Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 6d28596ead
Branches Tags
elasticsearch
/
docs
/
reference
/
eql
/
functions.asciidoc

functions.asciidoc 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459 
  1. [[eql-function-ref]]
    2. 

  2. == EQL function reference
    3. 

  3. ++++
    4. 

  4. <titleabbrev>Function reference</titleabbrev>
    5. 

  5. ++++
    6. 

  6. 

  7. experimental::[]
    8. 

  8. 

  9. {es} supports the following EQL functions:
    10. 

  10. 

  11. * <<eql-fn-between>>
    12. 

  12. * <<eql-fn-endswith>>
    13. 

  13. * <<eql-fn-length>>
    14. 

  14. * <<eql-fn-startswith>>
    15. 

  15. * <<eql-fn-substring>>
    16. 

  16. * <<eql-fn-wildcard>>
    17. 

  17. 

  18. [discrete]
    19. 

  19. [[eql-fn-between]]
    20. 

  20. === `between`
    21. 

  21. 

  22. Extracts a substring that's between a provided `left` and `right` text in a
    23. 

  23. source string.
    24. 

  24. 

  25. [%collapsible]
    26. 

  26. ====
    27. 

  27. *Example*
    28. 

  28. [source,eql]
    29. 

  29. ----
    30. 

  30. // file.path = "C:\\Windows\\System32\\cmd.exe"
    31. 

  31. between(file.path, "system32\\\\", ".exe")   // returns "cmd"
    32. 

  32. between(file.path, "workspace\\\\", ".exe")  // returns ""
    33. 

  33. 

  34. 

  35. // Greedy matching defaults to false.
    36. 

  36. between(file.path, "\\\\", "\\\\", false)  // returns "Windows"
    37. 

  37. // Sets greedy matching to true
    38. 

  38. between(file.path, "\\\\", "\\\\", true)  // returns "Windows\\System32"
    39. 

  39. 

  40. // Case sensitivity defaults to false.
    41. 

  41. between(file.path, "system32\\\\", ".exe", false, false)  // returns "cmd"
    42. 

  42. // Sets case sensitivity to true
    43. 

  43. between(file.path, "system32\\\\", ".exe", false, true)   // returns ""
    44. 

  44. between(file.path, "System32\\\\", ".exe", false, true)   // returns "cmd"
    45. 

  45. 

  46. // empty source string
    47. 

  47. between("", "system32\\\\", ".exe")          // returns ""
    48. 

  48. between("", "", "")                          // returns ""
    49. 

  49. 

  50. // null handling
    51. 

  51. between(null, "system32\\\\", ".exe")                   // returns null
    52. 

  52. ----
    53. 

  53. 

  54. *Syntax*
    55. 

  55. 

  56. [source,txt]
    57. 

  57. ----
    58. 

  58. between(<source>, <left>, <right>[, <greedy_matching>, <case_sensitive>])
    59. 

  59. ----
    60. 

  60. 

  61. *Parameters*
    62. 

  62. 

  63. `<source>`::
    64. 

  64. +
    65. 

  65. --
    66. 

  66. (Required, string or `null`)
    67. 

  67. Source string. Empty strings return an empty string (`""`), regardless of the
    68. 

  68. `<left>` or `<right>` parameters. If `null`, the function returns `null`.
    69. 

  69. 

  70. If using a field as the argument, this parameter only supports the following
    71. 

  71. field datatypes:
    72. 

  72. 

  73. * <<keyword,`keyword`>>
    74. 

  74. * <<constant-keyword,`constant_keyword`>>
    75. 

  75. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    76. 

  76.   <<constant-keyword,`constant_keyword`>> sub-field
    77. 

  77. 

  78. Fields containing <<array,array values>> use the first array item only.
    79. 

  79. --
    80. 

  80. 

  81. `<left>`::
    82. 

  82. +
    83. 

  83. --
    84. 

  84. (Required, string)
    85. 

  85. Text to the left of the substring to extract. This text should include
    86. 

  86. whitespace.
    87. 

  87. 

  88. If using a field as the argument, this parameter only supports the following
    89. 

  89. field datatypes:
    90. 

  90. 

  91. * <<keyword,`keyword`>>
    92. 

  92. * <<constant-keyword,`constant_keyword`>>
    93. 

  93. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    94. 

  94.   <<constant-keyword,`constant_keyword`>> sub-field
    95. 

  95. 

  96. <<array,Array values>> are not supported.
    97. 

  97. --
    98. 

  98. 

  99. `<right>`::
    100. 

  100. +
    101. 

  101. --
    102. 

  102. (Required, string)
    103. 

  103. Text to the right of the substring to extract. This text should include
    104. 

  104. whitespace.
    105. 

  105. 

  106. If using a field as the argument, this parameter only supports the following
    107. 

  107. field datatypes:
    108. 

  108. 

  109. * <<keyword,`keyword`>>
    110. 

  110. * <<constant-keyword,`constant_keyword`>>
    111. 

  111. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    112. 

  112.   <<constant-keyword,`constant_keyword`>> sub-field
    113. 

  113. 

  114. <<array,Array values>> are not supported.
    115. 

  115. --
    116. 

  116. 

  117. `<greedy_matching>`::
    118. 

  118. (Optional, boolean)
    119. 

  119. If `true`, match the longest possible substring, similar to `.*` in regular
    120. 

  120. expressions. If `false`, match the shortest possible substring, similar to `.*?`
    121. 

  121. in regular expressions. Defaults to `false`.
    122. 

  122. 

  123. `<case_sensitive>`::
    124. 

  124. (Optional, boolean)
    125. 

  125. If `true`, matching is case-sensitive. Defaults to `false`.
    126. 

  126. 

  127. *Returns:* string or `null`
    128. 

  128. ====
    129. 

  129. 

  130. [discrete]
    131. 

  131. [[eql-fn-endswith]]
    132. 

  132. === `endsWith`
    133. 

  133. 

  134. Returns `true` if a source string ends with a provided substring. Matching is
    135. 

  135. case insensitive.
    136. 

  136. 

  137. [%collapsible]
    138. 

  138. ====
    139. 

  139. *Example*
    140. 

  140. [source,eql]
    141. 

  141. ----
    142. 

  142. endsWith("regsvr32.exe", ".exe")          // returns true
    143. 

  143. endsWith("regsvr32.exe", ".EXE")          // returns true
    144. 

  144. endsWith("regsvr32.exe", ".dll")          // returns false
    145. 

  145. endsWith("", "")                          // returns true
    146. 

  146. 

  147. // file.name = "regsvr32.exe"
    148. 

  148. endsWith(file.name, ".exe")               // returns true
    149. 

  149. endsWith(file.name, ".dll")               // returns false
    150. 

  150. 

  151. // file.extension = ".exe"
    152. 

  152. endsWith("regsvr32.exe", file.extension)  // returns true
    153. 

  153. endsWith("ntdll.dll", file.name)          // returns false
    154. 

  154. 

  155. // file.name = [ "ntdll.dll", "regsvr32.exe" ]
    156. 

  156. endsWith(file.name, ".dll")               // returns true
    157. 

  157. endsWith(file.name, ".exe")               // returns false
    158. 

  158. 

  159. // null handling
    160. 

  160. endsWith("regsvr32.exe", null)            // returns null
    161. 

  161. endsWith("", null)                        // returns null 
    162. 

  162. endsWith(null, ".exe")                    // returns null
    163. 

  163. endsWith(null, null)                      // returns null
    164. 

  164. ----
    165. 

  165. 

  166. *Syntax*
    167. 

  167. 

  168. [source,txt]
    169. 

  169. ----
    170. 

  170. endsWith(<source>, <substring>)
    171. 

  171. ----
    172. 

  172. 

  173. *Parameters*
    174. 

  174. 

  175. `<source>`::
    176. 

  176. +
    177. 

  177. --
    178. 

  178. (Required, string or `null`)
    179. 

  179. Source string. If `null`, the function returns `null`.
    180. 

  180. 

  181. If using a field as the argument, this parameter only supports the following
    182. 

  182. field datatypes:
    183. 

  183. 

  184. * <<keyword,`keyword`>>
    185. 

  185. * <<constant-keyword,`constant_keyword`>>
    186. 

  186. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    187. 

  187.   <<constant-keyword,`constant_keyword`>> sub-field
    188. 

  188. 

  189. Fields containing <<array,array values>> use the first array item only.
    190. 

  190. --
    191. 

  191. 

  192. `<substring>`::
    193. 

  193. +
    194. 

  194. --
    195. 

  195. (Required, string or `null`)
    196. 

  196. Substring to search for. If `null`, the function returns `null`.
    197. 

  197. 

  198. If using a field as the argument, this parameter only supports the following
    199. 

  199. field datatypes:
    200. 

  200. 

  201. * <<keyword,`keyword`>>
    202. 

  202. * <<constant-keyword,`constant_keyword`>>
    203. 

  203. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    204. 

  204.   <<constant-keyword,`constant_keyword`>> sub-field
    205. 

  205. --
    206. 

  206. 

  207. *Returns:* boolean or `null`
    208. 

  208. ====
    209. 

  209. 

  210. [discrete]
    211. 

  211. [[eql-fn-length]]
    212. 

  212. === `length`
    213. 

  213. 

  214. Returns the character length of a provided string, including whitespace and
    215. 

  215. punctuation.
    216. 

  216. 

  217. [%collapsible]
    218. 

  218. ====
    219. 

  219. *Example*
    220. 

  220. [source,eql]
    221. 

  221. ----
    222. 

  222. length("explorer.exe")         // returns 12
    223. 

  223. length("start explorer.exe")   // returns 18
    224. 

  224. length("")                     // returns 0
    225. 

  225. length(null)                   // returns null
    226. 

  226. 

  227. // process.name = "regsvr32.exe"
    228. 

  228. length(process.name)           // returns 12
    229. 

  229. ----
    230. 

  230. 

  231. *Syntax*
    232. 

  232. [source,txt]
    233. 

  233. ----
    234. 

  234. length(<string>)
    235. 

  235. ----
    236. 

  236. 

  237. *Parameters*
    238. 

  238. 

  239. `<string>`::
    240. 

  240. +
    241. 

  241. --
    242. 

  242. (Required, string or `null`)
    243. 

  243. String for which to return the character length. If `null`, the function returns
    244. 

  244. `null`. Empty strings return `0`.
    245. 

  245. 

  246. If using a field as the argument, this parameter only supports the following
    247. 

  247. field datatypes:
    248. 

  248. 

  249. * <<keyword,`keyword`>>
    250. 

  250. * <<constant-keyword,`constant_keyword`>>
    251. 

  251. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    252. 

  252.   <<constant-keyword,`constant_keyword`>> sub-field
    253. 

  253. 

  254. <<array,Array values>> are not supported.
    255. 

  255. --
    256. 

  256. 

  257. *Returns:* integer or `null`
    258. 

  258. ====
    259. 

  259. 

  260. [discrete]
    261. 

  261. [[eql-fn-startswith]]
    262. 

  262. === `startsWith`
    263. 

  263. 

  264. Returns `true` if a source string begins with a provided substring. Matching is
    265. 

  265. case insensitive.
    266. 

  266. 

  267. [%collapsible]
    268. 

  268. ====
    269. 

  269. *Example*
    270. 

  270. [source,eql]
    271. 

  271. ----
    272. 

  272. startsWith("regsvr32.exe", "regsvr32")  // returns true
    273. 

  273. startsWith("regsvr32.exe", "RegSvr32")  // returns true
    274. 

  274. startsWith("regsvr32.exe", "explorer")  // returns false
    275. 

  275. startsWith("", "")                      // returns true
    276. 

  276. 

  277. // process.name = "regsvr32.exe"
    278. 

  278. startsWith(process.name, "regsvr32")    // returns true
    279. 

  279. startsWith(process.name, "explorer")    // returns false
    280. 

  280. 

  281. // process.name = "regsvr32"
    282. 

  282. startsWith("regsvr32.exe", process.name) // returns true
    283. 

  283. startsWith("explorer.exe", process.name) // returns false
    284. 

  284. 

  285. // process.name = [ "explorer.exe", "regsvr32.exe" ]
    286. 

  286. startsWith(process.name, "explorer")    // returns true
    287. 

  287. startsWith(process.name, "regsvr32")    // returns false
    288. 

  288. 

  289. // null handling
    290. 

  290. startsWith("regsvr32.exe", null)        // returns null
    291. 

  291. startsWith("", null)                    // returns null 
    292. 

  292. startsWith(null, "regsvr32")            // returns null
    293. 

  293. startsWith(null, null)                  // returns null
    294. 

  294. ----
    295. 

  295. 

  296. *Syntax*
    297. 

  297. 

  298. [source,txt]
    299. 

  299. ----
    300. 

  300. startsWith(<source>, <substring>)
    301. 

  301. ----
    302. 

  302. 

  303. *Parameters*
    304. 

  304. 

  305. `<source>`::
    306. 

  306. +
    307. 

  307. --
    308. 

  308. (Required, string or `null`)
    309. 

  309. Source string. If `null`, the function returns `null`.
    310. 

  310. 

  311. If using a field as the argument, this parameter only supports the following
    312. 

  312. field datatypes:
    313. 

  313. 

  314. * <<keyword,`keyword`>>
    315. 

  315. * <<constant-keyword,`constant_keyword`>>
    316. 

  316. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    317. 

  317.   <<constant-keyword,`constant_keyword`>> sub-field
    318. 

  318. 

  319. Fields containing <<array,array values>> use the first array item only.
    320. 

  320. --
    321. 

  321. 

  322. `<substring>`::
    323. 

  323. +
    324. 

  324. --
    325. 

  325. (Required, string or `null`)
    326. 

  326. Substring to search for. If `null`, the function returns `null`.
    327. 

  327. 

  328. If using a field as the argument, this parameter only supports the following
    329. 

  329. field datatypes:
    330. 

  330. 

  331. * <<keyword,`keyword`>>
    332. 

  332. * <<constant-keyword,`constant_keyword`>>
    333. 

  333. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    334. 

  334.   <<constant-keyword,`constant_keyword`>> sub-field
    335. 

  335. --
    336. 

  336. 

  337. *Returns:* boolean or `null`
    338. 

  338. ====
    339. 

  339. 

  340. [discrete]
    341. 

  341. [[eql-fn-substring]]
    342. 

  342. === `substring`
    343. 

  343. 

  344. Extracts a substring from a source string at provided start and end positions.
    345. 

  345. 

  346. If no end position is provided, the function extracts the remaining string.
    347. 

  347. 

  348. [%collapsible]
    349. 

  349. ====
    350. 

  350. *Example*
    351. 

  351. [source,eql]
    352. 

  352. ----
    353. 

  353. substring("start regsvr32.exe", 6)        // returns "regsvr32.exe"
    354. 

  354. substring("start regsvr32.exe", 0, 5)     // returns "start"
    355. 

  355. substring("start regsvr32.exe", 6, 14)    // returns "regsvr32"
    356. 

  356. substring("start regsvr32.exe", -4)       // returns ".exe"
    357. 

  357. substring("start regsvr32.exe", -4, -1)   // returns ".ex"
    358. 

  358. ----
    359. 

  359. 

  360. *Syntax*
    361. 

  361. 

  362. [source,txt]
    363. 

  363. ----
    364. 

  364. substring(<source>, <start_pos>[, <end_pos>])
    365. 

  365. ----
    366. 

  366. 

  367. *Parameters*
    368. 

  368. 

  369. `<source>`::
    370. 

  370. (Required, string)
    371. 

  371. Source string.
    372. 

  372. 

  373. `<start_pos>`::
    374. 

  374. +
    375. 

  375. --
    376. 

  376. (Required, integer)
    377. 

  377. Starting position for extraction.
    378. 

  378. 

  379. If this position is higher than the `<end_pos>` position or the length of the
    380. 

  380. `<source>` string, the function returns an empty string.
    381. 

  381. 

  382. Positions are zero-indexed. Negative offsets are supported.
    383. 

  383. --
    384. 

  384. 

  385. `<end_pos>`::
    386. 

  386. (Optional, integer)
    387. 

  387. Exclusive end position for extraction. If this position is not provided, the
    388. 

  388. function returns the remaining string.
    389. 

  389. +
    390. 

  390. Positions are zero-indexed. Negative offsets are supported.
    391. 

  391. 

  392. *Returns:* string
    393. 

  393. ====
    394. 

  394. 

  395. [discrete]
    396. 

  396. [[eql-fn-wildcard]]
    397. 

  397. === `wildcard`
    398. 

  398. Returns `true` if a source string matches one or more provided wildcard
    399. 

  399. expressions.
    400. 

  400. 

  401. [%collapsible]
    402. 

  402. ====
    403. 

  403. *Example*
    404. 

  404. [source,eql]
    405. 

  405. ----
    406. 

  406. // The two following expressions are equivalent.
    407. 

  407. process.name == "*regsvr32*" or process.name == "*explorer*"
    408. 

  408. wildcard(process.name, "*regsvr32*", "*explorer*")
    409. 

  409. 

  410. // process.name = "regsvr32.exe"
    411. 

  411. wildcard(process.name, "*regsvr32*")                // returns true
    412. 

  412. wildcard(process.name, "*regsvr32*", "*explorer*")  // returns true
    413. 

  413. wildcard(process.name, "*explorer*")                // returns false
    414. 

  414. wildcard(process.name, "*explorer*", "*scrobj*")    // returns false
    415. 

  415. 

  416. // empty strings
    417. 

  417. wildcard("", "*start*")                             // returns false
    418. 

  418. wildcard("", "*")                                   // returns true
    419. 

  419. wildcard("", "")                                    // returns true
    420. 

  420. 

  421. // null handling
    422. 

  422. wildcard(null, "*regsvr32*")                        // returns null
    423. 

  423. wildcard(process.name, null)                        // returns null
    424. 

  424. ----
    425. 

  425. 

  426. *Syntax*
    427. 

  427. 

  428. [source,txt]
    429. 

  429. ----
    430. 

  430. wildcard(<source>, <wildcard_exp>[, ...])
    431. 

  431. ----
    432. 

  432. 

  433. *Parameters*
    434. 

  434. 

  435. `<source>`::
    436. 

  436. +
    437. 

  437. --
    438. 

  438. (Required, string)
    439. 

  439. Source string. If `null`, the function returns `null`.
    440. 

  440. 

  441. If using a field as the argument, this parameter only supports the following
    442. 

  442. field datatypes:
    443. 

  443. 

  444. * <<keyword,`keyword`>>
    445. 

  445. * <<constant-keyword,`constant_keyword`>>
    446. 

  446. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    447. 

  447.   <<constant-keyword,`constant_keyword`>> sub-field
    448. 

  448. --
    449. 

  449. 

  450. `<wildcard_exp>`::
    451. 

  451. +
    452. 

  452. --
    453. 

  453. (Required{multi-arg}, string)
    454. 

  454. Wildcard expression used to match the source string. If `null`, the function
    455. 

  455. returns `null`. Fields are not supported as arguments.
    456. 

  456. -- 
    457. 

  457. 

  458. *Returns:* boolean
    459. 

  459. ====
    460.