From cde5fc1ac51347e4d64bb028c09ea64e0efcecdd Mon Sep 17 00:00:00 2001 From: James Rodewig Date: Fri, 24 Apr 2020 14:53:29 -0400 Subject: [PATCH] [DOCS] EQL: Document `stringContains` function (#54968) --- docs/reference/eql/functions.asciidoc | 63 +++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/docs/reference/eql/functions.asciidoc b/docs/reference/eql/functions.asciidoc index 0162ae8a7b3f9..bc6a42965f1f3 100644 --- a/docs/reference/eql/functions.asciidoc +++ b/docs/reference/eql/functions.asciidoc @@ -15,6 +15,7 @@ experimental::[] * <> * <> * <> +* <> * <> * <> 
@@ -532,6 +533,68 @@ If using a field as the argument, this parameter does not support the *Returns:* string or `null` ==== +[discrete] +[[eql-fn-stringcontains]] +=== `stringContains` + +Returns `true` if a source string contains a provided substring. + +[%collapsible] +==== +*Example* +[source,eql] +---- +// process.command_line = "start regsvr32.exe" +stringContains(process.command_line, "regsvr32") // returns true +stringContains(process.command_line, "start ") // returns true +stringContains(process.command_line, "explorer") // returns false + +// process.name = "regsvr32.exe" +stringContains(command_line, process.name) // returns true + +// empty strings +stringContains("", "") // returns false +stringContains(process.command_line, "") // returns false + +// null handling +stringContains(null, "regsvr32") // returns null +stringContains(process.command_line, null) // returns null +---- + +*Syntax* +[source,txt] +---- +stringContains(, ) +---- + +*Parameters* +``:: +(Required, string or `null`) +Source string to search. If `null`, the function returns `null`. + +If using a field as the argument, this parameter supports only the following +field datatypes: + +* <> +* <> +* <> field with a <> or + <> sub-field + +``:: +(Required, string or `null`) +Substring to search for. If `null`, the function returns `null`. + +If using a field as the argument, this parameter supports only the following +field datatypes: + +* <> +* <> +* <> field with a <> or + <> sub-field + +*Returns:* boolean or `null` +==== + [discrete] [[eql-fn-substring]] === `substring`
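Review bot: In the `*Example*` block of the `stringContains` section, the line `stringContains(command_line, process.name) // returns true` references a bare `command_line` field while every other example in the block uses `process.command_line`, and the comment it depends on is `// process.command_line = "start regsvr32.exe"`; change the argument to `process.command_line` so the example matches the field it is documenting. Two gaps in the description should also be closed before merge. First, "Returns `true` if a source string contains a provided substring" does not say whether matching is case-sensitive; a rule author deciding whether `stringContains(process.command_line, "regsvr32")` will fire on a command line spelled `RegSvr32.exe` needs that stated explicitly in the description, not left to inference from all-lowercase examples. Second, the empty-string cases (`stringContains(process.command_line, "") // returns false`) differ from the usual substring semantics where an empty needle matches everything, so add a sentence to the description stating that an empty substring argument never matches, rather than documenting it only by example.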