Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

[DOCS] EQL: Document ? wildcard (#65698)

James Rodewig 4 years ago
parent
fd3d7e3368
commit
2044caa667
2 changed files with 30 additions and 8 deletions
Split View Show Diff Stats
  1. 14 2
      docs/reference/eql/functions.asciidoc
  2. 16 6
      docs/reference/eql/syntax.asciidoc

+ 14 - 2
docs/reference/eql/functions.asciidoc
View File 

@@ -1015,15 +1015,25 @@ expressions. Matching is case-sensitive.
 
 *Example*
 
 [source,eql]
 
 ----
 
+// The * wildcard matches zero or more characters.
 
 // process.name = "regsvr32.exe"
 
 wildcard(process.name, "*regsvr32*")                // returns true
 
 wildcard(process.name, "*regsvr32*", "*explorer*")  // returns true
 
 wildcard(process.name, "*explorer*")                // returns false
 
 wildcard(process.name, "*explorer*", "*scrobj*")    // returns false
 
 
+// The ? wildcard matches exactly one character.
 
+// process.name = "regsvr32.exe"
 
+wildcard(process.name, "regsvr32.e?e")                  // returns true
 
+wildcard(process.name, "regsvr32.e?e", "e?plorer.exe")  // returns true
 
+wildcard(process.name, "regsvr32.exe?")                 // returns false
 
+wildcard(process.name, "e?plorer.exe")                  // returns false
 
+wildcard(process.name, "e?plorer.exe", "scrob?.dll")    // returns false
 
+
 
 // empty strings
 
 wildcard("", "*start*")                             // returns false
 
 wildcard("", "*")                                   // returns true
 
+wildcard("", "?")                                   // returns false
 
 wildcard("", "")                                    // returns true
 
 
 // null handling
 
@@ -1056,8 +1066,10 @@ field data types:
 
 +
 
 --
 
 (Required{multi-arg-ref}, string)
 
-Wildcard expression used to match the source string. If `null`, the function
 
-returns `null`. Fields are not supported as arguments.
 
+Wildcard expression used to match the source string. The `*` wildcard matches
 
+zero or more characters. The `?` wildcard matches exactly one character.
 
+
 
+If `null`, the function returns `null`. Fields are not supported as arguments.
 
 --
 
 
 *Returns:* boolean

+ 16 - 6
docs/reference/eql/syntax.asciidoc
View File 

@@ -382,14 +382,24 @@ use a regular string with the `\"` escape sequence.
 
 [[eql-syntax-wildcards]]
 
 === Wildcards
 
 
-For string comparisons using the `:` operator, you can use wildcards (`*`) to
 
-match specific patterns:
 
+For string comparisons using the `:` operator, you can use the `*` and `?`
 
+wildcards to match specific patterns. The `*` wildcard matches zero or more
 
+characters:
 
 
 [source,eql]
 
 ----
 
-field : "f*o"
 
-field : "*foo"
 
-field : "foo*"
 
+my_field : "doc*"  // Matches "doc", "docs", or "document" but not "dos"
 
+my_field : "*doc"  // Matches "adoc" or "asciidoc"
 
+my_field : "d*c"   // Matches "doc" or "disc"
 
+----
 
+
 
+The `?` wildcard matches exactly one character:
 
+
 
+[source,eql]
 
+----
 
+my_field : "doc?"  // Matches "docs" but not "doc", "document", or "dos"
 
+my_field : "?doc"  // Matches "adoc" but not "asciidoc"
 
+my_field : "d?c"   // Matches "doc" but not "disc"
 
 ----
 
 
 The `:` operator also supports wildcards in <<eql-syntax-lookup-operators,list
 
@@ -397,7 +407,7 @@ lookups>>:
 
 
 [source,eql]
 
 ----
 
-field : ("f*o", "*bar", "baz*", "qux")
 
+my_field : ("doc*", "f*o", "ba?", "qux")
 
 ----
 
 
 [discrete]