[DOCS] EQL: Reorganize EQL syntax sections (#63179) (#63184)

This commit is contained in:
James Rodewig 2020-10-02 10:25:32 -04:00 committed by GitHub
parent c9baadd19b
commit 099e5d00cc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -92,9 +92,6 @@ You can specify and combine these criteria using the following operators:
< <= == != >= > < <= == != >= >
---- ----
.*Definitions*
[%collapsible]
====
`<` (less than):: `<` (less than)::
Returns `true` if the value to the left of the operator is less than the value Returns `true` if the value to the left of the operator is less than the value
to the right. Otherwise returns `false`. to the right. Otherwise returns `false`.
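Review bot: dropping the `.*Definitions*` / `[%collapsible]` / `====` wrapper here is a requirement, not a cosmetic change, and the commit message should say so. The `[IMPORTANT]` admonition added further down in this commit is itself delimited by `====`, and AsciiDoc does not nest two blocks that use the same delimiter length, so placing that admonition inside the collapsible block would have terminated the collapsible early. A one-line note in the commit message keeps the next editor from reintroducing the collapsible wrappers around these definition lists.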
@ -106,6 +103,19 @@ the value to the right. Otherwise returns `false`.
`==` (equal):: `==` (equal)::
Returns `true` if the values to the left and right of the operator are equal. Returns `true` if the values to the left and right of the operator are equal.
Otherwise returns `false`. Otherwise returns `false`.
+
[IMPORTANT]
====
Avoid using the `==` operator to perform exact matching on <<text,`text`>> field
values.
By default, {es} changes the values of `text` fields as part of <<analysis,
analysis>>. This can make finding exact matches for `text` field values
difficult.
To search `text` fields, consider using a <<eql-search-filter-query-dsl,query
DSL filter>> that contains a <<query-dsl-match-query,`match`>> query.
====
`!=` (not equal):: `!=` (not equal)::
Returns `true` if the values to the left and right of the operator are not Returns `true` if the values to the left and right of the operator are not
@ -118,7 +128,6 @@ to the value to the right. Otherwise returns `false`.
`>` (greater than):: `>` (greater than)::
Returns `true` if the value to the left of the operator is greater than the Returns `true` if the value to the left of the operator is greater than the
value to the right. Otherwise returns `false`. value to the right. Otherwise returns `false`.
====
NOTE: `=` is not supported as an equality operator. Use `==` instead. NOTE: `=` is not supported as an equality operator. Use `==` instead.
@ -151,19 +160,6 @@ and `process.name` fields to static values.
process where process.parent.name == "foo" and process.name == "foo" process where process.parent.name == "foo" and process.name == "foo"
---- ----
[IMPORTANT]
====
Avoid using the `==` operator to perform exact matching on <<text,`text`>> field
values.
By default, {es} changes the values of `text` fields as part of <<analysis,
analysis>>. This can make finding exact matches for `text` field values
difficult.
To search `text` fields, consider using a <<eql-search-filter-query-dsl,query
DSL filter>> that contains a <<query-dsl-match-query,`match`>> query.
====
[discrete] [discrete]
[[eql-syntax-logical-operators]] [[eql-syntax-logical-operators]]
===== Logical operators ===== Logical operators
@ -173,9 +169,6 @@ DSL filter>> that contains a <<query-dsl-match-query,`match`>> query.
and or not and or not
---- ----
.*Definitions*
[%collapsible]
====
`and`:: `and`::
Returns `true` only if the condition to the left and right _both_ return `true`. Returns `true` only if the condition to the left and right _both_ return `true`.
Otherwise returns `false. Otherwise returns `false.
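Review bot: the `and` definition has a missing closing backtick in "Otherwise returns `false." on both sides of this hunk, so the rest of the line renders as an unterminated monospace span. Since this hunk already touches the surrounding lines, fix it here: "Otherwise returns `false`."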
@ -186,7 +179,6 @@ Otherwise returns `false.
`not`:: `not`::
Returns `true` if the condition to the right is `false`. Returns `true` if the condition to the right is `false`.
====
[discrete] [discrete]
[[eql-syntax-lookup-operators]] [[eql-syntax-lookup-operators]]
@ -198,15 +190,11 @@ user.name in ("Administrator", "SYSTEM", "NETWORK SERVICE")
user.name not in ("Administrator", "SYSTEM", "NETWORK SERVICE") user.name not in ("Administrator", "SYSTEM", "NETWORK SERVICE")
---- ----
.*Definitions*
[%collapsible]
====
`in`:: `in`::
Returns `true` if the value is contained in the provided list. Returns `true` if the value is contained in the provided list.
`not in`:: `not in`::
Returns `true` if the value is not contained in the provided list. Returns `true` if the value is not contained in the provided list.
====
[discrete] [discrete]
[[eql-syntax-math-operators]] [[eql-syntax-math-operators]]
@ -217,9 +205,6 @@ Returns `true` if the value is not contained in the provided list.
+ - * / % + - * / %
---- ----
.*Definitions*
[%collapsible]
====
`+` (add):: `+` (add)::
Adds the values to the left and right of the operator. Adds the values to the left and right of the operator.
@ -231,11 +216,7 @@ Multiplies the values to the left and right of the operator.
`/` (Divide):: `/` (Divide)::
Divides the value to the left of the operator by the value to the right. Divides the value to the left of the operator by the value to the right.
+
`%` (modulo)::
Divides the value to the left of the operator by the value to the right. Returns only the remainder.
====
[[eql-divide-operator-float-rounding]] [[eql-divide-operator-float-rounding]]
[WARNING] [WARNING]
==== ====
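Review bot: with the `+` and the `%` entry removed, the `[[eql-divide-operator-float-rounding]]` WARNING now follows the `/` description with no list continuation visible in this hunk. If a blank line separates the two, the warning renders outside the definition list and `%` (modulo) starts a new list after it; check the rendered page or add a `+` line before the anchor so the warning stays attached to the `/` item. Also, `/` (Divide) is the only capitalised entry in this list; the others read `+` (add), `%` (modulo), so lower-case it while touching the block.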
@ -274,35 +255,12 @@ process where ( 4.0 / process.args_count ) == 1
---- ----
==== ====
[discrete] `%` (modulo)::
[[eql-syntax-strings]] Divides the value to the left of the operator by the value to the right. Returns only the remainder.
==== Strings
Strings are enclosed with double quotes (`"`).
[source,eql]
----
"hello world"
----
Strings enclosed in single quotes (`'`) are not supported.
[discrete]
[[eql-syntax-wildcards]]
===== Wildcards
When comparing strings using the `==` or `!=` operators, you can use the `*`
operator within the string to match specific patterns:
[source,eql]
----
field == "example*wildcard"
field != "example*wildcard"
----
[discrete] [discrete]
[[eql-syntax-match-any-condition]] [[eql-syntax-match-any-condition]]
===== Match any condition ==== Match any condition
To match events solely on event category, use the `where true` condition. To match events solely on event category, use the `where true` condition.
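Review bot: the "Match any condition" heading changes from `=====` to `====` here, which promotes it from a subsection to a peer of Strings and Sequences in the table of contents. That looks intentional given the reordering, but it is a structural change rather than a move and is worth calling out in the commit message, along with the fact that the `%` (modulo) entry now lands after the divide WARNING's closing `====` rather than next to the `/` entry it belongs with.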
@ -321,6 +279,19 @@ condition:
any where true any where true
---- ----
[discrete]
[[eql-syntax-strings]]
==== Strings
Strings are enclosed with double quotes (`"`).
[source,eql]
----
"hello world"
----
Strings enclosed in single quotes (`'`) are not supported.
[discrete] [discrete]
[[eql-syntax-escape-characters]] [[eql-syntax-escape-characters]]
===== Escape characters in a string ===== Escape characters in a string
@ -330,12 +301,9 @@ double quote (`"`), must be escaped with a preceding backslash (`\`).
[source,eql] [source,eql]
---- ----
"example \t of \n escaped \r characters" "example \r of \" escaped \n characters"
---- ----
.*Escape sequences*
[%collapsible]
====
[options="header"] [options="header"]
|==== |====
| Escape sequence | Literal character | Escape sequence | Literal character
@ -345,7 +313,6 @@ double quote (`"`), must be escaped with a preceding backslash (`\`).
|`\\` | A backslash (`\`) character |`\\` | A backslash (`\`) character
|`\"` | A double quote (`"`) character |`\"` | A double quote (`"`) character
|==== |====
====
IMPORTANT: The single quote (`'`) character is reserved for future use. You IMPORTANT: The single quote (`'`) character is reserved for future use. You
cannot use an escaped single quote (`\'`) for literal strings. Use an escaped cannot use an escaped single quote (`\'`) for literal strings. Use an escaped
@ -377,6 +344,19 @@ Raw strings cannot contain only a single backslash or end in an odd number of
backslashes. backslashes.
==== ====
[discrete]
[[eql-syntax-wildcards]]
===== Wildcards
When comparing strings using the `==` or `!=` operators, you can use the `*`
operator within the string to match specific patterns:
[source,eql]
----
field == "example*wildcard"
field != "example*wildcard"
----
[discrete] [discrete]
[[eql-sequences]] [[eql-sequences]]
=== Sequences === Sequences
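Review bot: since the Wildcards text is being moved anyway, tighten "you can use the `*` operator within the string" to "you can use the `*` wildcard character within the string": `*` is not an operator in this section's sense (the operators are `==`, `!=`, `in`, and so on), and calling it one invites confusion with the `*` (multiply) entry in the math operators list above. Keeping the `=====` level is correct, as it leaves Wildcards nested under the new `==== Strings` section.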