Commit cd3663e

[DOCS] EQL: Document match function (#56134)
1 parent 44414ac commit cd3663e

File tree

1 file changed

+66
-0
lines changed

docs/reference/eql/functions.asciidoc

Lines changed: 66 additions & 0 deletions
@@ -13,6 +13,7 @@ experimental::[]
1313
* <<eql-fn-endswith>>
1414
* <<eql-fn-indexof>>
1515
* <<eql-fn-length>>
16+
* <<eql-fn-match>>
1617
* <<eql-fn-startswith>>
1718
* <<eql-fn-string>>
1819
* <<eql-fn-stringcontains>>
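Review bot: the new `<<eql-fn-match>>` entry is placed between `length` and `startsWith`, keeping the function list alphabetical, and its target anchor `[[eql-fn-match]]` is defined in the second hunk of this same patch, so the cross-reference resolves; no change needed here.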
@@ -414,6 +415,71 @@ field datatypes:
414415
*Returns:* integer or `null`
415416
====
416417

418+
[discrete]
419+
[[eql-fn-match]]
420+
=== `match`
421+
422+
Returns `true` if a source string matches one or more provided regular
423+
expressions.
424+
425+
[%collapsible]
426+
====
427+
*Example*
428+
[source,eql]
429+
----
430+
match("explorer.exe", "[a-z]*?.exe") // returns true
431+
match("explorer.exe", "[a-z]*?.exe", "[1-9]") // returns true
432+
match("explorer.exe", "[1-9]") // returns false
433+
match("explorer.exe", "") // returns false
434+
435+
// process.name = "explorer.exe"
436+
match(process.name, "[a-z]*?.exe") // returns true
437+
match(process.name, "[a-z]*?.exe", "[1-9]") // returns true
438+
match(process.name, "[1-9]") // returns false
439+
match(process.name, "") // returns false
440+
441+
// null handling
442+
match(null, "[a-z]*?.exe") // returns null
443+
----
444+
445+
*Syntax*
446+
[source,txt]
447+
----
448+
match(<source>, <reg_exp>[, ...])
449+
----
450+
451+
*Parameters*
452+
453+
`<source>`::
454+
+
455+
--
456+
(Required, string or `null`)
457+
Source string. If `null`, the function returns `null`.
458+
459+
If using a field as the argument, this parameter supports only the following
460+
field datatypes:
461+
462+
* <<keyword,`keyword`>>
463+
* <<constant-keyword,`constant_keyword`>>
464+
* <<text,`text`>> field with a <<keyword,`keyword`>> or
465+
<<constant-keyword,`constant_keyword`>> sub-field
466+
--
467+
468+
`<reg_exp>`::
469+
+
470+
--
471+
(Required{multi-arg-ref}, string)
472+
Regular expression used to match the source string. For supported syntax, see
473+
<<regexp-syntax>>.
474+
https://docs.oracle.com/javase/tutorial/essential/regex/pre_char_classes.html[Predefined
475+
character classes] are not supported.
476+
477+
Fields are not supported as arguments.
478+
--
479+
480+
*Returns:* boolean or `null`
481+
====
482+
417483
[discrete]
418484
[[eql-fn-startswith]]
419485
=== `startsWith`
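Review bot: the description at lines 422-423 ("Returns `true` if a source string matches one or more provided regular expressions") does not say whether the regular expression must match the entire source string or only a substring of it; the example `match("explorer.exe", "") // returns false` is only consistent with whole-string matching (a substring search would find the empty pattern in any string), so the sentence should state that explicitly, e.g. "Returns `true` if the entire source string matches one or more provided regular expressions", and should also say whether matching is case-sensitive, since neither the examples nor the `<reg_exp>` parameter text settle it. Separately, the example pattern `[a-z]*?.exe` contains an unescaped `.`, which matches any character rather than a literal dot; because these examples are likely to be copied into detection rules, consider `[a-z]*?\.exe` (or a short remark that `.` is a wildcard here) so readers do not assume the pattern pins the extension to `.exe`.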
