Add: OpenSearch Query MustNotExists to querybuilder

alex-heine · alex-heine · commit 49a3a914729d · 2025-11-13T17:16:51.000+01:00
diff --git a/pkg/openSearch/osquery/boolQueryBuilder.go b/pkg/openSearch/osquery/boolQueryBuilder.go
@@ -151,7 +151,7 @@ func (q *BoolQueryBuilder) AddFilterRequest(request *filter.Request) error {
 		if handler, ok := operatorMapping[field.Operator]; ok {
 			value := field.Value
 
-			if field.Operator == filter.CompareOperatorExists {
+			if field.Operator == filter.CompareOperatorExists || field.Operator == filter.CompareOperatorMustNotExists {
 				value = "" // exists operator does not need a value, but for more consistent handling just pass a dummy value
 			}
 			if value == nil {
@@ -289,5 +289,9 @@ func defaultCompareOperators() []CompareOperator {
 			Operator: filter.CompareOperatorExists,
 			Handler:  HandleCompareOperatorExists, MustCondition: true,
 		},
+		{
+			Operator: filter.CompareOperatorMustNotExists,
+			Handler:  HandleCompareOperatorMustNotExists, MustCondition: true,
+		},
 	}
 }
diff --git a/pkg/openSearch/osquery/boolQueryBuilder_test.go b/pkg/openSearch/osquery/boolQueryBuilder_test.go
@@ -608,6 +608,15 @@ func TestBoolQueryBuilder_AddFilterRequest(t *testing.T) {
 		wantDocuments: []ostesting.TestType{doc0, doc1, doc2},
 	})
 
+	// MustNotExists operator
+	addTest("operator must not Exists", testCase{
+		filterRequest: singleFilter(filter.RequestField{
+			Name:     "keywordOmitEmptyField",
+			Operator: filter.CompareOperatorMustNotExists,
+		}),
+		wantDocuments: []ostesting.TestType{doc0},
+	})
+
 	// BetweenDates operator
 	addTest("operator BetweenDates (date time string)", testCase{
 		filterRequest: singleFilter(filter.RequestField{
diff --git a/pkg/openSearch/osquery/compareHandler.go b/pkg/openSearch/osquery/compareHandler.go
@@ -158,6 +158,10 @@ func HandleCompareOperatorExists(fieldName string, _ any) (esquery.Mappable, err
 	return esquery.Exists(fieldName), nil
 }
 
+func HandleCompareOperatorMustNotExists(fieldName string, _ any) (esquery.Mappable, error) {
+	return esquery.Bool().MustNot(esquery.Exists(fieldName)), nil
+}
+
 // HandleCompareOperatorBetweenDates constructs an OpenSearch range query for a given date field.
 // It accepts a field name and a field value, which must be a slice of exactly 2 elements, representing the start and end of range. Accepted slice types:
 // - []time.Time,
diff --git a/pkg/query/filter/type.go b/pkg/query/filter/type.go
@@ -75,6 +75,7 @@ CompareOperator ENUM(
 	betweenDates
 
 	exists
+	mustNotExists
 
 	isEqualToRating
 	isNotEqualToRating
diff --git a/pkg/query/filter/type_enum.go b/pkg/query/filter/type_enum.go

Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,7 @@ func (q BoolQueryBuilder) AddFilterRequest(request filter.Request) error {`
`151`	`151`	`if handler, ok := operatorMapping[field.Operator]; ok {`
`152`	`152`	`value := field.Value`
`153`	`153`
`154`		`- if field.Operator == filter.CompareOperatorExists {`
	`154`	`+ if field.Operator == filter.CompareOperatorExists \|\| field.Operator == filter.CompareOperatorMustNotExists {`
`155`	`155`	`value = "" // exists operator does not need a value, but for more consistent handling just pass a dummy value`
`156`	`156`	`}`
`157`	`157`	`if value == nil {`
`@@ -289,5 +289,9 @@ func defaultCompareOperators() []CompareOperator {`
`289`	`289`	`Operator: filter.CompareOperatorExists,`
`290`	`290`	`Handler: HandleCompareOperatorExists, MustCondition: true,`
`291`	`291`	`},`
	`292`	`+ {`
	`293`	`+ Operator: filter.CompareOperatorMustNotExists,`
	`294`	`+ Handler: HandleCompareOperatorMustNotExists, MustCondition: true,`
	`295`	`+ },`
`292`	`296`	`}`
`293`	`297`	`}`