EQL: Change result_position default value from head to tail (#66387)

By default, if no pipe is specified, EQL will return return matchings from the tail, end of the stream,  not the front. The results are returned in ascending order.

client/rest-high-level/src/main/java/org/elasticsearch/client/eql/EqlSearchRequest.java

@@ -39,7 +39,7 @@ public class EqlSearchRequest implements Validatable, ToXContentObject {
     private QueryBuilder filter = null;
     private String timestampField = "@timestamp";
     private String eventCategoryField = "event.category";
-    private String resultPosition = "head";
+    private String resultPosition = "tail";
 
     private int size = 10;
     private int fetchSize = 1000;

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/EqlUsageRestTestCase.java

@@ -116,6 +116,7 @@ public void testEqlRestUsage() throws IOException {
             DataLoader.loadDatasetIntoEs(highLevelClient(), this::createParser);
         }
 
+        String defaultPipe = "pipe_tail";
         //
         // random event queries
         //
@@ -141,7 +142,7 @@ public void testEqlRestUsage() throws IOException {
             runEql("sequence [process where serial_event_id == 1] [process where serial_event_id == 2]");
         }
         responseAsMap = getStats();
-        metricsToCheck = Set.of("sequence", "sequence_queries_two", "pipe_head");
+        metricsToCheck = Set.of("sequence", "sequence_queries_two", defaultPipe);
         assertFeaturesMetrics(randomSequenceExecutions, responseAsMap, metricsToCheck);
         assertFeaturesMetricsExcept(responseAsMap, metricsToCheck);
         assertAllQueryMetrics(allTotalQueries, responseAsMap);
@@ -194,7 +195,7 @@ public void testEqlRestUsage() throws IOException {
                 "  [process where opcode == 2] by user");
         }
         responseAsMap = getStats();
-        metricsToCheck = Set.of("sequence", "sequence_queries_three", "pipe_head", "join_keys_one", "sequence_maxspan");
+        metricsToCheck = Set.of("sequence", "sequence_queries_three", "join_keys_one", "sequence_maxspan", defaultPipe);
         assertFeaturesMetrics(randomThreeQueriesSequences, responseAsMap, metricsToCheck);
         assertFeaturesMetricsExcept(responseAsMap, metricsToCheck);
         assertAllQueryMetrics(allTotalQueries, responseAsMap);
@@ -230,7 +231,7 @@ public void testEqlRestUsage() throws IOException {
                 "  [process where opcode == 1]");
         }
         responseAsMap = getStats();
-        metricsToCheck = Set.of("sequence", "sequence_queries_two", "pipe_head", "join_keys_four");
+        metricsToCheck = Set.of("sequence", "sequence_queries_two", "join_keys_four", defaultPipe);
         assertFeaturesMetrics(randomFourJoinKeysExecutions, responseAsMap, metricsToCheck);
         assertFeaturesMetricsExcept(responseAsMap, metricsToCheck);
         assertAllQueryMetrics(allTotalQueries, responseAsMap);
@@ -246,7 +247,7 @@ public void testEqlRestUsage() throws IOException {
                 "  [process where opcode == 1]");
         }
         responseAsMap = getStats();
-        metricsToCheck = Set.of("sequence", "sequence_queries_two", "pipe_head", "join_keys_five_or_more");
+        metricsToCheck = Set.of("sequence", "sequence_queries_two", "join_keys_five_or_more", defaultPipe);
         assertFeaturesMetrics(randomFiveJoinKeysExecutions, responseAsMap, metricsToCheck);
         assertFeaturesMetricsExcept(responseAsMap, metricsToCheck);
         assertAllQueryMetrics(allTotalQueries, responseAsMap);

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequest.java

@@ -49,7 +49,7 @@ public class EqlSearchRequest extends ActionRequest implements IndicesRequest.Re
     private int size = RequestDefaults.SIZE;
     private int fetchSize = RequestDefaults.FETCH_SIZE;
     private String query;
-    private String resultPosition = "head";
+    private String resultPosition = "tail";
 
     // Async settings
     private TimeValue waitForCompletionTimeout = null;