[role="xpack"]
[testenv="basic"]
[[eql-limitations]]
== EQL limitations
++++
<titleabbrev>Limitations</titleabbrev>
++++

dev::[]

[discrete]
[[eql-nested-fields]]
=== EQL search on nested fields is not supported

You cannot use EQL to search the values of a <<nested,`nested`>> field or the
sub-fields of a `nested` field. However, indices containing `nested` field
mappings are otherwise supported.

[discrete]
[[eql-unsupported-syntax]]
=== Unsupported syntax

{es} supports a subset of {eql-ref}/index.html[EQL syntax]. {es} cannot run EQL
queries that contain:

* Array functions:
** {eql-ref}/functions.html#arrayContains[`arrayContains`]
** {eql-ref}/functions.html#arrayCount[`arrayCount`]
** {eql-ref}/functions.html#arraySearch[`arraySearch`]

* {eql-ref}/joins.html[Joins]

* {eql-ref}/basic-syntax.html#event-relationships[Lineage-related keywords]:
** `child of`
** `descendant of`
** `event of`

* The following {eql-ref}/pipes.html[pipes]:
** {eql-ref}/pipes.html#count[`count`]
** {eql-ref}/pipes.html#filter[`filter`]
** {eql-ref}/pipes.html#sort[`sort`]
** {eql-ref}/pipes.html#unique[`unique`]
** {eql-ref}/pipes.html#unique-count[`unique_count`]

* {eql-ref}/sequences.html[State and timespan-related sequence keywords]:
** `with maxspan`
** `until`
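
A pre-flight check for the constructs listed above, as an added example that is not part of the Elasticsearch documentation or code: it scans an EQL query, skipping string literals and comments, and reports any unsupported syntax it finds. The function name, the regular-expression heuristics (including the assumed `//` and `/* */` comment forms) and the sample queries are assumptions constructed for illustration.

```python
import re

# Constructs this page lists as unsupported, grouped the way the page groups them.
# These are heuristics (an assumption of this example), not a full EQL parser.
RULES = [
    ("array function", re.compile(r"\b(arrayContains|arrayCount|arraySearch)\s*\(")),
    ("join", re.compile(r"\b(join)\b")),
    ("lineage keyword", re.compile(r"\b((?:child|descendant|event)\s+of)\b")),
    ("pipe", re.compile(r"\|\s*(unique_count|unique|count|filter|sort)\b")),
    ("sequence keyword", re.compile(r"\b(with\s+maxspan|until)\b")),
]

# String literals and comments are blanked first, so a value such as
# "wait until done | sort" is not mistaken for the `until` keyword or a pipe.
LITERAL_OR_COMMENT = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*|/\*.*?\*/', re.DOTALL
)


def unsupported_constructs(query):
    """Return sorted (category, construct) pairs found outside literals."""
    code = LITERAL_OR_COMMENT.sub(lambda m: " " * len(m.group()), query)
    found = set()
    for category, pattern in RULES:
        for match in pattern.finditer(code):
            # Collapse internal whitespace: "with   maxspan" -> "with maxspan".
            found.add((category, " ".join(match.group(1).split())))
    return sorted(found)


# Constructed sample queries (not taken from any real rule set).
SAMPLES = {
    "literal_only": 'process where command_line == "wait until done | sort"',
    "sequence": 'sequence by unique_pid with maxspan=5m '
                '[process where true] [network where true] '
                'until [process where subtype == "terminate"]',
    "lineage_pipes": 'network where child of [process where name == "powershell.exe"] '
                     '| unique_count destination_address | filter count > 5',
}

if __name__ == "__main__":
    for name, query in SAMPLES.items():
        print(name, unsupported_constructs(query))
```
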