== EQL function reference

{es} supports the following EQL functions. Most EQL functions
are case-sensitive by default.
=== `add`

Returns the sum of two provided addends.

*Example*

[source,eql]
----
add(4, 5)                                        // returns 9
add(4, 0.5)                                      // returns 4.5
add(0.5, 0.25)                                   // returns 0.75
add(4, -2)                                       // returns 2
add(-2, -2)                                      // returns -4

// process.args_count = 4
add(process.args_count, 5)                       // returns 9
add(process.args_count, 0.5)                     // returns 4.5

// process.parent.args_count = 2
add(process.args_count, process.parent.args_count) // returns 6

// null handling
add(null, 4)                                     // returns null
add(4, null)                                     // returns null
add(null, process.args_count)                    // returns null
add(process.args_count, null)                    // returns null
----

*Syntax*

[source,txt]
----
add(<addend>, <addend>)
----

*Parameters*

`<addend>`::
(Required, integer or float or `null`)
Addend to add. If `null`, the function returns `null`.
+
Two addends are required. No more than two addends can be provided.
+
If using a field as the argument, this parameter supports only
numeric field data types.

*Returns:* integer, float, or `null`
=== `between`

Extracts a substring that's between a provided `left` and `right` text in a
source string. Matching is case-sensitive.

*Example*

[source,eql]
----
// file.path = "C:\\Windows\\System32\\cmd.exe"
between(file.path, "System32\\\\", ".exe")       // returns "cmd"
between(file.path, "workspace\\\\", ".exe")      // returns ""

// Greedy matching defaults to false.
between(file.path, "\\\\", "\\\\", false)        // returns "Windows"
// Sets greedy matching to true
between(file.path, "\\\\", "\\\\", true)         // returns "Windows\\System32"

// empty source string
between("", "System32\\\\", ".exe")              // returns ""
between("", "", "")                              // returns ""

// null handling
between(null, "System32\\\\", ".exe")            // returns null
----
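To make the `between` semantics above concrete when writing or reviewing detection rules, here is a small Python model of the function that reproduces the documented behaviour (case-sensitive matching, the greedy flag, empty-source and `null` handling). This is an added illustration, not Elasticsearch's own implementation; the function name `eql_between`, the use of `None` for EQL `null`, and the sample path (taken from the comment above) are assumptions. Python raw strings are used for the backslashes; EQL string literals use their own escaping, as shown in the page's examples. It also goes one step beyond the page by showing what a wrong-case `left` argument returns.

```python
# Added illustration of the between() semantics documented above: a small
# Python model of the EQL function, NOT Elasticsearch's own implementation.
# The function name and the use of None for EQL null are assumptions.

# Sample value constructed from the page's comment ("file.path = ...").
FILE_PATH = r"C:\Windows\System32\cmd.exe"


def eql_between(source, left, right, greedy=False):
    """Return the substring of `source` between `left` and `right`.

    Mirrors the documented behaviour:
    - matching is case-sensitive (str.find is case-sensitive);
    - no match, or an empty source, yields "";
    - a null (None) source yields null (None);
    - greedy=False stops at the first `right` after `left`;
      greedy=True extends to the last `right` in the string.
    """
    if source is None:
        return None
    start = source.find(left)
    if start < 0:
        return ""
    start += len(left)
    # Greedy: take the longest possible substring, i.e. up to the last `right`.
    end = source.rfind(right) if greedy else source.find(right, start)
    if end < start:
        return ""
    return source[start:end]


def worked_examples():
    """Re-run the page's examples plus the case-sensitivity check they imply."""
    return {
        "exact_case": eql_between(FILE_PATH, "System32\\", ".exe"),
        "wrong_case": eql_between(FILE_PATH, "system32\\", ".exe"),
        "no_left_match": eql_between(FILE_PATH, "workspace\\", ".exe"),
        "non_greedy": eql_between(FILE_PATH, "\\", "\\", False),
        "greedy": eql_between(FILE_PATH, "\\", "\\", True),
        "empty_source": eql_between("", "System32\\", ".exe"),
        "all_empty": eql_between("", "", ""),
        "null_source": eql_between(None, "System32\\", ".exe"),
    }


if __name__ == "__main__":
    for name, value in worked_examples().items():
        print(f"{name:14} -> {value!r}")
```

The `wrong_case` entry is the one to keep in mind when authoring rules: because matching is case-sensitive, `between(file.path, "system32\\\\", ".exe")` returns `""` for the sample path rather than `"cmd"`, so a rule comparing that result to `"cmd"` would silently never fire.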