
@jrodewig
Contributor

Adds documentation for the any keyword to the EQL syntax docs.

Includes:

  • Definition of an event type and its relationship to the event type
    field.
  • Example matching all event types using any keyword
  • Example matching event types beginning with a digit
  • Example using any with where true

Depends on #52526

@jrodewig jrodewig added >docs General docs changes :Analytics/EQL EQL querying labels Feb 26, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-search (:Search/EQL)

@elasticmachine
Collaborator

Pinging @elastic/es-docs (>docs)

@astefan astefan left a comment
Contributor

LGTM.
Unrelated to the changes in this PR, is the in and not in lookup operator already supported?

[[eql-syntax-event-types-starting-with-digits]]
===== Event types starting with digits

EQL queries cannot start with a digit. To match event types starting with a
Contributor

I think it's safe to drop this section, since we've never suggested anywhere else that this should be supported behavior.
There is an issue that was created for this (#51853), but I think that's more of a feature request than a bug.

My worry here is that the emphasis on digits could cause confusion. You also currently run into the same problem if there are hyphens or special characters in the event type.

One thing we could do, is reuse or merge this section with the previous mention that documents that don't have an "event type" and can't be queried with the form <event type> where <condition>, can use any where. I think it's good that you show cases where any where ... is convenient, and also when it's necessary.

Contributor Author

Thanks for the feedback @rw-access. With ea38a56, I added a sentence to the previous section stating that any where can be used for documents without an event type field. Feels much less corner-case-y.

@jrodewig
Contributor Author

jrodewig commented Feb 27, 2020

@astefan It appears that in and not in are both already supported:

in

POST my_index/_doc
{
  "@timestamp": "2020-12-07T11:06:07.000Z",
  "event": {
    "category": "process"
  },
  "process": {
    "name": "cmd.exe"
  }
}
GET my_index/_eql/search
{
  "event_type_field": "event.category",
  "rule": "process where process.name in (\"cmd.exe\")"
}
{
  "took" : 5,
  "timed_out" : false,
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "events" : [
      {
        "_index" : "my_index",
        "_id" : "1BwChnABDtlfLF_OwhVR",
        "_score" : 0.5753642,
        "_source" : {
          "process" : {
            "name" : "cmd.exe"
          },
          "event" : {
            "category" : "process"
          }
        },
        "fields" : {
          "event.category.keyword" : [
            "process"
          ],
          "@timestamp" : [
            "1607339167000"
          ],
          "process.name.keyword" : [
            "cmd.exe"
          ]
        }
      }
    ]
  }
}

not in

POST my_index/_doc
{
  "@timestamp": "2020-12-07T11:06:07.000Z",
  "event": {
    "category": "process"
  },
  "process": {
    "name": "cmd.exe"
  }
}
GET my_index/_eql/search
{
  "event_type_field": "event.category",
  "rule": "process where process.name not in (\"foo.exe\")"
}
{
  "took" : 5,
  "timed_out" : false,
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "events" : [
      {
        "_index" : "my_index",
        "_id" : "1BwChnABDtlfLF_OwhVR",
        "_score" : 0.5753642,
        "_source" : {
          "process" : {
            "name" : "cmd.exe"
          },
          "event" : {
            "category" : "process"
          }
        },
        "fields" : {
          "event.category.keyword" : [
            "process"
          ],
          "@timestamp" : [
            "1607339167000"
          ],
          "process.name.keyword" : [
            "cmd.exe"
          ]
        }
      }
    ]
  }
}
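To show how the request shapes above generalize, here is an added Python example (not part of this PR or of Elasticsearch's own code) that builds the `rule` string for the `in` / `not in` form, for `any where` / `any where true`, and for the case the review discussion raises where an event type cannot stand as a bare identifier (leading digit, hyphen). The identifier pattern and the `any where <field> == ... and (...)` fallback are my assumptions about EQL syntax, not something this PR documents; the request body mirrors the `event_type_field` / `rule` keys used in the requests above. Values are quoted as EQL string literals so that a process name taken from user input cannot break out of the literal.

```python
import json
import re

# Event types usable in the `<event type> where <condition>` form (assumed pattern);
# anything else falls back to `any where` plus a comparison on the event type field.
_EVENT_TYPE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def eql_string(value: str) -> str:
    """Quote a value as an EQL string literal, escaping backslashes and double quotes
    so that an untrusted value cannot terminate the literal and alter the rule."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def membership(field: str, values, negate: bool = False) -> str:
    """Build `field in (...)` or `field not in (...)` with every value quoted."""
    op = "not in" if negate else "in"
    return f"{field} {op} ({', '.join(eql_string(v) for v in values)})"


def build_rule(event_type, condition=None, event_type_field="event.category") -> str:
    """Assemble the EQL rule; event_type=None means the documents have no usable event type."""
    cond = condition or "true"  # `any where true` matches every event
    if event_type is None:
        return f"any where {cond}"
    if _EVENT_TYPE_RE.match(event_type):
        return f"{event_type} where {cond}"
    # Not expressible as a bare identifier: constrain the field instead (assumed-valid EQL).
    return f"any where {event_type_field} == {eql_string(event_type)} and ({cond})"


def search_body(rule: str, event_type_field: str = "event.category") -> dict:
    """Request body in the shape of the `_eql/search` calls shown in this thread."""
    return {"event_type_field": event_type_field, "rule": rule}


if __name__ == "__main__":
    rule = build_rule("process", membership("process.name", ["cmd.exe"]))
    print(json.dumps(search_body(rule), indent=2))
```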

@matriv matriv left a comment
Contributor

LGTM

@jrodewig jrodewig merged commit c6334ee into elastic:master Mar 5, 2020
@jrodewig jrodewig deleted the docs__eql-any-where branch March 5, 2020 09:44
jrodewig added a commit that referenced this pull request Mar 5, 2020
Adds documentation for the `any` keyword to the EQL syntax docs.

Includes:

* Definition of an event category and its relationship to the event
   category field.
* Example matching all event categories using `any` keyword
* Example using `any` with `where true`
@jrodewig
Contributor Author

jrodewig commented Mar 5, 2020

Backport commits

master c6334ee
7.x e46bb54
