OpenSearch/docs/reference/eql/index.asciidoc

[role="xpack"]
[testenv="basic"]
[[eql]]
= EQL for event-based search
++++
<titleabbrev>EQL</titleabbrev>
++++

dev::[]

{eql-ref}/index.html[Event Query Language (EQL)] is a query language used for
logs and other event-based data.

You can use EQL in {es} to easily express relationships between events and
quickly match events with shared properties. You can use EQL and query
DSL together to better filter your searches.

[float]
[[eql-advantages]]
=== Advantages of EQL

* *EQL lets you express relationships between events.* +
Many query languages allow you to match only single events. EQL lets you match a
sequence of events across different event categories and time spans.

* *EQL has a low learning curve.* +
EQL syntax looks like other query languages. It lets you write and read queries
intuitively, which makes for quick, iterative searching.

* *We designed EQL for security use cases.* +
While you can use EQL for any event-based data, we created EQL for threat
hunting. EQL not only supports indicator of compromise (IOC) searching but
makes it easy to describe activity that goes beyond IOCs.

[float]
[[when-to-use-eql]]
=== When to use EQL

Consider using EQL if you:

* Use {es} for threat hunting or other security use cases
* Search time-series data or logs, such as network or system logs
* Want an easy way to explore relationships between events

[float]
[[eql-toc]]
=== In this section

* <<eql-requirements>>
* <<eql-search>>
* <<eql-syntax>>
* <<eql-function-ref>>
* <<eql-limitations>>

include::requirements.asciidoc[]
include::search.asciidoc[]
include::syntax.asciidoc[]
include::functions.asciidoc[]
include::limitations.asciidoc[]
[DOCS] Add top-level EQL docs page. Adds EQL requirements page. (#51334) * Creates a top-level page for EQL in the ES reference. This page contains a high-level introduction and will include a nav for other EQL docs pages as they're built. * Creates a requirements page. This page outlines the fields needed to use EQL in ES. 2020-01-27 16:03:23 -05:00			`[role="xpack"]`
			`[testenv="basic"]`
			`[[eql]]`
			`= EQL for event-based search`
			`++++`
			`<titleabbrev>EQL</titleabbrev>`
			`++++`

[DOCS] EQL: Add `dev` admonition to EQL pages (#57531) (#57533) Adds the `dev` admonition to EQL features, which are in development under a feature flag. 2020-06-02 11:03:12 -04:00			`dev::[]`
[DOCS] Add top-level EQL docs page. Adds EQL requirements page. (#51334) * Creates a top-level page for EQL in the ES reference. This page contains a high-level introduction and will include a nav for other EQL docs pages as they're built. * Creates a requirements page. This page outlines the fields needed to use EQL in ES. 2020-01-27 16:03:23 -05:00
			`{eql-ref}/index.html[Event Query Language (EQL)] is a query language used for`
			`logs and other event-based data.`

			`You can use EQL in {es} to easily express relationships between events and`
			`quickly match events with shared properties. You can use EQL and query`
			`DSL together to better filter your searches.`

[DOCS] EQL: Add advantages to overview (#53452) (#56052) Adds a concise list of EQL advantages, based on the "EQL Advantages" section in the [EQL for the masses][0] blog post. The intent is to inform users how EQL could benefit at a high level. [0]: https://www.elastic.co/blog/eql-for-the-masses Co-Authored-By: Ross Wolf <31489089+rw-access@users.noreply.github.com> 2020-04-30 13:19:31 -04:00			`[float]`
			`[[eql-advantages]]`
			`=== Advantages of EQL`

			`* EQL lets you express relationships between events. +`
			`Many query languages allow you to match only single events. EQL lets you match a`
			`sequence of events across different event categories and time spans.`

			`* EQL has a low learning curve. +`
			`EQL syntax looks like other query languages. It lets you write and read queries`
			`intuitively, which makes for quick, iterative searching.`

			`* We designed EQL for security use cases. +`
			`While you can use EQL for any event-based data, we created EQL for threat`
			`hunting. EQL not only supports indicator of compromise (IOC) searching but`
			`makes it easy to describe activity that goes beyond IOCs.`

[DOCS] Add top-level EQL docs page. Adds EQL requirements page. (#51334) * Creates a top-level page for EQL in the ES reference. This page contains a high-level introduction and will include a nav for other EQL docs pages as they're built. * Creates a requirements page. This page outlines the fields needed to use EQL in ES. 2020-01-27 16:03:23 -05:00			`[float]`
			`[[when-to-use-eql]]`
			`=== When to use EQL`

			`Consider using EQL if you:`

			`* Use {es} for threat hunting or other security use cases`
			`* Search time-series data or logs, such as network or system logs`
			`* Want an easy way to explore relationships between events`

			`[float]`
			`[[eql-toc]]`
			`=== In this section`

[DOCS] Add EQL syntax page (#51821) Adds documentation for basic EQL syntax. Joins, sequences, and other syntax to be added as its supported in future development. Co-Authored-By: Ross Wolf <31489089+rw-access@users.noreply.github.com> 2020-02-05 08:12:09 -05:00			`* <<eql-requirements>>`
[DOCS] Add basic EQL search tutorial docs (#51574) I plan to add additional sections to this page with future PRs: * Specify timestamp and event type fields * Specify a join key field * Filter using query DSL * Paginate a large response See #51057. 2020-02-12 08:40:10 -05:00			`* <<eql-search>>`
[DOCS] Add EQL syntax page (#51821) Adds documentation for basic EQL syntax. Joins, sequences, and other syntax to be added as its supported in future development. Co-Authored-By: Ross Wolf <31489089+rw-access@users.noreply.github.com> 2020-02-05 08:12:09 -05:00			`* <<eql-syntax>>`
[DOCS] EQL: Document `substring` function (#53867) Adds documentation for the EQL `substring` function. Supporting changes: * Creates a new "EQL function reference" page * Updates the title of the "EQL syntax reference" page for consistency * Adds a brief "Functions" section to the EQL syntax docs * Updates EQL limitations docs to state that only array functions are unsupported 2020-03-25 12:23:59 -04:00			`* <<eql-function-ref>>`
[DOCS] Add EQL limitations page (#52001) Documents limitations for EQL in Elasticsearch. 2020-02-12 08:45:15 -05:00			`* <<eql-limitations>>`
[DOCS] Add top-level EQL docs page. Adds EQL requirements page. (#51334) * Creates a top-level page for EQL in the ES reference. This page contains a high-level introduction and will include a nav for other EQL docs pages as they're built. * Creates a requirements page. This page outlines the fields needed to use EQL in ES. 2020-01-27 16:03:23 -05:00
			`include::requirements.asciidoc[]`
[DOCS] Add basic EQL search tutorial docs (#51574) I plan to add additional sections to this page with future PRs: * Specify timestamp and event type fields * Specify a join key field * Filter using query DSL * Paginate a large response See #51057. 2020-02-12 08:40:10 -05:00			`include::search.asciidoc[]`
[DOCS] Add EQL syntax page (#51821) Adds documentation for basic EQL syntax. Joins, sequences, and other syntax to be added as its supported in future development. Co-Authored-By: Ross Wolf <31489089+rw-access@users.noreply.github.com> 2020-02-05 08:12:09 -05:00			`include::syntax.asciidoc[]`
[DOCS] EQL: Document `substring` function (#53867) Adds documentation for the EQL `substring` function. Supporting changes: * Creates a new "EQL function reference" page * Updates the title of the "EQL syntax reference" page for consistency * Adds a brief "Functions" section to the EQL syntax docs * Updates EQL limitations docs to state that only array functions are unsupported 2020-03-25 12:23:59 -04:00			`include::functions.asciidoc[]`
[DOCS] Add EQL limitations page (#52001) Documents limitations for EQL in Elasticsearch. 2020-02-12 08:45:15 -05:00			`include::limitations.asciidoc[]`