Commit 1184f44

[DOCS] EQL: Minor doc fixes (#68927) (#68929)
1 parent 7106f11 commit 1184f44

File tree

1 file changed

+11
-8
lines changed

docs/reference/eql/syntax.asciidoc

Lines changed: 11 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -162,13 +162,17 @@ the operator uses a case-sensitive lexicographic order.
162162

163163
NOTE: `=` is not supported as an equal operator. Use `==` or `:` instead.
164164

165-
You cannot chain comparison operators. Instead, use a
165+
[discrete]
166+
[[limitations-for-comparisons]]
167+
=== Limitations for comparisons
168+
169+
You cannot chain comparisons. Instead, use a
166170
<<eql-syntax-logical-operators,logical operator>> between comparisons. For
167171
example, `foo < bar <= baz` is not supported. However, you can rewrite the
168172
expression as `foo < bar and bar <= baz`, which is supported.
169173

170-
You also cannot use comparison operators to compare a field to another field.
171-
This applies even if the fields are changed using a <<eql-functions,function>>.
174+
You also cannot compare a field to another field, even if the fields are changed
175+
using a <<eql-functions,function>>.
172176

173177
*Example* +
174178
The following EQL query compares the `process.parent_name` field
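Review bot: the new anchor `[[limitations-for-comparisons]]` at +166 is the only anchor in this hunk without the `eql-` prefix that the page's other ids use (`eql-syntax-logical-operators`, `eql-functions` in the surrounding lines); since Asciidoc ids must be unique across the whole reference build, an unprefixed id like this is more likely to collide with a section of another page. Consider `[[eql-syntax-limitations-for-comparisons]]` (or at least `[[eql-limitations-for-comparisons]]`) so it stays consistent and greppable with the rest of the EQL docs.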
@@ -217,9 +221,9 @@ Returns `true` if the condition to the right is `false`.
217221

218222
[source,eql]
219223
----
220-
user.name in ("Administrator", "SYSTEM", "NETWORK SERVICE")
221-
user.name not in ("Administrator", "SYSTEM", "NETWORK SERVICE")
222-
user.name : ("administrator", "system", "network service")
224+
my_field in ("Foo", "BAR", "BAZ") // case-sensitive
225+
my_field not in ("Foo", "BAR", "BAZ") // case-sensitive
226+
my_field : ("foo", "bar", "baz") // case-insensitive
223227
----
224228

225229
`in` (case-sensitive)::
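Review bot: the `// case-sensitive` and `// case-insensitive` comments at +224 to +226 state the rule but the chosen values do not show its effect: with mixed-case literals `"Foo"`, `"BAR"`, `"BAZ"` a reader still cannot tell which event values each line would match. Consider making the comments concrete, e.g. `my_field in ("Foo", "BAR", "BAZ") // matches "Foo", not "foo"` and `my_field : ("foo", "bar", "baz") // matches "foo", "FOO" and "Foo"`, or keep the realistic `user.name` values from the removed lines 220 to 222 and point out that `in ("Administrator", "SYSTEM", "NETWORK SERVICE")` would not match `"administrator"`. That is the caveat a rule author actually needs from this example, and the `in` (case-sensitive) definition that follows does not spell it out either.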
@@ -792,7 +796,7 @@ recent sequence overwrites the older one.
792796
* If the query includes <<eql-by-keyword,`by` fields>>, the query uses a
793797
separate state machine for each unique `by` field value.
794798

795-
.*Example*
799+
.*Example*
796800
[%collapsible]
797801
====
798802
A data set contains the following `process` events in ascending chronological
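Review bot: the removed and added `.*Example*` lines (795 and 799) are textually identical, so this hunk is presumably a trailing-whitespace or line-ending fix, but nothing in the commit message ("Minor doc fixes") says so. A one-line mention of the whitespace cleanup in the message would save reviewers from checking whether a non-printing character changed here.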
@@ -1002,5 +1006,4 @@ Pending sequence matches move through each machine's states as follows:
10021006
// | +-----------+ +-----------+ +------------+ |
10031007
// +------------------------------------------------------+
10041008
----
1005-
10061009
====

0 commit comments
