[DOCS] EQL: Document `concat` function (#56239)

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-05-05 16:41:59 -04:00 · 2020-05-05 16:41:59 -04:00 · 8686200a32
parent 6674f14fb3
commit 8686200a32
1 changed files with 53 additions and 1 deletions
--- a/docs/reference/eql/functions.asciidoc
+++ b/docs/reference/eql/functions.asciidoc
@ -10,6 +10,7 @@ experimental::[]

 * <<eql-fn-between>>
 * <<eql-fn-cidrmatch>>
+* <<eql-fn-concat>>
 * <<eql-fn-endswith>>
 * <<eql-fn-indexof>>
 * <<eql-fn-length>>
@ -180,6 +181,57 @@ CIDR block you wish to search. If `null`, the function returns `null`.
 *Returns:* boolean or `null`
 ====

+[discrete]
+[[eql-fn-concat]]
+=== `concat`
+
+Returns a concatenated string of provided values.
+
+[%collapsible]
+====
+*Example*
+[source,eql]
+----
+concat("process is ", "regsvr32.exe")         // returns "process is regsvr32.exe"
+concat("regsvr32.exe", " ", 42)               // returns "regsvr32.exe 42"
+concat("regsvr32.exe", " ", 42.5)             // returns "regsvr32.exe 42.5"
+concat("regsvr32.exe", " ", true)             // returns "regsvr32.exe true"
+concat("regsvr32.exe")                        // returns "regsvr32.exe"
+
+// process.name = "regsvr32.exe"
+concat(process.name, " ", 42)                 // returns "regsvr32.exe 42"
+concat(process.name, " ", 42.5)               // returns "regsvr32.exe 42.5"
+concat("process is ", process.name)           // returns "process is regsvr32.exe"
+concat(process.name, " ", true)               // returns "regsvr32.exe true"
+concat(process.name)                          // returns "regsvr32.exe"
+
+// process.arg_count = 4
+concat(process.name, " ", process.arg_count)  // returns "regsvr32.exe 4"
+
+// null handling
+concat(null, "regsvr32.exe")                  // returns null
+concat(process.name, null)                    // returns null
+concat(null)                                  // returns null 
+----
+
+*Syntax*
+[source,txt]
+----
+concat(<value>[, <value>])
+----
+
+*Parameters*
+
+`<value>`::
+(Required{multi-arg-ref})
+Value to concatenate. If any of the arguments are `null`, the function returns `null`.
+
+If using a field as the argument, this parameter does not support the
+<<text,`text`>> field datatype.
+
+*Returns:* string or `null`
+====
+
 [discrete]
 [[eql-fn-endswith]]
 === `endsWith`