diff --git a/docs/reference/eql/index.asciidoc b/docs/reference/eql/index.asciidoc
index 8de75449607..a6a30ea234d 100644
--- a/docs/reference/eql/index.asciidoc
+++ b/docs/reference/eql/index.asciidoc
@@ -30,7 +30,9 @@ Consider using EQL if you:
 === In this section
 
 * <>
+* <>
 * <>
 
 include::requirements.asciidoc[]
+include::search.asciidoc[]
 include::syntax.asciidoc[]
diff --git a/docs/reference/eql/requirements.asciidoc b/docs/reference/eql/requirements.asciidoc
index 1791b547d50..233a29d661f 100644
--- a/docs/reference/eql/requirements.asciidoc
+++ b/docs/reference/eql/requirements.asciidoc
@@ -6,6 +6,8 @@
 Requirements
 ++++
 
+experimental::[]
+
 EQL is schemaless and works out-of-the-box with most common log formats. If you use a standard log format and already know what fields in your index contain event type and timestamp information, you can skip this page.
diff --git a/docs/reference/eql/search.asciidoc b/docs/reference/eql/search.asciidoc
new file mode 100644
index 00000000000..10dc96a5b9e
--- /dev/null
+++ b/docs/reference/eql/search.asciidoc
@@ -0,0 +1,46 @@
+[role="xpack"]
+[testenv="basic"]
+[[eql-search]]
+== Run an EQL search
+
+experimental::[]
+
+To start using EQL in {es}, first ensure your event data meets
+<>. Then ingest or add the data to an {es}
+index.
+
+The following <> request adds some example log data to the
+`sec_logs` index. This log data follows the {ecs-ref}[Elastic Common Schema
+(ECS)].
+
+[source,console]
+----
+PUT sec_logs/_bulk?refresh
+{"index":{"_index" : "sec_logs"}}
+{ "@timestamp": "2020-12-07T11:06:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
+{"index":{"_index" : "sec_logs"}}
+{ "@timestamp": "2020-12-07T11:07:08.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "image_load" }, "file": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
+{"index":{"_index" : "sec_logs"}}
+{ "@timestamp": "2020-12-07T11:07:09.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "regsvr32.exe", "path": "C:\\Windows\\System32\\regsvr32.exe" } }
+----
+
+You can now use the EQL search API to search this index using an EQL query.
+
+The following request searches the `sec_logs` index using the EQL query
+specified in the `rule` parameter. The EQL query matches events with an
+`event.category` of `process` that have a `process.name` of `cmd.exe`.
+
+[source,console]
+----
+GET sec_logs/_eql/search
+{
+ "rule": """
+ process where process.name == "cmd.exe"
+ """
+}
+----
+// TEST[continued]
+
+Because the `sec_log` index follows the ECS, you don't need to specify the
+event type or timestamp fields. The request uses the `event.category` and
+`@timestamp` fields by default.
diff --git a/docs/reference/redirects.asciidoc b/docs/reference/redirects.asciidoc
index 794c2612ba8..1f21b99f11f 100644
--- a/docs/reference/redirects.asciidoc
+++ b/docs/reference/redirects.asciidoc
@@ -364,8 +364,3 @@ See <>.
 === Stop {slm} API
 
 See <>.
-
-[role="exclude",id="eql-search"]
-=== EQL search API
-
-See <>.