Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DOCS] EQL: Document wildcard function #54086

Merged
merged 7 commits into from
Apr 10, 2020
Merged

[DOCS] EQL: Document wildcard function #54086

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
ce7a01e
[DOCS] EQL: Document `wildcard` function
jrodewig Apr 6, 2020
d911606
clarifications
jrodewig Apr 6, 2020
9b1e6e0
update null and empty string examples
jrodewig Apr 8, 2020
184bd53
Remove case sensitive references matching per ##54411.
jrodewig Apr 8, 2020
628906f
Simplify examples
jrodewig Apr 8, 2020
1c2ae7a
updates for array and null values
jrodewig Apr 10, 2020
77a0710
fix double space
jrodewig Apr 10, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions docs/reference/eql/functions.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ experimental::[]
* <<eql-fn-length>>
* <<eql-fn-startswith>>
* <<eql-fn-substring>>
* <<eql-fn-wildcard>>

[discrete]
[[eql-fn-endswith]]
Expand Down Expand Up @@ -276,4 +277,70 @@ function returns the remaining string.
Positions are zero-indexed. Negative offsets are supported.

*Returns:* string
====

[discrete]
[[eql-fn-wildcard]]
=== `wildcard`
Returns `true` if a source string matches one or more provided wildcard
expressions.

[%collapsible]
====
*Example*
[source,eql]
----
// The two following expressions are equivalent.
process.name == "*regsvr32*" or process.name == "*explorer*"
wildcard(process.name, "*regsvr32*", "*explorer*")

// process.name = "regsvr32.exe"
wildcard(process.name, "*regsvr32*") // returns true
wildcard(process.name, "*regsvr32*", "*explorer*") // returns true
wildcard(process.name, "*explorer*") // returns false
wildcard(process.name, "*explorer*", "*scrobj*") // returns false

// empty strings
wildcard("", "*start*") // returns false
wildcard("", "*") // returns true
wildcard("", "") // returns true

// null handling
wildcard(null, "*regsvr32*") // returns null
wildcard(process.name, null) // returns null
----

*Syntax*

[source,txt]
----
wildcard(<source>, <wildcard_exp>[, ...])
----

*Parameters*

`<source>`::
+
--
(Required, string)
Source string. If `null`, the function returns `null`.

If using a field as the argument, this parameter only supports the following
field datatypes:

* <<keyword,`keyword`>>
* <<constant-keyword,`constant_keyword`>>
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
--

`<wildcard_exp>`::
+
--
(Required{multi-arg}, string)
Wildcard expression used to match the source string. If `null`, the function
returns `null`. Fields are not supported as arguments.
--

*Returns:* boolean
====