EQL: Remove support for = for comparisons (#62756)

Since `=` is rarely used and is undocumented we its support for
equality comparisons keeping `==` as the only option. `=` is now only
used for assignments like in `maxspan=10m`.

Closes: #62650

Author: matriv

client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java

@@ -141,7 +141,7 @@ public void testEqualsInFilterConditionSearch() throws Exception {
         EqlClient eql = highLevelClient().eql();
 
         EqlSearchRequest request = new EqlSearchRequest("index",
-                "process where event_type_full = \"process_event\" and serial_event_id in (1,3,5)");
+                "process where event_type_full == \"process_event\" and serial_event_id in (1,3,5)");
 
         EqlSearchResponse response = execute(request, eql::search, eql::searchAsync);
         assertResponse(response, 3);

docs/reference/eql/eql-search-api.asciidoc

@@ -19,7 +19,7 @@ event.
 GET /my-index-000001/_eql/search
 {
   "query": """
-    process where process.name = "regsvr32.exe"
+    process where process.name == "regsvr32.exe"
   """
 }
 ----

x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/stats/RestEqlUsageTestCase.java

@@ -146,7 +146,7 @@ public void testEqlRestUsage() throws IOException {
         int randomSequenceExecutions = randomIntBetween(1, 15);
         allTotalQueries += randomSequenceExecutions;
         for (int i = 0; i < randomSequenceExecutions; i++) {
-            runEql("sequence [process where serial_event_id = 1] [process where serial_event_id = 2]");
+            runEql("sequence [process where serial_event_id == 1] [process where serial_event_id == 2]");
         }
         responseAsMap = getStats();
         metricsToCheck = Set.of("sequence", "sequence_queries_two", "pipe_head");
@@ -179,7 +179,7 @@ public void testEqlRestUsage() throws IOException {
                 "  [process where opcode == 1] by user" + 
                 "  [process where opcode == 2] by user" + 
                 "  [file where parent_process_name == \\\"file_delete_event\\\"] by exit_code" +
-                " until [process where opcode=1] by ppid" + 
+                " until [process where opcode==1] by ppid" +
                 " | head 4" + 
                 " | tail 2");
         }
@@ -271,8 +271,8 @@ public void testEqlRestUsage() throws IOException {
                 runEql(
                     randomFrom(
                         "process where missing_field < 4 | tail 2",
-                        "sequence abc [process where serial_event_id = 1]",
-                        "sequence with maxspan=1x [process where serial_event_id = 1]",
+                        "sequence abc [process where serial_event_id == 1]",
+                        "sequence with maxspan=1x [process where serial_event_id == 1]",
                         "sequence by exit_code, user [process where serial_event_id < 4] by ppid",
                         "sequence by"
                     )

x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml

@@ -69,7 +69,7 @@ expected_event_ids  = [5]
 
 [[queries]]
 name = "concatEquals2"
-query = 'process where concat(serial_event_id) = "1"'
+query = 'process where concat(serial_event_id) == "1"'
 expected_event_ids  = [1]
 
 [[queries]]
@@ -98,7 +98,7 @@ expected_event_ids  = [1, 2, 3, 4]
 
 [[queries]]
 name = "numberStringConversion1"
-query = 'process where string(serial_event_id) = "1"'
+query = 'process where string(serial_event_id) == "1"'
 expected_event_ids  = [1]
 
 
@@ -223,16 +223,16 @@ query = "process where serial_event_id + ((1 + 3) * 2 / (3 - 1)) * 2 == 54 or 70
 name = "twoSequencesAdditional1"
 query = '''
 sequence
-  [process where serial_event_id = 1]
-  [process where serial_event_id = 2]
+  [process where serial_event_id == 1]
+  [process where serial_event_id == 2]
 '''
 expected_event_ids  = [1, 2]
 
 [[queries]]
 name = "twoSequencesAdditional2"
 query = '''
 sequence
-  [process where serial_event_id=1] by unique_pid
+  [process where serial_event_id==1] by unique_pid
   [process where true] by unique_ppid'''
 expected_event_ids  = [1, 2]