Additional syntax highlighters
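GET /mydocuments/_search
{
  "from": 1,
  "query": {
    "match_all": {}
  }
}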
```console
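GET /mydocuments/_search
{
  "from": 1,
  "query": {
    "match_all": {}
  }
}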
```
sequence
sequence
[ file where file.extension == "exe" ]
[ process where true ]
sequence until
sequence by ID
A
B
until C
sample
sample by host
[ file where file.extension == "exe" ]
[ process where true ]
tail (pipes)
process where process.name == "svchost.exe"
| tail 5
function calls
modulo(10, 6)
modulo(10, 5)
modulo(10, 0.5)
FROM employees
| LIMIT 1000
ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
| DISSECT a """%{date} - %{msg} - %{ip}"""
| KEEP date, msg, ip
FROM books
| WHERE KQL("author: Faulkner")
| KEEP book_no, author
| SORT book_no
| LIMIT 5
FROM hosts
| STATS COUNT_DISTINCT(ip0), COUNT_DISTINCT(ip1)
ROW message = "foo ( bar"
| WHERE message RLIKE "foo \\( bar"
FROM books
| WHERE author:"Faulkner"
| KEEP book_no, author
| SORT book_no
| LIMIT 5;
// Explicit narrowing cast from a long literal to int.
int i = (int)5L;
// Declared as the Map interface, instantiated as a HashMap.
Map m = new HashMap();
// Downcast back to the concrete HashMap type.
HashMap hm = (HashMap)m;
// Two fixed instants in UTC ('Z'), four days apart (1983-10-13 vs 1983-10-17).
ZonedDateTime zdt1 =
  ZonedDateTime.of(1983, 10, 13, 22, 15, 30, 0, ZoneId.of('Z'));
ZonedDateTime zdt2 =
  ZonedDateTime.of(1983, 10, 17, 22, 15, 35, 0, ZoneId.of('Z'));
// With the values above zdt1 precedes zdt2, so this branch is not taken.
if (zdt1.isAfter(zdt2)) {
  // handle condition
}
// Guard both field lookups before reading values: containsKey() protects against
// a mapping that lacks the field, and size() > 0 against a document where the
// field is mapped but empty. Reading .value without these checks would fail.
if (doc.containsKey('start') && doc.containsKey('end')) {
  if (doc['start'].size() > 0 && doc['end'].size() > 0) {
    ZonedDateTime start = doc['start'].value;
    ZonedDateTime end = doc['end'].value;
    // Signed difference in milliseconds; negative when 'end' is earlier than 'start'.
    long differenceInMillis = ChronoUnit.MILLIS.between(start, end);
    // handle difference in times
  } else {
    // handle fields without values
  }
} else {
  // handle index with missing fields
}