in lib/kql/kql/parser.py [0:0]
def convert_value(self, field_name, python_value, value_tree):
field_type = None
field_types = self.get_field_types(field_name)
value_type = self.get_literal_type(python_value)
if field_types is not None:
if len(field_types) == 1:
field_type = list(field_types)[0]
elif len(field_types) > 1:
raise self.error(value_tree,
f"{field_name} has multiple types {', '.join(field_types)}")
if field_type is not None and field_type != value_type:
field_type_family = elasticsearch_type_family(field_type)
if field_type_family in STRING_FIELDS:
return eql.utils.to_unicode(python_value)
elif field_type_family in ("float", "integer"):
try:
return float(python_value) if field_type_family == "float" else int(python_value)
except ValueError:
pass
elif field_type_family == "ip" and value_type == "keyword":
if "::" in python_value or is_ipaddress(python_value) or eql.utils.is_cidr_pattern(python_value):
return python_value
elif field_type_family == 'date' and value_type in STRING_FIELDS:
# this will not validate datemath syntax
return python_value
raise self.error(value_tree, "Value doesn't match {field}'s type: {type}",
field=field_name, type=field_type)
# otherwise, there's nothing to convert
return python_value