honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-18 19:05:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

[DOCS] EQL: Document endsWith function (#54521)

Browse Source
This commit is contained in:
James Rodewig 2020-04-01 10:43:37 -04:00 committed by GitHub
parent 7787603d56
commit b43eb5ac32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 81 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
docs/reference/eql/functions.asciidoc
View File

@ -8,9 +8,90 @@ experimental::[]
{es} supports the following EQL functions: {es} supports the following EQL functions:
* <<eql-fn-endswith>>
* <<eql-fn-startswith>> * <<eql-fn-startswith>>
* <<eql-fn-substring>> * <<eql-fn-substring>>
[discrete]
[[eql-fn-endswith]]
=== `endsWith`
Returns `true` if a source string ends with a provided substring. Matching is
case insensitive.
[%collapsible]
====
*Example*
[source,eql]
----
endsWith("regsvr32.exe", ".exe") // returns true
endsWith("regsvr32.exe", ".EXE") // returns true
endsWith("regsvr32.exe", ".dll") // returns false
endsWith("", "") // returns true
// file.name = "regsvr32.exe"
endsWith(file.name, ".exe") // returns true
endsWith(file.name, ".dll") // returns false
// file.extension = ".exe"
endsWith("regsvr32.exe", file.extension) // returns true
endsWith("ntdll.dll", file.name) // returns false
// file.name = [ "ntdll.dll", "regsvr32.exe" ]
endsWith(file.name, ".dll") // returns true
endsWith(file.name, ".exe") // returns false
// null handling
endsWith("regsvr32.exe", null) // returns null
endsWith("", null) // returns null
endsWith(null, ".exe") // returns null
endsWith(null, null) // returns null
----
*Syntax*
[source,txt]
----
endsWith(<source>, <substring>)
----
*Parameters*
`<source>`::
+
--
(Required, string or `null`)
Source string. If `null`, the function returns `null`.
If using a field as the argument, this parameter only supports the following
field datatypes:
* <<keyword,`keyword`>>
* <<constant-keyword,`constant_keyword`>>
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
Fields containing array values use the first array item only.
--
`<substring>`::
+
--
(Required, string or `null`)
Substring to search for. If `null`, the function returns `null`.
If using a field as the argument, this parameter only supports the following
field datatypes:
* <<keyword,`keyword`>>
* <<constant-keyword,`constant_keyword`>>
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
--
*Returns:* boolean or `null`
====
[discrete] [discrete]
[[eql-fn-startswith]] [[eql-fn-startswith]]
=== `startsWith` === `startsWith`