[DOCS] EQL: Document `length` function (#54225)

This commit is contained in:
James Rodewig 2020-04-01 11:35:36 -04:00 committed by GitHub
parent c9ffa379ba
commit 4982b720ef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 53 additions and 2 deletions


@ -9,6 +9,7 @@ experimental::[]
{es} supports the following EQL functions:
* <<eql-fn-endswith>>
* <<eql-fn-length>>
* <<eql-fn-startswith>>
* <<eql-fn-substring>>
@ -71,7 +72,7 @@ field datatypes:
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
Fields containing array values use the first array item only.
Fields containing <<array,array values>> use the first array item only.
--
`<substring>`::
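Review bot: the new cross-reference `<<array,array values>>` replacing the plain text "array values" only renders if an anchor named `array` exists in the build; please confirm it resolves (the same target is used again in the `length` and `startsWith` sections of this patch), since a dangling Asciidoctor xref produces a broken link rather than a build failure.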
@ -92,6 +93,56 @@ field datatypes:
*Returns:* boolean or `null`
====
[discrete]
[[eql-fn-length]]
=== `length`
Returns the character length of a provided string, including whitespace and
punctuation.
[%collapsible]
====
*Example*
[source,eql]
----
length("explorer.exe") // returns 12
length("start explorer.exe") // returns 18
length("") // returns 0
length(null) // returns null
// process.name = "regsvr32.exe"
length(process.name) // returns 12
----
*Syntax*
[source,txt]
----
length(<string>)
----
*Parameters*
`<string>`::
+
--
(Required, string or `null`)
String for which to return the character length. If `null`, the function returns
`null`. Empty strings return `0`.
If using a field as the argument, this parameter only supports the following
field datatypes:
* <<keyword,`keyword`>>
* <<constant-keyword,`constant_keyword`>>
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
<<array,Array values>> are not supported.
--
*Returns:* integer or `null`
====
[discrete]
[[eql-fn-startswith]]
=== `startsWith`
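Review bot: the `<string>` parameter text states "<<array,Array values>> are not supported.", whereas the `endsWith` and `startsWith` parameter sections in this same patch say "Fields containing <<array,array values>> use the first array item only." If `length` really behaves differently on array fields, a sentence saying what happens (error, `null`) would help readers who use it on multi-valued fields such as process or file names; if it does not, the wording should match the other two sections. Separately, "character length" in the description is ambiguous for non-ASCII input: stating whether the count is in Unicode code points or UTF-16 code units would remove the guesswork for paths and process names containing multi-byte characters. The example values check out (`explorer.exe` and `regsvr32.exe` are 12 characters, `start explorer.exe` is 18).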
@ -151,7 +202,7 @@ field datatypes:
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
Fields containing array values use the first array item only.
Fields containing <<array,array values>> use the first array item only.
--
`<substring>`::
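Review bot: this hunk is a verbatim copy of the change made to the `endsWith` parameter block above (the two `<substring>` descriptions are otherwise identical as well). Consider moving the shared field-datatype and array-handling text into a single reusable snippet or attribute so future wording fixes do not have to be applied in two places.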