From e4b4351a43ae36b510f77fbc673d46632059cb93 Mon Sep 17 00:00:00 2001
From: James Rodewig <40268737+jrodewig@users.noreply.github.com>
Date: Wed, 14 Oct 2020 08:48:56 -0400
Subject: [PATCH] [DOCS] EQL: Remove Endgame EQL refs (#63636) (#63664)
---
 docs/reference/eql/eql-search-api.asciidoc | 5 +-
 docs/reference/eql/eql.asciidoc | 10 +--
 docs/reference/eql/functions.asciidoc | 6 +-
 docs/reference/eql/syntax.asciidoc | 83 +++++++++++-----------
 4 files changed, 50 insertions(+), 54 deletions(-)
diff --git a/docs/reference/eql/eql-search-api.asciidoc b/docs/reference/eql/eql-search-api.asciidoc
index bceccbd3d39..8e2e74a5371 100644
--- a/docs/reference/eql/eql-search-api.asciidoc
+++ b/docs/reference/eql/eql-search-api.asciidoc
@@ -11,7 +11,7 @@ beta::[] Returns search results for an <> query. -In {es}, EQL assumes each document in a data stream or index corresponds to an +EQL assumes each document in a data stream or index corresponds to an event. [source,console]
@@ -210,9 +210,6 @@ If both parameters are specified, only the query parameter is used. `query`:: (Required, string) <> query you wish to run. -+ IMPORTANT: This parameter supports a subset of EQL syntax. See -<>. `size`:: (Optional, integer or float)
diff --git a/docs/reference/eql/eql.asciidoc b/docs/reference/eql/eql.asciidoc
index e4ac4801fd3..6ec85ac7eab 100644
--- a/docs/reference/eql/eql.asciidoc
+++ b/docs/reference/eql/eql.asciidoc
@@ -8,8 +8,8 @@ beta::[] -{eql-ref}/index.html[Event Query Language (EQL)] is a query language for -event-based, time series data, such as logs. +Event Query Language (EQL) is a query language for event-based, time series +data, such as logs. [discrete] [[eql-advantages]] 
@@ -32,9 +32,9 @@ makes it easy to describe activity that goes beyond IOCs. [[eql-required-fields]] == Required fields -TIP: While no schema is required to use EQL in {es}, we recommend using the -{ecs-ref}[Elastic Common Schema (ECS)]. EQL search is designed to work -with core ECS fields by default. +TIP: While no schema is required to use EQL, we recommend using the +{ecs-ref}[Elastic Common Schema (ECS)]. EQL searches are designed to work with +core ECS fields by default. EQL assumes each document in a data stream or index corresponds to an event. To run an EQL search, each document must contain a _timestamp_ and _event category_
diff --git a/docs/reference/eql/functions.asciidoc b/docs/reference/eql/functions.asciidoc
index bf3925c273a..ac0d797b2c1 100644
--- a/docs/reference/eql/functions.asciidoc
+++ b/docs/reference/eql/functions.asciidoc
@@ -247,10 +247,8 @@ Returns the quotient of a provided dividend and divisor. [WARNING] ==== If both the dividend and divisor are integers, the `divide` function _rounds -down_ any returned floating point numbers to the nearest integer. - -EQL queries in {es} should account for this rounding. To avoid rounding, convert -either the dividend or divisor to a float. +down_ any returned floating point numbers to the nearest integer. To avoid +rounding, convert either the dividend or divisor to a float. [%collapsible] .**Example**
diff --git a/docs/reference/eql/syntax.asciidoc b/docs/reference/eql/syntax.asciidoc
index d2178b28237..30075adc12f 100644
--- a/docs/reference/eql/syntax.asciidoc
+++ b/docs/reference/eql/syntax.asciidoc
@@ -8,9 +8,6 @@ beta::[] -IMPORTANT: {es} supports a subset of {eql-ref}/index.html[EQL syntax]. See -<>. - [discrete] [[eql-basic-syntax]] === Basic syntax 
@@ -35,7 +32,7 @@ process where process.name == "svchost.exe" [[eql-syntax-event-categories]] ==== Event categories -In {es}, an event category is a valid, indexed value of the +An event category is a valid, indexed value of the <>. You can set the event category field using the `event_category_field` parameter of the EQL search API.
@@ -251,10 +248,8 @@ Divides the value to the left of the operator by the value to the right. [WARNING] ==== If both the dividend and divisor are integers, the divide (`\`) operation -_rounds down_ any returned floating point numbers to the nearest integer. - -EQL queries in {es} should account for this rounding. To avoid rounding, convert -either the dividend or divisor to a float. +_rounds down_ any returned floating point numbers to the nearest integer. To +avoid rounding, convert either the dividend or divisor to a float. *Example* + The `process.args_count` field is a <> integer field containing a
@@ -599,9 +594,8 @@ until [ process where event.type == "stop" ] [[eql-functions]] === Functions -{es} supports several of EQL's built-in functions. You can use these functions -to convert data types, perform math, manipulate strings, and more. Most -functions are case-sensitive by default. +You can use EQL functions to convert data types, perform math, manipulate +strings, and more. Most functions are case-sensitive by default. For a list of supported functions, see <>.
@@ -682,13 +676,13 @@ For a list of supported pipes, see <>. [[eql-syntax-limitations]] === Limitations -{es} EQL does not support the following features and syntax. +EQL does not support the following features and syntax. [discrete] [[eql-compare-fields]] ==== Comparing fields -In {es} EQL, you cannot use comparison operators to compare a field to +You cannot use EQL comparison operators to compare a field to another field. This applies even if the fields are changed using a <>. 
@@ -696,7 +690,7 @@ another field. This applies even if the fields are changed using a [[eql-array-fields]] ==== Array field values are not supported -{es} EQL does not support <> field values, also known as +EQL does not support <> field values, also known as _multi-value fields_. EQL searches on array field values may return inconsistent results. 
@@ -709,38 +703,45 @@ sub-fields of a `nested` field. However, data streams and indices containing `nested` field mappings are otherwise supported. [discrete] -[[single-quote-strings]] -==== Single quote strings +[[eql-unsupported-syntax]] +==== Differences from Endgame EQL syntax -In {es} EQL, the single quote (`'`) character is reserved for future use. -Strings enclosed in single quotes are not supported. Enclose strings in +{es} EQL differs from the {eql-ref}/index.html[Elastic Endgame EQL syntax] as +follows: + +* Most operators and functions in {es} EQL are case-sensitive. For +case-insensitive equality comparisons, use the `:` operator. + +* Comparisons using the `==` and `!=` operators do not expand wildcard +characters. For example, `process_name == "cmd*.exe"` interprets `*` as a +literal asterisk, not a wildcard. For case-sensitive wildcard matching, use the +<> function. + +* `=` cannot be substituted for the `==` operator. + +* Strings enclosed in single quotes (`'`) are not supported. Enclose strings in double quotes (`"`) instead. -You cannot use an escaped single quote (`\'`) for literal strings. Use an -escaped double quote (`\"`) instead. +* `?"` and `?'` do not indicate raw strings. Enclose raw strings in +three double quotes (`"""`) instead. -[discrete] -[[eql-unsupported-syntax]] -==== Unsupported syntax +* {es} EQL does not support: -{es} supports a subset of {eql-ref}/index.html[EQL syntax]. 
{es} cannot run EQL -queries that contain: +** Array functions: +*** {eql-ref}/functions.html#arrayContains[`arrayContains`] +*** {eql-ref}/functions.html#arrayCount[`arrayCount`] +*** {eql-ref}/functions.html#arraySearch[`arraySearch`] -* Array functions: -** {eql-ref}/functions.html#arrayContains[`arrayContains`] -** {eql-ref}/functions.html#arrayCount[`arrayCount`] -** {eql-ref}/functions.html#arraySearch[`arraySearch`] +** {eql-ref}/joins.html[Joins] -* {eql-ref}/joins.html[Joins] +** {eql-ref}/basic-syntax.html#event-relationships[Lineage-related keywords]: +*** `child of` +*** `descendant of` +*** `event of` -* {eql-ref}/basic-syntax.html#event-relationships[Lineage-related keywords]: -** `child of` -** `descendant of` -** `event of` - -* The following {eql-ref}/pipes.html[pipes]: -** {eql-ref}/pipes.html#count[`count`] -** {eql-ref}/pipes.html#filter[`filter`] -** {eql-ref}/pipes.html#sort[`sort`] -** {eql-ref}/pipes.html#unique[`unique`] -** {eql-ref}/pipes.html#unique-count[`unique_count`] +** The following {eql-ref}/pipes.html[pipes]: +*** {eql-ref}/pipes.html#count[`count`] +*** {eql-ref}/pipes.html#filter[`filter`] +*** {eql-ref}/pipes.html#sort[`sort`] +*** {eql-ref}/pipes.html#unique[`unique`] +*** {eql-ref}/pipes.html#unique-count[`unique_count`]