From bf6c1ab601f224fbe70bfde8ac0ed740e997b2e6 Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Wed, 18 Nov 2020 13:46:36 -0500 Subject: [PATCH] [DOCS] EQL: Add wildcard support to `:` operator --- docs/reference/eql/syntax.asciidoc | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/reference/eql/syntax.asciidoc b/docs/reference/eql/syntax.asciidoc index dd3f394252b1c..5f433615e5beb 100644 --- a/docs/reference/eql/syntax.asciidoc +++ b/docs/reference/eql/syntax.asciidoc @@ -127,12 +127,13 @@ the value to the right. Otherwise returns `false`. `==` (equal, case-sensitive):: Returns `true` if the values to the left and right of the operator are equal. -Otherwise returns `false`. For strings, matching is case-sensitive. +Otherwise returns `false`. For strings, matching is case-sensitive. Wildcards +are not supported. `:` (equal, case-insensitive):: Returns `true` if strings to the left and right of the operator are equal. Otherwise returns `false`. Matching is case-insensitive and can only be used to -compare strings. +compare strings. <> are supported. [IMPORTANT] ==== @@ -150,6 +151,7 @@ DSL filter>> that contains a <> query. `!=` (not equal, case-sensitive):: Returns `true` if the values to the left and right of the operator are not equal. Otherwise returns `false`. For strings, matching is case-sensitive. +Wildcards are not supported. `>=` (greater than or equal) :: Returns `true` if the value to the left of the operator is greater than or equal 
@@ -370,6 +372,20 @@ use a regular string with the `\"` escape sequence. "String containing \"\"\" three double quotes" ---- +[discrete] +[[eql-syntax-wildcards]] +===== Wildcards + +For string comparisons using the `:` operator, you can use wildcards (`*`) to +match specific patterns: + +[source,eql] +---- +field : "example*wildcard" +field : "*example-wildcard" +field : "example-wildcard*" +---- + [discrete] [[eql-sequences]] === Sequences
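Review bot: in the first hunk (`@@ -127,12 +127,13 @@`), the `:` entry still says it returns `true` if the strings "are equal", which no longer fits an operator that accepts `*`. Reword it along the lines of "are equal or, when a wildcard is used, match". The added sentence also appears here as `<> are supported.`, with nothing inside the cross-reference. Check that it resolves to the `eql-syntax-wildcards` anchor introduced in the last hunk and has visible link text.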
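Review bot: in the `@@ -150,6 +151,7 @@` hunk, "Wildcards are not supported." under `!=` (and the same sentence added under `==` in the first hunk) does not say what happens to a `*` in the compared string. If it is compared as a literal character, say so, because a query written with `==` or `!=` and a `*` would otherwise fail to match without any error. None of the entries shown here is a case-insensitive not-equal operator, so a pointer to how a negated wildcard match should be written would also help.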
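Review bot: the new Wildcards section in the `@@ -370,6 +372,20 @@` hunk says `*` can "match specific patterns" but never defines what `*` matches or how to match a literal asterisk with `:`. Add a sentence stating the semantics (for example whether `*` matches zero or more characters) and whether an escape exists. It would also help to annotate the three examples with one value each that matches and one that does not, and to repeat here that the match is case-insensitive, since readers may land on this section directly from the `:` cross-reference.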