Function calls keep the core EQL language simple but easily extendable. Functions are used to perform math, string manipulation, or to express more sophisticated conditions.
add(x, y)
Returns x + y
arrayContains(some_array, value)
Check if value is a member of the array some_array.
// {my_array: ["value1", "value2", "value3"]}
arrayContains(my_array, "value2") // returns true
arrayContains(my_array, "value4") // returns false
arraySearch(array, variable, expression)
Check if any member in the array matches an expression. Unlike arrayContains, this can search over nested structures in arrays, and supports searching over arrays within arrays.
// {my_array: [{user: "root", props: [{level: 1}, {level: 2}]},
// {user: "guest", props: [{level: 1}]}]
arraySearch(my_array, item, item.user == "root") // returns true
arraySearch(my_array, item, item.props[0].level == 1) // returns true
arraySearch(my_array, item, item.props[1].level == 4) // returns false
arraySearch(my_array, item, arraySearch(item.props, p, p.level == 2)) // returns true
arrayCount(array, variable, expression)
Count the number of matches in an array to an expression.
// {my_array: [{user: "root", props: [{level: 1}, {level: 2}]},
// {user: "guest", props: [{level: 1}]}]
arrayCount(my_array, item, item.user == "root") // returns 1
arrayCount(my_array, item, item.props[0].level == 1) // returns 2
arrayCount(my_array, item, item.props[1].level == 4) // returns 0
arrayCount(my_array, item, arrayCount(item.props, p, p.level == 2) == 1) // returns 1
concat(...)
Returns a concatenated string of all the input arguments.
concat("Process ", process_name, " executed with pid ", pid)
divide(m, n)
Return m / n
endsWith(x, y)
Checks if the string x ends with the substring y.
length(s)
Returns the length of a string. Non-string values return 0.
modulo(m, n)
Performs the modulo operation and returns the remainder of m / n.
multiply(x, y)
Returns x * y
number(s[, base])
Returns a number constructed from the string s.
- param base: The base of the number. Default value is 10 if not provided.
startsWith(x, y)
Checks if the string x starts with the string y.
string(val)
Returns the string representation of the value val.
stringContains(a, b)
Returns true if b is a substring of a.
subtract(x, y)
Returns x - y
wildcard(value, wildcard[, ...])
Compare a value to a list of wildcards. Returns true if any of them match. For example, the following two expressions are equivalent:
command_line == "* create *" or command_line == "* config *" or command_line == "* start *"
wildcard(command_line, "* create *", "* config *", "* start *")
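The array functions, wildcard and number described above can be modelled as ordinary Python functions, which makes it easy to reason about how a detection rule will evaluate against a given event. The following is an added example and not EQL's own implementation: the per-item expression is passed as a lambda instead of an EQL expression, a missing field or out-of-range index is treated as a null (false) result rather than an error, wildcard patterns are assumed to use only `*` and to match case-sensitively, and number() is assumed to return None when the string does not parse. The sample event is constructed to mirror the shapes in the reference above.

```python
import re
from typing import Any, Callable

# Constructed sample event (not from the reference); mirrors the documented shapes.
EVENT = {
    "my_array": [
        {"user": "root", "props": [{"level": 1}, {"level": 2}]},
        {"user": "guest", "props": [{"level": 1}]},
    ],
    "command_line": "sc.exe create MyService binPath= C:\\svc.exe",
}

def _safe(expr: Callable[[Any], Any], item: Any) -> bool:
    # Assumption: dereferencing a missing field/index yields null, which is falsy,
    # so `item.props[1].level == 4` on a one-element props list is false, not an error.
    try:
        return bool(expr(item))
    except (KeyError, IndexError, TypeError, AttributeError):
        return False

def array_contains(arr: Any, value: Any) -> bool:
    # arrayContains: flat membership test, no nested structure awareness.
    return isinstance(arr, list) and value in arr

def array_search(arr: Any, expr: Callable[[Any], Any]) -> bool:
    # arraySearch: true if any element satisfies the expression.
    return isinstance(arr, list) and any(_safe(expr, item) for item in arr)

def array_count(arr: Any, expr: Callable[[Any], Any]) -> int:
    # arrayCount: number of elements satisfying the expression.
    if not isinstance(arr, list):
        return 0
    return sum(1 for item in arr if _safe(expr, item))

def wildcard(value: Any, *patterns: str) -> bool:
    # wildcard: true if value matches any pattern; '*' matches any run of characters.
    if not isinstance(value, str):
        return False
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value, re.DOTALL):
            return True
    return False

def number(s: str, base: int = 10):
    # number: parse a string in the given base; base 10 also accepts floats.
    try:
        if base != 10:
            return int(s, base)
        try:
            return int(s)
        except ValueError:
            return float(s)
    except (ValueError, TypeError):
        return None  # assumption: unparseable input yields null

def length(s: Any) -> int:
    # length: string length; non-string values return 0, as documented.
    return len(s) if isinstance(s, str) else 0

if __name__ == "__main__":
    items = EVENT["my_array"]
    print(array_search(items, lambda i: i["user"] == "root"))                 # True
    print(array_count(items, lambda i: i["props"][0]["level"] == 1))          # 2
    print(wildcard(EVENT["command_line"], "* create *", "* config *", "* start *"))  # True
```

The same evaluator reproduces every result listed in the arraySearch and arrayCount entries above, including the nested case where the inner arraySearch/arrayCount runs against each item's props list; the `_safe` wrapper is what keeps `item.props[1]` on the guest entry from aborting the whole evaluation.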