "lorer.exe")
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1510,7 +1510,7 @@ description = "check built-in string functions"
 name = "endsWithCaseInsensitive"
 case_insensitive = true
 query = '''
-file where opcode=0 and endsWith(file_name, "loREr.exe")
+file where opcode==0 and endsWith(file_name, "loREr.exe")
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1518,7 +1518,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "endsWith2"
 query = '''
-file where opcode=0 and startsWith("explorer.exeaaaaaaaa", file_name)
+file where opcode==0 and startsWith("explorer.exeaaaaaaaa", file_name)
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1527,7 +1527,7 @@ description = "check built-in string functions"
 name = "endsWithAndCondition"
 case_insensitive = true
 query = '''
-file where opcode=0 and serial_event_id = 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe")
+file where opcode==0 and serial_event_id == 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe")
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1535,7 +1535,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "stringContains2"
 query = '''
-file where opcode=0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name)
+file where opcode==0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name)
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1544,7 +1544,7 @@ description = "check built-in string functions"
 name = "indexOfCaseInsensitive"
 case_insensitive = true
 query = '''
-file where opcode=0 and indexOf(file_name, "plore") == 2 and indexOf(file_name, ".pf") == null
+file where opcode==0 and indexOf(file_name, "plore") == 2 and indexOf(file_name, ".pf") == null
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1552,7 +1552,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "indexOf1"
 query = '''
-file where opcode=0 and indexOf(file_name, "explorer.") > 0 and indexOf(file_name, "plore", 100) > 0
+file where opcode==0 and indexOf(file_name, "explorer.") > 0 and indexOf(file_name, "plore", 100) > 0
 '''
 expected_event_ids = []
 description = "check built-in string functions"
@@ -1561,7 +1561,7 @@ description = "check built-in string functions"
 name = "indexOf2"
 case_sensitive = true
 query = '''
-file where opcode=0 and indexOf(file_name, "plorer.", 0) == 2
+file where opcode==0 and indexOf(file_name, "plorer.", 0) == 2
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1570,7 +1570,7 @@ description = "check built-in string functions"
 name = "indexOf3"
 case_insensitive = true
 query = '''
-file where opcode=0 and indexOf(file_name, "plorer.", 0) == 2
+file where opcode==0 and indexOf(file_name, "plorer.", 0) == 2
 '''
 expected_event_ids  = [88, 92]
 description = "check built-in string functions"
@@ -1579,7 +1579,7 @@ description = "check built-in string functions"
 name = "indexOf4"
 case_sensitive = true
 query = '''
-file where opcode=0 and indexOf(file_name, "plorer.", 2) != null
+file where opcode==0 and indexOf(file_name, "plorer.", 2) != null
 '''
 expected_event_ids  = [88]
 description = "check built-in string functions"
@@ -1588,7 +1588,7 @@ description = "check built-in string functions"
 name = "indexOf5"
 case_insensitive = true
 query = '''
-file where opcode=0 and indexOf(file_name, "plorer.", 2) != null
+file where opcode==0 and indexOf(file_name, "plorer.", 2) != null
 '''
 expected_event_ids  = [88, 92]
 description = "check built-in string functions"
@@ -1596,7 +1596,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "indexOf6"
 query = '''
-file where opcode=0 and indexOf(file_name, "plorer.", 4) != null
+file where opcode==0 and indexOf(file_name, "plorer.", 4) != null
 '''
 expected_event_ids = []
 description = "check built-in string functions"
@@ -1604,7 +1604,7 @@ description = "check built-in string functions"
 [[queries]]
 name = "indexOf7"
 query = '''
-file where opcode=0 and indexOf(file_name, "thing that never happened") != null
+file where opcode==0 and indexOf(file_name, "thing that never happened") != null
 '''
 expected_event_ids = []
 description = "check built-in string functions"
@@ -1613,7 +1613,7 @@ description = "check built-in string functions"
 name = "indexOf8"
 case_insensitive = true
 query = '''
-file where opcode=0 and indexOf(file_name, "plorer.", 2) == 2
+file where opcode==0 and indexOf(file_name, "plorer.", 2) == 2
 '''
 expected_event_ids  = [88, 92]
 description = "check substring ranges"
@@ -1622,7 +1622,7 @@ description = "check substring ranges"
 name = "indexOf9"
 case_sensitive = true
 query = '''
-file where opcode=0 and indexOf(file_name, "plorer.", 2) == 2
+file where opcode==0 and indexOf(file_name, "plorer.", 2) == 2
 '''
 expected_event_ids  = [88]
 description = "check substring ranges"
@@ -1631,7 +1631,7 @@ description = "check substring ranges"
 name = "indexOf10"
 case_sensitive = true
 query = '''
-file where opcode=0 and indexOf(file_name, "explorer.", 0) == 0
+file where opcode==0 and indexOf(file_name, "explorer.", 0) == 0
 '''
 expected_event_ids  = [88]
 description = "check substring ranges"
@@ -1640,7 +1640,7 @@ description = "check substring ranges"
 name = "indexOf11"
 case_insensitive = true
 query = '''
-file where opcode=0 and indexOf(file_name, "explorer.", 0) == 0
+file where opcode==0 and indexOf(file_name, "explorer.", 0) == 0
 '''
 expected_event_ids  = [88, 92]
 description = "check substring ranges"
@@ -1649,7 +1649,7 @@ description = "check substring ranges"
 name = "substring1"
 case_insensitive = true
 query = '''
-file where serial_event_id=88 and substring(file_name, 0, 4) == "expl"
+file where serial_event_id==88 and substring(file_name, 0, 4) == "expl"
 '''
 expected_event_ids  = [88]
 description = "check substring ranges"

+ 41 - 41
x-pack/plugin/eql/qa/common/src/main/resources/test_queries_unsupported.toml

@@ -238,27 +238,27 @@ registry where length(bytes_written_string_list) == 2 and bytes_written_string_l
 [[queries]]
 name = "descendant1"
 query = '''
-file where file_name == "csrss.exe" and opcode=0
-  and descendant of [process where opcode in (1,3) and process_name="cmd.exe"]
+file where file_name == "csrss.exe" and opcode==0
+  and descendant of [process where opcode in (1,3) and process_name=="cmd.exe"]
 '''
 expected_event_ids  = [72]
 
 [[queries]]
 name = "descendant2"
 query = '''
-process where opcode=1 and process_name == "csrss.exe"
-  and descendant of [file where file_name == "csrss.exe" and opcode=0]
+process where opcode==1 and process_name == "csrss.exe"
+  and descendant of [file where file_name == "csrss.exe" and opcode==0]
 '''
 expected_event_ids  = [73]
 
 [[queries]]
 name = "descendant3"
 query = '''
-process where opcode=1 and process_name == "smss.exe"
+process where opcode==1 and process_name == "smss.exe"
   and descendant of [
-    file where file_name == "csrss.exe" and opcode=0
+    file where file_name == "csrss.exe" and opcode==0
       and descendant of [
-        process where opcode in(1,3) and process_name="cmd.exe"
+        process where opcode in(1,3) and process_name=="cmd.exe"
       ]
   ]
 '''
@@ -349,8 +349,8 @@ process where true
 name = "fourSequencesByPidWithUntil1"
 query = '''
 sequence
-  [file where opcode=0] by unique_pid
-  [file where opcode=0] by unique_pid
+  [file where opcode==0] by unique_pid
+  [file where opcode==0] by unique_pid
 | filter events[1].serial_event_id == 92
 '''
 expected_event_ids  = [87, 92]
@@ -359,9 +359,9 @@ expected_event_ids  = [87, 92]
 name = "doubleSameSequenceWithByUntilAndHead2"
 query = '''
 join
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-  [file where opcode=2 and file_name="*.exe"] by unique_pid
-until [process where opcode=1] by unique_ppid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+  [file where opcode==2 and file_name=="*.exe"] by unique_pid
+until [process where opcode==1] by unique_ppid
 | head 1
 '''
 expected_event_ids  = [61, 59]
@@ -370,7 +370,7 @@ expected_event_ids  = [61, 59]
 name = "twoJoins1"
 query = '''
 join by user_name
-  [process where opcode in (1,3) and process_name="smss.exe"]
+  [process where opcode in (1,3) and process_name=="smss.exe"]
   [process where opcode in (1,3) and process_name == "python.exe"]
 '''
 expected_event_ids  = [78, 48]
@@ -379,8 +379,8 @@ expected_event_ids  = [78, 48]
 name = "threeJoins1"
 query = '''
 join by unique_pid
-  [process where opcode=1]
-  [file where opcode=0 and file_name="svchost.exe"]
+  [process where opcode==1]
+  [file where opcode==0 and file_name=="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
 '''
 expected_event_ids  = [54, 55, 61]
@@ -389,8 +389,8 @@ expected_event_ids  = [54, 55, 61]
 name = "threeJoins2"
 query = '''
 join by string(unique_pid)
-  [process where opcode=1]
-  [file where opcode=0 and file_name="svchost.exe"]
+  [process where opcode==1]
+  [file where opcode==0 and file_name=="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
 '''
 expected_event_ids  = [54, 55, 61]
@@ -399,8 +399,8 @@ expected_event_ids  = [54, 55, 61]
 name = "threeJoinsWithUntil1"
 query = '''
 join by unique_pid
-  [process where opcode=1]
-  [file where opcode=0 and file_name="svchost.exe"]
+  [process where opcode==1]
+  [file where opcode==0 and file_name=="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
 until [file where opcode == 2]
 '''
@@ -410,8 +410,8 @@ expected_event_ids = []
 name = "threeJoinsWithUntil1"
 query = '''
 join by string(unique_pid), unique_pid, unique_pid * 2
-  [process where opcode=1]
-  [file where opcode=0 and file_name="svchost.exe"]
+  [process where opcode==1]
+  [file where opcode==0 and file_name=="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
 until [file where opcode == 2]
 '''
@@ -421,7 +421,7 @@ expected_event_ids = []
 name = "twoJoins2"
 query = '''
 join
-  [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+  [file where opcode==0 and file_name=="svchost.exe"] by unique_pid
   [process where opcode == 1] by unique_ppid
 '''
 expected_event_ids  = [55, 56]
@@ -430,7 +430,7 @@ expected_event_ids  = [55, 56]
 name = "twoJoins3"
 query = '''
 join by unique_pid
-  [process where opcode in (1,3) and process_name="python.exe"]
+  [process where opcode in (1,3) and process_name=="python.exe"]
   [file where file_name == "*.exe"]
 '''
 expected_event_ids  = [54, 55]
@@ -439,7 +439,7 @@ expected_event_ids  = [54, 55]
 name = "twoJoins4"
 query = '''
 join by user_name
-  [process where opcode in (1,3) and process_name="python.exe"]
+  [process where opcode in (1,3) and process_name=="python.exe"]
   [process where opcode in (1,3) and process_name == "smss.exe"]
 '''
 expected_event_ids  = [48, 78]
@@ -448,7 +448,7 @@ expected_event_ids  = [48, 78]
 name = "twoJoins5"
 query = '''
 join
-  [process where opcode in (1,3) and process_name="python.exe"]
+  [process where opcode in (1,3) and process_name=="python.exe"]
   [process where opcode in (1,3) and process_name == "smss.exe"]
 '''
 expected_event_ids  = [48, 3, 50, 78]
@@ -568,7 +568,7 @@ any where true
 [[queries]]
 name = "multipleConditionsWithDescendant1"
 query = '''
-process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+process where opcode==1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
   and descendant of [process where process_name == "cmd.exe" ]
 '''
 expected_event_ids  = [62, 68, 78]
@@ -584,7 +584,7 @@ expected_event_ids  = [62, 64, 68, 69, 78, 80]
 [[queries]]
 name = "multipleConditionsWithDescendant2"
 query = '''
-process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+process where opcode==2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
   and descendant of [process where process_name == "cmd.exe" ]
 '''
 expected_event_ids  = [64, 69, 80]
@@ -592,16 +592,16 @@ expected_event_ids  = [64, 69, 80]
 [[queries]]
 name = "childOf1"
 query = '''
-process where process_name="svchost.exe"
-  and child of [file where file_name="svchost.exe" and opcode=0]
+process where process_name=="svchost.exe"
+  and child of [file where file_name=="svchost.exe" and opcode==0]
 '''
 expected_event_ids  = [56, 58]
 
 [[queries]]
 name = "childOf2"
 query = '''
-process where process_name="svchost.exe"
-  and not child of [file where file_name="svchost.exe" and opcode=0]
+process where process_name=="svchost.exe"
+  and not child of [file where file_name=="svchost.exe" and opcode==0]
 | head 3
 '''
 expected_event_ids  = [11, 13, 15]
@@ -609,10 +609,10 @@ expected_event_ids  = [11, 13, 15]
 [[queries]]
 name = "nestedChildOf1"
 query = '''
-process where process_name="lsass.exe"
+process where process_name=="lsass.exe"
   and child of [
-    process where process_name="python.exe"
-    and child of [process where process_name="cmd.exe"]
+    process where process_name=="python.exe"
+    and child of [process where process_name=="cmd.exe"]
   ]
 '''
 expected_event_ids  = [62, 64]
@@ -622,7 +622,7 @@ name = "nestedChildOf2"
 query = '''
 file where child of [
   process where child of [
-      process where child of [process where process_name="*wsmprovhost.exe"]
+      process where child of [process where process_name=="*wsmprovhost.exe"]
   ]
 ]
 | tail 1
@@ -632,7 +632,7 @@ expected_event_ids  = [91]
 [[queries]]
 name = "fileByUniquePid1"
 query = '''
-file where process_name = "python.exe"
+file where process_name == "python.exe"
 | unique unique_pid
 '''
 expected_event_ids  = [55, 95]
@@ -640,7 +640,7 @@ expected_event_ids  = [55, 95]
 [[queries]]
 name = "fileByUniquePid2"
 query = '''
-file where event of [process where process_name = "python.exe" ]
+file where event of [process where process_name == "python.exe" ]
 | unique unique_pid
 '''
 expected_event_ids  = [55, 95]
@@ -648,13 +648,13 @@ expected_event_ids  = [55, 95]
 [[queries]]
 name = "simpleStringEquality"
 query = '''
-process where process_name = "python.exe"
+process where process_name == "python.exe"
 '''
 expected_event_ids  = [48, 50, 51, 54, 93]
 
 [[queries]]
 name = "eventOfProcess"
-query = 'process where event of [process where process_name = "python.exe" ]'
+query = 'process where event of [process where process_name == "python.exe" ]'
 expected_event_ids  = [48, 50, 51, 54, 93]
 
 [[queries]]
@@ -834,7 +834,7 @@ name = "stringEqualsCaseInsensitive1"
 case_insensitive = true
 query = '''
 process where "net.EXE" == original_file_name
-| filter process_name="net*.exe"
+| filter process_name=="net*.exe"
 '''
 expected_event_ids  = [97]
 note = "check that case insensitive comparisons are performed even for lhs strings."
@@ -843,7 +843,7 @@ note = "check that case insensitive comparisons are performed even for lhs strin
 name = "stringEqualsCaseInsensitive2"
 case_insensitive = true
 query = '''
-process where process_name == original_file_name and process_name="net*.exe"
+process where process_name == original_file_name and process_name=="net*.exe"
 '''
 expected_event_ids  = [97, 98]
 note = "check that case insensitive comparisons are performed for fields."
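Review bot: Two entries in this file share `name = "threeJoinsWithUntil1"` (the hunks at -399 and -410) although their `join by` clauses differ; the commit edits both queries and leaves the duplicate in place. Giving the second one a name not already used in the file, for example `name = "threeJoinsWithUntil2"`, would make a failure or an exclusion attributable to a single query. Whether the spec loader keys on the name is not visible here, so the practical effect is unconfirmed.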

+ 5 - 5
x-pack/plugin/eql/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/eql/10_basic.yml

@@ -39,7 +39,7 @@ setup:
       eql.search:
         index: eql_test
         body:
-          query: 'process where user = "SYSTEM"'
+          query: 'process where user == "SYSTEM"'
 
   - match: {timed_out: false}
   - match: {hits.total.value: 3}
@@ -55,7 +55,7 @@ setup:
       eql.search:
         index: eql_test
         body:
-          query: 'sequence by user [process where user = "SYSTEM"] [process where true]'
+          query: 'sequence by user [process where user == "SYSTEM"] [process where true]'
   - match: {timed_out: false}
   - match: {hits.total.value: 2}
   - match: {hits.total.relation: "eq"}
@@ -72,7 +72,7 @@ setup:
       eql.search:
         index: eql_test
         body:
-          query: 'sequence by id [process where user = "SYSTEM"] [process where true]'
+          query: 'sequence by id [process where user == "SYSTEM"] [process where true]'
   - match: {timed_out: false}
   - match: {hits.total.value: 2}
   - match: {hits.total.relation: "eq"}
@@ -89,7 +89,7 @@ setup:
       eql.search:
         index: eql_test
         body:
-          query: 'sequence by valid [process where user = "SYSTEM"] [process where true]'
+          query: 'sequence by valid [process where user == "SYSTEM"] [process where true]'
   - match: {timed_out: false}
   - match: {hits.total.value: 1}
   - match: {hits.total.relation: "eq"}
@@ -105,7 +105,7 @@ setup:
         wait_for_completion_timeout: "0ms"
         keep_on_completion: true
         body:
-          query: 'process where user = "SYSTEM"'
+          query: 'process where user == "SYSTEM"'
 
   - is_true: id
   - set: {id: id}
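Review bot: None of the five updated requests in this file asserts that the old single-`=` comparison is now rejected; they only switch the passing queries to `==`. Stored detection queries written with `=` will stop parsing after this change, so the error a client receives is worth pinning. One extra case would do it, using `catch: bad_request` with `query: 'process where user = "SYSTEM"'`. Parser and verifier tests are outside this view and may already cover the rejection; if so, a REST-level case is optional.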

+ 1 - 1
x-pack/plugin/eql/qa/security/src/javaRestTest/java/org/elasticsearch/xpack/eql/AsyncEqlSecurityIT.java

@@ -75,7 +75,7 @@ public class AsyncEqlSecurityIT extends ESRestTestCase {
 
     private void testCase(String user, String other) throws Exception {
         for (String indexName : new String[] {"index", "index-" + user}) {
-            Response submitResp = submitAsyncEqlSearch(indexName, "my_event where val=0", TimeValue.timeValueSeconds(10), user);
+            Response submitResp = submitAsyncEqlSearch(indexName, "my_event where val==0", TimeValue.timeValueSeconds(10), user);
             assertOK(submitResp);
             String id = extractResponseId(submitResp);
             Response getResp = getAsyncEqlSearch(id, user);

+ 4 - 4
x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/AsyncEqlSearchActionIT.java

@@ -102,7 +102,7 @@ public class AsyncEqlSearchActionIT extends AbstractEqlBlockingIntegTestCase {
         prepareIndex();
 
         boolean success = randomBoolean();
-        String query = success ? "my_event where i=1" : "my_event where 10/i=1";
+        String query = success ? "my_event where i==1" : "my_event where 10/i==1";
         EqlSearchRequest request = new EqlSearchRequest().indices("test").query(query).eventCategoryField("event_type")
             .waitForCompletionTimeout(TimeValue.timeValueMillis(1));
 
@@ -151,7 +151,7 @@ public class AsyncEqlSearchActionIT extends AbstractEqlBlockingIntegTestCase {
         prepareIndex();
 
         boolean success = randomBoolean();
-        String query = success ? "my_event where i=1" : "my_event where 10/i=1";
+        String query = success ? "my_event where i==1" : "my_event where 10/i==1";
         EqlSearchRequest request = new EqlSearchRequest().indices("test").query(query).eventCategoryField("event_type")
             .waitForCompletionTimeout(TimeValue.timeValueMillis(1));
 
@@ -204,7 +204,7 @@ public class AsyncEqlSearchActionIT extends AbstractEqlBlockingIntegTestCase {
         prepareIndex();
 
         boolean success = randomBoolean();
-        String query = success ? "my_event where i=1" : "my_event where 10/i=1";
+        String query = success ? "my_event where i==1" : "my_event where 10/i==1";
         EqlSearchRequest request = new EqlSearchRequest().indices("test").query(query).eventCategoryField("event_type")
             .waitForCompletionTimeout(TimeValue.timeValueMillis(1));
 
@@ -243,7 +243,7 @@ public class AsyncEqlSearchActionIT extends AbstractEqlBlockingIntegTestCase {
 
         boolean success = randomBoolean();
         boolean keepOnCompletion = randomBoolean();
-        String query = success ? "my_event where i=1" : "my_event where 10/i=1";
+        String query = success ? "my_event where i==1" : "my_event where 10/i==1";
         EqlSearchRequest request = new EqlSearchRequest().indices("test").query(query).eventCategoryField("event_type")
             .waitForCompletionTimeout(TimeValue.timeValueSeconds(10));
         if (keepOnCompletion || randomBoolean()) {
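Review bot: The expression `success ? "my_event where i==1" : "my_event where 10/i==1"` is repeated verbatim in all four hunks of this file, so a syntax change like this one has to be applied four times. A small private helper such as `private static String eqlQuery(boolean success)` returning that expression would keep the copies in sync. A one-line comment there could also record why the second form is expected to fail; presumably it is a division by zero on some document, but the index setup is outside the hunks. The enclosing test methods start and end outside the hunks.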

+ 1 - 1
x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/EqlCancellationIT.java

@@ -58,7 +58,7 @@ public class EqlCancellationIT extends AbstractEqlBlockingIntegTestCase {
         indexRandom(true, builders);
         boolean cancelDuringSearch = randomBoolean();
         List<SearchBlockPlugin> plugins = initBlockFactory(cancelDuringSearch, cancelDuringSearch == false);
-        EqlSearchRequest request = new EqlSearchRequest().indices("test").query("my_event where val=1").eventCategoryField("event_type");
+        EqlSearchRequest request = new EqlSearchRequest().indices("test").query("my_event where val==1").eventCategoryField("event_type");
         String id = randomAlphaOfLength(10);
         logger.trace("Preparing search");
         // We might perform field caps on the same thread if it is local client, so we cannot use the standard mechanism

+ 1 - 1
x-pack/plugin/eql/src/internalClusterTest/java/org/elasticsearch/xpack/eql/action/RestEqlCancellationIT.java

@@ -100,7 +100,7 @@ public class RestEqlCancellationIT extends AbstractEqlBlockingIntegTestCase {
         // We are cancelling during both mapping and searching but we cancel during mapping so we should never reach the second block
         List<SearchBlockPlugin> plugins = initBlockFactory(true, true);
         org.elasticsearch.client.eql.EqlSearchRequest eqlSearchRequest =
-            new org.elasticsearch.client.eql.EqlSearchRequest("test", "my_event where val=1").eventCategoryField("event_type");
+            new org.elasticsearch.client.eql.EqlSearchRequest("test", "my_event where val==1").eventCategoryField("event_type");
         String id = randomAlphaOfLength(10);
 
         Request request = new Request("GET", "/test/_eql/search");

+ 3 - 2
x-pack/plugin/eql/src/main/antlr/EqlBase.g4

@@ -26,7 +26,7 @@ query
     ;
 
 sequenceParams
-    : WITH (MAXSPAN EQ timeUnit)
+    : WITH (MAXSPAN ASGN timeUnit)
     ;
 
 sequence
@@ -169,7 +169,8 @@ WHERE: 'where';
 WITH: 'with';
 
 // Operators
-EQ  : '=' | '==';
+ASGN : '=';
+EQ  : '==';
 NEQ : '!=';
 LT  : '<';
 LTE : '<=';
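Review bot: The new `ASGN : '=';` rule has no comment saying that `=` is now assignment-only, and the neighbouring `EQ  : '==';` gives no hint that the single form was removed on purpose. I would add `// '=' is assignment only (e.g. maxspan=10m); equality comparisons must use '=='` above `ASGN`, so a later grammar edit does not fold the two tokens back together. The lexer takes the longest match, so `==` still lexes as `EQ` rather than two `ASGN` tokens. A comparison written with a single `=` will presumably surface as a generic mismatched-input parse error, so it is worth checking that the message is clear enough for users migrating saved queries.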

+ 46 - 43
x-pack/plugin/eql/src/main/antlr/EqlBase.tokens

@@ -15,32 +15,33 @@ TRUE=14
 UNTIL=15
 WHERE=16
 WITH=17
-EQ=18
-NEQ=19
-LT=20
-LTE=21
-GT=22
-GTE=23
-PLUS=24
-MINUS=25
-ASTERISK=26
-SLASH=27
-PERCENT=28
-DOT=29
-COMMA=30
-LB=31
-RB=32
-LP=33
-RP=34
-PIPE=35
-ESCAPED_IDENTIFIER=36
-STRING=37
-INTEGER_VALUE=38
-DECIMAL_VALUE=39
-IDENTIFIER=40
-LINE_COMMENT=41
-BRACKETED_COMMENT=42
-WS=43
+ASGN=18
+EQ=19
+NEQ=20
+LT=21
+LTE=22
+GT=23
+GTE=24
+PLUS=25
+MINUS=26
+ASTERISK=27
+SLASH=28
+PERCENT=29
+DOT=30
+COMMA=31
+LB=32
+RB=33
+LP=34
+RP=35
+PIPE=36
+ESCAPED_IDENTIFIER=37
+STRING=38
+INTEGER_VALUE=39
+DECIMAL_VALUE=40
+IDENTIFIER=41
+LINE_COMMENT=42
+BRACKETED_COMMENT=43
+WS=44
 'and'=1
 'any'=2
 'by'=3
@@ -58,20 +59,22 @@ WS=43
 'until'=15
 'where'=16
 'with'=17
-'!='=19
-'<'=20
-'<='=21
-'>'=22
-'>='=23
-'+'=24
-'-'=25
-'*'=26
-'/'=27
-'%'=28
-'.'=29
-','=30
-'['=31
-']'=32
-'('=33
-')'=34
-'|'=35
+'='=18
+'=='=19
+'!='=20
+'<'=21
+'<='=22
+'>'=23
+'>='=24
+'+'=25
+'-'=26
+'*'=27
+'/'=28
+'%'=29
+'.'=30
+','=31
+'['=32
+']'=33
+'('=34
+')'=35
+'|'=36

+ 46 - 43
x-pack/plugin/eql/src/main/antlr/EqlBaseLexer.tokens

@@ -15,32 +15,33 @@ TRUE=14
 UNTIL=15
 WHERE=16
 WITH=17
-EQ=18
-NEQ=19
-LT=20
-LTE=21
-GT=22
-GTE=23
-PLUS=24
-MINUS=25
-ASTERISK=26
-SLASH=27
-PERCENT=28
-DOT=29
-COMMA=30
-LB=31
-RB=32
-LP=33
-RP=34
-PIPE=35
-ESCAPED_IDENTIFIER=36
-STRING=37
-INTEGER_VALUE=38
-DECIMAL_VALUE=39
-IDENTIFIER=40
-LINE_COMMENT=41
-BRACKETED_COMMENT=42
-WS=43
+ASGN=18
+EQ=19
+NEQ=20
+LT=21
+LTE=22
+GT=23
+GTE=24
+PLUS=25
+MINUS=26
+ASTERISK=27
+SLASH=28
+PERCENT=29
+DOT=30
+COMMA=31
+LB=32
+RB=33
+LP=34
+RP=35
+PIPE=36
+ESCAPED_IDENTIFIER=37
+STRING=38
+INTEGER_VALUE=39
+DECIMAL_VALUE=40
+IDENTIFIER=41
+LINE_COMMENT=42
+BRACKETED_COMMENT=43
+WS=44
 'and'=1
 'any'=2
 'by'=3
@@ -58,20 +59,22 @@ WS=43
 'until'=15
 'where'=16
 'with'=17
-'!='=19
-'<'=20
-'<='=21
-'>'=22
-'>='=23
-'+'=24
-'-'=25
-'*'=26
-'/'=27
-'%'=28
-'.'=29
-','=30
-'['=31
-']'=32
-'('=33
-')'=34
-'|'=35
+'='=18
+'=='=19
+'!='=20
+'<'=21
+'<='=22
+'>'=23
+'>='=24
+'+'=25
+'-'=26
+'*'=27
+'/'=28
+'%'=29
+'.'=30
+','=31
+'['=32
+']'=33
+'('=34
+')'=35
+'|'=36

+ 144 - 143
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseLexer.java

@@ -18,20 +18,20 @@ class EqlBaseLexer extends Lexer {
     new PredictionContextCache();
   public static final int
     AND=1, ANY=2, BY=3, FALSE=4, FORK=5, IN=6, JOIN=7, MAXSPAN=8, NOT=9, NULL=10, 
-    OF=11, OR=12, SEQUENCE=13, TRUE=14, UNTIL=15, WHERE=16, WITH=17, EQ=18, 
-    NEQ=19, LT=20, LTE=21, GT=22, GTE=23, PLUS=24, MINUS=25, ASTERISK=26, 
-    SLASH=27, PERCENT=28, DOT=29, COMMA=30, LB=31, RB=32, LP=33, RP=34, PIPE=35, 
-    ESCAPED_IDENTIFIER=36, STRING=37, INTEGER_VALUE=38, DECIMAL_VALUE=39, 
-    IDENTIFIER=40, LINE_COMMENT=41, BRACKETED_COMMENT=42, WS=43;
+    OF=11, OR=12, SEQUENCE=13, TRUE=14, UNTIL=15, WHERE=16, WITH=17, ASGN=18, 
+    EQ=19, NEQ=20, LT=21, LTE=22, GT=23, GTE=24, PLUS=25, MINUS=26, ASTERISK=27, 
+    SLASH=28, PERCENT=29, DOT=30, COMMA=31, LB=32, RB=33, LP=34, RP=35, PIPE=36, 
+    ESCAPED_IDENTIFIER=37, STRING=38, INTEGER_VALUE=39, DECIMAL_VALUE=40, 
+    IDENTIFIER=41, LINE_COMMENT=42, BRACKETED_COMMENT=43, WS=44;
   public static String[] modeNames = {
     "DEFAULT_MODE"
   };
 
   public static final String[] ruleNames = {
     "AND", "ANY", "BY", "FALSE", "FORK", "IN", "JOIN", "MAXSPAN", "NOT", "NULL", 
-    "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "EQ", "NEQ", 
-    "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", "PERCENT", 
-    "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER", 
+    "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", "EQ", 
+    "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", 
+    "PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER", 
     "STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "EXPONENT", 
     "DIGIT", "LETTER", "LINE_COMMENT", "BRACKETED_COMMENT", "WS"
   };
@@ -39,14 +39,14 @@ class EqlBaseLexer extends Lexer {
   private static final String[] _LITERAL_NAMES = {
     null, "'and'", "'any'", "'by'", "'false'", "'fork'", "'in'", "'join'", 
     "'maxspan'", "'not'", "'null'", "'of'", "'or'", "'sequence'", "'true'", 
-    "'until'", "'where'", "'with'", null, "'!='", "'<'", "'<='", "'>'", "'>='", 
-    "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'", "'('", 
-    "')'", "'|'"
+    "'until'", "'where'", "'with'", "'='", "'=='", "'!='", "'<'", "'<='", 
+    "'>'", "'>='", "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", 
+    "']'", "'('", "')'", "'|'"
   };
   private static final String[] _SYMBOLIC_NAMES = {
     null, "AND", "ANY", "BY", "FALSE", "FORK", "IN", "JOIN", "MAXSPAN", "NOT", 
-    "NULL", "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "EQ", 
-    "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", 
+    "NULL", "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", 
+    "EQ", "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", 
     "PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER", 
     "STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "LINE_COMMENT", 
     "BRACKETED_COMMENT", "WS"
@@ -106,141 +106,142 @@ class EqlBaseLexer extends Lexer {
   public ATN getATN() { return _ATN; }
 
   public static final String _serializedATN =
-    "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2-\u0185\b\1\4\2\t"+
+    "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\2.\u0187\b\1\4\2\t"+
     "\2\4\3\t\3\4\4\t\4\4\5\t\5\4\6\t\6\4\7\t\7\4\b\t\b\4\t\t\t\4\n\t\n\4\13"+
     "\t\13\4\f\t\f\4\r\t\r\4\16\t\16\4\17\t\17\4\20\t\20\4\21\t\21\4\22\t\22"+
     "\4\23\t\23\4\24\t\24\4\25\t\25\4\26\t\26\4\27\t\27\4\30\t\30\4\31\t\31"+
     "\4\32\t\32\4\33\t\33\4\34\t\34\4\35\t\35\4\36\t\36\4\37\t\37\4 \t \4!"+
     "\t!\4\"\t\"\4#\t#\4$\t$\4%\t%\4&\t&\4\'\t\'\4(\t(\4)\t)\4*\t*\4+\t+\4"+
-    ",\t,\4-\t-\4.\t.\4/\t/\3\2\3\2\3\2\3\2\3\3\3\3\3\3\3\3\3\4\3\4\3\4\3\5"+
-    "\3\5\3\5\3\5\3\5\3\5\3\6\3\6\3\6\3\6\3\6\3\7\3\7\3\7\3\b\3\b\3\b\3\b\3"+
-    "\b\3\t\3\t\3\t\3\t\3\t\3\t\3\t\3\t\3\n\3\n\3\n\3\n\3\13\3\13\3\13\3\13"+
-    "\3\13\3\f\3\f\3\f\3\r\3\r\3\r\3\16\3\16\3\16\3\16\3\16\3\16\3\16\3\16"+
-    "\3\16\3\17\3\17\3\17\3\17\3\17\3\20\3\20\3\20\3\20\3\20\3\20\3\21\3\21"+
-    "\3\21\3\21\3\21\3\21\3\22\3\22\3\22\3\22\3\22\3\23\3\23\3\23\5\23\u00b7"+
-    "\n\23\3\24\3\24\3\24\3\25\3\25\3\26\3\26\3\26\3\27\3\27\3\30\3\30\3\30"+
-    "\3\31\3\31\3\32\3\32\3\33\3\33\3\34\3\34\3\35\3\35\3\36\3\36\3\37\3\37"+
-    "\3 \3 \3!\3!\3\"\3\"\3#\3#\3$\3$\3%\3%\7%\u00e0\n%\f%\16%\u00e3\13%\3"+
-    "%\3%\3&\3&\3&\3&\7&\u00eb\n&\f&\16&\u00ee\13&\3&\3&\3&\3&\3&\7&\u00f5"+
-    "\n&\f&\16&\u00f8\13&\3&\3&\3&\3&\3&\3&\3&\7&\u0101\n&\f&\16&\u0104\13"+
-    "&\3&\3&\3&\3&\3&\3&\3&\7&\u010d\n&\f&\16&\u0110\13&\3&\5&\u0113\n&\3\'"+
-    "\6\'\u0116\n\'\r\'\16\'\u0117\3(\6(\u011b\n(\r(\16(\u011c\3(\3(\7(\u0121"+
-    "\n(\f(\16(\u0124\13(\3(\3(\6(\u0128\n(\r(\16(\u0129\3(\6(\u012d\n(\r("+
-    "\16(\u012e\3(\3(\7(\u0133\n(\f(\16(\u0136\13(\5(\u0138\n(\3(\3(\3(\3("+
-    "\6(\u013e\n(\r(\16(\u013f\3(\3(\5(\u0144\n(\3)\3)\5)\u0148\n)\3)\3)\3"+
-    ")\7)\u014d\n)\f)\16)\u0150\13)\3*\3*\5*\u0154\n*\3*\6*\u0157\n*\r*\16"+
-    "*\u0158\3+\3+\3,\3,\3-\3-\3-\3-\7-\u0163\n-\f-\16-\u0166\13-\3-\5-\u0169"+
-    "\n-\3-\5-\u016c\n-\3-\3-\3.\3.\3.\3.\3.\7.\u0175\n.\f.\16.\u0178\13.\3"+
-    ".\3.\3.\3.\3.\3/\6/\u0180\n/\r/\16/\u0181\3/\3/\3\u0176\2\60\3\3\5\4\7"+
-    "\5\t\6\13\7\r\b\17\t\21\n\23\13\25\f\27\r\31\16\33\17\35\20\37\21!\22"+
-    "#\23%\24\'\25)\26+\27-\30/\31\61\32\63\33\65\34\67\359\36;\37= ?!A\"C"+
-    "#E$G%I&K\'M(O)Q*S\2U\2W\2Y+[,]-\3\2\17\3\2bb\n\2$$))^^ddhhppttvv\6\2\f"+
-    "\f\17\17))^^\6\2\f\f\17\17$$^^\5\2\f\f\17\17$$\5\2\f\f\17\17))\4\2BBa"+
-    "a\4\2GGgg\4\2--//\3\2\62;\4\2C\\c|\4\2\f\f\17\17\5\2\13\f\17\17\"\"\u01a5"+
-    "\2\3\3\2\2\2\2\5\3\2\2\2\2\7\3\2\2\2\2\t\3\2\2\2\2\13\3\2\2\2\2\r\3\2"+
-    "\2\2\2\17\3\2\2\2\2\21\3\2\2\2\2\23\3\2\2\2\2\25\3\2\2\2\2\27\3\2\2\2"+
-    "\2\31\3\2\2\2\2\33\3\2\2\2\2\35\3\2\2\2\2\37\3\2\2\2\2!\3\2\2\2\2#\3\2"+
-    "\2\2\2%\3\2\2\2\2\'\3\2\2\2\2)\3\2\2\2\2+\3\2\2\2\2-\3\2\2\2\2/\3\2\2"+
-    "\2\2\61\3\2\2\2\2\63\3\2\2\2\2\65\3\2\2\2\2\67\3\2\2\2\29\3\2\2\2\2;\3"+
-    "\2\2\2\2=\3\2\2\2\2?\3\2\2\2\2A\3\2\2\2\2C\3\2\2\2\2E\3\2\2\2\2G\3\2\2"+
-    "\2\2I\3\2\2\2\2K\3\2\2\2\2M\3\2\2\2\2O\3\2\2\2\2Q\3\2\2\2\2Y\3\2\2\2\2"+
-    "[\3\2\2\2\2]\3\2\2\2\3_\3\2\2\2\5c\3\2\2\2\7g\3\2\2\2\tj\3\2\2\2\13p\3"+
-    "\2\2\2\ru\3\2\2\2\17x\3\2\2\2\21}\3\2\2\2\23\u0085\3\2\2\2\25\u0089\3"+
-    "\2\2\2\27\u008e\3\2\2\2\31\u0091\3\2\2\2\33\u0094\3\2\2\2\35\u009d\3\2"+
-    "\2\2\37\u00a2\3\2\2\2!\u00a8\3\2\2\2#\u00ae\3\2\2\2%\u00b6\3\2\2\2\'\u00b8"+
-    "\3\2\2\2)\u00bb\3\2\2\2+\u00bd\3\2\2\2-\u00c0\3\2\2\2/\u00c2\3\2\2\2\61"+
-    "\u00c5\3\2\2\2\63\u00c7\3\2\2\2\65\u00c9\3\2\2\2\67\u00cb\3\2\2\29\u00cd"+
-    "\3\2\2\2;\u00cf\3\2\2\2=\u00d1\3\2\2\2?\u00d3\3\2\2\2A\u00d5\3\2\2\2C"+
-    "\u00d7\3\2\2\2E\u00d9\3\2\2\2G\u00db\3\2\2\2I\u00dd\3\2\2\2K\u0112\3\2"+
-    "\2\2M\u0115\3\2\2\2O\u0143\3\2\2\2Q\u0147\3\2\2\2S\u0151\3\2\2\2U\u015a"+
-    "\3\2\2\2W\u015c\3\2\2\2Y\u015e\3\2\2\2[\u016f\3\2\2\2]\u017f\3\2\2\2_"+
-    "`\7c\2\2`a\7p\2\2ab\7f\2\2b\4\3\2\2\2cd\7c\2\2de\7p\2\2ef\7{\2\2f\6\3"+
-    "\2\2\2gh\7d\2\2hi\7{\2\2i\b\3\2\2\2jk\7h\2\2kl\7c\2\2lm\7n\2\2mn\7u\2"+
-    "\2no\7g\2\2o\n\3\2\2\2pq\7h\2\2qr\7q\2\2rs\7t\2\2st\7m\2\2t\f\3\2\2\2"+
-    "uv\7k\2\2vw\7p\2\2w\16\3\2\2\2xy\7l\2\2yz\7q\2\2z{\7k\2\2{|\7p\2\2|\20"+
-    "\3\2\2\2}~\7o\2\2~\177\7c\2\2\177\u0080\7z\2\2\u0080\u0081\7u\2\2\u0081"+
-    "\u0082\7r\2\2\u0082\u0083\7c\2\2\u0083\u0084\7p\2\2\u0084\22\3\2\2\2\u0085"+
-    "\u0086\7p\2\2\u0086\u0087\7q\2\2\u0087\u0088\7v\2\2\u0088\24\3\2\2\2\u0089"+
-    "\u008a\7p\2\2\u008a\u008b\7w\2\2\u008b\u008c\7n\2\2\u008c\u008d\7n\2\2"+
-    "\u008d\26\3\2\2\2\u008e\u008f\7q\2\2\u008f\u0090\7h\2\2\u0090\30\3\2\2"+
-    "\2\u0091\u0092\7q\2\2\u0092\u0093\7t\2\2\u0093\32\3\2\2\2\u0094\u0095"+
-    "\7u\2\2\u0095\u0096\7g\2\2\u0096\u0097\7s\2\2\u0097\u0098\7w\2\2\u0098"+
-    "\u0099\7g\2\2\u0099\u009a\7p\2\2\u009a\u009b\7e\2\2\u009b\u009c\7g\2\2"+
-    "\u009c\34\3\2\2\2\u009d\u009e\7v\2\2\u009e\u009f\7t\2\2\u009f\u00a0\7"+
-    "w\2\2\u00a0\u00a1\7g\2\2\u00a1\36\3\2\2\2\u00a2\u00a3\7w\2\2\u00a3\u00a4"+
-    "\7p\2\2\u00a4\u00a5\7v\2\2\u00a5\u00a6\7k\2\2\u00a6\u00a7\7n\2\2\u00a7"+
-    " \3\2\2\2\u00a8\u00a9\7y\2\2\u00a9\u00aa\7j\2\2\u00aa\u00ab\7g\2\2\u00ab"+
-    "\u00ac\7t\2\2\u00ac\u00ad\7g\2\2\u00ad\"\3\2\2\2\u00ae\u00af\7y\2\2\u00af"+
-    "\u00b0\7k\2\2\u00b0\u00b1\7v\2\2\u00b1\u00b2\7j\2\2\u00b2$\3\2\2\2\u00b3"+
-    "\u00b7\7?\2\2\u00b4\u00b5\7?\2\2\u00b5\u00b7\7?\2\2\u00b6\u00b3\3\2\2"+
-    "\2\u00b6\u00b4\3\2\2\2\u00b7&\3\2\2\2\u00b8\u00b9\7#\2\2\u00b9\u00ba\7"+
-    "?\2\2\u00ba(\3\2\2\2\u00bb\u00bc\7>\2\2\u00bc*\3\2\2\2\u00bd\u00be\7>"+
-    "\2\2\u00be\u00bf\7?\2\2\u00bf,\3\2\2\2\u00c0\u00c1\7@\2\2\u00c1.\3\2\2"+
-    "\2\u00c2\u00c3\7@\2\2\u00c3\u00c4\7?\2\2\u00c4\60\3\2\2\2\u00c5\u00c6"+
-    "\7-\2\2\u00c6\62\3\2\2\2\u00c7\u00c8\7/\2\2\u00c8\64\3\2\2\2\u00c9\u00ca"+
-    "\7,\2\2\u00ca\66\3\2\2\2\u00cb\u00cc\7\61\2\2\u00cc8\3\2\2\2\u00cd\u00ce"+
-    "\7\'\2\2\u00ce:\3\2\2\2\u00cf\u00d0\7\60\2\2\u00d0<\3\2\2\2\u00d1\u00d2"+
-    "\7.\2\2\u00d2>\3\2\2\2\u00d3\u00d4\7]\2\2\u00d4@\3\2\2\2\u00d5\u00d6\7"+
-    "_\2\2\u00d6B\3\2\2\2\u00d7\u00d8\7*\2\2\u00d8D\3\2\2\2\u00d9\u00da\7+"+
-    "\2\2\u00daF\3\2\2\2\u00db\u00dc\7~\2\2\u00dcH\3\2\2\2\u00dd\u00e1\7b\2"+
-    "\2\u00de\u00e0\n\2\2\2\u00df\u00de\3\2\2\2\u00e0\u00e3\3\2\2\2\u00e1\u00df"+
-    "\3\2\2\2\u00e1\u00e2\3\2\2\2\u00e2\u00e4\3\2\2\2\u00e3\u00e1\3\2\2\2\u00e4"+
-    "\u00e5\7b\2\2\u00e5J\3\2\2\2\u00e6\u00ec\7)\2\2\u00e7\u00e8\7^\2\2\u00e8"+
-    "\u00eb\t\3\2\2\u00e9\u00eb\n\4\2\2\u00ea\u00e7\3\2\2\2\u00ea\u00e9\3\2"+
-    "\2\2\u00eb\u00ee\3\2\2\2\u00ec\u00ea\3\2\2\2\u00ec\u00ed\3\2\2\2\u00ed"+
-    "\u00ef\3\2\2\2\u00ee\u00ec\3\2\2\2\u00ef\u0113\7)\2\2\u00f0\u00f6\7$\2"+
-    "\2\u00f1\u00f2\7^\2\2\u00f2\u00f5\t\3\2\2\u00f3\u00f5\n\5\2\2\u00f4\u00f1"+
-    "\3\2\2\2\u00f4\u00f3\3\2\2\2\u00f5\u00f8\3\2\2\2\u00f6\u00f4\3\2\2\2\u00f6"+
-    "\u00f7\3\2\2\2\u00f7\u00f9\3\2\2\2\u00f8\u00f6\3\2\2\2\u00f9\u0113\7$"+
-    "\2\2\u00fa\u00fb\7A\2\2\u00fb\u00fc\7$\2\2\u00fc\u0102\3\2\2\2\u00fd\u00fe"+
-    "\7^\2\2\u00fe\u0101\7$\2\2\u00ff\u0101\n\6\2\2\u0100\u00fd\3\2\2\2\u0100"+
-    "\u00ff\3\2\2\2\u0101\u0104\3\2\2\2\u0102\u0100\3\2\2\2\u0102\u0103\3\2"+
-    "\2\2\u0103\u0105\3\2\2\2\u0104\u0102\3\2\2\2\u0105\u0113\7$\2\2\u0106"+
-    "\u0107\7A\2\2\u0107\u0108\7)\2\2\u0108\u010e\3\2\2\2\u0109\u010a\7^\2"+
-    "\2\u010a\u010d\7)\2\2\u010b\u010d\n\7\2\2\u010c\u0109\3\2\2\2\u010c\u010b"+
-    "\3\2\2\2\u010d\u0110\3\2\2\2\u010e\u010c\3\2\2\2\u010e\u010f\3\2\2\2\u010f"+
-    "\u0111\3\2\2\2\u0110\u010e\3\2\2\2\u0111\u0113\7)\2\2\u0112\u00e6\3\2"+
-    "\2\2\u0112\u00f0\3\2\2\2\u0112\u00fa\3\2\2\2\u0112\u0106\3\2\2\2\u0113"+
-    "L\3\2\2\2\u0114\u0116\5U+\2\u0115\u0114\3\2\2\2\u0116\u0117\3\2\2\2\u0117"+
-    "\u0115\3\2\2\2\u0117\u0118\3\2\2\2\u0118N\3\2\2\2\u0119\u011b\5U+\2\u011a"+
-    "\u0119\3\2\2\2\u011b\u011c\3\2\2\2\u011c\u011a\3\2\2\2\u011c\u011d\3\2"+
-    "\2\2\u011d\u011e\3\2\2\2\u011e\u0122\5;\36\2\u011f\u0121\5U+\2\u0120\u011f"+
-    "\3\2\2\2\u0121\u0124\3\2\2\2\u0122\u0120\3\2\2\2\u0122\u0123\3\2\2\2\u0123"+
-    "\u0144\3\2\2\2\u0124\u0122\3\2\2\2\u0125\u0127\5;\36\2\u0126\u0128\5U"+
-    "+\2\u0127\u0126\3\2\2\2\u0128\u0129\3\2\2\2\u0129\u0127\3\2\2\2\u0129"+
-    "\u012a\3\2\2\2\u012a\u0144\3\2\2\2\u012b\u012d\5U+\2\u012c\u012b\3\2\2"+
-    "\2\u012d\u012e\3\2\2\2\u012e\u012c\3\2\2\2\u012e\u012f\3\2\2\2\u012f\u0137"+
-    "\3\2\2\2\u0130\u0134\5;\36\2\u0131\u0133\5U+\2\u0132\u0131\3\2\2\2\u0133"+
-    "\u0136\3\2\2\2\u0134\u0132\3\2\2\2\u0134\u0135\3\2\2\2\u0135\u0138\3\2"+
-    "\2\2\u0136\u0134\3\2\2\2\u0137\u0130\3\2\2\2\u0137\u0138\3\2\2\2\u0138"+
-    "\u0139\3\2\2\2\u0139\u013a\5S*\2\u013a\u0144\3\2\2\2\u013b\u013d\5;\36"+
-    "\2\u013c\u013e\5U+\2\u013d\u013c\3\2\2\2\u013e\u013f\3\2\2\2\u013f\u013d"+
-    "\3\2\2\2\u013f\u0140\3\2\2\2\u0140\u0141\3\2\2\2\u0141\u0142\5S*\2\u0142"+
-    "\u0144\3\2\2\2\u0143\u011a\3\2\2\2\u0143\u0125\3\2\2\2\u0143\u012c\3\2"+
-    "\2\2\u0143\u013b\3\2\2\2\u0144P\3\2\2\2\u0145\u0148\5W,\2\u0146\u0148"+
-    "\t\b\2\2\u0147\u0145\3\2\2\2\u0147\u0146\3\2\2\2\u0148\u014e\3\2\2\2\u0149"+
-    "\u014d\5W,\2\u014a\u014d\5U+\2\u014b\u014d\7a\2\2\u014c\u0149\3\2\2\2"+
-    "\u014c\u014a\3\2\2\2\u014c\u014b\3\2\2\2\u014d\u0150\3\2\2\2\u014e\u014c"+
-    "\3\2\2\2\u014e\u014f\3\2\2\2\u014fR\3\2\2\2\u0150\u014e\3\2\2\2\u0151"+
-    "\u0153\t\t\2\2\u0152\u0154\t\n\2\2\u0153\u0152\3\2\2\2\u0153\u0154\3\2"+
-    "\2\2\u0154\u0156\3\2\2\2\u0155\u0157\5U+\2\u0156\u0155\3\2\2\2\u0157\u0158"+
-    "\3\2\2\2\u0158\u0156\3\2\2\2\u0158\u0159\3\2\2\2\u0159T\3\2\2\2\u015a"+
-    "\u015b\t\13\2\2\u015bV\3\2\2\2\u015c\u015d\t\f\2\2\u015dX\3\2\2\2\u015e"+
-    "\u015f\7\61\2\2\u015f\u0160\7\61\2\2\u0160\u0164\3\2\2\2\u0161\u0163\n"+
-    "\r\2\2\u0162\u0161\3\2\2\2\u0163\u0166\3\2\2\2\u0164\u0162\3\2\2\2\u0164"+
-    "\u0165\3\2\2\2\u0165\u0168\3\2\2\2\u0166\u0164\3\2\2\2\u0167\u0169\7\17"+
-    "\2\2\u0168\u0167\3\2\2\2\u0168\u0169\3\2\2\2\u0169\u016b\3\2\2\2\u016a"+
-    "\u016c\7\f\2\2\u016b\u016a\3\2\2\2\u016b\u016c\3\2\2\2\u016c\u016d\3\2"+
-    "\2\2\u016d\u016e\b-\2\2\u016eZ\3\2\2\2\u016f\u0170\7\61\2\2\u0170\u0171"+
-    "\7,\2\2\u0171\u0176\3\2\2\2\u0172\u0175\5[.\2\u0173\u0175\13\2\2\2\u0174"+
-    "\u0172\3\2\2\2\u0174\u0173\3\2\2\2\u0175\u0178\3\2\2\2\u0176\u0177\3\2"+
-    "\2\2\u0176\u0174\3\2\2\2\u0177\u0179\3\2\2\2\u0178\u0176\3\2\2\2\u0179"+
-    "\u017a\7,\2\2\u017a\u017b\7\61\2\2\u017b\u017c\3\2\2\2\u017c\u017d\b."+
-    "\2\2\u017d\\\3\2\2\2\u017e\u0180\t\16\2\2\u017f\u017e\3\2\2\2\u0180\u0181"+
-    "\3\2\2\2\u0181\u017f\3\2\2\2\u0181\u0182\3\2\2\2\u0182\u0183\3\2\2\2\u0183"+
-    "\u0184\b/\2\2\u0184^\3\2\2\2\"\2\u00b6\u00e1\u00ea\u00ec\u00f4\u00f6\u0100"+
-    "\u0102\u010c\u010e\u0112\u0117\u011c\u0122\u0129\u012e\u0134\u0137\u013f"+
-    "\u0143\u0147\u014c\u014e\u0153\u0158\u0164\u0168\u016b\u0174\u0176\u0181"+
+    ",\t,\4-\t-\4.\t.\4/\t/\4\60\t\60\3\2\3\2\3\2\3\2\3\3\3\3\3\3\3\3\3\4\3"+
+    "\4\3\4\3\5\3\5\3\5\3\5\3\5\3\5\3\6\3\6\3\6\3\6\3\6\3\7\3\7\3\7\3\b\3\b"+
+    "\3\b\3\b\3\b\3\t\3\t\3\t\3\t\3\t\3\t\3\t\3\t\3\n\3\n\3\n\3\n\3\13\3\13"+
+    "\3\13\3\13\3\13\3\f\3\f\3\f\3\r\3\r\3\r\3\16\3\16\3\16\3\16\3\16\3\16"+
+    "\3\16\3\16\3\16\3\17\3\17\3\17\3\17\3\17\3\20\3\20\3\20\3\20\3\20\3\20"+
+    "\3\21\3\21\3\21\3\21\3\21\3\21\3\22\3\22\3\22\3\22\3\22\3\23\3\23\3\24"+
+    "\3\24\3\24\3\25\3\25\3\25\3\26\3\26\3\27\3\27\3\27\3\30\3\30\3\31\3\31"+
+    "\3\31\3\32\3\32\3\33\3\33\3\34\3\34\3\35\3\35\3\36\3\36\3\37\3\37\3 \3"+
+    " \3!\3!\3\"\3\"\3#\3#\3$\3$\3%\3%\3&\3&\7&\u00e2\n&\f&\16&\u00e5\13&\3"+
+    "&\3&\3\'\3\'\3\'\3\'\7\'\u00ed\n\'\f\'\16\'\u00f0\13\'\3\'\3\'\3\'\3\'"+
+    "\3\'\7\'\u00f7\n\'\f\'\16\'\u00fa\13\'\3\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'"+
+    "\u0103\n\'\f\'\16\'\u0106\13\'\3\'\3\'\3\'\3\'\3\'\3\'\3\'\7\'\u010f\n"+
+    "\'\f\'\16\'\u0112\13\'\3\'\5\'\u0115\n\'\3(\6(\u0118\n(\r(\16(\u0119\3"+
+    ")\6)\u011d\n)\r)\16)\u011e\3)\3)\7)\u0123\n)\f)\16)\u0126\13)\3)\3)\6"+
+    ")\u012a\n)\r)\16)\u012b\3)\6)\u012f\n)\r)\16)\u0130\3)\3)\7)\u0135\n)"+
+    "\f)\16)\u0138\13)\5)\u013a\n)\3)\3)\3)\3)\6)\u0140\n)\r)\16)\u0141\3)"+
+    "\3)\5)\u0146\n)\3*\3*\5*\u014a\n*\3*\3*\3*\7*\u014f\n*\f*\16*\u0152\13"+
+    "*\3+\3+\5+\u0156\n+\3+\6+\u0159\n+\r+\16+\u015a\3,\3,\3-\3-\3.\3.\3.\3"+
+    ".\7.\u0165\n.\f.\16.\u0168\13.\3.\5.\u016b\n.\3.\5.\u016e\n.\3.\3.\3/"+
+    "\3/\3/\3/\3/\7/\u0177\n/\f/\16/\u017a\13/\3/\3/\3/\3/\3/\3\60\6\60\u0182"+
+    "\n\60\r\60\16\60\u0183\3\60\3\60\3\u0178\2\61\3\3\5\4\7\5\t\6\13\7\r\b"+
+    "\17\t\21\n\23\13\25\f\27\r\31\16\33\17\35\20\37\21!\22#\23%\24\'\25)\26"+
+    "+\27-\30/\31\61\32\63\33\65\34\67\359\36;\37= ?!A\"C#E$G%I&K\'M(O)Q*S"+
+    "+U\2W\2Y\2[,]-_.\3\2\17\3\2bb\n\2$$))^^ddhhppttvv\6\2\f\f\17\17))^^\6"+
+    "\2\f\f\17\17$$^^\5\2\f\f\17\17$$\5\2\f\f\17\17))\4\2BBaa\4\2GGgg\4\2-"+
+    "-//\3\2\62;\4\2C\\c|\4\2\f\f\17\17\5\2\13\f\17\17\"\"\u01a6\2\3\3\2\2"+
+    "\2\2\5\3\2\2\2\2\7\3\2\2\2\2\t\3\2\2\2\2\13\3\2\2\2\2\r\3\2\2\2\2\17\3"+
+    "\2\2\2\2\21\3\2\2\2\2\23\3\2\2\2\2\25\3\2\2\2\2\27\3\2\2\2\2\31\3\2\2"+
+    "\2\2\33\3\2\2\2\2\35\3\2\2\2\2\37\3\2\2\2\2!\3\2\2\2\2#\3\2\2\2\2%\3\2"+
+    "\2\2\2\'\3\2\2\2\2)\3\2\2\2\2+\3\2\2\2\2-\3\2\2\2\2/\3\2\2\2\2\61\3\2"+
+    "\2\2\2\63\3\2\2\2\2\65\3\2\2\2\2\67\3\2\2\2\29\3\2\2\2\2;\3\2\2\2\2=\3"+
+    "\2\2\2\2?\3\2\2\2\2A\3\2\2\2\2C\3\2\2\2\2E\3\2\2\2\2G\3\2\2\2\2I\3\2\2"+
+    "\2\2K\3\2\2\2\2M\3\2\2\2\2O\3\2\2\2\2Q\3\2\2\2\2S\3\2\2\2\2[\3\2\2\2\2"+
+    "]\3\2\2\2\2_\3\2\2\2\3a\3\2\2\2\5e\3\2\2\2\7i\3\2\2\2\tl\3\2\2\2\13r\3"+
+    "\2\2\2\rw\3\2\2\2\17z\3\2\2\2\21\177\3\2\2\2\23\u0087\3\2\2\2\25\u008b"+
+    "\3\2\2\2\27\u0090\3\2\2\2\31\u0093\3\2\2\2\33\u0096\3\2\2\2\35\u009f\3"+
+    "\2\2\2\37\u00a4\3\2\2\2!\u00aa\3\2\2\2#\u00b0\3\2\2\2%\u00b5\3\2\2\2\'"+
+    "\u00b7\3\2\2\2)\u00ba\3\2\2\2+\u00bd\3\2\2\2-\u00bf\3\2\2\2/\u00c2\3\2"+
+    "\2\2\61\u00c4\3\2\2\2\63\u00c7\3\2\2\2\65\u00c9\3\2\2\2\67\u00cb\3\2\2"+
+    "\29\u00cd\3\2\2\2;\u00cf\3\2\2\2=\u00d1\3\2\2\2?\u00d3\3\2\2\2A\u00d5"+
+    "\3\2\2\2C\u00d7\3\2\2\2E\u00d9\3\2\2\2G\u00db\3\2\2\2I\u00dd\3\2\2\2K"+
+    "\u00df\3\2\2\2M\u0114\3\2\2\2O\u0117\3\2\2\2Q\u0145\3\2\2\2S\u0149\3\2"+
+    "\2\2U\u0153\3\2\2\2W\u015c\3\2\2\2Y\u015e\3\2\2\2[\u0160\3\2\2\2]\u0171"+
+    "\3\2\2\2_\u0181\3\2\2\2ab\7c\2\2bc\7p\2\2cd\7f\2\2d\4\3\2\2\2ef\7c\2\2"+
+    "fg\7p\2\2gh\7{\2\2h\6\3\2\2\2ij\7d\2\2jk\7{\2\2k\b\3\2\2\2lm\7h\2\2mn"+
+    "\7c\2\2no\7n\2\2op\7u\2\2pq\7g\2\2q\n\3\2\2\2rs\7h\2\2st\7q\2\2tu\7t\2"+
+    "\2uv\7m\2\2v\f\3\2\2\2wx\7k\2\2xy\7p\2\2y\16\3\2\2\2z{\7l\2\2{|\7q\2\2"+
+    "|}\7k\2\2}~\7p\2\2~\20\3\2\2\2\177\u0080\7o\2\2\u0080\u0081\7c\2\2\u0081"+
+    "\u0082\7z\2\2\u0082\u0083\7u\2\2\u0083\u0084\7r\2\2\u0084\u0085\7c\2\2"+
+    "\u0085\u0086\7p\2\2\u0086\22\3\2\2\2\u0087\u0088\7p\2\2\u0088\u0089\7"+
+    "q\2\2\u0089\u008a\7v\2\2\u008a\24\3\2\2\2\u008b\u008c\7p\2\2\u008c\u008d"+
+    "\7w\2\2\u008d\u008e\7n\2\2\u008e\u008f\7n\2\2\u008f\26\3\2\2\2\u0090\u0091"+
+    "\7q\2\2\u0091\u0092\7h\2\2\u0092\30\3\2\2\2\u0093\u0094\7q\2\2\u0094\u0095"+
+    "\7t\2\2\u0095\32\3\2\2\2\u0096\u0097\7u\2\2\u0097\u0098\7g\2\2\u0098\u0099"+
+    "\7s\2\2\u0099\u009a\7w\2\2\u009a\u009b\7g\2\2\u009b\u009c\7p\2\2\u009c"+
+    "\u009d\7e\2\2\u009d\u009e\7g\2\2\u009e\34\3\2\2\2\u009f\u00a0\7v\2\2\u00a0"+
+    "\u00a1\7t\2\2\u00a1\u00a2\7w\2\2\u00a2\u00a3\7g\2\2\u00a3\36\3\2\2\2\u00a4"+
+    "\u00a5\7w\2\2\u00a5\u00a6\7p\2\2\u00a6\u00a7\7v\2\2\u00a7\u00a8\7k\2\2"+
+    "\u00a8\u00a9\7n\2\2\u00a9 \3\2\2\2\u00aa\u00ab\7y\2\2\u00ab\u00ac\7j\2"+
+    "\2\u00ac\u00ad\7g\2\2\u00ad\u00ae\7t\2\2\u00ae\u00af\7g\2\2\u00af\"\3"+
+    "\2\2\2\u00b0\u00b1\7y\2\2\u00b1\u00b2\7k\2\2\u00b2\u00b3\7v\2\2\u00b3"+
+    "\u00b4\7j\2\2\u00b4$\3\2\2\2\u00b5\u00b6\7?\2\2\u00b6&\3\2\2\2\u00b7\u00b8"+
+    "\7?\2\2\u00b8\u00b9\7?\2\2\u00b9(\3\2\2\2\u00ba\u00bb\7#\2\2\u00bb\u00bc"+
+    "\7?\2\2\u00bc*\3\2\2\2\u00bd\u00be\7>\2\2\u00be,\3\2\2\2\u00bf\u00c0\7"+
+    ">\2\2\u00c0\u00c1\7?\2\2\u00c1.\3\2\2\2\u00c2\u00c3\7@\2\2\u00c3\60\3"+
+    "\2\2\2\u00c4\u00c5\7@\2\2\u00c5\u00c6\7?\2\2\u00c6\62\3\2\2\2\u00c7\u00c8"+
+    "\7-\2\2\u00c8\64\3\2\2\2\u00c9\u00ca\7/\2\2\u00ca\66\3\2\2\2\u00cb\u00cc"+
+    "\7,\2\2\u00cc8\3\2\2\2\u00cd\u00ce\7\61\2\2\u00ce:\3\2\2\2\u00cf\u00d0"+
+    "\7\'\2\2\u00d0<\3\2\2\2\u00d1\u00d2\7\60\2\2\u00d2>\3\2\2\2\u00d3\u00d4"+
+    "\7.\2\2\u00d4@\3\2\2\2\u00d5\u00d6\7]\2\2\u00d6B\3\2\2\2\u00d7\u00d8\7"+
+    "_\2\2\u00d8D\3\2\2\2\u00d9\u00da\7*\2\2\u00daF\3\2\2\2\u00db\u00dc\7+"+
+    "\2\2\u00dcH\3\2\2\2\u00dd\u00de\7~\2\2\u00deJ\3\2\2\2\u00df\u00e3\7b\2"+
+    "\2\u00e0\u00e2\n\2\2\2\u00e1\u00e0\3\2\2\2\u00e2\u00e5\3\2\2\2\u00e3\u00e1"+
+    "\3\2\2\2\u00e3\u00e4\3\2\2\2\u00e4\u00e6\3\2\2\2\u00e5\u00e3\3\2\2\2\u00e6"+
+    "\u00e7\7b\2\2\u00e7L\3\2\2\2\u00e8\u00ee\7)\2\2\u00e9\u00ea\7^\2\2\u00ea"+
+    "\u00ed\t\3\2\2\u00eb\u00ed\n\4\2\2\u00ec\u00e9\3\2\2\2\u00ec\u00eb\3\2"+
+    "\2\2\u00ed\u00f0\3\2\2\2\u00ee\u00ec\3\2\2\2\u00ee\u00ef\3\2\2\2\u00ef"+
+    "\u00f1\3\2\2\2\u00f0\u00ee\3\2\2\2\u00f1\u0115\7)\2\2\u00f2\u00f8\7$\2"+
+    "\2\u00f3\u00f4\7^\2\2\u00f4\u00f7\t\3\2\2\u00f5\u00f7\n\5\2\2\u00f6\u00f3"+
+    "\3\2\2\2\u00f6\u00f5\3\2\2\2\u00f7\u00fa\3\2\2\2\u00f8\u00f6\3\2\2\2\u00f8"+
+    "\u00f9\3\2\2\2\u00f9\u00fb\3\2\2\2\u00fa\u00f8\3\2\2\2\u00fb\u0115\7$"+
+    "\2\2\u00fc\u00fd\7A\2\2\u00fd\u00fe\7$\2\2\u00fe\u0104\3\2\2\2\u00ff\u0100"+
+    "\7^\2\2\u0100\u0103\7$\2\2\u0101\u0103\n\6\2\2\u0102\u00ff\3\2\2\2\u0102"+
+    "\u0101\3\2\2\2\u0103\u0106\3\2\2\2\u0104\u0102\3\2\2\2\u0104\u0105\3\2"+
+    "\2\2\u0105\u0107\3\2\2\2\u0106\u0104\3\2\2\2\u0107\u0115\7$\2\2\u0108"+
+    "\u0109\7A\2\2\u0109\u010a\7)\2\2\u010a\u0110\3\2\2\2\u010b\u010c\7^\2"+
+    "\2\u010c\u010f\7)\2\2\u010d\u010f\n\7\2\2\u010e\u010b\3\2\2\2\u010e\u010d"+
+    "\3\2\2\2\u010f\u0112\3\2\2\2\u0110\u010e\3\2\2\2\u0110\u0111\3\2\2\2\u0111"+
+    "\u0113\3\2\2\2\u0112\u0110\3\2\2\2\u0113\u0115\7)\2\2\u0114\u00e8\3\2"+
+    "\2\2\u0114\u00f2\3\2\2\2\u0114\u00fc\3\2\2\2\u0114\u0108\3\2\2\2\u0115"+
+    "N\3\2\2\2\u0116\u0118\5W,\2\u0117\u0116\3\2\2\2\u0118\u0119\3\2\2\2\u0119"+
+    "\u0117\3\2\2\2\u0119\u011a\3\2\2\2\u011aP\3\2\2\2\u011b\u011d\5W,\2\u011c"+
+    "\u011b\3\2\2\2\u011d\u011e\3\2\2\2\u011e\u011c\3\2\2\2\u011e\u011f\3\2"+
+    "\2\2\u011f\u0120\3\2\2\2\u0120\u0124\5=\37\2\u0121\u0123\5W,\2\u0122\u0121"+
+    "\3\2\2\2\u0123\u0126\3\2\2\2\u0124\u0122\3\2\2\2\u0124\u0125\3\2\2\2\u0125"+
+    "\u0146\3\2\2\2\u0126\u0124\3\2\2\2\u0127\u0129\5=\37\2\u0128\u012a\5W"+
+    ",\2\u0129\u0128\3\2\2\2\u012a\u012b\3\2\2\2\u012b\u0129\3\2\2\2\u012b"+
+    "\u012c\3\2\2\2\u012c\u0146\3\2\2\2\u012d\u012f\5W,\2\u012e\u012d\3\2\2"+
+    "\2\u012f\u0130\3\2\2\2\u0130\u012e\3\2\2\2\u0130\u0131\3\2\2\2\u0131\u0139"+
+    "\3\2\2\2\u0132\u0136\5=\37\2\u0133\u0135\5W,\2\u0134\u0133\3\2\2\2\u0135"+
+    "\u0138\3\2\2\2\u0136\u0134\3\2\2\2\u0136\u0137\3\2\2\2\u0137\u013a\3\2"+
+    "\2\2\u0138\u0136\3\2\2\2\u0139\u0132\3\2\2\2\u0139\u013a\3\2\2\2\u013a"+
+    "\u013b\3\2\2\2\u013b\u013c\5U+\2\u013c\u0146\3\2\2\2\u013d\u013f\5=\37"+
+    "\2\u013e\u0140\5W,\2\u013f\u013e\3\2\2\2\u0140\u0141\3\2\2\2\u0141\u013f"+
+    "\3\2\2\2\u0141\u0142\3\2\2\2\u0142\u0143\3\2\2\2\u0143\u0144\5U+\2\u0144"+
+    "\u0146\3\2\2\2\u0145\u011c\3\2\2\2\u0145\u0127\3\2\2\2\u0145\u012e\3\2"+
+    "\2\2\u0145\u013d\3\2\2\2\u0146R\3\2\2\2\u0147\u014a\5Y-\2\u0148\u014a"+
+    "\t\b\2\2\u0149\u0147\3\2\2\2\u0149\u0148\3\2\2\2\u014a\u0150\3\2\2\2\u014b"+
+    "\u014f\5Y-\2\u014c\u014f\5W,\2\u014d\u014f\7a\2\2\u014e\u014b\3\2\2\2"+
+    "\u014e\u014c\3\2\2\2\u014e\u014d\3\2\2\2\u014f\u0152\3\2\2\2\u0150\u014e"+
+    "\3\2\2\2\u0150\u0151\3\2\2\2\u0151T\3\2\2\2\u0152\u0150\3\2\2\2\u0153"+
+    "\u0155\t\t\2\2\u0154\u0156\t\n\2\2\u0155\u0154\3\2\2\2\u0155\u0156\3\2"+
+    "\2\2\u0156\u0158\3\2\2\2\u0157\u0159\5W,\2\u0158\u0157\3\2\2\2\u0159\u015a"+
+    "\3\2\2\2\u015a\u0158\3\2\2\2\u015a\u015b\3\2\2\2\u015bV\3\2\2\2\u015c"+
+    "\u015d\t\13\2\2\u015dX\3\2\2\2\u015e\u015f\t\f\2\2\u015fZ\3\2\2\2\u0160"+
+    "\u0161\7\61\2\2\u0161\u0162\7\61\2\2\u0162\u0166\3\2\2\2\u0163\u0165\n"+
+    "\r\2\2\u0164\u0163\3\2\2\2\u0165\u0168\3\2\2\2\u0166\u0164\3\2\2\2\u0166"+
+    "\u0167\3\2\2\2\u0167\u016a\3\2\2\2\u0168\u0166\3\2\2\2\u0169\u016b\7\17"+
+    "\2\2\u016a\u0169\3\2\2\2\u016a\u016b\3\2\2\2\u016b\u016d\3\2\2\2\u016c"+
+    "\u016e\7\f\2\2\u016d\u016c\3\2\2\2\u016d\u016e\3\2\2\2\u016e\u016f\3\2"+
+    "\2\2\u016f\u0170\b.\2\2\u0170\\\3\2\2\2\u0171\u0172\7\61\2\2\u0172\u0173"+
+    "\7,\2\2\u0173\u0178\3\2\2\2\u0174\u0177\5]/\2\u0175\u0177\13\2\2\2\u0176"+
+    "\u0174\3\2\2\2\u0176\u0175\3\2\2\2\u0177\u017a\3\2\2\2\u0178\u0179\3\2"+
+    "\2\2\u0178\u0176\3\2\2\2\u0179\u017b\3\2\2\2\u017a\u0178\3\2\2\2\u017b"+
+    "\u017c\7,\2\2\u017c\u017d\7\61\2\2\u017d\u017e\3\2\2\2\u017e\u017f\b/"+
+    "\2\2\u017f^\3\2\2\2\u0180\u0182\t\16\2\2\u0181\u0180\3\2\2\2\u0182\u0183"+
+    "\3\2\2\2\u0183\u0181\3\2\2\2\u0183\u0184\3\2\2\2\u0184\u0185\3\2\2\2\u0185"+
+    "\u0186\b\60\2\2\u0186`\3\2\2\2!\2\u00e3\u00ec\u00ee\u00f6\u00f8\u0102"+
+    "\u0104\u010e\u0110\u0114\u0119\u011e\u0124\u012b\u0130\u0136\u0139\u0141"+
+    "\u0145\u0149\u014e\u0150\u0155\u015a\u0166\u016a\u016d\u0176\u0178\u0183"+
     "\3\2\3\2";
   public static final ATN _ATN =
     new ATNDeserializer().deserialize(_serializedATN.toCharArray());

+ 68 - 68
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlBaseParser.java

@@ -18,11 +18,11 @@ class EqlBaseParser extends Parser {
     new PredictionContextCache();
   public static final int
     AND=1, ANY=2, BY=3, FALSE=4, FORK=5, IN=6, JOIN=7, MAXSPAN=8, NOT=9, NULL=10, 
-    OF=11, OR=12, SEQUENCE=13, TRUE=14, UNTIL=15, WHERE=16, WITH=17, EQ=18, 
-    NEQ=19, LT=20, LTE=21, GT=22, GTE=23, PLUS=24, MINUS=25, ASTERISK=26, 
-    SLASH=27, PERCENT=28, DOT=29, COMMA=30, LB=31, RB=32, LP=33, RP=34, PIPE=35, 
-    ESCAPED_IDENTIFIER=36, STRING=37, INTEGER_VALUE=38, DECIMAL_VALUE=39, 
-    IDENTIFIER=40, LINE_COMMENT=41, BRACKETED_COMMENT=42, WS=43;
+    OF=11, OR=12, SEQUENCE=13, TRUE=14, UNTIL=15, WHERE=16, WITH=17, ASGN=18, 
+    EQ=19, NEQ=20, LT=21, LTE=22, GT=23, GTE=24, PLUS=25, MINUS=26, ASTERISK=27, 
+    SLASH=28, PERCENT=29, DOT=30, COMMA=31, LB=32, RB=33, LP=34, RP=35, PIPE=36, 
+    ESCAPED_IDENTIFIER=37, STRING=38, INTEGER_VALUE=39, DECIMAL_VALUE=40, 
+    IDENTIFIER=41, LINE_COMMENT=42, BRACKETED_COMMENT=43, WS=44;
   public static final int
     RULE_singleStatement = 0, RULE_singleExpression = 1, RULE_statement = 2, 
     RULE_query = 3, RULE_sequenceParams = 4, RULE_sequence = 5, RULE_join = 6, 
@@ -45,14 +45,14 @@ class EqlBaseParser extends Parser {
   private static final String[] _LITERAL_NAMES = {
     null, "'and'", "'any'", "'by'", "'false'", "'fork'", "'in'", "'join'", 
     "'maxspan'", "'not'", "'null'", "'of'", "'or'", "'sequence'", "'true'", 
-    "'until'", "'where'", "'with'", null, "'!='", "'<'", "'<='", "'>'", "'>='", 
-    "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", "']'", "'('", 
-    "')'", "'|'"
+    "'until'", "'where'", "'with'", "'='", "'=='", "'!='", "'<'", "'<='", 
+    "'>'", "'>='", "'+'", "'-'", "'*'", "'/'", "'%'", "'.'", "','", "'['", 
+    "']'", "'('", "')'", "'|'"
   };
   private static final String[] _SYMBOLIC_NAMES = {
     null, "AND", "ANY", "BY", "FALSE", "FORK", "IN", "JOIN", "MAXSPAN", "NOT", 
-    "NULL", "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "EQ", 
-    "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", 
+    "NULL", "OF", "OR", "SEQUENCE", "TRUE", "UNTIL", "WHERE", "WITH", "ASGN", 
+    "EQ", "NEQ", "LT", "LTE", "GT", "GTE", "PLUS", "MINUS", "ASTERISK", "SLASH", 
     "PERCENT", "DOT", "COMMA", "LB", "RB", "LP", "RP", "PIPE", "ESCAPED_IDENTIFIER", 
     "STRING", "INTEGER_VALUE", "DECIMAL_VALUE", "IDENTIFIER", "LINE_COMMENT", 
     "BRACKETED_COMMENT", "WS"
@@ -341,7 +341,7 @@ class EqlBaseParser extends Parser {
   public static class SequenceParamsContext extends ParserRuleContext {
     public TerminalNode WITH() { return getToken(EqlBaseParser.WITH, 0); }
     public TerminalNode MAXSPAN() { return getToken(EqlBaseParser.MAXSPAN, 0); }
-    public TerminalNode EQ() { return getToken(EqlBaseParser.EQ, 0); }
+    public TerminalNode ASGN() { return getToken(EqlBaseParser.ASGN, 0); }
     public TimeUnitContext timeUnit() {
       return getRuleContext(TimeUnitContext.class,0);
     }
@@ -376,7 +376,7 @@ class EqlBaseParser extends Parser {
       setState(77);
       match(MAXSPAN);
       setState(78);
-      match(EQ);
+      match(ASGN);
       setState(79);
       timeUnit();
       }
@@ -2574,7 +2574,7 @@ class EqlBaseParser extends Parser {
   }
 
   public static final String _serializedATN =
-    "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\3-\u0124\4\2\t\2\4"+
+    "\3\u0430\ud6d1\u8206\uad2d\u4417\uaef1\u8d80\uaadd\3.\u0124\4\2\t\2\4"+
     "\3\t\3\4\4\t\4\4\5\t\5\4\6\t\6\4\7\t\7\4\b\t\b\4\t\t\t\4\n\t\n\4\13\t"+
     "\13\4\f\t\f\4\r\t\r\4\16\t\16\4\17\t\17\4\20\t\20\4\21\t\21\4\22\t\22"+
     "\4\23\t\23\4\24\t\24\4\25\t\25\4\26\t\26\4\27\t\27\4\30\t\30\4\31\t\31"+
@@ -2598,13 +2598,13 @@ class EqlBaseParser extends Parser {
     "\u010e\n\32\r\32\16\32\u010f\3\32\7\32\u0113\n\32\f\32\16\32\u0116\13"+
     "\32\3\33\3\33\3\34\3\34\5\34\u011c\n\34\3\35\3\35\5\35\u0120\n\35\3\36"+
     "\3\36\3\36\2\4 $\37\2\4\6\b\n\f\16\20\22\24\26\30\32\34\36 \"$&(*,.\60"+
-    "\62\64\668:\2\7\3\2\32\33\3\2\34\36\3\2\24\31\4\2\6\6\20\20\4\2&&**\u0132"+
-    "\2<\3\2\2\2\4?\3\2\2\2\6B\3\2\2\2\bL\3\2\2\2\nN\3\2\2\2\fS\3\2\2\2\16"+
-    "h\3\2\2\2\20v\3\2\2\2\22\u0082\3\2\2\2\24\u008b\3\2\2\2\26\u008f\3\2\2"+
-    "\2\30\u009a\3\2\2\2\32\u009e\3\2\2\2\34\u00a2\3\2\2\2\36\u00a7\3\2\2\2"+
-    " \u00b0\3\2\2\2\"\u00c2\3\2\2\2$\u00cb\3\2\2\2&\u00d9\3\2\2\2(\u00ee\3"+
-    "\2\2\2*\u00f0\3\2\2\2,\u0102\3\2\2\2.\u0104\3\2\2\2\60\u0106\3\2\2\2\62"+
-    "\u0108\3\2\2\2\64\u0117\3\2\2\2\66\u0119\3\2\2\28\u011f\3\2\2\2:\u0121"+
+    "\62\64\668:\2\7\3\2\33\34\3\2\35\37\3\2\25\32\4\2\6\6\20\20\4\2\'\'++"+
+    "\u0132\2<\3\2\2\2\4?\3\2\2\2\6B\3\2\2\2\bL\3\2\2\2\nN\3\2\2\2\fS\3\2\2"+
+    "\2\16h\3\2\2\2\20v\3\2\2\2\22\u0082\3\2\2\2\24\u008b\3\2\2\2\26\u008f"+
+    "\3\2\2\2\30\u009a\3\2\2\2\32\u009e\3\2\2\2\34\u00a2\3\2\2\2\36\u00a7\3"+
+    "\2\2\2 \u00b0\3\2\2\2\"\u00c2\3\2\2\2$\u00cb\3\2\2\2&\u00d9\3\2\2\2(\u00ee"+
+    "\3\2\2\2*\u00f0\3\2\2\2,\u0102\3\2\2\2.\u0104\3\2\2\2\60\u0106\3\2\2\2"+
+    "\62\u0108\3\2\2\2\64\u0117\3\2\2\2\66\u0119\3\2\2\28\u011f\3\2\2\2:\u0121"+
     "\3\2\2\2<=\5\6\4\2=>\7\2\2\3>\3\3\2\2\2?@\5\36\20\2@A\7\2\2\3A\5\3\2\2"+
     "\2BF\5\b\5\2CE\5\20\t\2DC\3\2\2\2EH\3\2\2\2FD\3\2\2\2FG\3\2\2\2G\7\3\2"+
     "\2\2HF\3\2\2\2IM\5\f\7\2JM\5\16\b\2KM\5\32\16\2LI\3\2\2\2LJ\3\2\2\2LK"+
@@ -2615,63 +2615,63 @@ class EqlBaseParser extends Parser {
     "\3\2\2\2bc\3\2\2\2cf\3\2\2\2de\7\21\2\2eg\5\26\f\2fd\3\2\2\2fg\3\2\2\2"+
     "g\r\3\2\2\2hj\7\t\2\2ik\5\22\n\2ji\3\2\2\2jk\3\2\2\2kl\3\2\2\2ln\5\24"+
     "\13\2mo\5\24\13\2nm\3\2\2\2op\3\2\2\2pn\3\2\2\2pq\3\2\2\2qt\3\2\2\2rs"+
-    "\7\21\2\2su\5\24\13\2tr\3\2\2\2tu\3\2\2\2u\17\3\2\2\2vw\7%\2\2w\u0080"+
-    "\7*\2\2x}\5 \21\2yz\7 \2\2z|\5 \21\2{y\3\2\2\2|\177\3\2\2\2}{\3\2\2\2"+
+    "\7\21\2\2su\5\24\13\2tr\3\2\2\2tu\3\2\2\2u\17\3\2\2\2vw\7&\2\2w\u0080"+
+    "\7+\2\2x}\5 \21\2yz\7!\2\2z|\5 \21\2{y\3\2\2\2|\177\3\2\2\2}{\3\2\2\2"+
     "}~\3\2\2\2~\u0081\3\2\2\2\177}\3\2\2\2\u0080x\3\2\2\2\u0080\u0081\3\2"+
     "\2\2\u0081\21\3\2\2\2\u0082\u0083\7\5\2\2\u0083\u0088\5\36\20\2\u0084"+
-    "\u0085\7 \2\2\u0085\u0087\5\36\20\2\u0086\u0084\3\2\2\2\u0087\u008a\3"+
+    "\u0085\7!\2\2\u0085\u0087\5\36\20\2\u0086\u0084\3\2\2\2\u0087\u008a\3"+
     "\2\2\2\u0088\u0086\3\2\2\2\u0088\u0089\3\2\2\2\u0089\23\3\2\2\2\u008a"+
     "\u0088\3\2\2\2\u008b\u008d\5\30\r\2\u008c\u008e\5\22\n\2\u008d\u008c\3"+
     "\2\2\2\u008d\u008e\3\2\2\2\u008e\25\3\2\2\2\u008f\u0095\5\30\r\2\u0090"+
-    "\u0093\7\7\2\2\u0091\u0092\7\24\2\2\u0092\u0094\5\60\31\2\u0093\u0091"+
+    "\u0093\7\7\2\2\u0091\u0092\7\25\2\2\u0092\u0094\5\60\31\2\u0093\u0091"+
     "\3\2\2\2\u0093\u0094\3\2\2\2\u0094\u0096\3\2\2\2\u0095\u0090\3\2\2\2\u0095"+
     "\u0096\3\2\2\2\u0096\u0098\3\2\2\2\u0097\u0099\5\22\n\2\u0098\u0097\3"+
-    "\2\2\2\u0098\u0099\3\2\2\2\u0099\27\3\2\2\2\u009a\u009b\7!\2\2\u009b\u009c"+
-    "\5\34\17\2\u009c\u009d\7\"\2\2\u009d\31\3\2\2\2\u009e\u009f\5\34\17\2"+
-    "\u009f\33\3\2\2\2\u00a0\u00a3\7\4\2\2\u00a1\u00a3\5\64\33\2\u00a2\u00a0"+
-    "\3\2\2\2\u00a2\u00a1\3\2\2\2\u00a3\u00a4\3\2\2\2\u00a4\u00a5\7\22\2\2"+
-    "\u00a5\u00a6\5\36\20\2\u00a6\35\3\2\2\2\u00a7\u00a8\5 \21\2\u00a8\37\3"+
-    "\2\2\2\u00a9\u00aa\b\21\1\2\u00aa\u00ab\7\13\2\2\u00ab\u00b1\5 \21\7\u00ac"+
-    "\u00ad\7*\2\2\u00ad\u00ae\7\r\2\2\u00ae\u00b1\5\30\r\2\u00af\u00b1\5\""+
-    "\22\2\u00b0\u00a9\3\2\2\2\u00b0\u00ac\3\2\2\2\u00b0\u00af\3\2\2\2\u00b1"+
-    "\u00ba\3\2\2\2\u00b2\u00b3\f\4\2\2\u00b3\u00b4\7\3\2\2\u00b4\u00b9\5 "+
-    "\21\5\u00b5\u00b6\f\3\2\2\u00b6\u00b7\7\16\2\2\u00b7\u00b9\5 \21\4\u00b8"+
-    "\u00b2\3\2\2\2\u00b8\u00b5\3\2\2\2\u00b9\u00bc\3\2\2\2\u00ba\u00b8\3\2"+
-    "\2\2\u00ba\u00bb\3\2\2\2\u00bb!\3\2\2\2\u00bc\u00ba\3\2\2\2\u00bd\u00c3"+
-    "\5$\23\2\u00be\u00bf\5$\23\2\u00bf\u00c0\5.\30\2\u00c0\u00c1\5$\23\2\u00c1"+
-    "\u00c3\3\2\2\2\u00c2\u00bd\3\2\2\2\u00c2\u00be\3\2\2\2\u00c3#\3\2\2\2"+
-    "\u00c4\u00c5\b\23\1\2\u00c5\u00c7\5(\25\2\u00c6\u00c8\5&\24\2\u00c7\u00c6"+
-    "\3\2\2\2\u00c7\u00c8\3\2\2\2\u00c8\u00cc\3\2\2\2\u00c9\u00ca\t\2\2\2\u00ca"+
-    "\u00cc\5$\23\5\u00cb\u00c4\3\2\2\2\u00cb\u00c9\3\2\2\2\u00cc\u00d5\3\2"+
-    "\2\2\u00cd\u00ce\f\4\2\2\u00ce\u00cf\t\3\2\2\u00cf\u00d4\5$\23\5\u00d0"+
-    "\u00d1\f\3\2\2\u00d1\u00d2\t\2\2\2\u00d2\u00d4\5$\23\4\u00d3\u00cd\3\2"+
-    "\2\2\u00d3\u00d0\3\2\2\2\u00d4\u00d7\3\2\2\2\u00d5\u00d3\3\2\2\2\u00d5"+
-    "\u00d6\3\2\2\2\u00d6%\3\2\2\2\u00d7\u00d5\3\2\2\2\u00d8\u00da\7\13\2\2"+
-    "\u00d9\u00d8\3\2\2\2\u00d9\u00da\3\2\2\2\u00da\u00db\3\2\2\2\u00db\u00dc"+
-    "\7\b\2\2\u00dc\u00dd\7#\2\2\u00dd\u00e2\5\36\20\2\u00de\u00df\7 \2\2\u00df"+
-    "\u00e1\5\36\20\2\u00e0\u00de\3\2\2\2\u00e1\u00e4\3\2\2\2\u00e2\u00e0\3"+
-    "\2\2\2\u00e2\u00e3\3\2\2\2\u00e3\u00e5\3\2\2\2\u00e4\u00e2\3\2\2\2\u00e5"+
-    "\u00e6\7$\2\2\u00e6\'\3\2\2\2\u00e7\u00ef\5,\27\2\u00e8\u00ef\5*\26\2"+
-    "\u00e9\u00ef\5\62\32\2\u00ea\u00eb\7#\2\2\u00eb\u00ec\5\36\20\2\u00ec"+
-    "\u00ed\7$\2\2\u00ed\u00ef\3\2\2\2\u00ee\u00e7\3\2\2\2\u00ee\u00e8\3\2"+
-    "\2\2\u00ee\u00e9\3\2\2\2\u00ee\u00ea\3\2\2\2\u00ef)\3\2\2\2\u00f0\u00f1"+
-    "\7*\2\2\u00f1\u00fa\7#\2\2\u00f2\u00f7\5\36\20\2\u00f3\u00f4\7 \2\2\u00f4"+
-    "\u00f6\5\36\20\2\u00f5\u00f3\3\2\2\2\u00f6\u00f9\3\2\2\2\u00f7\u00f5\3"+
-    "\2\2\2\u00f7\u00f8\3\2\2\2\u00f8\u00fb\3\2\2\2\u00f9\u00f7\3\2\2\2\u00fa"+
-    "\u00f2\3\2\2\2\u00fa\u00fb\3\2\2\2\u00fb\u00fc\3\2\2\2\u00fc\u00fd\7$"+
-    "\2\2\u00fd+\3\2\2\2\u00fe\u0103\7\f\2\2\u00ff\u0103\58\35\2\u0100\u0103"+
-    "\5\60\31\2\u0101\u0103\5:\36\2\u0102\u00fe\3\2\2\2\u0102\u00ff\3\2\2\2"+
-    "\u0102\u0100\3\2\2\2\u0102\u0101\3\2\2\2\u0103-\3\2\2\2\u0104\u0105\t"+
-    "\4\2\2\u0105/\3\2\2\2\u0106\u0107\t\5\2\2\u0107\61\3\2\2\2\u0108\u0114"+
-    "\5\64\33\2\u0109\u010a\7\37\2\2\u010a\u0113\5\64\33\2\u010b\u010d\7!\2"+
-    "\2\u010c\u010e\7(\2\2\u010d\u010c\3\2\2\2\u010e\u010f\3\2\2\2\u010f\u010d"+
-    "\3\2\2\2\u010f\u0110\3\2\2\2\u0110\u0111\3\2\2\2\u0111\u0113\7\"\2\2\u0112"+
+    "\2\2\2\u0098\u0099\3\2\2\2\u0099\27\3\2\2\2\u009a\u009b\7\"\2\2\u009b"+
+    "\u009c\5\34\17\2\u009c\u009d\7#\2\2\u009d\31\3\2\2\2\u009e\u009f\5\34"+
+    "\17\2\u009f\33\3\2\2\2\u00a0\u00a3\7\4\2\2\u00a1\u00a3\5\64\33\2\u00a2"+
+    "\u00a0\3\2\2\2\u00a2\u00a1\3\2\2\2\u00a3\u00a4\3\2\2\2\u00a4\u00a5\7\22"+
+    "\2\2\u00a5\u00a6\5\36\20\2\u00a6\35\3\2\2\2\u00a7\u00a8\5 \21\2\u00a8"+
+    "\37\3\2\2\2\u00a9\u00aa\b\21\1\2\u00aa\u00ab\7\13\2\2\u00ab\u00b1\5 \21"+
+    "\7\u00ac\u00ad\7+\2\2\u00ad\u00ae\7\r\2\2\u00ae\u00b1\5\30\r\2\u00af\u00b1"+
+    "\5\"\22\2\u00b0\u00a9\3\2\2\2\u00b0\u00ac\3\2\2\2\u00b0\u00af\3\2\2\2"+
+    "\u00b1\u00ba\3\2\2\2\u00b2\u00b3\f\4\2\2\u00b3\u00b4\7\3\2\2\u00b4\u00b9"+
+    "\5 \21\5\u00b5\u00b6\f\3\2\2\u00b6\u00b7\7\16\2\2\u00b7\u00b9\5 \21\4"+
+    "\u00b8\u00b2\3\2\2\2\u00b8\u00b5\3\2\2\2\u00b9\u00bc\3\2\2\2\u00ba\u00b8"+
+    "\3\2\2\2\u00ba\u00bb\3\2\2\2\u00bb!\3\2\2\2\u00bc\u00ba\3\2\2\2\u00bd"+
+    "\u00c3\5$\23\2\u00be\u00bf\5$\23\2\u00bf\u00c0\5.\30\2\u00c0\u00c1\5$"+
+    "\23\2\u00c1\u00c3\3\2\2\2\u00c2\u00bd\3\2\2\2\u00c2\u00be\3\2\2\2\u00c3"+
+    "#\3\2\2\2\u00c4\u00c5\b\23\1\2\u00c5\u00c7\5(\25\2\u00c6\u00c8\5&\24\2"+
+    "\u00c7\u00c6\3\2\2\2\u00c7\u00c8\3\2\2\2\u00c8\u00cc\3\2\2\2\u00c9\u00ca"+
+    "\t\2\2\2\u00ca\u00cc\5$\23\5\u00cb\u00c4\3\2\2\2\u00cb\u00c9\3\2\2\2\u00cc"+
+    "\u00d5\3\2\2\2\u00cd\u00ce\f\4\2\2\u00ce\u00cf\t\3\2\2\u00cf\u00d4\5$"+
+    "\23\5\u00d0\u00d1\f\3\2\2\u00d1\u00d2\t\2\2\2\u00d2\u00d4\5$\23\4\u00d3"+
+    "\u00cd\3\2\2\2\u00d3\u00d0\3\2\2\2\u00d4\u00d7\3\2\2\2\u00d5\u00d3\3\2"+
+    "\2\2\u00d5\u00d6\3\2\2\2\u00d6%\3\2\2\2\u00d7\u00d5\3\2\2\2\u00d8\u00da"+
+    "\7\13\2\2\u00d9\u00d8\3\2\2\2\u00d9\u00da\3\2\2\2\u00da\u00db\3\2\2\2"+
+    "\u00db\u00dc\7\b\2\2\u00dc\u00dd\7$\2\2\u00dd\u00e2\5\36\20\2\u00de\u00df"+
+    "\7!\2\2\u00df\u00e1\5\36\20\2\u00e0\u00de\3\2\2\2\u00e1\u00e4\3\2\2\2"+
+    "\u00e2\u00e0\3\2\2\2\u00e2\u00e3\3\2\2\2\u00e3\u00e5\3\2\2\2\u00e4\u00e2"+
+    "\3\2\2\2\u00e5\u00e6\7%\2\2\u00e6\'\3\2\2\2\u00e7\u00ef\5,\27\2\u00e8"+
+    "\u00ef\5*\26\2\u00e9\u00ef\5\62\32\2\u00ea\u00eb\7$\2\2\u00eb\u00ec\5"+
+    "\36\20\2\u00ec\u00ed\7%\2\2\u00ed\u00ef\3\2\2\2\u00ee\u00e7\3\2\2\2\u00ee"+
+    "\u00e8\3\2\2\2\u00ee\u00e9\3\2\2\2\u00ee\u00ea\3\2\2\2\u00ef)\3\2\2\2"+
+    "\u00f0\u00f1\7+\2\2\u00f1\u00fa\7$\2\2\u00f2\u00f7\5\36\20\2\u00f3\u00f4"+
+    "\7!\2\2\u00f4\u00f6\5\36\20\2\u00f5\u00f3\3\2\2\2\u00f6\u00f9\3\2\2\2"+
+    "\u00f7\u00f5\3\2\2\2\u00f7\u00f8\3\2\2\2\u00f8\u00fb\3\2\2\2\u00f9\u00f7"+
+    "\3\2\2\2\u00fa\u00f2\3\2\2\2\u00fa\u00fb\3\2\2\2\u00fb\u00fc\3\2\2\2\u00fc"+
+    "\u00fd\7%\2\2\u00fd+\3\2\2\2\u00fe\u0103\7\f\2\2\u00ff\u0103\58\35\2\u0100"+
+    "\u0103\5\60\31\2\u0101\u0103\5:\36\2\u0102\u00fe\3\2\2\2\u0102\u00ff\3"+
+    "\2\2\2\u0102\u0100\3\2\2\2\u0102\u0101\3\2\2\2\u0103-\3\2\2\2\u0104\u0105"+
+    "\t\4\2\2\u0105/\3\2\2\2\u0106\u0107\t\5\2\2\u0107\61\3\2\2\2\u0108\u0114"+
+    "\5\64\33\2\u0109\u010a\7 \2\2\u010a\u0113\5\64\33\2\u010b\u010d\7\"\2"+
+    "\2\u010c\u010e\7)\2\2\u010d\u010c\3\2\2\2\u010e\u010f\3\2\2\2\u010f\u010d"+
+    "\3\2\2\2\u010f\u0110\3\2\2\2\u0110\u0111\3\2\2\2\u0111\u0113\7#\2\2\u0112"+
     "\u0109\3\2\2\2\u0112\u010b\3\2\2\2\u0113\u0116\3\2\2\2\u0114\u0112\3\2"+
     "\2\2\u0114\u0115\3\2\2\2\u0115\63\3\2\2\2\u0116\u0114\3\2\2\2\u0117\u0118"+
-    "\t\6\2\2\u0118\65\3\2\2\2\u0119\u011b\58\35\2\u011a\u011c\7*\2\2\u011b"+
-    "\u011a\3\2\2\2\u011b\u011c\3\2\2\2\u011c\67\3\2\2\2\u011d\u0120\7)\2\2"+
-    "\u011e\u0120\7(\2\2\u011f\u011d\3\2\2\2\u011f\u011e\3\2\2\2\u01209\3\2"+
-    "\2\2\u0121\u0122\7\'\2\2\u0122;\3\2\2\2\'FLVZ\\bfjpt}\u0080\u0088\u008d"+
+    "\t\6\2\2\u0118\65\3\2\2\2\u0119\u011b\58\35\2\u011a\u011c\7+\2\2\u011b"+
+    "\u011a\3\2\2\2\u011b\u011c\3\2\2\2\u011c\67\3\2\2\2\u011d\u0120\7*\2\2"+
+    "\u011e\u0120\7)\2\2\u011f\u011d\3\2\2\2\u011f\u011e\3\2\2\2\u01209\3\2"+
+    "\2\2\u0121\u0122\7(\2\2\u0122;\3\2\2\2\'FLVZ\\bfjpt}\u0080\u0088\u008d"+
     "\u0093\u0095\u0098\u00a2\u00b0\u00b8\u00ba\u00c2\u00c7\u00cb\u00d3\u00d5"+
     "\u00d9\u00e2\u00ee\u00f7\u00fa\u0102\u010f\u0112\u0114\u011b\u011f";
   public static final ATN _ATN =

+ 7 - 7
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/analysis/VerifierTests.java

@@ -90,11 +90,11 @@ public class VerifierTests extends ESTestCase {
 
     public void testProcessRelationshipsUnsupported() {
         assertEquals("2:7: Process relationships are not supported",
-                errorParsing("process where opcode=1 and process_name == \"csrss.exe\"\n" +
-                        "  and descendant of [file where file_name == \"csrss.exe\" and opcode=0]"));
+                errorParsing("process where opcode==1 and process_name == \"csrss.exe\"\n" +
+                        "  and descendant of [file where file_name == \"csrss.exe\" and opcode==0]"));
         assertEquals("2:7: Process relationships are not supported",
-                errorParsing("process where process_name=\"svchost.exe\"\n" +
-                        "  and child of [file where file_name=\"svchost.exe\" and opcode=0]"));
+                errorParsing("process where process_name==\"svchost.exe\"\n" +
+                        "  and child of [file where file_name=\"svchost.exe\" and opcode==0]"));
     }
 
     // Some functions fail with "Unsupported" message at the parse stage
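Review bot: The second query in testProcessRelationshipsUnsupported still carries a single `=` comparison: `file_name=\"svchost.exe\"` on the `child of` line was not converted, while every other comparison in this hunk became `==`. Since this commit stops accepting `=` for equality, that query is now invalid for two separate reasons. The assertion presumably still holds only because the "Process relationships are not supported" error at 2:7 is reported before the stray `=` is reached; that ordering is not visible in this hunk. Change the fragment to `file_name==\"svchost.exe\"` so the test exercises only the unsupported-relationship path and does not depend on which error wins.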
@@ -122,10 +122,10 @@ public class VerifierTests extends ESTestCase {
     // Test valid/supported queries
     public void testQueryOk() {
         // Mismatched type, still ok
-        accept("process where serial_event_id = \"abcdef\"");
+        accept("process where serial_event_id == \"abcdef\"");
 
         // Equals condition
-        accept("process where serial_event_id = 1");
+        accept("process where serial_event_id == 1");
 
         // Less then condition
         accept("process where serial_event_id < 4");
@@ -136,7 +136,7 @@ public class VerifierTests extends ESTestCase {
 
         // Or and And/And Not
         accept("process where process_name == \"impossible name\" or (serial_event_id < 4.5 and serial_event_id >= 3.1)");
-        accept("process where (serial_event_id<=8 and not serial_event_id > 7) and (opcode=3 and opcode>2)");
+        accept("process where (serial_event_id<=8 and not serial_event_id > 7) and (opcode==3 and opcode>2)");
 
         // In statement
         accept("process where not (exit_code > -1)\n" +

+ 8 - 5
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/ExpressionTests.java

@@ -85,8 +85,8 @@ public class ExpressionTests extends ESTestCase {
         ParsingException e = expectThrows(ParsingException.class, () -> expr("'hello world'"));
         assertEquals("line 1:2: Use double quotes [\"] to define string literals, not single quotes [']",
                 e.getMessage());
-        e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name='hello world'"));
-        assertEquals("line 1:21: Use double quotes [\"] to define string literals, not single quotes [']",
+        e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name=='hello world'"));
+        assertEquals("line 1:22: Use double quotes [\"] to define string literals, not single quotes [']",
                 e.getMessage());
     }
 
@@ -101,8 +101,8 @@ public class ExpressionTests extends ESTestCase {
         ParsingException e = expectThrows(ParsingException.class, () -> expr("?'hello world'"));
         assertEquals("line 1:2: Use double quotes [\"] to define string literals, not single quotes [']",
                 e.getMessage());
-        e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name=?'hello world'"));
-        assertEquals("line 1:21: Use double quotes [\"] to define string literals, not single quotes [']",
+        e = expectThrows(ParsingException.class, () -> parser.createStatement("process where name==?'hello world'"));
+        assertEquals("line 1:22: Use double quotes [\"] to define string literals, not single quotes [']",
                 e.getMessage());
     }
 
@@ -160,6 +160,9 @@ public class ExpressionTests extends ESTestCase {
         assertEquals(new GreaterThanOrEqual(null, field, value, UTC), expr(fieldText + ">=" + valueText));
         assertEquals(new GreaterThan(null, field, value, UTC), expr(fieldText + ">" + valueText));
         assertEquals(new LessThan(null, field, value, UTC), expr(fieldText + "<" + valueText));
+
+        expectThrows(ParsingException.class, "Expected syntax error",
+                () -> expr(fieldText + "=" + valueText));
     }
 
     public void testBoolean() {
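Review bot: The new negative check for `=` asserts only the exception type, so any ParsingException thrown by `expr(fieldText + "=" + valueText)` satisfies it, including one unrelated to the operator. The string `"Expected syntax error"` is the message printed when nothing is thrown, not a check on the exception itself. Capture the exception as the neighbouring tests do, `ParsingException e = expectThrows(ParsingException.class, () -> expr(fieldText + "=" + valueText));`, and assert that its message and position point at the `=` token. Saved queries that still use `=` will hit this error after the change, so its text is worth pinning. The enclosing test method starts outside the hunk.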
@@ -247,7 +250,7 @@ public class ExpressionTests extends ESTestCase {
         String secondComparator = "";
         StringBuilder sb = new StringBuilder("a ");
         for (int i = 0 ; i < noComparisions; i++) {
-            String comparator = randomFrom("=", "==", "!=", "<", "<=", ">", ">=");
+            String comparator = randomFrom("==", "!=", "<", "<=", ">", ">=");
             sb.append(comparator).append(" a ");
 
             if (i == 0) {

+ 1 - 0
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/parser/GrammarTests.java

@@ -36,6 +36,7 @@ public class GrammarTests extends ESTestCase {
             parser.createStatement(q);
         }
     }
+
     public void testUnsupportedQueries() throws Exception {
         EqlParser parser = new EqlParser();
         List<Tuple<String, Integer>> lines = readQueries("/queries-unsupported.eql");

+ 5 - 5
x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/stats/VerifierMetricsTests.java

@@ -52,8 +52,8 @@ public class VerifierMetricsTests extends ESTestCase {
     
     public void testSequenceQuery() {
         Counters c = eql("sequence\r\n" +
-            "  [process where serial_event_id = 1]\r\n" +
-            "  [process where serial_event_id = 2]");
+            "  [process where serial_event_id == 1]\r\n" +
+            "  [process where serial_event_id == 2]");
         assertCounters(c, Set.of(SEQUENCE, PIPE_HEAD, SEQUENCE_QUERIES_TWO));
     }
 
@@ -83,7 +83,7 @@ public class VerifierMetricsTests extends ESTestCase {
             "  [process where opcode == 1] by user\r\n" +
             "  [process where opcode == 2] by user\r\n" +
             "  [file where parent_process_name == \"file_delete_event\"] by exit_code\r\n" +
-            "until [process where opcode=1] by ppid\r\n" +
+            "until [process where opcode==1] by ppid\r\n" +
             "| head 4\r\n" +
             "| tail 2");
         assertCounters(c, Set.of(SEQUENCE, PIPE_HEAD, PIPE_TAIL, SEQUENCE_MAXSPAN, SEQUENCE_UNTIL, SEQUENCE_QUERIES_FOUR, JOIN_KEYS_ONE));
@@ -93,7 +93,7 @@ public class VerifierMetricsTests extends ESTestCase {
         Counters c = eql("sequence with maxspan=1d\r\n" +
             "  [process where serial_event_id < 4] by exit_code\r\n" +
             "  [process where opcode == 1] by user\r\n" +
-            "until [process where opcode=1] by ppid\r\n" +
+            "until [process where opcode==1] by ppid\r\n" +
             "| head 4\r\n" +
             "| tail 2");
         assertCounters(c, Set.of(SEQUENCE, PIPE_HEAD, PIPE_TAIL, SEQUENCE_MAXSPAN, SEQUENCE_UNTIL, SEQUENCE_QUERIES_TWO, JOIN_KEYS_ONE));
@@ -203,4 +203,4 @@ public class VerifierMetricsTests extends ESTestCase {
             return this.metrics[metric.ordinal()];
         }
     }
-}
+}

+ 75 - 75
x-pack/plugin/eql/src/test/resources/queries-supported.eql

@@ -67,9 +67,9 @@ network where a * (b + c * d) + e / f == g + h + i;
 
 process where pid == 4 or pid == 5 or pid == 6 or pid == 7 or pid == 8;
 
-network where pid == 0 or pid == 4 or (ppid == 0 or ppid = 4) or (abc == defgh) and process_name == "*" ;
+network where pid == 0 or pid == 4 or (ppid == 0 or ppid == 4) or (abc == defgh) and process_name == "*" ;
 
-network where pid = 4;
+network where pid == 4;
 
 
 registry where a.b;
@@ -86,7 +86,7 @@ process where a > 100000000000000000000000000000000;
 /* TESTS FROM
  * https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_queries.toml
  */
-process where serial_event_id = 1;
+process where serial_event_id == 1;
 
 process where serial_event_id < 4;
 
@@ -122,7 +122,7 @@ process where 0 < exit_code;
 
 process where 0 > exit_code;
 
-process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2);
+process where (serial_event_id<=8 and serial_event_id > 7) and (opcode==3 and opcode>2);
 
 process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid);
 
@@ -133,16 +133,16 @@ registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F
 process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4);
 
 
-file where file_path="*\\red_ttp\\winin*.*"
-  and opcode in (0,1,2) and user_name="vagrant"
+file where file_path=="*\\red_ttp\\winin*.*"
+  and opcode in (0,1,2) and user_name=="vagrant"
 ;
 
-file where file_path="*\\red_ttp\\winin*.*"
-  and opcode not in (0,1,2) and user_name="vagrant"
+file where file_path=="*\\red_ttp\\winin*.*"
+  and opcode not in (0,1,2) and user_name=="vagrant"
 ;
 
-file where file_path="*\\red_ttp\\winin*.*"
-  and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant"
+file where file_path=="*\\red_ttp\\winin*.*"
+  and opcode not in (3, 4, 5, 6 ,7) and user_name=="vagrant"
 ;
 
 file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2
@@ -169,7 +169,7 @@ process where opcode == 1
 
 
 
-process where process_name = "python.exe";
+process where process_name == "python.exe";
 
 process where command_line == "*%*" ;
 
@@ -193,51 +193,51 @@ process where match(?".*?net1\s+\w{4,15}\s+.*?", command_line)
 process where match(?".*?net1\s+[localgrup]{4,15}\s+.*?", command_line)
 ;
 
-file where opcode=0 and startsWith(file_name, "exploRER.")
+file where opcode==0 and startsWith(file_name, "exploRER.")
 ;
 
-file where opcode=0 and startsWith(file_name, "expLORER.exe")
+file where opcode==0 and startsWith(file_name, "expLORER.exe")
 ;
 
-file where opcode=0 and endsWith(file_name, "loREr.exe");
+file where opcode==0 and endsWith(file_name, "loREr.exe");
 
-file where opcode=0 and startsWith(file_name, "explORER.EXE");
+file where opcode==0 and startsWith(file_name, "explORER.EXE");
 
-file where opcode=0 and startsWith("explorer.exeaaaaaaaa", file_name);
+file where opcode==0 and startsWith("explorer.exeaaaaaaaa", file_name);
 
-file where opcode=0 and serial_event_id = 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe");
+file where opcode==0 and serial_event_id == 88 and startsWith("explorer.exeaAAAA", "EXPLORER.exe");
 
-file where opcode=0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name)
+file where opcode==0 and stringContains("ABCDEFGHIexplorer.exeJKLMNOP", file_name)
 ;
 
-file where opcode=0 and indexOf(file_name, "plore") == 2 and not indexOf(file_name, ".pf")
+file where opcode==0 and indexOf(file_name, "plore") == 2 and not indexOf(file_name, ".pf")
 ;
 
-file where opcode=0 and indexOf(file_name, "explorer.") and indexOf(file_name, "plore", 100)
+file where opcode==0 and indexOf(file_name, "explorer.") and indexOf(file_name, "plore", 100)
 ;
 
-file where opcode=0 and indexOf(file_name, "plorer.", 0) == 2;
+file where opcode==0 and indexOf(file_name, "plorer.", 0) == 2;
 
-file where opcode=0 and indexOf(file_name, "plorer.", 2);
+file where opcode==0 and indexOf(file_name, "plorer.", 2);
 
-file where opcode=0 and indexOf(file_name, "plorer.", 4);
+file where opcode==0 and indexOf(file_name, "plorer.", 4);
 
-file where opcode=0 and indexOf(file_name, "thing that never happened");
+file where opcode==0 and indexOf(file_name, "thing that never happened");
 
-file where opcode=0 and indexOf(file_name, "plorer.", 2) == 2;
+file where opcode==0 and indexOf(file_name, "plorer.", 2) == 2;
 
-file where opcode=0 and indexOf(file_name, "explorer.", 0) == 0;
+file where opcode==0 and indexOf(file_name, "explorer.", 0) == 0;
 
-file where serial_event_id=88 and substring(file_name, 0, 4) == "expl"
+file where serial_event_id==88 and substring(file_name, 0, 4) == "expl"
 ;
 
-file where serial_event_id=88 and substring(file_name, 1, 3) == "xp"
+file where serial_event_id==88 and substring(file_name, 1, 3) == "xp"
 ;
 
-file where serial_event_id=88 and substring(file_name, -4) == ".exe"
+file where serial_event_id==88 and substring(file_name, -4) == ".exe"
 ;
 
-file where serial_event_id=88 and substring(file_name, -4, -1) == ".ex"
+file where serial_event_id==88 and substring(file_name, -4, -1) == ".ex"
 ;
 
 process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id;
@@ -377,38 +377,38 @@ join
 ;
 
 join by user_name
-  [process where opcode in (1,3) and process_name="smss.exe"]
+  [process where opcode in (1,3) and process_name=="smss.exe"]
   [process where opcode in (1,3) and process_name == "python.exe"]
 ;
 
 join by unique_pid
-  [process where opcode=1]
-  [file where opcode=0 and file_name="svchost.exe"]
+  [process where opcode==1]
+  [file where opcode==0 and file_name=="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
 ;
 
 join by unique_pid
-  [process where opcode=1]
-  [file where opcode=0 and file_name="svchost.exe"]
+  [process where opcode==1]
+  [file where opcode==0 and file_name=="svchost.exe"]
   [file where opcode == 0 and file_name == "lsass.exe"]
 until [file where opcode == 2];
 
 join
-  [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+  [file where opcode==0 and file_name=="svchost.exe"] by unique_pid
   [process where opcode == 1] by unique_ppid
 ;
 
 join by unique_pid
-  [process where opcode in (1,3) and process_name="python.exe"]
+  [process where opcode in (1,3) and process_name=="python.exe"]
   [file where file_name == "*.exe"];
 
 join by user_name
-  [process where opcode in (1,3) and process_name="python.exe"]
+  [process where opcode in (1,3) and process_name=="python.exe"]
   [process where opcode in (1,3) and process_name == "smss.exe"]
 ;
 
 join
-  [process where opcode in (1,3) and process_name="python.exe"]
+  [process where opcode in (1,3) and process_name=="python.exe"]
   [process where opcode in (1,3) and process_name == "smss.exe"]
 ;
 
@@ -425,12 +425,12 @@ sequence by user_name
 ;
 
 sequence with maxspan=30s
-  [network where destination_port==3389 and event_subtype_full="*_accept_event*"]
+  [network where destination_port==3389 and event_subtype_full=="*_accept_event*"]
   [security where event_id in (4624, 4625) and logon_type == 10]
 ;
 
 sequence with maxspan=30s
-  [network where destination_port==3389 and event_subtype_full="*_accept_event"] by source_address
+  [network where destination_port==3389 and event_subtype_full=="*_accept_event"] by source_address
   [security where event_id in (4624, 4625) and logon_type == 10] by ip_address
 ;
 
@@ -492,17 +492,17 @@ until [process where 1] by e,f
 ;
 
 sequence
-  [process where serial_event_id = 1]
-  [process where serial_event_id = 2]
+  [process where serial_event_id == 1]
+  [process where serial_event_id == 2]
 ;
 
 sequence
   [process where serial_event_id < 5]
-  [process where serial_event_id = 5]
+  [process where serial_event_id == 5]
 ;
 
 sequence
-  [process where serial_event_id=1] by unique_pid
+  [process where serial_event_id==1] by unique_pid
   [process where true] by unique_ppid;
 
 sequence
@@ -516,33 +516,33 @@ sequence
 ;
 
 sequence
-  [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+  [file where opcode==0 and file_name=="svchost.exe"] by unique_pid
   [process where opcode == 1] by unique_ppid
 ;
 
 sequence
-  [file where file_name="lsass.exe"] by file_path,process_path
+  [file where file_name=="lsass.exe"] by file_path,process_path
   [process where true] by process_path,parent_process_path
 ;
 
 sequence by user_name
-  [file where file_name="lsass.exe"] by file_path, process_path
+  [file where file_name=="lsass.exe"] by file_path, process_path
   [process where true] by process_path, parent_process_path
 ;
 
 sequence by pid
-  [file where file_name="lsass.exe"] by file_path,process_path
+  [file where file_name=="lsass.exe"] by file_path,process_path
   [process where true] by process_path,parent_process_path
 ;
 
 sequence by user_name
-  [file where opcode=0] by pid,file_path
-  [file where opcode=2] by pid,file_path
-until [process where opcode=2] by ppid,process_path
+  [file where opcode==0] by pid,file_path
+  [file where opcode==2] by pid,file_path
+until [process where opcode==2] by ppid,process_path
 ;
 
 sequence by unique_pid 
-    [process where opcode=1 and process_name == "msbuild.exe"]
+    [process where opcode==1 and process_name == "msbuild.exe"]
     [network where true]
 ;
 
@@ -602,8 +602,8 @@ sequence
 
 
 sequence
-  [file where opcode=0] by unique_pid
-  [file where opcode=0] by unique_pid
+  [file where opcode==0] by unique_pid
+  [file where opcode==0] by unique_pid
 | head 1;
 
 
@@ -640,41 +640,41 @@ sequence with maxspan=10s
 | tail 2;
 
 sequence
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-until [process where opcode=5000] by unique_ppid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+until [process where opcode==5000] by unique_ppid
 | head 1;
 
 sequence
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-until [process where opcode=1] by unique_ppid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+until [process where opcode==1] by unique_ppid
 | head 1;
 
 join
-  [file where opcode=0 and file_name="*.exe"] by unique_pid
-  [file where opcode=2 and file_name="*.exe"] by unique_pid
-until [process where opcode=1] by unique_ppid
+  [file where opcode==0 and file_name=="*.exe"] by unique_pid
+  [file where opcode==2 and file_name=="*.exe"] by unique_pid
+until [process where opcode==1] by unique_ppid
 | head 1;
 
 sequence by user_name
-  [file where opcode=0] by file_path
-  [process where opcode=1] by process_path
-  [process where opcode=2] by process_path
-  [file where opcode=2] by file_path
+  [file where opcode==0] by file_path
+  [process where opcode==1] by process_path
+  [process where opcode==2] by process_path
+  [file where opcode==2] by file_path
 | tail 1;
 
 sequence by user_name
-  [file where opcode=0] by pid,file_path
-  [file where opcode=2] by pid,file_path
-until [process where opcode=5] by ppid,process_path
+  [file where opcode==0] by pid,file_path
+  [file where opcode==2] by pid,file_path
+until [process where opcode==5] by ppid,process_path
 | head 2;
 
 sequence by pid
-  [file where opcode=0] by file_path
-  [process where opcode=1] by process_path
-  [process where opcode=2] by process_path
-  [file where opcode=2] by file_path
+  [file where opcode==0] by file_path
+  [process where opcode==1] by process_path
+  [process where opcode==2] by process_path
+  [file where opcode==2] by file_path
 | tail 1;
 
 join by user_name

+ 29 - 29
x-pack/plugin/eql/src/test/resources/queries-unsupported.eql

@@ -73,27 +73,27 @@ file where descendant of [registry where true];
 
 //sequence by unique_pid [process where true] [file where true] fork;
 
-sequence by unique_pid [process where true] [file where true] fork=true;
+sequence by unique_pid [process where true] [file where true] fork==true;
 
 // no longer supported
-//sequence by unique_pid [process where true] [file where true] fork=1;
+//sequence by unique_pid [process where true] [file where true] fork==1;
 
 sequence
   [process where true] by unique_pid
-  [file where true] fork=true by unique_pid
+  [file where true] fork==true by unique_pid
   [process where true] by unique_ppid
 | head 4;
 
-sequence by unique_pid [process where true] [file where true] fork=false;
+sequence by unique_pid [process where true] [file where true] fork==false;
 
 // no longer supported
-// sequence by unique_pid [process where true] [file where true] fork=0 [network where true];
+// sequence by unique_pid [process where true] [file where true] fork==0 [network where true];
 sequence by unique_pid [process where true] [file where true] fork [network where true];
 
 
 // no longer supported
-// sequence by unique_pid [process where true] [file where true] fork=0;
-sequence by unique_pid [process where true] [file where true] fork=true;
+// sequence by unique_pid [process where true] [file where true] fork==0;
+sequence by unique_pid [process where true] [file where true] fork==true;
 
 
 sequence with maxspan=2.5m 
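Review bot: The `fork=true` / `fork=false` lines in this hunk appear to be sequence-option assignments rather than equality comparisons, so rewriting them to `fork==true` contradicts the commit's own rule that `=` stays for assignments such as `maxspan=10m`. This file collects queries that are expected to be rejected, so the test presumably still passes. The queries may now fail on the `==` token instead of on the unsupported `fork` option, though, which would leave that rejection path unexercised. I would restore `sequence by unique_pid [process where true] [file where true] fork=true;` and the other `fork=` lines, including the commented-out `fork=1` and `fork=0` variants whose comment text was also rewritten.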
@@ -183,19 +183,19 @@ process where process_name in ("python.exe", "smss.exe")
 
 
 
-file where file_name == "csrss.exe" and opcode=0
+file where file_name == "csrss.exe" and opcode==0
   and descendant of [process where opcode in (1,3) and process_name="cmd.exe"]
 ;
 
-process where opcode=1 and process_name == "csrss.exe"
+process where opcode==1 and process_name == "csrss.exe"
   and descendant of [file where file_name == "csrss.exe" and opcode=0]
 ;
 
-process where opcode=1 and process_name == "smss.exe"
+process where opcode==1 and process_name == "smss.exe"
   and descendant of [
-  file where file_name == "csrss.exe" and opcode=0
+  file where file_name == "csrss.exe" and opcode==0
       and descendant of [
-      process where opcode in(1,3) and process_name="cmd.exe"
+      process where opcode in(1,3) and process_name=="cmd.exe"
       ]
   ]
 ;
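Review bot: Two comparisons in this hunk still use a single `=`: `process_name="cmd.exe"` inside the first `descendant of [...]` and `opcode=0` inside the second, both left as unchanged context lines while their neighbours were converted. Because the file holds queries that are expected to be rejected, nothing fails. With `=` no longer a comparison operator, it becomes unclear whether these queries are rejected for `descendant of` or for the operator, which could hide a regression in the check each query is there for. Changing them to `process_name=="cmd.exe"` and `opcode==0` keeps each query invalid for exactly one reason.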
@@ -238,52 +238,52 @@ sequence with maxspan=0.5s
 | tail 2;
 
 sequence
-  [file where opcode=0] by unique_pid
-  [file where opcode=0] by unique_pid
+  [file where opcode==0] by unique_pid
+  [file where opcode==0] by unique_pid
 | filter events[1].serial_event_id == 92;
 
 any where true
 | unique event_type_full;
 
-process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+process where opcode==1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
   and descendant of [process where process_name == "cmd.exe" ];
 
 process where process_name in ("services.exe", "smss.exe", "lsass.exe")
   and descendant of [process where process_name == "cmd.exe" ];
 
-process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+process where opcode==2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
   and descendant of [process where process_name == "cmd.exe" ];
 
-process where process_name="svchost.exe"
-  and child of [file where file_name="svchost.exe" and opcode=0];
+process where process_name=="svchost.exe"
+  and child of [file where file_name=="svchost.exe" and opcode==0];
 
-process where process_name="svchost.exe"
-  and not child of [file where file_name="svchost.exe" and opcode=0]
+process where process_name=="svchost.exe"
+  and not child of [file where file_name=="svchost.exe" and opcode==0]
 | head 3;
 
-process where process_name="lsass.exe"
+process where process_name=="lsass.exe"
   and child of [
-  process where process_name="python.exe"
-    and child of [process where process_name="cmd.exe"]
+  process where process_name=="python.exe"
+    and child of [process where process_name=="cmd.exe"]
   ]
 ;
 
 file where child of [
 process where child of [
-    process where child of [process where process_name="*wsmprovhost.exe"]
+    process where child of [process where process_name=="*wsmprovhost.exe"]
   ]
 ]
 | tail 1;
 
-file where process_name = "python.exe"
+file where process_name == "python.exe"
 | unique unique_pid;
 
-file where event of [process where process_name = "python.exe" ]
+file where event of [process where process_name == "python.exe" ]
 | unique unique_pid;
 
 
 
-process where event of [process where process_name = "python.exe" ];
+process where event of [process where process_name == "python.exe" ];
 
 sequence
   [process where serial_event_id<3] by unique_pid * 2
@@ -299,11 +299,11 @@ sequence
 
 
 process where "net.EXE" == original_file_name
-| filter process_name="net*.exe"
+| filter process_name=="net*.exe"
 ;
 
 process where process_name == original_file_name
-| filter process_name='net*.exe'
+| filter process_name=='net*.exe'
 ;
 
 process where original_file_name == process_name

+ 1 - 1
x-pack/plugin/eql/src/test/resources/queryfolder_tests.txt

@@ -19,7 +19,7 @@ null
 ;
 
 singleNumericFilterEquals
-process where serial_event_id = 1
+process where serial_event_id == 1
 ;
 "term":{"serial_event_id":{"value":1
 ;

+ 2 - 2
x-pack/plugin/src/test/resources/rest-api-spec/test/data_stream/10_data_stream_resolvability.yml

@@ -516,7 +516,7 @@
       eql.search:
         index: simple-data-stream1
         body:
-          query: 'process where user = "SYSTEM"'
+          query: 'process where user == "SYSTEM"'
 
   - match: {timed_out: false}
   - match: {hits.total.value: 1}
@@ -527,7 +527,7 @@
       eql.search:
         index: simple-data-s*
         body:
-          query: 'process where user = "SYSTEM"'
+          query: 'process where user == "SYSTEM"'
 
   - match: {timed_out: false}
   - match: {hits.total.value: 1}