Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EQL: Implement string function #54465

Closed
rw-access opened this issue Mar 30, 2020 · 3 comments · Fixed by #54470
Closed

EQL: Implement string function #54465

rw-access opened this issue Mar 30, 2020 · 3 comments · Fixed by #54470
Assignees
@rw-access
Labels
:Analytics/EQL EQL querying

Comments

@rw-access
Copy link
Contributor

Part of #51556
https://eql.readthedocs.io/en/latest/query-guide/functions.html#string

Probably the most straightforward function in EQL.

Function behavior

Validation requirements:

  • One exact argument (isExact check)

null behavior:

  • this function will never return null
  • obj.toString()
@rw-access rw-access added the :Analytics/EQL EQL querying label Mar 30, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-ql (:Query Languages/EQL)

@rw-access rw-access self-assigned this Mar 30, 2020
@rw-access rw-access mentioned this issue Mar 30, 2020
Merged
@rw-access rw-access changed the title EQL: Implement string() function EQL: Implement string function Mar 31, 2020
@astefan
Copy link
Contributor

astefan commented Apr 1, 2020
edited
Loading

I think I don't have the whole picture here and I am missing something obvious, thus my questions below, trying to learn more about this function.

What is the main use case for this function?
I see this example in your PR where a comparison is being made between string(serial_event_id) and "1". In this specific case, why not doing serial_event_id = 1?

Same question for the second example - string(ppid) == "null" - why not doing ppid == null?

@astefan astefan mentioned this issue Apr 1, 2020
Closed
@rw-access
Copy link
Contributor Author

rw-access commented Apr 1, 2020
edited
Loading

The string and number (#54471) functions were added to EQL to facilitate comparisons across types.

The test examples were clearly silly, but still tested the function with uncomplicated examples. Ideally, both functions will be rarely used, and every field transformation is done at index time. But having these functions helps us fill in the gaps when types don't quite match when you need them to.

The string function is also identical to concat, but with a single argument.

@jrodewig jrodewig mentioned this issue Apr 10, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rw-access rw-access

Labels
:Analytics/EQL EQL querying
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

EQL: Add string function
3 participants
@astefan @elasticmachine @rw-access