honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[DOCS] EQL: Update keyword family field types (#62254) (#62310) 

Updates several keyword/constant keyword references to use any field type in the
keyword family.
This commit is contained in:
James Rodewig 2020-09-14 09:51:34 -04:00 committed by GitHub
parent af13c9802d
commit 3ab28e84c6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 35 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/reference/eql/eql-search-api.asciidoc
View File

@ -145,8 +145,8 @@ Defaults to `event.category`, as defined in the {ecs-ref}/ecs-event.html[Elastic
Common Schema (ECS)]. If a data stream or index does not contain the Common Schema (ECS)]. If a data stream or index does not contain the
`event.category` field, this value is required. `event.category` field, this value is required.
+ +
The event category field is typically mapped as a <<keyword,`keyword`>> or The event category field is typically mapped as a field type in the
<<constant-keyword-field-type,constant keyword>> field. <<keyword,`keyword`>> family.
`fetch_size`:: `fetch_size`::
(Optional, integer) (Optional, integer)

6
docs/reference/eql/eql.asciidoc
View File

@ -389,9 +389,9 @@ documents use a different timestamp or event category field, you must specify it
in the search request using the `timestamp_field` or `event_category_field` in the search request using the `timestamp_field` or `event_category_field`
parameters. parameters.
The event category field is typically mapped as a <<keyword,`keyword`>> or The event category field is typically mapped as a field type in the
<<constant-keyword-field-type,constant keyword>> field. The timestamp field is typically <<keyword,`keyword`>> family. The timestamp field is typically mapped as a
mapped as a <<date,`date`>> or <<date_nanos,`date_nanos`>> field. <<date,`date`>> or <<date_nanos,`date_nanos`>> field.
NOTE: You cannot use a <<nested,`nested`>> field or the sub-fields of a `nested` NOTE: You cannot use a <<nested,`nested`>> field or the sub-fields of a `nested`
field as the timestamp or event category field. See <<eql-nested-fields>>. field as the timestamp or event category field. See <<eql-nested-fields>>.

90
docs/reference/eql/functions.asciidoc
View File

@ -109,10 +109,8 @@ Source string. Empty strings return an empty string (`""`), regardless of the
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
`<left>`:: `<left>`::
@ -125,10 +123,8 @@ whitespace.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
`<right>`:: `<right>`::
@ -141,10 +137,8 @@ whitespace.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
`<greedy_matching>`:: `<greedy_matching>`::
@ -399,10 +393,8 @@ Source string. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
`<substring>`:: `<substring>`::
@ -414,10 +406,8 @@ Substring to search for. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
*Returns:* boolean or `null` *Returns:* boolean or `null`
@ -477,10 +467,8 @@ Source string. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
`<substring>`:: `<substring>`::
@ -498,10 +486,8 @@ Otherwise, empty strings return `0`.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
`<start_pos>`:: `<start_pos>`::
@ -564,10 +550,8 @@ String for which to return the character length. If `null`, the function returns
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
*Returns:* integer or `null` *Returns:* integer or `null`
@ -614,10 +598,8 @@ Source string. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
`<reg_exp>`:: `<reg_exp>`::
@ -811,10 +793,8 @@ ignored. Empty strings (`""`) are not supported.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
If this argument is `null`, the function returns `null`. If this argument is `null`, the function returns `null`.
-- --
@ -879,10 +859,8 @@ Source string. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
`<substring>`:: `<substring>`::
@ -894,10 +872,8 @@ Substring to search for. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
*Returns:* boolean or `null` *Returns:* boolean or `null`
@ -978,10 +954,8 @@ Source string to search. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
`<substring>`:: `<substring>`::
(Required, string or `null`) (Required, string or `null`)
@ -990,10 +964,8 @@ Substring to search for. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
*Returns:* boolean or `null` *Returns:* boolean or `null`
@ -1147,10 +1119,8 @@ Source string. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following If using a field as the argument, this parameter supports only the following
field data types: field data types:
* <<keyword,`keyword`>> * A type in the <<keyword,`keyword`>> family
* <<constant-keyword-field-type,`constant_keyword`>> * <<text,`text`>> field with a <<keyword,`keyword`>> sub-field
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword-field-type,`constant_keyword`>> sub-field
-- --
`<wildcard_exp>`:: `<wildcard_exp>`::