[DOCS] Fix EQL required fields language

This commit is contained in:
James Rodewig 2020-08-12 09:42:45 -04:00
parent 538c93c923
commit bc37b1b2a7
1 changed files with 17 additions and 12 deletions


@ -32,15 +32,18 @@ makes it easy to describe activity that goes beyond IOCs.
[[eql-required-fields]] [[eql-required-fields]]
== Required fields == Required fields
EQL assumes each document in a data stream or index corresponds to an event. To TIP: While no schema is required to use EQL in {es}, we recommend using the
search using EQL, each document in the searched data stream or index must {ecs-ref}[Elastic Common Schema (ECS)]. EQL search is designed to work
include a _timestamp_ field and an _event category_ field. with core ECS fields by default.
{es} EQL uses the `@timestamp` and `event.category` fields from the EQL assumes each document in a data stream or index corresponds to an event. To
{ecs-ref}[Elastic Common Schema (ECS)] as the default timestamp and event run an EQL search, each document must contain a _timestamp_ and _event category_
category fields. If your searched documents use a different timestamp or event field.
category field, you must specify it in the search request. See
<<specify-a-timestamp-or-event-category-field>>. EQL uses the `@timestamp` and `event.category` fields from the {ecs-ref}[ECS] as
the default timestamp and event category fields. If your documents use a
different timestamp or event category field, you must specify it in the search
request. See <<specify-a-timestamp-or-event-category-field>>.
[discrete] [discrete]
[[run-an-eql-search]] [[run-an-eql-search]]
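Review bot: The new TIP ("no schema is required to use EQL") sits directly above a paragraph stating that each document must contain a timestamp and event category field, and the two read as contradictory on first pass. Consider tightening the TIP to "While no specific schema is required" or noting in it that only those two fields are mandatory, so the recommendation to use ECS is not read as the requirement itself. Minor: the second reference uses the short form `{ecs-ref}[ECS]` while the TIP uses the full `{ecs-ref}[Elastic Common Schema (ECS)]`; that is fine since the full form appears first, but the same section later in this commit spells it out again, so pick one convention for repeat mentions.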
@ -404,10 +407,12 @@ GET /my-index-000001/_eql/search
[[specify-a-timestamp-or-event-category-field]] [[specify-a-timestamp-or-event-category-field]]
=== Specify a timestamp or event category field === Specify a timestamp or event category field
By default, the EQL search API uses `@timestamp` and `event.category` as the To run an EQL search, each searched document must contain a timestamp and event
required timestamp and event category fields. If your searched documents use category field. The EQL search API uses the `@timestamp` and `event.category`
a different timestamp or event category field, you must specify it in the search fields from the {ecs-ref}[Elastic Common Schema (ECS)] by default. If your
request using the `timestamp_field` or `event_category_field` parameters. documents use a different timestamp or event category field, you must specify it
in the search request using the `timestamp_field` or `event_category_field`
parameters.
The event category field is typically mapped as a <<keyword,`keyword`>> or The event category field is typically mapped as a <<keyword,`keyword`>> or
<<constant-keyword,constant keyword>> field. The timestamp field is typically <<constant-keyword,constant keyword>> field. The timestamp field is typically
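Review bot: The rewritten opening of this section restates almost verbatim the "Required fields" paragraph introduced in the first hunk (each document must contain a timestamp and event category field; `@timestamp` and `event.category` from ECS are the defaults); keeping the requirement in one place and linking to `<<eql-required-fields>>` from here would avoid the two copies drifting apart in future edits. The paragraph also states the fields are required without saying what the EQL search API does when a searched document lacks them (error versus the document being skipped); this is the question a reader hitting this section will have, so consider documenting the actual behaviour next to the `timestamp_field` and `event_category_field` parameters.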