Skip to content

[DOCS] Add top-level EQL docs page. Adds EQL requirements page. #51334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jan 27, 2020
Merged

[DOCS] Add top-level EQL docs page. Adds EQL requirements page. #51334

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
49dbcaa
[DOCS] Add top-level EQL docs page. Adds EQL requirements page.
jrodewig Jan 22, 2020
a64a2f5
Merge branch 'master' into docs__eql-top-reqs
elasticmachine Jan 27, 2020
d054367
Add link
jrodewig Jan 27, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions docs/reference/eql/index.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
[role="xpack"]
[testenv="basic"]
[[eql]]
= EQL for event-based search
++++
<titleabbrev>EQL</titleabbrev>
++++

experimental::[]

{eql-ref}/index.html[Event Query Language (EQL)] is a query language used for
logs and other event-based data.

You can use EQL in {es} to easily express relationships between events and
quickly match events with shared properties. You can use EQL and query
DSL together to better filter your searches.

[float]
[[when-to-use-eql]]
=== When to use EQL

Consider using EQL if you:

* Use {es} for threat hunting or other security use cases
* Search time-series data or logs, such as network or system logs
* Want an easy way to explore relationships between events
Comment on lines +24 to +26
Copy link
Contributor Author

@jrodewig jrodewig Jan 23, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sethpayne Do you think this covers most of our major use cases for EQL within ES?


[float]
[[eql-toc]]
=== In this section

* <<eql-requirements,EQL requirements>>

include::requirements.asciidoc[]
35 changes: 35 additions & 0 deletions docs/reference/eql/requirements.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
[role="xpack"]
[testenv="basic"]
[[eql-requirements]]
== EQL requirements
++++
<titleabbrev>Requirements</titleabbrev>
++++

EQL is schemaless and works out-of-the-box with most common log formats. If you
use a standard log format and already know what fields in your index contain
event type and timestamp information, you can skip this page.

[discrete]
[[eql-required-fields]]
=== Required fields

In {es}, EQL assumes each document in an index corresponds to an event.

To search an index using EQL, each document in the index must contain the
following field archetypes:

Event type::
A field containing the event classification, such as `process`, `file`, or
`network`. This is typically mapped as a <<keyword,`keyword`>> field.

Timestamp::
A field containing the date and/or time the event occurred. This is typically
mapped as a <<date,`date`>> field.

[TIP]
====
While no schema is required to use EQL in {es}, we recommend the
{ecs-ref}[Elastic Common Schema (ECS)]. {es}'s EQL search is designed to work
with core ECS fields by default.
====
2 changes: 2 additions & 0 deletions docs/reference/index.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@ ifeval::["{release-state}"=="unreleased"]

include::autoscaling/index.asciidoc[]

include::eql/index.asciidoc[]

endif::[]

include::sql/index.asciidoc[]
Expand Down