[role="xpack"]
[testenv="basic"]
[[eql-requirements]]
== EQL requirements
++++
<titleabbrev>Requirements</titleabbrev>
++++

dev::[]

EQL is schema-less and works well with most common log formats.

[TIP]
====
While no schema is required to use EQL in {es}, we recommend the
{ecs-ref}[Elastic Common Schema (ECS)]. The EQL search API is designed to work
with core ECS fields by default.
====

[discrete]
[[eql-required-fields]]
=== Required fields

In {es}, EQL assumes each document in a data stream or index corresponds to an
event.
To search a data stream or index using EQL, each document in the data stream or
index must contain the following field archetypes:
Event category::
A field containing the event classification, such as `process`, `file`, or
`network`. This is typically mapped as a <<keyword,`keyword`>> field.
Timestamp::
A field containing the date and/or time the event occurred. This is typically
mapped as a <<date,`date`>> field.

[NOTE]
====
You cannot use a <<nested,`nested`>> field data type or the sub-fields of a
`nested` field data type as the timestamp or event category field. See
<<eql-nested-fields>>.
====
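As an added example (not part of the {es} documentation), the following Python pre-flight check walks an index mapping and reports whether the two archetype fields exist, whether either is a `nested` field or sits under one, and whether they carry the typical `keyword` and `date` types. The sample mapping, the helper names `resolve_field` and `check_eql_fields`, and the use of the ECS names `event.category` and `@timestamp` as defaults are assumptions of this example.

```python
# Added example: pre-flight check of an index mapping against the EQL field
# requirements. The mapping is constructed for this example, not from a real cluster.
SAMPLE_MAPPING = {
    "properties": {
        "@timestamp": {"type": "date"},
        "event": {"properties": {"category": {"type": "keyword"}}},
        "process": {"properties": {"name": {"type": "keyword"}}},
        # nested field: neither it nor its sub-fields may serve as archetype fields
        "dns": {
            "type": "nested",
            "properties": {"answers": {"properties": {"at": {"type": "date"}}}},
        },
    }
}


def resolve_field(mapping, path):
    """Walk a dotted field path; return (definition or None, under_nested).

    under_nested is True when the field or any ancestor is mapped as `nested`.
    """
    node, under_nested = mapping, False
    for part in path.split("."):
        props = node.get("properties", {})
        if part not in props:
            return None, under_nested
        node = props[part]
        if node.get("type") == "nested":
            under_nested = True
    return node, under_nested


def check_eql_fields(mapping, event_category_field="event.category",
                     timestamp_field="@timestamp"):
    """Return findings; an empty list means EQL can use the mapping.

    Defaults are the ECS field names (an assumption of this example).
    """
    findings = []
    for label, path, typical in (("event category", event_category_field, "keyword"),
                                 ("timestamp", timestamp_field, "date")):
        definition, nested = resolve_field(mapping, path)
        if definition is None:
            findings.append(f"error: {label} field '{path}' is not mapped")
        elif nested:
            findings.append(f"error: {label} field '{path}' is nested or a sub-field of a nested field")
        elif definition.get("type") != typical:
            findings.append(f"warning: {label} field '{path}' is mapped as "
                            f"{definition.get('type')!r}; {typical!r} is typical")
    return findings
```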