lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240
							[role="xpack"]
[testenv="basic"]
[[eql-syntax]]
== EQL syntax reference

experimental::[]

[IMPORTANT]
====
{es} supports a subset of EQL syntax.
====

[discrete]
[[eql-basic-syntax]]
=== Basic syntax

EQL queries require an event type and a matching condition. The `where` keyword connects them.

[source,eql]
----
event_type where condition
----

For example, the following EQL query matches `process` events with a `process.name`
field value of `svchost.exe`:

[source,eql]
----
process where process.name == "svchost.exe"
----

[discrete]
[[eql-syntax-conditions]]
==== Conditions

A condition consists of one or more criteria an event must match.
You can specify and combine these criteria using the following operators:

[discrete]
[[eql-syntax-comparison-operators]]
===== Comparison operators

[source,eql]
----
<   <=   ==   !=   >=   >
----

.*Definitions*
[%collapsible]
====
`<` (less than)::
Returns `true` if the value to the left of the operator is less than the value
to the right. Otherwise returns `false`.

`<=` (less than or equal) ::
Returns `true` if the value to the left of the operator is less than or equal to
the value to the right. Otherwise returns `false`.

`==` (equal)::
Returns `true` if the values to the left and right of the operator are equal.
Otherwise returns `false`.

`!=` (not equal)::
Returns `true` if the values to the left and right of the operator are not
equal. Otherwise returns `false`.

`>=` (greater than or equal) ::
Returns `true` if the value to the left of the operator is greater than or equal
to the value to the right. Otherwise returns `false`.

`>` (greater than)::
Returns `true` if the value to the left of the operator is greater than the
value to the right. Otherwise returns `false`.
====

[discrete]
[[eql-syntax-logical-operators]]
===== Logical operators

[source,eql]
----
and  or  not
----

.*Definitions*
[%collapsible]
====
`and`::
Returns `true` only if the condition to the left and right _both_ return `true`.
Otherwise returns `false.

`or`::
Returns `true` if one of the conditions to the left or right `true`.
Otherwise returns `false.

`not`::
Returns `true` if the condition to the right is `false`.
====

[discrete]
[[eql-syntax-lookup-operators]]
===== Lookup operators

[source,eql]
----
user.name in ("Administrator", "SYSTEM", "NETWORK SERVICE")
user.name not in ("Administrator", "SYSTEM", "NETWORK SERVICE")
----

.*Definitions*
[%collapsible]
====
`in`::
Returns `true` if the value is contained in the provided list.

`not in`::
Returns `true` if the value is not contained in the provided list.
====

[discrete]
[[eql-syntax-math-operators]]
===== Math operators

[source,eql]
----
+  -  *  /  %
----

.*Definitions*
[%collapsible]
====
`+` (add)::
Adds the values to the left and right of the operator.

`-` (Subtract)::
Subtracts the value to the right of the operator from the value to the left.

`*` (Subtract)::
Multiplies the values to the left and right of the operator.

`/` (Divide)::
Divides the value to the left of the operator by the value to the right.

`%` (modulo)::
Divides the value to the left of the operator by the value to the right. Returns only the remainder.
====

[discrete]
[[eql-syntax-strings]]
==== Strings

Strings are enclosed with double quotes (`"`) or single quotes (`'`).

[source,eql]
----
"hello world"
"hello world with 'substring'"
----

[discrete]
[[eql-syntax-wildcards]]
===== Wildcards 

You can use the wildcard operator (`*`) within a string to match specific
patterns. You can use wildcards with the `==` (equal) or `!=` (not equal)
operators:

[source,eql]
----
field == "example*wildcard"
field != "example*wildcard"
----

[discrete]
[[eql-syntax-escaped-characters]]
===== Escaped characters 

When used within a string, special characters, such as a carriage return or
double quote (`"`), must be escaped with a preceding backslash (`\`).

[source,eql]
----
"example \t of \n escaped \r characters"
----

.*Escape sequences*
[%collapsible]
====
[options="header"]
|====
| Escape sequence | Literal character
|`\n`             | A newline (linefeed) character
|`\r`             | A carriage return character
|`\t`             | A tab character
|`\\`             | A backslash (`\`) character
|`\"`             | A double quote (`"`) character
|`\'`             | A single quote (`'`) character
|====
====

[discrete]
[[eql-syntax-raw-strings]]
===== Raw strings

Raw strings are preceded by a question mark (`?`) and treat backslashes (`\`) as
literal characters.

[source,eql]
----
?"String with a literal 'blackslash' \ character included"
----

You can escape single quotes (`'`) and double quotes (`"`) with a backslash, but
the backslash remains in the resulting string.

[source,eql]
----
?"\""
----

[NOTE]
====
Raw strings cannot contain only a single backslash. Additionally, raw strings
cannot end in an odd number of backslashes.
====

[discrete]
[[eql-syntax-non-alpha-field-names]]
==== Non-alphanumeric field names

Field names containing non-alphanumeric characters, such as underscores (`_`),
dots (`.`), hyphens (`-`), or spaces, must be escaped using backticks (+++`+++).

[source,eql]
----
`my_field`
`my.field`
`my-field`
`my field`
----