honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[DOCS] Reorganize EQL requirements page

This commit is contained in:
James Rodewig 2020-03-03 06:59:17 -05:00
parent 70814daa86
commit bcb68c860c
1 changed files with 9 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
docs/reference/eql/requirements.asciidoc
View File

@ -8,9 +8,15 @@
experimental::[] experimental::[]
EQL is schemaless and works out-of-the-box with most common log formats. If you EQL is schema-less and works well with most common log formats.
use a standard log format and already know what fields in your index contain
event type and timestamp information, you can skip this page.
[TIP]
====
While no schema is required to use EQL in {es}, we recommend the
{ecs-ref}[Elastic Common Schema (ECS)]. The EQL search API is designed to work
with core ECS fields by default.
====
[discrete] [discrete]
[[eql-required-fields]] [[eql-required-fields]]
@ -28,10 +34,3 @@ A field containing the event classification, such as `process`, `file`, or
Timestamp:: Timestamp::
A field containing the date and/or time the event occurred. This is typically A field containing the date and/or time the event occurred. This is typically
mapped as a <<date,`date`>> field. mapped as a <<date,`date`>> field.
[TIP]
====
While no schema is required to use EQL in {es}, we recommend the
{ecs-ref}[Elastic Common Schema (ECS)]. {es}'s EQL search is designed to work
with core ECS fields by default.
====