[DOCS] Add basic EQL search tutorial docs (#51574)

I plan to add additional sections to this page with future PRs: * Specify timestamp and event type fields * Specify a join key field * Filter using query DSL * Paginate a large response See #51057.
2020-02-12 08:40:10 -05:00 · 2020-02-12 08:40:10 -05:00 · 20453d3ac8
parent 5d35eaa1cb
commit 20453d3ac8
4 changed files with 50 additions and 5 deletions
--- a/docs/reference/eql/index.asciidoc
+++ b/docs/reference/eql/index.asciidoc
@ -30,7 +30,9 @@ Consider using EQL if you:
 === In this section

 * <<eql-requirements>>
+* <<eql-search>>
 * <<eql-syntax>>

 include::requirements.asciidoc[]
+include::search.asciidoc[]
 include::syntax.asciidoc[]
--- a/docs/reference/eql/requirements.asciidoc
+++ b/docs/reference/eql/requirements.asciidoc
@ -6,6 +6,8 @@
 <titleabbrev>Requirements</titleabbrev>
 ++++

+experimental::[]
+
 EQL is schemaless and works out-of-the-box with most common log formats. If you
 use a standard log format and already know what fields in your index contain
 event type and timestamp information, you can skip this page.
--- a/docs/reference/eql/search.asciidoc
+++ b/docs/reference/eql/search.asciidoc
@ -0,0 +1,46 @@
+[role="xpack"]
+[testenv="basic"]
+[[eql-search]]
+== Run an EQL search
+
+experimental::[]
+
+To start using EQL in {es}, first ensure your event data meets
+<<eql-requirements,EQL requirements>>. Then ingest or add the data to an {es}
+index.
+
+The following <<docs-bulk,bulk API>> request adds some example log data to the
+`sec_logs` index. This log data follows the {ecs-ref}[Elastic Common Schema
+(ECS)].
+
+[source,console]
+----
+PUT sec_logs/_bulk?refresh
+{"index":{"_index" : "sec_logs"}}
+{ "@timestamp": "2020-12-07T11:06:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
+{"index":{"_index" : "sec_logs"}}
+{ "@timestamp": "2020-12-07T11:07:08.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "image_load" }, "file": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
+{"index":{"_index" : "sec_logs"}}
+{ "@timestamp": "2020-12-07T11:07:09.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "regsvr32.exe", "path": "C:\\Windows\\System32\\regsvr32.exe" } }
+----
+
+You can now use the EQL search API to search this index using an EQL query.
+
+The following request searches the `sec_logs` index using the EQL query
+specified in the `rule` parameter. The EQL query matches events with an
+`event.category` of `process` that have a `process.name` of `cmd.exe`.
+
+[source,console]
+----
+GET sec_logs/_eql/search
+{
+  "rule": """
+    process where process.name == "cmd.exe"
+  """
+}
+----
+// TEST[continued]
+
+Because the `sec_log` index follows the ECS, you don't need to specify the
+event type or timestamp fields. The request uses the `event.category` and
+`@timestamp` fields by default.
--- a/docs/reference/redirects.asciidoc
+++ b/docs/reference/redirects.asciidoc
@ -364,8 +364,3 @@ See <<slm-api-start>>.
 === Stop {slm} API

 See <<slm-api-stop>>.
-
-[role="exclude",id="eql-search"]
-=== EQL search  API
-
-See <<eql>>.