Functions¶
Function calls keep the core language for EQL simple but easily extendable. Functions are used to perform math, string manipulation or more sophisticated expressions to be expressed.
-
add(x, y)¶ Returns
x + y
-
arrayContains(some_array, value)¶ Check if
valueis a member of the arraysome_array.// {my_array: ["value1", "value2", "value3"]} arrayContains(my_array, "value2") // returns true arrayContains(my_array, "value4") // returns false
-
arraySearch(array, variable, expression)¶ Check if any member in the array matches an expression. Unlike
arrayContains(), this can search over nested structures in arrays, and supports searching over arrays within arrays.// {my_array: [{user: "root", props: [{level: 1}, {level: 2}]}, // {user: "guest", props: [{level: 1}]}] arraySearch(my_array, item, item.user == "root") // returns true arraySearch(my_array, item, item.props[0].level == 1) // returns true arraySearch(my_array, item, item.props[1].level == 4) // returns false arraySearch(my_array, item, arraySearch(item.props, p, p.level == 2)) // returns true
-
concat(...)¶ Returns a concatenated string of all the input arguments.
concat("Process ", process_name, " executed with pid ", pid)
-
divide(m, n)¶ Return
m / n
-
endsWith(x, y)¶ Checks if the string
xends with the substringy.
-
length(s)¶ Returns the length of a string. Non-string values return 0.
-
modulo(m, n) Performs the modulo operator and returns the remainder of
m / n.
-
multiply(x, y)¶ Returns
x * y
-
number(s[, base])¶ Param: base: The base of a number. Default value is 10 if not provided. Returns a number constructed from the string
s.
-
startsWith(x, y)¶ Checks if the string
xstarts with the stringy.
-
string(val)¶ Returns the string representation of the value
val.
-
stringContains(a, b)¶ Returns true if
bis a substring ofa
-
subtract(x, y)¶ Returns
x - y
-
wildcard(value, wildcard[, ...])¶ Compare a value to a list of wildcards. Returns true if any of them match. For example, the following two expressions are equivalent.
command_line == "* create *" or command_line == "* config *" or command_line == "* start *" wildcard(command_line, "* create *", "* config *", "* start *")