honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[DOCS] EQL: Document `between` function (#54950)

This commit is contained in:
James Rodewig 2020-04-08 13:49:15 -04:00 committed by GitHub
parent c2c0707174
commit 964cf565c9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 113 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
docs/reference/eql/functions.asciidoc
View File

@ -8,11 +8,124 @@ experimental::[]
{es} supports the following EQL functions:
* <<eql-fn-between>>
* <<eql-fn-endswith>>
* <<eql-fn-length>>
* <<eql-fn-startswith>>
* <<eql-fn-substring>>
[discrete]
[[eql-fn-between]]
=== `between`
Extracts a substring that's between a provided `left` and `right` text in a
source string.
[%collapsible]
====
*Example*
[source,eql]
----
// file.path = "C:\\Windows\\System32\\cmd.exe"
between(file.path, "system32\\\\", ".exe") // returns "cmd"
between(file.path, "workspace\\\\", ".exe") // returns ""
// Greedy matching defaults to false.
between(file.path, "\\\\", "\\\\", false) // returns "Windows"
// Sets greedy matching to true
between(file.path, "\\\\", "\\\\", true) // returns "Windows\\System32"
// Case sensitivity defaults to false.
between(file.path, "system32\\\\", ".exe", false, false) // returns "cmd"
// Sets case sensitivity to true
between(file.path, "system32\\\\", ".exe", false, true) // returns ""
between(file.path, "System32\\\\", ".exe", false, true) // returns "cmd"
// empty source string
between("", "system32\\\\", ".exe") // returns ""
between("", "", "") // returns ""
// null handling
between(null, "system32\\\\", ".exe") // returns null
----
*Syntax*
[source,txt]
----
between(<source>, <left>, <right>[, <greedy_matching>, <case_sensitive>])
----
*Parameters*
`<source>`::
+
--
(Required, string or `null`)
Source string. Empty strings return an empty string (`""`), regardless of the
`<left>` or `<right>` parameters. If `null`, the function returns `null`.
If using a field as the argument, this parameter only supports the following
field datatypes:
* <<keyword,`keyword`>>
* <<constant-keyword,`constant_keyword`>>
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
Fields containing <<array,array values>> use the first array item only.
--
`<left>`::
+
--
(Required, string)
Text to the left of the substring to extract. This text should include
whitespace.
If using a field as the argument, this parameter only supports the following
field datatypes:
* <<keyword,`keyword`>>
* <<constant-keyword,`constant_keyword`>>
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
<<array,Array values>> are not supported.
--
`<right>`::
+
--
(Required, string)
Text to the right of the substring to extract. This text should include
whitespace.
If using a field as the argument, this parameter only supports the following
field datatypes:
* <<keyword,`keyword`>>
* <<constant-keyword,`constant_keyword`>>
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
<<array,Array values>> are not supported.
--
`<greedy_matching>`::
(Optional, boolean)
If `true`, match the longest possible substring, similar to `.*` in regular
expressions. If `false`, match the shortest possible substring, similar to `.*?`
in regular expressions. Defaults to `false`.
`<case_sensitive>`::
(Optional, boolean)
If `true`, matching is case-sensitive. Defaults to `false`.
*Returns:* string or `null`
====
[discrete]
[[eql-fn-endswith]]
=== `endsWith`