parent
b54133399e
commit
196c2a52c1
|
@ -267,8 +267,8 @@ this value.
|
||||||
`tiebreaker_field`::
|
`tiebreaker_field`::
|
||||||
(Optional, string)
|
(Optional, string)
|
||||||
Field used to sort hits with the same
|
Field used to sort hits with the same
|
||||||
<<eql-search-api-timestamp-field,timestamp>> in ascending, lexicographic order.
|
<<eql-search-api-timestamp-field,timestamp>> in ascending order. See
|
||||||
See <<eql-search-specify-a-sort-tiebreaker>>.
|
<<eql-search-specify-a-sort-tiebreaker>>.
|
||||||
|
|
||||||
[[eql-search-api-timestamp-field]]
|
[[eql-search-api-timestamp-field]]
|
||||||
`timestamp_field`::
|
`timestamp_field`::
|
||||||
|
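Review bot: dropping "lexicographic" from the `tiebreaker_field` description leaves "ascending order" unspecified, so a reader can no longer tell whether a numeric tiebreaker sorts numerically or as a string (where `10` would precede `9`). Since the docs recommend `event.sequence` as the tiebreaker, confirm how the sort is actually performed and, if it follows the field's mapped type, say so, for example: `Field used to sort hits with the same timestamp in ascending order, according to the field's type.` The rewrapped `See <<eql-search-specify-a-sort-tiebreaker>>.` is fine.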
@ -512,7 +512,7 @@ in ascending order.
|
||||||
|
|
||||||
If two or more events share the same timestamp, the
|
If two or more events share the same timestamp, the
|
||||||
<<eql-search-api-tiebreaker-field,`tiebreaker_field`>> field is used to sort
|
<<eql-search-api-tiebreaker-field,`tiebreaker_field`>> field is used to sort
|
||||||
the events in ascending, lexicographic order.
|
the events in ascending order.
|
||||||
|
|
||||||
[source,console-result]
|
[source,console-result]
|
||||||
----
|
----
|
||||||
|
|
|
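Review bot: the wording change here is consistent with the `tiebreaker_field` parameter description, but this result-ordering paragraph still says only that the field "is used to sort the events in ascending order" and does not mention where events that lack a tiebreaker value land, which the `@@ -390` hunk now documents in the tiebreaker section. Add one sentence here (`Events with no tiebreaker value are sorted after events with a value.`) or a cross-reference to <<eql-search-specify-a-sort-tiebreaker>> so the two descriptions of the ordering cannot drift apart.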
@ -390,20 +390,15 @@ or event category field.
|
||||||
|
|
||||||
By default, the EQL search API returns matching hits by timestamp. If two or
|
By default, the EQL search API returns matching hits by timestamp. If two or
|
||||||
more events share the same timestamp, {es} uses a tiebreaker field value to sort
|
more events share the same timestamp, {es} uses a tiebreaker field value to sort
|
||||||
the events in ascending, lexicographic order.
|
the events in ascending order. {es} orders events with no
|
||||||
|
tiebreaker value after events with a value.
|
||||||
|
|
||||||
If you don't specify a tiebreaker field or the events also share the same
|
If you don't specify a tiebreaker field or the events also share the same
|
||||||
tiebreaker value, {es} considers the events concurrent. Concurrent events cannot
|
tiebreaker value, {es} considers the events concurrent. Concurrent events cannot
|
||||||
be part of the same sequence and may not be returned in a consistent sort order.
|
be part of the same sequence and may not be returned in a consistent sort order.
|
||||||
|
|
||||||
To specify a tiebreaker field, use the `tiebreaker_field` parameter. If you
|
To specify a tiebreaker field, use the `tiebreaker_field` parameter. If you use
|
||||||
specify a tiebreaker field for a sequence query, all events in the searched data
|
the {ecs-ref}[ECS], we recommend using `event.sequence` as the tiebreaker field.
|
||||||
streams or indices must contain a tiebreaker field value. For basic queries,
|
|
||||||
{es} orders matching events with no tiebreaker value after events with a
|
|
||||||
tiebreaker value.
|
|
||||||
|
|
||||||
If you use the {ecs-ref}[ECS], we recommend using `event.sequence` as the
|
|
||||||
tiebreaker field.
|
|
||||||
|
|
||||||
[source,console]
|
[source,console]
|
||||||
----
|
----
|
||||||
|
|
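Review bot: removing the sentence "If you specify a tiebreaker field for a sequence query, all events in the searched data streams or indices must contain a tiebreaker field value" is a behaviour change, not a copy edit, and nothing in the hunk says what now happens to a sequence query over events that lack the value. The replacement "{es} orders events with no tiebreaker value after events with a value" was previously scoped to basic queries only; if it now applies to sequences as well, state whether two same-timestamp events that both lack a tiebreaker value count as concurrent under the following unchanged paragraph, because concurrent events cannot be part of the same sequence, and detection rules built on sequence queries would otherwise match, or silently stop matching, differently than the old text promised.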