[DOCS] EQL: Add collapsible sections to EQL tutorial docs (#56235)

Adds collapsible sections to the snippet examples of the EQL tutorial
docs.

Also adds a leading slash to EQL API snippet examples.
James Rodewig 2020-05-05 16:29:11 -04:00
parent e7df8b388e
commit dac4ed282e
2 changed files with 36 additions and 18 deletions


@ -16,7 +16,7 @@ In {es}, EQL assumes each document in an index corresponds to an event.
//// ////
[source,console] [source,console]
---- ----
PUT my_index/_bulk?refresh PUT /my_index/_bulk?refresh
{"index":{"_index" : "my_index", "_id" : "1"}} {"index":{"_index" : "my_index", "_id" : "1"}}
{ "@timestamp": "2020-12-06T11:04:05.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } } { "@timestamp": "2020-12-06T11:04:05.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "my_index", "_id" : "2"}} {"index":{"_index" : "my_index", "_id" : "2"}}
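Review bot: The `?refresh` on the `PUT /my_index/_bulk?refresh` line deserves a sentence in the surrounding text: it is what makes the two indexed events visible to the `GET my_index/_eql/search` request shown in the next hunk header, and a reader who drops it when adapting the snippet will get an empty result until the index refreshes on its own. The added leading slash matches the `/<index>/_eql/search` forms changed in the next hunk, so the page's request examples are now consistent.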
@ -44,9 +44,9 @@ GET my_index/_eql/search
[[eql-search-api-request]] [[eql-search-api-request]]
==== {api-request-title} ==== {api-request-title}
`GET <index>/_eql/search` `GET /<index>/_eql/search`
`POST <index>/_eql/search` `POST /<index>/_eql/search`
[[eql-search-api-prereqs]] [[eql-search-api-prereqs]]
==== {api-prereq-title} ==== {api-prereq-title}


@ -6,8 +6,13 @@
experimental::[] experimental::[]
To start using EQL in {es}, first ensure your event data meets To start using EQL in {es}, first ensure your event data meets
<<eql-requirements,EQL requirements>>. Then ingest or add the data to an {es} <<eql-requirements,EQL requirements>>. You can then use the <<eql-search-api,EQL
index. search API>> to search event data stored in one or more {es} indices.
.*Example*
[%collapsible]
====
To get started, ingest or add the data to an {es} index.
The following <<docs-bulk,bulk API>> request adds some example log data to the The following <<docs-bulk,bulk API>> request adds some example log data to the
`sec_logs` index. This log data follows the {ecs-ref}[Elastic Common Schema `sec_logs` index. This log data follows the {ecs-ref}[Elastic Common Schema
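Review bot: The `====` that opens the `.*Example*` collapsible block here is only closed in the `@ -122,6 +127,7` hunk further down, so the block spans the bulk request, the `// TESTSETUP` marker, the TIP admonition, and the first search request with its response. Every block delimiter between those two points has to be longer than four characters (the TIP hunk below does this); confirm no other `====` line remains in between, otherwise the example closes early and the `====` added at the end opens a stray block.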
@ -15,7 +20,7 @@ The following <<docs-bulk,bulk API>> request adds some example log data to the
[source,console] [source,console]
---- ----
PUT sec_logs/_bulk?refresh PUT /sec_logs/_bulk?refresh
{"index":{"_index" : "sec_logs", "_id" : "1"}} {"index":{"_index" : "sec_logs", "_id" : "1"}}
{ "@timestamp": "2020-12-06T11:04:05.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } } { "@timestamp": "2020-12-06T11:04:05.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "sec_logs", "_id" : "2"}} {"index":{"_index" : "sec_logs", "_id" : "2"}}
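Review bot: This bulk request is the page's `// TESTSETUP` (first line of the next hunk), so the `PUT /sec_logs/_bulk?refresh` form is what every `[source,console]` test on the page runs against; run the docs snippet tests for this file once to confirm the slashed URL is accepted by the test harness before merging.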
@ -30,13 +35,13 @@ PUT sec_logs/_bulk?refresh
// TESTSETUP // TESTSETUP
[TIP] [TIP]
==== =====
You also can set up {beats-ref}/getting-started.html[{beats}], such as You also can set up {beats-ref}/getting-started.html[{beats}], such as
{auditbeat-ref}/auditbeat-getting-started.html[{auditbeat}] or {auditbeat-ref}/auditbeat-getting-started.html[{auditbeat}] or
{winlogbeat-ref}/winlogbeat-getting-started.html[{winlogbeat}], to automatically {winlogbeat-ref}/winlogbeat-getting-started.html[{winlogbeat}], to automatically
send and index your event data in {es}. See send and index your event data in {es}. See
{beats-ref}/getting-started.html[Getting started with {beats}]. {beats-ref}/getting-started.html[Getting started with {beats}].
==== =====
You can now use the EQL search API to search this index using an EQL query. You can now use the EQL search API to search this index using an EQL query.
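Review bot: Bumping the TIP delimiter from `====` to `=====` on both the opening and closing lines is required, because the admonition now sits inside the four-equals collapsible example block opened earlier in this file; a `====` here would have been read as the end of that block. Both delimiter lines match in length, which is the thing to check with nested AsciiDoc blocks.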
@ -46,7 +51,7 @@ specified in the `query` parameter. The EQL query matches events with an
[source,console] [source,console]
---- ----
GET sec_logs/_eql/search GET /sec_logs/_eql/search
{ {
"query": """ "query": """
process where process.name == "cmd.exe" process where process.name == "cmd.exe"
@ -122,6 +127,7 @@ https://en.wikipedia.org/wiki/Unix_time[Unix epoch], in ascending order.
} }
---- ----
// TESTRESPONSE[s/"took": 60/"took": $body.took/] // TESTRESPONSE[s/"took": 60/"took": $body.took/]
====
[discrete] [discrete]
[[eql-search-specify-event-category-field]] [[eql-search-specify-event-category-field]]
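Review bot: With the closing `====` placed after the `// TESTRESPONSE[...]` line, the default view of the tutorial hides the ingest step, the first `GET /sec_logs/_eql/search` request, and the response walk-through, and the sentence "You can now use the EQL search API to search this index using an EQL query." is collapsed along with them. Consider keeping that sentence and the first request outside the block so a reader sees one complete query without expanding anything. Placing the `====` after the `// TESTRESPONSE` substitution rather than between it and its `----` fence is correct.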
@ -131,12 +137,15 @@ The EQL search API uses `event.category` as the required
<<eql-required-fields,event category field>> by default. You can use the <<eql-required-fields,event category field>> by default. You can use the
`event_category_field` parameter to specify another event category field. `event_category_field` parameter to specify another event category field.
For example, the following request specifies `file.type` as the event category .*Example*
[%collapsible]
====
The following request specifies `file.type` as the event category
field. field.
[source,console] [source,console]
---- ----
GET sec_logs/_eql/search GET /sec_logs/_eql/search
{ {
"event_category_field": "file.type", "event_category_field": "file.type",
"query": """ "query": """
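Review bot: Splitting the sentence across the new `The following request specifies \`file.type\` as the event category` line and the unchanged `field.` line is fine, and dropping "For example," is right now that the block title is already `*Example*`. One check: this `[source,console]` request runs against the `sec_logs` TESTSETUP data, so the sample documents must carry a `file.type` value for the example to return hits; the documents visible in this diff only show `event.category` and `process` fields.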
@ -144,6 +153,7 @@ GET sec_logs/_eql/search
""" """
} }
---- ----
====
[discrete] [discrete]
[[eql-search-specify-timestamp-field]] [[eql-search-specify-timestamp-field]]
@ -153,12 +163,15 @@ The EQL search API uses `@timestamp` as the required <<eql-required-fields,event
timestamp field>> by default. You can use the `timestamp_field` parameter to timestamp field>> by default. You can use the `timestamp_field` parameter to
specify another timestamp field. specify another timestamp field.
For example, the following request specifies `file.accessed` as the event .*Example*
[%collapsible]
====
The following request specifies `file.accessed` as the event
timestamp field. timestamp field.
[source,console] [source,console]
---- ----
GET sec_logs/_eql/search GET /sec_logs/_eql/search
{ {
"timestamp_field": "file.accessed", "timestamp_field": "file.accessed",
"query": """ "query": """
@ -166,23 +179,27 @@ GET sec_logs/_eql/search
""" """
} }
---- ----
====
[discrete] [discrete]
[[eql-search-filter-query-dsl]] [[eql-search-filter-query-dsl]]
=== Filter using query DSL === Filter using query DSL
You can use the `filter` parameter to specify an additional query using You can use the EQL search API's `filter` parameter to specify an additional
<<query-dsl,query DSL>>. This query filters the documents on which the EQL query query using <<query-dsl,query DSL>>. This query filters the documents on which
runs. the EQL query runs.
For example, the following request uses a `range` query to filter the `sec_logs` .*Example*
[%collapsible]
====
The following request uses a `range` query to filter the `sec_logs`
index down to only documents with a `file.size` value greater than `1` but less index down to only documents with a `file.size` value greater than `1` but less
than `1000000` bytes. The EQL query in `query` parameter then runs on these than `1000000` bytes. The EQL query in `query` parameter then runs on these
filtered documents. filtered documents.
[source,console] [source,console]
---- ----
GET sec_logs/_eql/search GET /sec_logs/_eql/search
{ {
"filter": { "filter": {
"range" : { "range" : {
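Review bot: Wording in the rewrapped context lines: "The EQL query in `query` parameter then runs on these filtered documents" should read "in the `query` parameter"; since these lines are being reflowed anyway, fix it in the same change. The paragraph could also state plainly that the `filter` runs before the EQL query, which the text already implies ("filters the documents on which the EQL query runs") and which is the practical reason to use it: a narrow query DSL filter bounds the set of events EQL has to scan. The slashed `GET /sec_logs/_eql/search` matches the other examples.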
@ -197,3 +214,4 @@ GET sec_logs/_eql/search
""" """
} }
---- ----
====