// Lark grammar for KQL (Kibana Query Language) query strings.
//
// Rule prefixes and suffixes used below (Lark semantics):
//   ?rule   - the rule is inlined when it produces exactly one child, so the
//             resulting tree only keeps the nodes that carry information.
//   NAME.2  - terminal priority; the keyword terminals are given a higher
//             priority than UNQUOTED_LITERAL so that a bare and/or/not is
//             intended to lex as a keyword rather than as a literal.
//
// Boolean precedence follows from the nesting of the rules: NOT binds tightest,
// then AND, then OR. Parentheses start a new or_query.
?query: or_query
?or_query: and_query (OR and_query)*
?and_query: not_query (AND not_query)*
?not_query: NOT? sub_query
// A sub query is either a parenthesised group or a single nested/plain expression.
?sub_query: "(" or_query ")"
| nested_query
// Nested field syntax: field:{ ... } with a full boolean query inside the braces.
?nested_query: field ":" "{" or_query "}"
| expression
// NOTE(review): field, field_value_expression and value_expression all start with
// the same token set (QUOTED_STRING / UNQUOTED_LITERAL), so a leading literal is
// only disambiguated by what follows it (":" or a RANGE_OPERATOR). Which Lark
// parser / ambiguity setting resolves this is configured outside this file.
?expression: field_range_expression
| field_value_expression
| value_expression
// field <op> literal, e.g. a comparison against a single value.
field_range_expression: field RANGE_OPERATOR literal
// field : value  or  field : ( v1 or v2 and not v3 )
field_value_expression: field ":" list_of_values
// A value with no field: free-text term.
?value_expression: value
?list_of_values: "(" or_list_of_values ")"
| value
// Boolean combination of values inside a field's parenthesised value list;
// same precedence structure as the top-level query.
?or_list_of_values: and_list_of_values (OR and_list_of_values)*
?and_list_of_values: not_list_of_values (AND not_list_of_values)*
?not_list_of_values: NOT? list_of_values
// Field names and values share the same lexical forms.
field: literal
value: QUOTED_STRING
| UNQUOTED_LITERAL
literal: QUOTED_STRING
| UNQUOTED_LITERAL
// Two-character operators are listed before their one-character prefixes.
RANGE_OPERATOR: "<="
| ">="
| "<"
| ">"
// An unquoted literal is one or more characters; whitespace is excluded from
// UNQUOTED_CHAR and ignored between tokens (see WHITESPACE), so a space always
// terminates an unquoted literal rather than being part of it.
UNQUOTED_LITERAL: UNQUOTED_CHAR+
UNQUOTED_CHAR: "\\" /[trn]/ // escaped whitespace
| "\\" /[\\():<>"*{}]/ // escaped specials
| "\\" (AND | OR | NOT) // escaped keywords
| "*" // wildcard
| /[^\\():<>"*{} \t\r\n]/ // anything else
// Double-quoted string: \t \n \r \" and \\ are the recognised escapes; raw CR/LF
// are rejected inside the quotes. NOTE(review): a backslash followed by any
// other character is accepted as a plain character by the second alternative,
// and through regex backtracking a string ending in a lone backslash (e.g. "a\")
// also matches. Any unescaping of the text happens outside this grammar.
QUOTED_STRING: /"(\\[tnr"\\]|[^\r\n"])*"/
// Keywords are case-insensitive only for the two spellings listed here.
OR.2: "or" | "OR"
AND.2: "and" | "AND"
NOT.2: "not" | "NOT"
// Whitespace between tokens is discarded.
WHITESPACE: (" " | "\r" | "\n" | "\t" )+
%ignore WHITESPACE