Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

[DOCS] Document `any` keyword in EQL syntax (#52821)

* [DOCS] Document `any` keyword in EQL syntax

Adds documentation for the `any` keyword to the EQL syntax docs.

Includes:

* Definition of an event type and its relationship to the event type
  field.
* Example matching all event types using `any` keyword
* Example matching event types beginning with a digit
* Example using `any` with `where true`

* Remove references to `event_type_field` default

* Reuse "Events starting with digits" section

* Updates for #53073
James Rodewig 5 years ago
parent
fc07dc810a
commit
c6334ee4b7
1 changed files with 51 additions and 6 deletions
Split View Show Diff Stats
  1. 51 6
      docs/reference/eql/syntax.asciidoc

+ 51 - 6
docs/reference/eql/syntax.asciidoc
View File 

@@ -14,21 +14,45 @@ experimental::[]
 
 [[eql-basic-syntax]]
 
 === Basic syntax
 
 
-EQL queries require an event type and a matching condition. The `where` keyword connects them.
 
+EQL queries require an event category and a matching condition. The `where`
 
+keyword connects them.
 
 
 [source,eql]
 
 ----
 
-event.category where condition
 
+event_category where condition
 
 ----
 
 
-For example, the following EQL query matches `process` events with a `process.name`
 
-field value of `svchost.exe`:
 
+For example, the following EQL query matches `process` events with a
 
+`process.name` field value of `svchost.exe`:
 
 
 [source,eql]
 
 ----
 
 process where process.name == "svchost.exe"
 
 ----
 
 
+[discrete]
 
+[[eql-syntax-event-categories]]
 
+==== Event categories
 
+
 
+In {es}, an event category is a valid, indexed value of the
 
+<<eql-required-fields,event category field>>. You can set the event category
 
+field using the `event_category_field` parameter of the EQL search API.
 
+
 
+[discrete]
 
+[[eql-syntax-match-any-event-category]]
 
+===== Match any event category
 
+
 
+To match events of any category, use the `any` keyword. You can also use the
 
+`any` keyword to search for documents without a event category field.
 
+
 
+For example, the following EQL query matches any documents with a
 
+`network.protocol` field value of `http`:
 
+
 
+[source,eql]
 
+----
 
+any where network.protocol == "http"
 
+----
 
+
 
 [discrete]
 
 [[eql-syntax-conditions]]
 
 ==== Conditions
 
@@ -159,7 +183,7 @@ Strings are enclosed with double quotes (`"`) or single quotes (`'`).
 
 
 [discrete]
 
 [[eql-syntax-wildcards]]
 
-===== Wildcards 
+===== Wildcards
 
 
 You can use the wildcard operator (`*`) within a string to match specific
 
 patterns. You can use wildcards with the `==` (equal) or `!=` (not equal)
 
@@ -171,9 +195,30 @@ field == "example*wildcard"
 
 field != "example*wildcard"
 
 ----
 
 
+[discrete]
 
+[[eql-syntax-match-any-condition]]
 
+===== Match any condition
 
+
 
+To match events solely on event category, use the `where true` condition.
 
+
 
+For example, the following EQL query matches any `file` events:
 
+
 
+[source,eql]
 
+----
 
+file where true
 
+----
 
+
 
+To match any event, you can combine the `any` keyword with the `where true`
 
+condition:
 
+
 
+[source,eql]
 
+----
 
+any where true
 
+----
 
+
 
 [discrete]
 
 [[eql-syntax-escaped-characters]]
 
-===== Escaped characters 
+===== Escaped characters
 
 
 When used within a string, special characters, such as a carriage return or
 
 double quote (`"`), must be escaped with a preceding backslash (`\`).