[DOCS] EQL: Update docs for null tiebreakers (#65078) (#65138)

James Rodewig 2020-11-17 10:42:10 -05:00 committed by GitHub
parent b54133399e
commit 196c2a52c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 12 deletions


@ -267,8 +267,8 @@ this value.
`tiebreaker_field`:: `tiebreaker_field`::
(Optional, string) (Optional, string)
Field used to sort hits with the same Field used to sort hits with the same
<<eql-search-api-timestamp-field,timestamp>> in ascending, lexicographic order. <<eql-search-api-timestamp-field,timestamp>> in ascending order. See
See <<eql-search-specify-a-sort-tiebreaker>>. <<eql-search-specify-a-sort-tiebreaker>>.
[[eql-search-api-timestamp-field]] [[eql-search-api-timestamp-field]]
`timestamp_field`:: `timestamp_field`::
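Review bot: the parameter description now says only "ascending order" and leaves the null-ordering rule that this commit documents to the cross-referenced section; consider adding one clause here, e.g. "Events with no tiebreaker value are sorted after events with a value.", so API users reading the parameter list get the behaviour without following the link. Dropping "lexicographic" is the right call, since the old wording asserted string ordering regardless of the tiebreaker field's type.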
@ -512,7 +512,7 @@ in ascending order.
If two or more events share the same timestamp, the If two or more events share the same timestamp, the
<<eql-search-api-tiebreaker-field,`tiebreaker_field`>> field is used to sort <<eql-search-api-tiebreaker-field,`tiebreaker_field`>> field is used to sort
the events in ascending, lexicographic order. the events in ascending order.
[source,console-result] [source,console-result]
---- ----


@ -390,20 +390,15 @@ or event category field.
By default, the EQL search API returns matching hits by timestamp. If two or By default, the EQL search API returns matching hits by timestamp. If two or
more events share the same timestamp, {es} uses a tiebreaker field value to sort more events share the same timestamp, {es} uses a tiebreaker field value to sort
the events in ascending, lexicographic order. the events in ascending order. {es} orders events with no
tiebreaker value after events with a value.
If you don't specify a tiebreaker field or the events also share the same If you don't specify a tiebreaker field or the events also share the same
tiebreaker value, {es} considers the events concurrent. Concurrent events cannot tiebreaker value, {es} considers the events concurrent. Concurrent events cannot
be part of the same sequence and may not be returned in a consistent sort order. be part of the same sequence and may not be returned in a consistent sort order.
To specify a tiebreaker field, use the `tiebreaker_field` parameter. If you To specify a tiebreaker field, use the `tiebreaker_field` parameter. If you use
specify a tiebreaker field for a sequence query, all events in the searched data the {ecs-ref}[ECS], we recommend using `event.sequence` as the tiebreaker field.
streams or indices must contain a tiebreaker field value. For basic queries,
{es} orders matching events with no tiebreaker value after events with a
tiebreaker value.
If you use the {ecs-ref}[ECS], we recommend using `event.sequence` as the
tiebreaker field.
[source,console] [source,console]
---- ----
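Review bot: the replacement sentence "{es} orders events with no tiebreaker value after events with a value" drops the old basic-vs-sequence distinction but does not say how missing values interact with the concurrency rule in the next paragraph. That paragraph states that events sharing the same tiebreaker value are concurrent and cannot be part of the same sequence, so a sequence author needs to know whether two events that both lack a tiebreaker value count as sharing one (and therefore cannot form a sequence together) or remain distinguishable; one sentence after "after events with a value." would settle it. Also, the removed text was the only statement that sequence queries required every event to contain the field, so double-check that no other section of this page still carries that requirement.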