From e91e5ff6d7808b96692bc8182d3886eaa32bff3e Mon Sep 17 00:00:00 2001
From: James Rodewig <40268737+jrodewig@users.noreply.github.com>
Date: Wed, 30 Sep 2020 12:26:20 -0400
Subject: [PATCH] [DOCS] Document escaped backticks for identifiers (#63079)
 (#63084)

---
 docs/reference/eql/syntax.asciidoc | 41 +++++++++++++++++-------------
 1 file changed, 24 insertions(+), 17 deletions(-)

diff --git a/docs/reference/eql/syntax.asciidoc b/docs/reference/eql/syntax.asciidoc
index a6aa88387ec..bd3903bd065 100644
--- a/docs/reference/eql/syntax.asciidoc
+++ b/docs/reference/eql/syntax.asciidoc
@@ -54,6 +54,28 @@ For example, the following EQL query matches any documents with a
 any where network.protocol == "http"
 ----
 
+[discrete]
+[[eql-syntax-escape-identifiers]]
+===== Escape an event category or field name
+
+Event categories or field names that contain a hyphen (`-`), contain a space, or
+start with a numeral must be escaped with enclosing backticks (+++`+++).
+
+[source,eql]
+----
+`my-field`
+`my field`
+`6myfield`
+----
+
+Any backticks (+++`+++) in an event category or field name must be escaped using
+double backticks (+++``+++).
+
+[source,eql]
+----
+my`field -> `my``field`
+----
+
 [discrete]
 [[eql-syntax-conditions]]
 ==== Conditions
@@ -300,8 +322,8 @@ any where true
 ----
 
 [discrete]
-[[eql-syntax-escaped-characters]]
-===== Escaped characters
+[[eql-syntax-escape-characters]]
+===== Escape characters in a string
 
 When used within a string, special characters, such as a carriage return or
 double quote (`"`), must be escaped with a preceding backslash (`\`).
@@ -355,21 +377,6 @@ Raw strings cannot contain only a single backslash or end in an odd number of
 backslashes.
 ====
 
-[discrete]
-[[eql-syntax-non-alpha-field-names]]
-==== Non-alphanumeric field names
-
-Field names containing non-alphanumeric characters, such as underscores (`_`),
-dots (`.`), hyphens (`-`), or spaces, must be escaped using backticks (+++`+++).
-
-[source,eql]
-----
-`my_field`
-`my.field`
-`my-field`
-`my field`
-----
-
 [discrete]
 [[eql-sequences]]
 === Sequences