Skip to content

[DOCS] EQL: Document stringContains function #54968

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Apr 24, 2020
Merged

[DOCS] EQL: Document stringContains function #54968

merged 7 commits into from
Apr 24, 2020

Conversation

@jrodewig
Copy link
Contributor

@jrodewig jrodewig commented Apr 8, 2020

Documents the EQL stringContains function.

Relates to #54380 and #54136

@jrodewig jrodewig added >docs General docs changes :Analytics/EQL EQL querying labels Apr 8, 2020
@jrodewig jrodewig requested a review from aleksmaus April 8, 2020 17:03
@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 8, 2020

Pinging @elastic/es-ql (:Query Languages/EQL)

@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 8, 2020

Pinging @elastic/es-docs (>docs)

@jrodewig jrodewig mentioned this pull request Apr 8, 2020
Closed
35 tasks
rw-access
rw-access reviewed Apr 9, 2020
View reviewed changes
docs/reference/eql/functions.asciidoc
stringContains("start regsvr32.exe", "") // returns false
// null handling
stringContains(null, "regsvr32") // returns null
Copy link
Contributor

@rw-access rw-access Apr 9, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based off the conversation today, null in any required input will lead to a null output

Suggested change
stringContains(null, "regsvr32") // returns null
stringContains(null, "regsvr32") // returns null
stringContains(process.command_line, null) // returns null

Copy link
Contributor Author

@jrodewig jrodewig Apr 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Updated with 8bcb8f8.

astefan
astefan approved these changes Apr 24, 2020
View reviewed changes
Copy link
Contributor

@astefan astefan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
Suggested, also, another example to add.

docs/reference/eql/functions.asciidoc
// process.command_line = "start regsvr32.exe"
stringContains(process.command_line, "regsvr32") // returns true
stringContains(process.command_line, "start ") // returns true
stringContains(process.command_line, "explorer") // returns false
Copy link
Contributor

@astefan astefan Apr 24, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add one additional example, to show a less obvious usage: stringContains(process.path, process.name).

Copy link
Contributor Author

@jrodewig jrodewig Apr 24, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added with 5ccc198. Thanks!

@jrodewig jrodewig merged commit cde5fc1 into elastic:master Apr 24, 2020
@jrodewig jrodewig deleted the docs__eql-fn-stringcontains branch April 24, 2020 18:53
@jrodewig jrodewig mentioned this pull request Apr 24, 2020
Merged
jrodewig added a commit that referenced this pull request Apr 24, 2020
@jrodewig
[DOCS] EQL: Document stringContains function (#54968)
5981412
@jrodewig
Copy link
Contributor Author

jrodewig commented Apr 24, 2020

Backport commits

master cde5fc1
7.x 5981412

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@astefan astefan astefan approved these changes

@aleksmaus aleksmaus Awaiting requested review from aleksmaus

+1 more reviewer

@rw-access rw-access rw-access left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

:Analytics/EQL EQL querying >docs General docs changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jrodewig @elasticmachine @astefan @rw-access