honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-09 06:25:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

[DOCS] EQL: Document unsupported var comparison (#58941) (#59224)

Browse Source 
ES EQL queries do not support the comparison of a variable, such as
a field value, to another variable.

This adds a related para and example to the EQL syntax docs.
This commit is contained in:
James Rodewig 2020-07-08 11:04:05 -04:00 committed by GitHub
parent 6ffdb19a2a
commit 37be56ab97
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
docs/reference/eql/syntax.asciidoc
View File

@ -72,6 +72,34 @@ You can specify and combine these criteria using the following operators:
< <= == != >= > < <= == != >= >
---- ----
You cannot use comparison operators to compare a variable, such as a field
value, to another variable, even if those variables are modified using a
<eql-functions,function>>.
.*Example*
[%collapsible]
====
The following EQL query compares the `process.parent_name` field
value to a static value, `foo`. This comparison is supported.
However, the query also compares the `process.parent.name` field value to the
`process.name` field. This comparison is not supported and will return an
error for the entire query.
[source,eql]
----
process where process.parent.name == "foo" and process.parent.name == process.name
----
Instead, you can rewrite the query to compare both the `process.parent.name`
and `process.name` fields to static values.
[source,eql]
----
process where process.parent.name == "foo" and process.name == "foo"
----
====
[IMPORTANT] [IMPORTANT]
==== ====
Avoid using the equal operator (`==`) to perform exact matching on `text` field Avoid using the equal operator (`==`) to perform exact matching on `text` field