[DOCS] EQL: Document stringContains function (#54968)
jrodewig authored Apr 24, 2020
1 parent 754e3ca commit cde5fc1
Showing 1 changed file with 63 additions and 0 deletions.
63 changes: 63 additions & 0 deletions docs/reference/eql/functions.asciidoc
@@ -15,6 +15,7 @@ experimental::[]
* <<eql-fn-length>>
* <<eql-fn-startswith>>
* <<eql-fn-string>>
* <<eql-fn-stringcontains>>
* <<eql-fn-substring>>
* <<eql-fn-wildcard>>

@@ -532,6 +533,68 @@ If using a field as the argument, this parameter does not support the
*Returns:* string or `null`
====

[discrete]
[[eql-fn-stringcontains]]
=== `stringContains`

Returns `true` if a source string contains a provided substring.

[%collapsible]
====
*Example*
[source,eql]
----
// process.command_line = "start regsvr32.exe"
stringContains(process.command_line, "regsvr32") // returns true
stringContains(process.command_line, "start ") // returns true
stringContains(process.command_line, "explorer") // returns false
// process.name = "regsvr32.exe"
stringContains(command_line, process.name) // returns true
// empty strings
stringContains("", "") // returns false
stringContains(process.command_line, "") // returns false
// null handling
stringContains(null, "regsvr32") // returns null
stringContains(process.command_line, null) // returns null
----
*Syntax*
[source,txt]
----
stringContains(<source>, <substring>)
----
*Parameters*
`<source>`::
(Required, string or `null`)
Source string to search. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following
field datatypes:
* <<keyword,`keyword`>>
* <<constant-keyword,`constant_keyword`>>
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
`<substring>`::
(Required, string or `null`)
Substring to search for. If `null`, the function returns `null`.
If using a field as the argument, this parameter supports only the following
field datatypes:
* <<keyword,`keyword`>>
* <<constant-keyword,`constant_keyword`>>
* <<text,`text`>> field with a <<keyword,`keyword`>> or
<<constant-keyword,`constant_keyword`>> sub-field
*Returns:* boolean or `null`
====

[discrete]
[[eql-fn-substring]]
=== `substring`
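Review bot: the example line `stringContains(command_line, process.name) // returns true` references a bare `command_line` field while every other example in this block uses `process.command_line`, and the preceding comment sets `process.command_line = "start regsvr32.exe"`; it should read `stringContains(process.command_line, process.name) // returns true`. The description "Returns `true` if a source string contains a provided substring" also leaves two behaviours documented only by example comments: it does not say whether matching is case-sensitive, and the `stringContains("", "") // returns false` and `stringContains(process.command_line, "") // returns false` lines show that an empty substring never matches, which is non-obvious enough to deserve a sentence in the description or the `<substring>` parameter text rather than only a code comment.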

0 comments on commit cde5fc1