OpenSearch/docs/reference/eql/search.asciidoc

[role="xpack"]
[testenv="basic"]
[[eql-search]]
== Run an EQL search

experimental::[]

To start using EQL in {es}, first ensure your event data meets
<<eql-requirements,EQL requirements>>. Then ingest or add the data to an {es}
index.

The following <<docs-bulk,bulk API>> request adds some example log data to the
`sec_logs` index. This log data follows the {ecs-ref}[Elastic Common Schema
(ECS)].

[source,console]
----
PUT sec_logs/_bulk?refresh
{"index":{"_index" : "sec_logs"}}
{ "@timestamp": "2020-12-07T11:06:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "sec_logs"}}
{ "@timestamp": "2020-12-07T11:07:08.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "image_load" }, "file": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "sec_logs"}}
{ "@timestamp": "2020-12-07T11:07:09.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "regsvr32.exe", "path": "C:\\Windows\\System32\\regsvr32.exe" } }
----

You can now use the EQL search API to search this index using an EQL query.

The following request searches the `sec_logs` index using the EQL query
specified in the `query` parameter. The EQL query matches events with an
`event.category` of `process` that have a `process.name` of `cmd.exe`.

[source,console]
----
GET sec_logs/_eql/search
{
  "event_type_field": "event.category",
  "query": """
    process where process.name == "cmd.exe"
  """
}
----
// TEST[continued]

Because the `sec_log` index follows the ECS, you don't need to specify the
event type or timestamp fields. The request uses the `event.category` and
`@timestamp` fields by default.
[DOCS] Add basic EQL search tutorial docs (#51574) I plan to add additional sections to this page with future PRs: * Specify timestamp and event type fields * Specify a join key field * Filter using query DSL * Paginate a large response See #51057. 2020-02-12 08:40:10 -05:00			`[role="xpack"]`
			`[testenv="basic"]`
			`[[eql-search]]`
			`== Run an EQL search`

			`experimental::[]`

			`To start using EQL in {es}, first ensure your event data meets`
			`<<eql-requirements,EQL requirements>>. Then ingest or add the data to an {es}`
			`index.`

			`The following <<docs-bulk,bulk API>> request adds some example log data to the`
			`sec_logs` index. This log data follows the {ecs-ref}[Elastic Common Schema
			`(ECS)].`

			`[source,console]`
			`----`
			`PUT sec_logs/_bulk?refresh`
			`{"index":{"_index" : "sec_logs"}}`
			`{ "@timestamp": "2020-12-07T11:06:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }`
			`{"index":{"_index" : "sec_logs"}}`
			`{ "@timestamp": "2020-12-07T11:07:08.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "image_load" }, "file": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }`
			`{"index":{"_index" : "sec_logs"}}`
			`{ "@timestamp": "2020-12-07T11:07:09.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "regsvr32.exe", "path": "C:\\Windows\\System32\\regsvr32.exe" } }`
			`----`

			`You can now use the EQL search API to search this index using an EQL query.`

			The following request searches the `sec_logs` index using the EQL query
EQL: Change request parameter query to filter and rule to query (#52971) (#53006) Related to https://github.com/elastic/elasticsearch/issues/52911 2020-03-02 09:26:23 -05:00			specified in the `query` parameter. The EQL query matches events with an
[DOCS] Add basic EQL search tutorial docs (#51574) I plan to add additional sections to this page with future PRs: * Specify timestamp and event type fields * Specify a join key field * Filter using query DSL * Paginate a large response See #51057. 2020-02-12 08:40:10 -05:00			`event.category` of `process` that have a `process.name` of `cmd.exe`.

			`[source,console]`
			`----`
			`GET sec_logs/_eql/search`
			`{`
EQL: Hook engine to Elasticsearch (#52828) Add query execution and return actual results returned from Elasticsearch inside the tests (cherry picked from commit 3e039282bf991af87604a6d4f8eada19d5e33842) 2020-02-27 04:16:26 -05:00			`"event_type_field": "event.category",`
EQL: Change request parameter query to filter and rule to query (#52971) (#53006) Related to https://github.com/elastic/elasticsearch/issues/52911 2020-03-02 09:26:23 -05:00			`"query": """`
[DOCS] Add basic EQL search tutorial docs (#51574) I plan to add additional sections to this page with future PRs: * Specify timestamp and event type fields * Specify a join key field * Filter using query DSL * Paginate a large response See #51057. 2020-02-12 08:40:10 -05:00			`process where process.name == "cmd.exe"`
			`"""`
			`}`
			`----`
			`// TEST[continued]`

			Because the `sec_log` index follows the ECS, you don't need to specify the
			event type or timestamp fields. The request uses the `event.category` and
			`@timestamp` fields by default.