Skip to content

EQL: implement wildcard function #53999

New issue
New issue
Closed
#54020
Closed
EQL: implement wildcard function#53999
#54020
Assignees
rw-access
Labels
:Analytics/EQLEQL querying
@rw-access

Description

@rw-access
rw-access
opened on Mar 23, 2020

Part of #51556
https://eql.readthedocs.io/en/latest/query-guide/functions.html#wildcard

Specifically, we should catch wildcard(field, "wildcard1", "wildcard2", "wildcard3", ...) and convert to Like as an optimizer rule.

Function behavior

Validation requirements:

  • All wildcard parameters must be constant/foldable strings in the query
  • There must be at least one wildcard string
  • The first parameter must be a string but may or not be foldable.

null behavior:

  • wildcard(missing/null, ...) ==> null
  • wildcard(string, ...) => true or false
  • wildcard(non-null, non-string) => null (if necessary)
    • this shouldn't be possible when compiling to match and using an indexed field. but can we query non-indexed fields? would a document ever have a non-string value?

Metadata

Metadata

Assignees

Labels

:Analytics/EQLEQL querying

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions