Skip to content

EQL: Sequence improvements #56768

New issue
New issue
Closed
Closed
EQL: Sequence improvements#56768
Labels
:Analytics/EQLEQL querying>enhancementTeam:QL (Deprecated)Meta label for query languages team
@costin

Description

@costin
costin
opened on May 14, 2020

This is a meta ticket for must-have improvements now that EQL supports sequences.

  • tie-breaker support
    Due to the distributed nature of ingestion it is quite possible for events to occur at the same time which does require a user-defined tie-breaker to establish serialization, separate from the document-based one in Elasticsearch (_doc).
    Further more this is used by the existing EQL test suite - without it some fails will surely fail.

  • internal pagination
    In order to find X results, the sequence runtime must go through multiple internal pages before sending out the current results. Regardless of the client pagination, the algorithm needs to be able to handle its own pagination which is the norm for large datasets.

Metadata

Metadata

Assignees

No one assigned

    Labels

    :Analytics/EQLEQL querying>enhancementTeam:QL (Deprecated)Meta label for query languages team

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions