Abstract Syntax Tree¶

EQL syntax tree nodes/schema.

class eql.ast.BaseNode[source]¶

This is the base class for all AST nodes.

render(precedence=None, **kwargs)[source]¶: Render the AST in the target language.

class eql.ast.EqlNode[source]¶: The base class for all nodes within the event query language.

class eql.ast.Walker[source]¶

Base class that provides functionality for walking abstract syntax trees of eql.BaseNode.

active_node¶: Get the active context.

autowalk(node, *args, **kwargs)[source]¶: Automatically walk built-in containers.

classmethod camelized(node_cls)[source]¶: Get the camelized name for the class.

current_event_type¶: Get the active event type while walking.

get_node_method(node_cls, prefix)[source]¶: Get the walk method for a node.

iter_node(node)[source]¶: Iterate through a syntax tree.

parent_node¶: Get the parent context.

register_func(node_cls, func, prefix='_walk_')[source]¶: Register a callback function.

set_context(**kwds)[source]¶: Push a node onto the context stack.

walk(node, *args, **kwargs)[source]¶: Walk the syntax tree top-down.

class eql.walkers.RecursiveWalker[source]¶: Walker that will recursively walk and transform a tree.

class eql.walkers.DepthFirstWalker[source]¶: Walk an AST bottom up.

class eql.ast.Expression[source]¶: Base class for expressions.

class eql.ast.Literal(value)[source]¶: Static value.

class eql.ast.TimeRange(quantity, unit)[source]¶: EQL node for an interval of time.

class eql.ast.Field(base, path=None, as_var=False)[source]¶: Variables and paths in scope of the event.

class eql.ast.Comparison(left, comparator, right)[source]¶

Represents a comparison between two values, as in <expr> <comparator> <expr>.

Comparison operators include ==, !=, <, <=, >=, and >.

class eql.ast.InSet(expression, container)[source]¶: Check if the value of a field within an event matches a list of values.

class eql.ast.And(terms)[source]¶: Perform a boolean and on a list of expressions.

class eql.ast.Or(terms)[source]¶: Perform a boolean or on a list of expressions.

class eql.ast.Not(term)[source]¶: Negate a boolean expression.

class eql.ast.FunctionCall(name, arguments, as_method=False)[source]¶: A call into a user-defined function by name and a list of arguments.

class eql.ast.EventQuery(event_type, query)[source]¶: Query over a specific event type with a boolean condition.

class eql.ast.NamedSubquery(query_type, query)[source]¶

Named of queries perform a subquery with a specific type and returns true if the current event is related.

Query Types: - descendant: Returns true if the pid/unique_pid of the event is a descendant of the subquery process - child: Returns true if the pid/unique_pid of the event is a child of the subquery process - event: Returns true if the pid/unique_pid of the event matches the subquery process

class eql.ast.NamedParams(kv=None)[source]¶: An EQL node for key-value named parameters.

class eql.ast.SubqueryBy(query, join_values=None, fork=None)[source]¶: Node for holding the EventQuery and parameters to join on.

class eql.ast.Join(queries, close=None)[source]¶: Another boolean query that can join multiple events that share common values.

class eql.ast.Sequence(queries, max_span=None, close=None)[source]¶

Sequence is very similar to join, but enforces an ordering.

Sequence supports the until keyword, which indicates an event that causes it to terminate early.

class eql.ast.PipeCommand(arguments=None)[source]¶: Base class for an EQL pipe.

class eql.pipes.ByPipe(arguments=None)[source]¶: Pipe that takes a value (field, function, etc.) as a key.

class eql.pipes.HeadPipe(arguments=None)[source]¶: Node representing the head pipe, analogous to the unix head command.

class eql.pipes.TailPipe(arguments=None)[source]¶: Node representing the tail pipe, analogous to the unix tail command.

class eql.pipes.SortPipe(arguments=None)[source]¶: Sorts the pipes by field comparisons.

class eql.pipes.UniquePipe(arguments=None)[source]¶: Filters events on a per-field basis, and only outputs the first event seen for a field.

class eql.pipes.CountPipe(arguments=None)[source]¶: Counts number of events that match a field, or total number of events if none specified.

class eql.pipes.FilterPipe(arguments=None)[source]¶: Takes data coming into an existing pipe and filters it further.

class eql.pipes.UniqueCountPipe(arguments=None)[source]¶: Returns unique results but adds a count field.

class eql.ast.PipedQuery(first, pipes=None)[source]¶: List of all the pipes.

class eql.ast.EqlAnalytic(query, metadata=None)[source]¶

Analytics are the top-level nodes for matching and returning events.

id¶: Return the ID from metadata.

name¶: Return the name from metadata.