Commit 7738ed4

[DOCS] EQL: Document length function (#54225)
1 parent 55aeefa commit 7738ed4

1 file changed

+53
-2
lines changed

docs/reference/eql/functions.asciidoc

Lines changed: 53 additions & 2 deletions
@@ -9,6 +9,7 @@ experimental::[]
99
{es} supports the following EQL functions:
1010

1111
* <<eql-fn-endswith>>
12+
* <<eql-fn-length>>
1213
* <<eql-fn-startswith>>
1314
* <<eql-fn-substring>>
1415

@@ -71,7 +72,7 @@ field datatypes:
7172
* <<text,`text`>> field with a <<keyword,`keyword`>> or
7273
<<constant-keyword,`constant_keyword`>> sub-field
7374
74-
Fields containing array values use the first array item only.
75+
Fields containing <<array,array values>> use the first array item only.
7576
--
7677
7778
`<substring>`::
@@ -92,6 +93,56 @@ field datatypes:
9293
*Returns:* boolean or `null`
9394
====
9495

96+
[discrete]
97+
[[eql-fn-length]]
98+
=== `length`
99+
100+
Returns the character length of a provided string, including whitespace and
101+
punctuation.
102+
103+
[%collapsible]
104+
====
105+
*Example*
106+
[source,eql]
107+
----
108+
length("explorer.exe") // returns 12
109+
length("start explorer.exe") // returns 18
110+
length("") // returns 0
111+
length(null) // returns null
112+
113+
// process.name = "regsvr32.exe"
114+
length(process.name) // returns 12
115+
----
116+
117+
*Syntax*
118+
[source,txt]
119+
----
120+
length(<string>)
121+
----
122+
123+
*Parameters*
124+
125+
`<string>`::
126+
+
127+
--
128+
(Required, string or `null`)
129+
String for which to return the character length. If `null`, the function returns
130+
`null`. Empty strings return `0`.
131+
132+
If using a field as the argument, this parameter only supports the following
133+
field datatypes:
134+
135+
* <<keyword,`keyword`>>
136+
* <<constant-keyword,`constant_keyword`>>
137+
* <<text,`text`>> field with a <<keyword,`keyword`>> or
138+
<<constant-keyword,`constant_keyword`>> sub-field
139+
140+
<<array,Array values>> are not supported.
141+
--
142+
143+
*Returns:* integer or `null`
144+
====
145+
95146
[discrete]
96147
[[eql-fn-startswith]]
97148
=== `startsWith`
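Review bot: In the new `<string>` parameter text, "<<array,Array values>> are not supported" does not say what `length` does when the field holds an array (an error, `null`, or something else), whereas the other hunks in this file document "use the first array item only" for their functions; state the outcome explicitly so query authors know how the behaviour differs. The summary "character length" also leaves the unit open and all five example calls use ASCII input, so consider saying what counts as a character and adding one non-ASCII example.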
@@ -151,7 +202,7 @@ field datatypes:
151202
* <<text,`text`>> field with a <<keyword,`keyword`>> or
152203
<<constant-keyword,`constant_keyword`>> sub-field
153204
154-
Fields containing array values use the first array item only.
205+
Fields containing <<array,array values>> use the first array item only.
155206
--
156207
157208
`<substring>`::
