Abstract Syntax Tree¶

EQL syntax tree nodes/schema.

class eql.ast.BaseNode[source]¶

This is the base class for all AST nodes.

render(precedence=None)[source]¶: Render the AST in the target language.

class eql.ast.EqlNode[source]¶: The base class for all nodes within the event query language.

class eql.ast.AstWalker[source]¶

Base class that provides functionality for walking abstract syntax trees of eql.BaseNode.

copy(node, optimize=True)[source]¶

Create a copy of an AST.

Parameters:	node (BaseNode) – Any valid AST optimize (bool) – Return an optimized copy of the AST
Return type:	BaseNode

transform(node, func, optimize=True)[source]¶

Recursively transform the syntax tree by walking bottom-up.

Parameters:	node (BaseNode) – Any AST node func (function) – Callback function for walking with the signature `func(original_node, transformed_node) -> bool` optimize (bool) – Return an optimized copy of the AST
Return type:	BaseNode

classmethod walk(node, func)[source]¶

Walk the syntax tree top-down, until callback returns False.

Parameters:	node (BaseNode) – Any AST node -> bool func ((BaseNode)) – Walk function

class eql.ast.Expression[source]¶: Base class for expressions.

class eql.ast.Literal(value)[source]¶: Static value.

class eql.ast.TimeRange(delta)[source]¶: EQL node for an interval of time.

class eql.ast.Field(base, path=None)[source]¶: Variables and paths in scope of the event.

class eql.ast.Comparison(left, comparator, right)[source]¶

Represents a comparison between two values, as in <expr> <comparator> <expr>.

Comparison operators include ==, !=, <, <=, >=, and >.

class eql.ast.InSet(expression, container)[source]¶: Check if the value of a field within an event matches a list of values.

class eql.ast.And(terms)[source]¶: Perform a boolean and on a list of expressions.

class eql.ast.Or(terms)[source]¶: Perform a boolean or on a list of expressions.

class eql.ast.Not(term)[source]¶: Negate a boolean expression.

class eql.ast.FunctionCall(name, arguments)[source]¶: A call into a user-defined function by name and a list of arguments.

class eql.ast.EventQuery(event_type, query)[source]¶: Query over a specific event type with a boolean condition.

class eql.ast.NamedSubquery(query_type, query)[source]¶

Named of queries perform a subquery with a specific type and returns true if the current event is related.

Query Types: - descendant: Returns true if the pid/unique_pid of the event is a descendant of the subquery process - child: Returns true if the pid/unique_pid of the event is a child of the subquery process - event: Returns true if the pid/unique_pid of the event matches the subquery process

class eql.ast.NamedParams(kv=None)[source]¶: An EQL node for key-value named parameters.

class eql.ast.SubqueryBy(query, params=None, join_values=None)[source]¶: Node for holding the EventQuery and parameters to join on.

class eql.ast.Join(queries, close=None)[source]¶: Another boolean query that can join multiple events that share common values.

class eql.ast.Sequence(queries, params=None, close=None)[source]¶

Sequence is very similar to join, but enforces an ordering.

Sequence supports the until keyword, which indicates an event that causes it to terminate early.

class eql.ast.PipeCommand(arguments=None)[source]¶: Base class for an EQL pipe.

class eql.ast.ByPipe(arguments=None)[source]¶: Pipe that takes a value (field, function, etc.) as a key.

class eql.ast.HeadPipe(arguments=None)[source]¶: Node representing the head pipe, analogous to the unix head command.

class eql.ast.TailPipe(arguments=None)[source]¶: Node representing the tail pipe, analogous to the unix tail command.

class eql.ast.SortPipe(arguments=None)[source]¶: Sorts the pipes by field comparisons.

class eql.ast.UniquePipe(arguments=None)[source]¶: Filters events on a per-field basis, and only outputs the first event seen for a field.

class eql.ast.CountPipe(arguments=None)[source]¶: Counts number of events that match a field, or total number of events if none specified.

class eql.ast.FilterPipe(arguments=None)[source]¶: Takes data coming into an existing pipe and filters it further.

class eql.ast.UniqueCountPipe(arguments=None)[source]¶: Returns unique results but adds a count field.

class eql.ast.PipedQuery(first, pipes=None)[source]¶: List of all the pipes.

class eql.ast.EqlAnalytic(query, actions=None, metadata=None)[source]¶

Analytics are the top-level nodes for matching and returning events.

id¶: Return the ID from metadata.

name¶: Return the name from metadata.