Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: e86e148ee4
Branches Tags
elasticsearch
/
docs
/
reference
/
eql
/
functions.asciidoc

functions.asciidoc 5.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228 
  1. [[eql-function-ref]]
    2. 

  2. == EQL function reference
    3. 

  3. ++++
    4. 

  4. <titleabbrev>Function reference</titleabbrev>
    5. 

  5. ++++
    6. 

  6. 

  7. experimental::[]
    8. 

  8. 

  9. {es} supports the following EQL functions:
    10. 

  10. 

  11. * <<eql-fn-endswith>>
    12. 

  12. * <<eql-fn-startswith>>
    13. 

  13. * <<eql-fn-substring>>
    14. 

  14. 

  15. [discrete]
    16. 

  16. [[eql-fn-endswith]]
    17. 

  17. === `endsWith`
    18. 

  18. 

  19. Returns `true` if a source string ends with a provided substring. Matching is
    20. 

  20. case insensitive.
    21. 

  21. 

  22. [%collapsible]
    23. 

  23. ====
    24. 

  24. *Example*
    25. 

  25. [source,eql]
    26. 

  26. ----
    27. 

  27. endsWith("regsvr32.exe", ".exe")          // returns true
    28. 

  28. endsWith("regsvr32.exe", ".EXE")          // returns true
    29. 

  29. endsWith("regsvr32.exe", ".dll")          // returns false
    30. 

  30. endsWith("", "")                          // returns true
    31. 

  31. 

  32. // file.name = "regsvr32.exe"
    33. 

  33. endsWith(file.name, ".exe")               // returns true
    34. 

  34. endsWith(file.name, ".dll")               // returns false
    35. 

  35. 

  36. // file.extension = ".exe"
    37. 

  37. endsWith("regsvr32.exe", file.extension)  // returns true
    38. 

  38. endsWith("ntdll.dll", file.name)          // returns false
    39. 

  39. 

  40. // file.name = [ "ntdll.dll", "regsvr32.exe" ]
    41. 

  41. endsWith(file.name, ".dll")               // returns true
    42. 

  42. endsWith(file.name, ".exe")               // returns false
    43. 

  43. 

  44. // null handling
    45. 

  45. endsWith("regsvr32.exe", null)            // returns null
    46. 

  46. endsWith("", null)                        // returns null 
    47. 

  47. endsWith(null, ".exe")                    // returns null
    48. 

  48. endsWith(null, null)                      // returns null
    49. 

  49. ----
    50. 

  50. 

  51. *Syntax*
    52. 

  52. 

  53. [source,txt]
    54. 

  54. ----
    55. 

  55. endsWith(<source>, <substring>)
    56. 

  56. ----
    57. 

  57. 

  58. *Parameters*
    59. 

  59. 

  60. `<source>`::
    61. 

  61. +
    62. 

  62. --
    63. 

  63. (Required, string or `null`)
    64. 

  64. Source string. If `null`, the function returns `null`.
    65. 

  65. 

  66. If using a field as the argument, this parameter only supports the following
    67. 

  67. field datatypes:
    68. 

  68. 

  69. * <<keyword,`keyword`>>
    70. 

  70. * <<constant-keyword,`constant_keyword`>>
    71. 

  71. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    72. 

  72.   <<constant-keyword,`constant_keyword`>> sub-field
    73. 

  73. 

  74. Fields containing array values use the first array item only.
    75. 

  75. --
    76. 

  76. 

  77. `<substring>`::
    78. 

  78. +
    79. 

  79. --
    80. 

  80. (Required, string or `null`)
    81. 

  81. Substring to search for. If `null`, the function returns `null`.
    82. 

  82. 

  83. If using a field as the argument, this parameter only supports the following
    84. 

  84. field datatypes:
    85. 

  85. 

  86. * <<keyword,`keyword`>>
    87. 

  87. * <<constant-keyword,`constant_keyword`>>
    88. 

  88. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    89. 

  89.   <<constant-keyword,`constant_keyword`>> sub-field
    90. 

  90. --
    91. 

  91. 

  92. *Returns:* boolean or `null`
    93. 

  93. ====
    94. 

  94. 

  95. [discrete]
    96. 

  96. [[eql-fn-startswith]]
    97. 

  97. === `startsWith`
    98. 

  98. 

  99. Returns `true` if a source string begins with a provided substring. Matching is
    100. 

  100. case insensitive.
    101. 

  101. 

  102. [%collapsible]
    103. 

  103. ====
    104. 

  104. *Example*
    105. 

  105. [source,eql]
    106. 

  106. ----
    107. 

  107. startsWith("regsvr32.exe", "regsvr32")  // returns true
    108. 

  108. startsWith("regsvr32.exe", "RegSvr32")  // returns true
    109. 

  109. startsWith("regsvr32.exe", "explorer")  // returns false
    110. 

  110. startsWith("", "")                      // returns true
    111. 

  111. 

  112. // process.name = "regsvr32.exe"
    113. 

  113. startsWith(process.name, "regsvr32")    // returns true
    114. 

  114. startsWith(process.name, "explorer")    // returns false
    115. 

  115. 

  116. // process.name = "regsvr32"
    117. 

  117. startsWith("regsvr32.exe", process.name) // returns true
    118. 

  118. startsWith("explorer.exe", process.name) // returns false
    119. 

  119. 

  120. // process.name = [ "explorer.exe", "regsvr32.exe" ]
    121. 

  121. startsWith(process.name, "explorer")    // returns true
    122. 

  122. startsWith(process.name, "regsvr32")    // returns false
    123. 

  123. 

  124. // null handling
    125. 

  125. startsWith("regsvr32.exe", null)        // returns null
    126. 

  126. startsWith("", null)                    // returns null 
    127. 

  127. startsWith(null, "regsvr32")            // returns null
    128. 

  128. startsWith(null, null)                  // returns null
    129. 

  129. ----
    130. 

  130. 

  131. *Syntax*
    132. 

  132. 

  133. [source,txt]
    134. 

  134. ----
    135. 

  135. startsWith(<source>, <substring>)
    136. 

  136. ----
    137. 

  137. 

  138. *Parameters*
    139. 

  139. 

  140. `<source>`::
    141. 

  141. +
    142. 

  142. --
    143. 

  143. (Required, string or `null`)
    144. 

  144. Source string. If `null`, the function returns `null`.
    145. 

  145. 

  146. If using a field as the argument, this parameter only supports the following
    147. 

  147. field datatypes:
    148. 

  148. 

  149. * <<keyword,`keyword`>>
    150. 

  150. * <<constant-keyword,`constant_keyword`>>
    151. 

  151. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    152. 

  152.   <<constant-keyword,`constant_keyword`>> sub-field
    153. 

  153. 

  154. Fields containing array values use the first array item only.
    155. 

  155. --
    156. 

  156. 

  157. `<substring>`::
    158. 

  158. +
    159. 

  159. --
    160. 

  160. (Required, string or `null`)
    161. 

  161. Substring to search for. If `null`, the function returns `null`.
    162. 

  162. 

  163. If using a field as the argument, this parameter only supports the following
    164. 

  164. field datatypes:
    165. 

  165. 

  166. * <<keyword,`keyword`>>
    167. 

  167. * <<constant-keyword,`constant_keyword`>>
    168. 

  168. * <<text,`text`>> field with a <<keyword,`keyword`>> or
    169. 

  169.   <<constant-keyword,`constant_keyword`>> sub-field
    170. 

  170. --
    171. 

  171. 

  172. *Returns:* boolean or `null`
    173. 

  173. ====
    174. 

  174. 

  175. [discrete]
    176. 

  176. [[eql-fn-substring]]
    177. 

  177. === `substring`
    178. 

  178. 

  179. Extracts a substring from a source string at provided start and end positions.
    180. 

  180. 

  181. If no end position is provided, the function extracts the remaining string.
    182. 

  182. 

  183. [%collapsible]
    184. 

  184. ====
    185. 

  185. *Example*
    186. 

  186. [source,eql]
    187. 

  187. ----
    188. 

  188. substring("start regsvr32.exe", 6)        // returns "regsvr32.exe"
    189. 

  189. substring("start regsvr32.exe", 0, 5)     // returns "start"
    190. 

  190. substring("start regsvr32.exe", 6, 14)    // returns "regsvr32"
    191. 

  191. substring("start regsvr32.exe", -4)       // returns ".exe"
    192. 

  192. substring("start regsvr32.exe", -4, -1)   // returns ".ex"
    193. 

  193. ----
    194. 

  194. 

  195. *Syntax*
    196. 

  196. 

  197. [source,txt]
    198. 

  198. ----
    199. 

  199. substring(<source>, <start_pos>[, <end_pos>])
    200. 

  200. ----
    201. 

  201. 

  202. *Parameters*
    203. 

  203. 

  204. `<source>`::
    205. 

  205. (Required, string)
    206. 

  206. Source string.
    207. 

  207. 

  208. `<start_pos>`::
    209. 

  209. +
    210. 

  210. --
    211. 

  211. (Required, integer)
    212. 

  212. Starting position for extraction.
    213. 

  213. 

  214. If this position is higher than the `<end_pos>` position or the length of the
    215. 

  215. `<source>` string, the function returns an empty string.
    216. 

  216. 

  217. Positions are zero-indexed. Negative offsets are supported.
    218. 

  218. --
    219. 

  219. 

  220. `<end_pos>`::
    221. 

  221. (Optional, integer)
    222. 

  222. Exclusive end position for extraction. If this position is not provided, the
    223. 

  223. function returns the remaining string.
    224. 

  224. +
    225. 

  225. Positions are zero-indexed. Negative offsets are supported.
    226. 

  226. 

  227. *Returns:* string
    228. 

  228. ====
    229.