EQL: Add support for existing functions

[rw-access]

We need to add support for the subset of functions that EQL supports. Some of these may already exist from SQL, and we may need to create additional ones.

The full list is below:

elasticsearch/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/EqlParser.java

Lines 134 to 153 in 6f1890b

	switch (functionName) {
	case "add":
	case "between":
	case "cidrMatch":
	case "concat":
	case "divide":
	case "endsWith":
	case "indexOf":
	case "length":
	case "match":
	case "modulo":
	case "multiply":
	case "number":
	case "startsWith":
	case "string":
	case "stringContains":
	case "substring":
	case "subtract":
	case "wildcard":
	break;

Math functions were created before EQL had math operators. These should be easy to do, and can probably be done together

• add (number, number) -> number EQL: implement math functions: add, divide, module, multiply, subtract #54846
• divide (number, number) -> number EQL: implement math functions: add, divide, module, multiply, subtract #54846
• modulo (number, number) -> number EQL: implement math functions: add, divide, module, multiply, subtract #54846
• multiply (number, number) -> number EQL: implement math functions: add, divide, module, multiply, subtract #54846
• subtract (number, number) -> number EQL: implement math functions: add, divide, module, multiply, subtract #54846

Tracking remaining functions to be implemented

• between (str, str, str [, bool, bool]) -> str EQL: implement between function #54135
• cidrMatch (ip, static cidr, ...) -> bool (convert to IP field match) EQL: implement cidrMatch function #54132
• concat (object, ...) -> str EQL: implement concat function #55185
• endsWith (str, str) -> bool EQL: implement endsWith function #53854
• indexOf (str, str [, int]) -> int|null EQL: implement indexOf function #53856
• length (str | array) -> int EQL: implement length function #53853
• match (str, static str, ...) -> bool EQL: Add match function implementation #55182
• number (str, [int]) -> number EQL: implement number function #54471
• startsWith (str, str) -> bool EQL: implement startsWith function #53855
• string (object) -> str EQL: Add string function #54470
• stringContains (str, str) -> bool EQL: implement stringContains function #54136
• substring (str, int [, int]) -> str) (we may need to adjust for EQL's zero and negative-indexing into strings) EQL: Add Substring function with Python semantics #53688
• wildcard (str, static str, ...) -> bool (convert to Likes) - EQL: Convert wildcards to LIKE in analyzer #51901 and EQL: Add wildcard function #54020

[elasticmachine]

Pinging @elastic/es-search (:Search/EQL)

[costin]

I have updated the initial description with check boxes, as we go through the functions once #53688 gets merged, we should mark them as done and indicate the relevant ticket.

I think the string functions are the first ones to be addressed as they are widely used. The operators one can be easily promoted into functions and so I would do them last as there is a workaround for them.