[DOCS] EQL: Document `concat` function (#56239)

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
James Rodewig 2020-05-05 16:41:59 -04:00
parent 6674f14fb3
commit 8686200a32
1 changed files with 53 additions and 1 deletions


@ -10,6 +10,7 @@ experimental::[]
* <<eql-fn-between>>
* <<eql-fn-cidrmatch>>
* <<eql-fn-concat>>
* <<eql-fn-endswith>>
* <<eql-fn-indexof>>
* <<eql-fn-length>>
@ -180,6 +181,57 @@ CIDR block you wish to search. If `null`, the function returns `null`.
*Returns:* boolean or `null`
====
[discrete]
[[eql-fn-concat]]
=== `concat`
Returns a concatenated string of provided values.
[%collapsible]
====
*Example*
[source,eql]
----
concat("process is ", "regsvr32.exe") // returns "process is regsvr32.exe"
concat("regsvr32.exe", " ", 42) // returns "regsvr32.exe 42"
concat("regsvr32.exe", " ", 42.5) // returns "regsvr32.exe 42.5"
concat("regsvr32.exe", " ", true) // returns "regsvr32.exe true"
concat("regsvr32.exe") // returns "regsvr32.exe"
// process.name = "regsvr32.exe"
concat(process.name, " ", 42) // returns "regsvr32.exe 42"
concat(process.name, " ", 42.5) // returns "regsvr32.exe 42.5"
concat("process is ", process.name) // returns "process is regsvr32.exe"
concat(process.name, " ", true) // returns "regsvr32.exe true"
concat(process.name) // returns "regsvr32.exe"
// process.arg_count = 4
concat(process.name, " ", process.arg_count) // returns "regsvr32.exe 4"
// null handling
concat(null, "regsvr32.exe") // returns null
concat(process.name, null) // returns null
concat(null) // returns null
----
*Syntax*
[source,txt]
----
concat(<value>[, <value>])
----
*Parameters*
`<value>`::
(Required{multi-arg-ref})
Value to concatenate. If any of the arguments are `null`, the function returns `null`.
+
If using a field as the argument, this parameter does not support the
<<text,`text`>> field datatype.
*Returns:* string or `null`
====
[discrete]
[[eql-fn-endswith]]
=== `endsWith`
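Review bot: In the *Syntax* block, `concat(<value>[, <value>])` reads as accepting at most two arguments, while the examples above it call the function with three (`concat("regsvr32.exe", " ", 42)`). Consider making the repetition explicit in the syntax line, for example `concat(<value>[, <value>]...)`, unless the `{multi-arg-ref}` attribute already states this in the rendered output. The `<value>` description could also list the accepted types, since the examples mix strings, integers, floats and booleans but the parameter text names only the unsupported `text` field datatype.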
@ -775,4 +827,4 @@ returns `null`. Fields are not supported as arguments.
--
*Returns:* boolean
====
====