Abstract Syntax Tree

EQL syntax tree nodes/schema.

class eql.ast.Walker
    Base class that provides functionality for walking abstract syntax trees of eql.BaseNode.

    active_node
        Get the active context.

    current_event_type
        Get the active event type while walking.

    parent_node
        Get the parent context.

class eql.ast.Comparison(left, comparator, right)
    Represents a comparison between two values, as in <expr> <comparator> <expr>. Comparison operators include ==, !=, <, <=, >=, and >.

class eql.ast.InSet(expression, container)
    Check if the value of a field within an event matches a list of values.

class eql.ast.FunctionCall(name, arguments)
    A call into a user-defined function by name and a list of arguments.

class eql.ast.EventQuery(event_type, query)
    Query over a specific event type with a boolean condition.
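The following is an added example, not code from the eql project: a constructed miniature of the nodes listed above (Comparison with the six operators, InSet, EventQuery) together with a Walker whose active_node, parent_node and current_event_type track the walk, and an Evaluator subclass that applies an EventQuery to plain-dict events. The node constructors mirror the signatures on the page; the And node, the walk_<nodetype> dispatch convention, the event field names and the sample events are all assumptions made for the example.

```python
"""Constructed miniature of the AST nodes documented above (not the eql
library's own code): Comparison, InSet, EventQuery and a context-tracking Walker."""
import operator
from collections import namedtuple

# Node types, mirroring the constructor signatures on the page (And is an addition).
Field = namedtuple("Field", "name")
Literal = namedtuple("Literal", "value")
And = namedtuple("And", "terms")
Comparison = namedtuple("Comparison", "left comparator right")
InSet = namedtuple("InSet", "expression container")
EventQuery = namedtuple("EventQuery", "event_type query")

# The six comparison operators the page lists, keyed by their source text.
COMPARATORS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
               "<=": operator.le, ">=": operator.ge, ">": operator.gt}

class Walker:
    """walk() dispatches to walk_<nodetype>() and keeps a node stack, so handlers see
    the active node, its parent and the current event type (names as on the page)."""

    def __init__(self):
        self._stack = []
        self.current_event_type = None

    @property
    def active_node(self):
        return self._stack[-1] if self._stack else None

    @property
    def parent_node(self):
        return self._stack[-2] if len(self._stack) > 1 else None

    def walk(self, node, event):
        self._stack.append(node)
        try:
            return getattr(self, "walk_" + type(node).__name__.lower())(node, event)
        finally:
            self._stack.pop()

class Evaluator(Walker):
    """Evaluates an EventQuery against one event (a dict), recording for each Field
    the type of the node that contained it (to show parent_node in use)."""

    def __init__(self):
        super().__init__()
        self.field_contexts = []

    def walk_eventquery(self, node, event):
        self.current_event_type = node.event_type
        # Only events of the query's own type are considered; for other types the
        # boolean condition is not walked at all.
        return event.get("event_type") == node.event_type and bool(self.walk(node.query, event))

    def walk_and(self, node, event):
        return all(self.walk(term, event) for term in node.terms)

    def walk_comparison(self, node, event):
        left, right = self.walk(node.left, event), self.walk(node.right, event)
        if left is None or right is None:  # a missing field never compares true
            return False
        return COMPARATORS[node.comparator](left, right)

    def walk_inset(self, node, event):
        value = self.walk(node.expression, event)
        return any(value == self.walk(item, event) for item in node.container)

    def walk_field(self, node, event):
        self.field_contexts.append((node.name, type(self.parent_node).__name__))
        return event.get(node.name)

    def walk_literal(self, node, event):
        return node.value

# Constructed query, equivalent to the EQL text:
#   process where process_name in ("cmd.exe", "powershell.exe") and parent_name != "explorer.exe"
QUERY = EventQuery("process", And([
    InSet(Field("process_name"), [Literal("cmd.exe"), Literal("powershell.exe")]),
    Comparison(Field("parent_name"), "!=", Literal("explorer.exe")),
]))

# Constructed sample events; the field names are illustrative.
EVENTS = [
    {"event_type": "process", "pid": 10, "process_name": "cmd.exe", "parent_name": "winword.exe"},
    {"event_type": "process", "pid": 11, "process_name": "cmd.exe", "parent_name": "explorer.exe"},
    {"event_type": "network", "pid": 12, "process_name": "cmd.exe", "parent_name": "winword.exe"},
    {"event_type": "process", "pid": 13, "process_name": "notepad.exe", "parent_name": "winword.exe"},
]

def matching_pids(query, events):
    """pids of the events that satisfy the EventQuery."""
    return [e["pid"] for e in events if Evaluator().walk(query, e)]

def field_contexts(query, event):
    """(field name, enclosing node type) pairs recorded while evaluating one event."""
    ev = Evaluator()
    ev.walk(query, event)
    return ev.field_contexts
```

Two details worth noticing: the EventQuery handler never walks its condition for an event of another type, so a field-level handler can rely on current_event_type; and the node stack is popped in a finally clause, so a handler that raises leaves the walker's context consistent.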
class eql.ast.NamedSubquery(query_type, query)
    Named queries perform a subquery with a specific type and return true if the current event is related.

    Query types:
    - descendant: Returns true if the pid/unique_pid of the event is a descendant of the subquery process
    - child: Returns true if the pid/unique_pid of the event is a child of the subquery process
    - event: Returns true if the pid/unique_pid of the event matches the subquery process

class eql.ast.SubqueryBy(query, params=None, join_values=None)
    Node for holding the EventQuery and parameters to join on.

class eql.ast.Join(queries, close=None)
    Another boolean query that can join multiple events that share common values.

class eql.ast.Sequence(queries, params=None, close=None)
    Sequence is very similar to join, but enforces an ordering. Sequence supports the until keyword, which indicates an event that causes it to terminate early.
class eql.pipes.ByPipe(arguments=None)
    Pipe that takes a value (field, function, etc.) as a key.

class eql.pipes.HeadPipe(arguments=None)
    Node representing the head pipe, analogous to the unix head command.

class eql.pipes.TailPipe(arguments=None)
    Node representing the tail pipe, analogous to the unix tail command.

class eql.pipes.UniquePipe(arguments=None)
    Filters events on a per-field basis, and only outputs the first event seen for a field.

class eql.pipes.CountPipe(arguments=None)
    Counts number of events that match a field, or total number of events if none specified.

class eql.pipes.FilterPipe(arguments=None)
    Takes data coming into an existing pipe and filters it further.
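The following is an added example, not code from the eql project: plain-Python implementations of the pipe semantics described above (head, tail, unique, count, filter, with the key that ByPipe supplies modelled as extra arguments to unique and count), composed over a list of events. The sample events, the shape of the count output events and their ordering are assumptions made for the example.

```python
"""Constructed implementations (not the eql library's code) of the pipe semantics
documented above, applied to a list of event dicts."""
from collections import Counter

def head_pipe(events, n):
    """First n events, like the Unix head command."""
    return events[:n]

def tail_pipe(events, n):
    """Last n events, like the Unix tail command."""
    return events[-n:] if n > 0 else []

def unique_pipe(events, *keys):
    """Only the first event seen for each combination of the key values."""
    seen, out = set(), []
    for ev in events:
        value = tuple(ev.get(k) for k in keys)
        if value not in seen:
            seen.add(value)
            out.append(ev)
    return out

def count_pipe(events, key=None):
    """Per-value counts when a key is given, otherwise the total number of events.
    The output event shape and the ordering (count descending, then key) are assumptions."""
    if key is None:
        return [{"count": len(events)}]
    counts = Counter(ev.get(key) for ev in events)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return [{"key": k, "count": c} for k, c in ordered]

def filter_pipe(events, predicate):
    """Keep only the events for which the predicate holds."""
    return [ev for ev in events if predicate(ev)]

def run_pipes(events, pipes):
    """Apply each (pipe function, *args) stage to the output of the previous one."""
    for fn, *args in pipes:
        events = fn(events, *args)
    return events

# Constructed sample events; field names are illustrative.
EVENTS = [
    {"pid": 1, "process_name": "cmd.exe", "user": "alice"},
    {"pid": 2, "process_name": "cmd.exe", "user": "bob"},
    {"pid": 3, "process_name": "powershell.exe", "user": "alice"},
    {"pid": 4, "process_name": "cmd.exe", "user": "alice"},
    {"pid": 5, "process_name": "notepad.exe", "user": "carol"},
]

def pids(events):
    return [ev["pid"] for ev in events]

def example_pipeline(events=EVENTS):
    """Stand-in for: ... | filter user == "alice" | unique process_name | head 1"""
    return pids(run_pipes(events, [
        (filter_pipe, lambda ev: ev["user"] == "alice"),
        (unique_pipe, "process_name"),
        (head_pipe, 1),
    ]))
```

Because each stage consumes the full output of the previous one, the order of pipes matters: unique followed by head keeps the first event of the first n distinct values, whereas head followed by unique only deduplicates within the first n events.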