from logs-endpoint
| where process.args IN ("-a", "-x") //returns nothing
I believe IN expects a single element on the left side and doesn't work in that way.
My ES|QL knowledge is still growing. I did find a way to do this but it's a bit messy.
FROM logs-*
| EVAL values = ["start", "connection"]
| WHERE MV_COUNT(MV_DEDUPE(MV_APPEND(event.type, values))) < (MV_COUNT(MV_DEDUPE(event.type)) + MV_COUNT(values))
| LIMIT 1000
Essentially values is set to the values you want to check for and then I used WHERE MV_COUNT(MV_DEDUPE(MV_APPEND(event.type, values))) < (MV_COUNT(event.type) + MV_COUNT(values))
With MV_COUNT(MV_DEDUPE(MV_APPEND(event.type, values))) being used to join the two lists, remove duplicates, and then take a count, and (MV_COUNT(MV_DEDUPE(event.type)) + MV_COUNT(values)) being used to join the two lists, keep duplicates, and then take a count.
If these two numbers aren't the same, it means there was a duplicate across the two lists, that is that at least one of the items in values was in event.type.
Hopefully there's an easier way to do this and someone will come along with a better suggestion!
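The counting trick from the answer above, modelled in plain Python as an added example (not code from the thread or from Elastic): the ES|QL multi-value functions are stood in for by small helpers, the rows are constructed sample data, and the second predicate shows why event.type itself must be deduplicated before counting, otherwise a field that repeats a value produces a false hit.

```python
# Added example, not from the thread: a pure-Python model of the ES|QL
# MV_* functions used above, so the "count the union" predicate can be
# checked offline. Lists stand in for multi-valued fields; rows are
# constructed sample documents, not real logs-* data.

def mv_append(a, b):
    """MV_APPEND: concatenate two multi-valued fields, keeping duplicates."""
    return list(a) + list(b)

def mv_dedupe(a):
    """MV_DEDUPE: drop repeated values (order kept here; ES|QL does not promise it)."""
    return list(dict.fromkeys(a))

def mv_count(a):
    """MV_COUNT: number of values in a multi-valued field."""
    return len(a)

def overlaps(field, values):
    """The WHERE predicate: true when at least one entry of `values` occurs in
    `field`. Both sides are deduplicated before counting so a field that
    legitimately repeats a value cannot trigger the comparison by itself."""
    union = mv_count(mv_dedupe(mv_append(field, values)))
    separate = mv_count(mv_dedupe(field)) + mv_count(mv_dedupe(values))
    return union < separate

def overlaps_no_dedupe(field, values):
    """Same comparison without deduplicating `field`, to expose the failure mode."""
    union = mv_count(mv_dedupe(mv_append(field, values)))
    return union < mv_count(field) + mv_count(values)

# Constructed sample rows standing in for documents in logs-*.
ROWS = [
    {"id": 1, "event.type": ["start", "process"]},
    {"id": 2, "event.type": ["info"]},
    {"id": 3, "event.type": ["end", "end"]},          # repeated value, no match
    {"id": 4, "event.type": ["connection", "allowed"]},
]
WANTED = ["start", "connection"]

def matching_ids(rows=ROWS, values=WANTED, pred=overlaps):
    """Ids of rows the predicate keeps, like the documents WHERE lets through."""
    return [r["id"] for r in rows if pred(r["event.type"], values)]

if __name__ == "__main__":
    print(matching_ids())                          # [1, 4]
    print(matching_ids(pred=overlaps_no_dedupe))   # [1, 3, 4]: row 3 is a false positive
```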
Hello Strawgate, I will let you know how this works when our stack gets updated to 8.16 and includes MV_APPEND(). This solution seems clever though, and I appreciate the help. I assume this will have better runtimes than the expensive process.command_line LIKE "*something*" operation.