[DOCS] Document `any` keyword in EQL syntax (#52821) (#53157)

Adds documentation for the `any` keyword to the EQL syntax docs.

Includes:

* Definition of an event category and its relationship to the event
   category field.
* Example matching all event categories using `any` keyword
* Example using `any` with `where true`
James Rodewig 2020-03-05 05:02:47 -05:00 committed by GitHub
parent 058113aa42
commit e46bb54c7b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 51 additions and 6 deletions


@ -14,21 +14,45 @@ experimental::[]
[[eql-basic-syntax]]
=== Basic syntax
EQL queries require an event type and a matching condition. The `where` keyword connects them.
EQL queries require an event category and a matching condition. The `where`
keyword connects them.
[source,eql]
----
event.category where condition
event_category where condition
----
For example, the following EQL query matches `process` events with a `process.name`
field value of `svchost.exe`:
For example, the following EQL query matches `process` events with a
`process.name` field value of `svchost.exe`:
[source,eql]
----
process where process.name == "svchost.exe"
----
[discrete]
[[eql-syntax-event-categories]]
==== Event categories
In {es}, an event category is a valid, indexed value of the
<<eql-required-fields,event category field>>. You can set the event category
field using the `event_category_field` parameter of the EQL search API.
[discrete]
[[eql-syntax-match-any-event-category]]
===== Match any event category
To match events of any category, use the `any` keyword. You can also use the
`any` keyword to search for documents without a event category field.
For example, the following EQL query matches any documents with a
`network.protocol` field value of `http`:
[source,eql]
----
any where network.protocol == "http"
----
[discrete]
[[eql-syntax-conditions]]
==== Conditions
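Review bot: typo in the "Match any event category" paragraph, "documents without a event category field" should read "documents without an event category field". Since that sentence is the only place the hunk says `any` also matches documents that lack the event category field entirely, it is worth keeping it prominent: the `any where network.protocol == "http"` example will return such documents too, which readers writing category-scoped detection queries may not expect. Consider also stating that `event_category` in the `event_category where condition` template is a placeholder for a category value rather than a field name, so it is not confused with the `event_category_field` parameter introduced two paragraphs later.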
@ -171,6 +195,27 @@ field == "example*wildcard"
field != "example*wildcard"
----
[discrete]
[[eql-syntax-match-any-condition]]
===== Match any condition
To match events solely on event category, use the `where true` condition.
For example, the following EQL query matches any `file` events:
[source,eql]
----
file where true
----
To match any event, you can combine the `any` keyword with the `where true`
condition:
[source,eql]
----
any where true
----
[discrete]
[[eql-syntax-escaped-characters]]
===== Escaped characters
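Review bot: the `any where true` example matches every event in the searched indices, since it combines the unrestricted category from "Match any event category" with the unrestricted `where true` condition documented in this hunk. A one-sentence note that this returns all events and is mainly useful as a baseline before narrowing the query would help readers avoid running it as-is against large indices. Minor: "To match events solely on event category" reads more naturally as "To match events based solely on event category".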