From ca34817659734778d888c8f2d2a96a73dfac8e92 Mon Sep 17 00:00:00 2001
From: James Rodewig <james.rodewig@elastic.co>
Date: Wed, 12 Feb 2020 08:45:15 -0500
Subject: [PATCH] [DOCS] Add EQL limitations page (#52001)

Documents limitations for EQL in Elasticsearch.
---
 docs/reference/eql/index.asciidoc       |  2 ++
 docs/reference/eql/limitations.asciidoc | 29 +++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 docs/reference/eql/limitations.asciidoc

diff --git a/docs/reference/eql/index.asciidoc b/docs/reference/eql/index.asciidoc
index a6a30ea234d..328f40a36a5 100644
--- a/docs/reference/eql/index.asciidoc
+++ b/docs/reference/eql/index.asciidoc
@@ -32,7 +32,9 @@ Consider using EQL if you:
 * <<eql-requirements>>
 * <<eql-search>>
 * <<eql-syntax>>
+* <<eql-limitations>>
 
 include::requirements.asciidoc[]
 include::search.asciidoc[]
 include::syntax.asciidoc[]
+include::limitations.asciidoc[]
diff --git a/docs/reference/eql/limitations.asciidoc b/docs/reference/eql/limitations.asciidoc
new file mode 100644
index 00000000000..5e6cc74c319
--- /dev/null
+++ b/docs/reference/eql/limitations.asciidoc
@@ -0,0 +1,29 @@
+[role="xpack"]
+[testenv="basic"]
+[[eql-limitations]]
+== EQL limitations
+++++
+<titleabbrev>Limitations</titleabbrev>
+++++
+
+experimental::[]
+
+[discrete]
+[[eql-unsupported-syntax]]
+=== Unsupported syntax
+
+{es} supports a subset of {eql-ref}/index.html[EQL syntax]. {es} cannot run EQL
+queries that contain:
+
+* {eql-ref}/functions.html[Functions]
+
+* {eql-ref}/joins.html[Joins]
+
+* {eql-ref}/basic-syntax.html#event-relationships[Lineage-related keywords]:
+** `child of`
+** `descendant of`
+** `event of`
+
+* {eql-ref}/pipes.html[Pipes]
+
+* {eql-ref}/sequences.html[Sequences]
\ No newline at end of file