a8bf9a6a91
[DOCS] Make EQL case-sensitive by default ( #63270 ) ( #63280 )
2020-10-05 15:49:48 -04:00
76bba601ab
Remove case_sensitive request option ( #63218 ) ( #63244 )
...
Make EQL case sensitive by default and adapt some of the string functions
Remove the case sensitive option from Between string function
Add case_insensitive option to term and wildcard queries usage
(cherry picked from commit 7550e0664c8c2f1f13519036c759b1e76345551f)
2020-10-05 22:04:42 +03:00
ade91a2d9d
[DOCS] EQL: Update syntax for escaped event categories ( #63202 ) ( #63208 )
2020-10-02 15:19:12 -04:00
a22b90d3cc
[DOCS] EQL: Replace ?"..." with """...""" for raw strings ( #63191 ) ( #63198 )
2020-10-02 14:03:58 -04:00
099e5d00cc
[DOCS] EQL: Reorganize EQL syntax sections ( #63179 ) ( #63184 )
2020-10-02 10:25:32 -04:00
700bfb156d
[DOCS] EQL: date_nanos timestamp is not supported ( #63101 ) ( #63103 )
2020-09-30 17:45:00 -04:00
e91e5ff6d7
[DOCS] Document escaped backticks for identifiers ( #63079 ) ( #63084 )
2020-09-30 12:26:20 -04:00
fa98e30c81
[DOCS] EQL: Clarify EQL docs ( #62961 ) ( #62980 )
2020-09-28 15:46:30 -04:00
2366c1443b
[DOCS] EQL: Note = is not an equality operator
2020-09-22 13:54:38 -04:00
7b2010de81
[DOCS] Fix EQL search API example
2020-09-22 12:09:38 -04:00
21d5236173
[DOCS] EQL: Style fixes
2020-09-21 19:44:21 -04:00
00bfc2d684
[7.x] [DOCS] EQL: Improve regsvr32 misuse explanation ( #62722 ) ( #62738 )
...
* [DOCS] EQL: Improve regsvr32 misuse explanation (#62722 )
Expands the introduction to better explain what regsvr32 misuse is and
how it works at a high level.
* [DOCS] EQL: Style fixes
2020-09-21 19:02:10 -04:00
9d6f94ffa3
[DOCS] EQL: Disallow chained comparisons ( #62570 ) ( #62625 )
2020-09-18 08:47:27 -04:00
cd953272cd
[DOCS] EQL: Remove support for single quote strings ( #62479 ) ( #62543 )
2020-09-17 09:34:40 -04:00
f347f0207f
[DOCS] EQL: Use consistent string notation ( #62472 ) ( #62477 )
2020-09-16 11:43:37 -04:00
e92b237dd5
[DOCS] EQL: Clarify wildcard operator
2020-09-16 11:05:29 -04:00
ed072404ff
[DOCS] EQL: Make operator refs consistent
2020-09-16 11:03:48 -04:00
65bb679c56
[DOCS] EQL: Move comparison operator defs
2020-09-16 10:54:31 -04:00
9b10d0b3af
[DOCS] EQL: Add xrefs to EQL intro
2020-09-16 10:44:01 -04:00
3ab28e84c6
[DOCS] EQL: Update keyword family field types ( #62254 ) ( #62310 )
...
Updates several keyword/constant keyword references to use any field type in the
keyword family.
2020-09-14 09:51:34 -04:00
c9d2d4b306
[DOCS] Remove collapsible examples in EQL syntax docs ( #62220 ) ( #62226 )
2020-09-10 10:55:00 -04:00
8613bde780
[DOCS] Combine keyword family docs ( #61662 ) ( #61813 )
2020-09-01 15:32:56 -04:00
fd976e668c
[DOCS] EQL: Clarify until keyword docs ( #61794 ) ( #61808 )
2020-09-01 13:56:51 -04:00
8a6ecd5bfc
[DOCS] Fix EQL syntax admon
2020-08-26 13:39:42 -04:00
20053bfd8c
[DOCS] Remove dupe EQl fn/pipe TOC
2020-08-26 12:45:09 -04:00
5ad0ce49e1
[DOCS] Remove response params for #61428 ( #61524 ) ( #61534 )
2020-08-25 11:17:56 -04:00
bff3c7470e
EQL: Replace SearchHit in response with Event ( #61428 ) ( #61522 )
...
The building block of the eql response is currently the SearchHit. This
is a problem since it is tied to an actual search, and thus has scoring,
highlighting, shard information and a lot of other things that are not
relevant for EQL.
This becomes a problem when doing sequence queries since the response is
not generated from one search query and thus there are no SearchHits to
speak of.
Emulating one is not just conceptually incorrect but also problematic
since most of the data is missed or made-up.
As such this PR introduces a simple class, Event, that maps nicely to
the terminology while hiding the ES internals (the use of SearchHit or
GetResult/GetResponse depending on the API used).
Fix #59764
Fix #59779
Co-authored-by: Igor Motov <igor@motovs.org>
(cherry picked from commit 997376fbe6ef2894038968842f5e0635731ede65)
2020-08-25 17:32:42 +03:00
439fa46735
[DOCS] Remove collapsible sections in EQL fn docs ( #61498 ) ( #61499 )
2020-08-24 14:41:27 -04:00
2b852388c5
[DOCS] Fix hyphenation for "time series" ( #61472 ) ( #61481 )
2020-08-24 11:18:07 -04:00
039b306e7d
[DOCS] Fix EQL threat detection example ( #61367 ) ( #61373 )
2020-08-20 10:45:01 -04:00
5de0f19cc3
EQL: Return sequence join keys in the original type ( #61268 ) ( #61282 )
...
(cherry picked from commit d54957d61faa0d502387656e3cace594017b6ea0)
2020-08-18 19:37:15 +03:00
60876a0e32
[DOCS] Replace Wikipedia links with attribute ( #61171 ) ( #61209 )
2020-08-17 11:27:04 -04:00
290adcd25e
[DOCS] Reword in EQL threat detection example
2020-08-14 15:50:58 -04:00
3fef26bfb0
[DOCS] EQL: Add threat detection example ( #59105 ) ( #61161 )
2020-08-14 13:40:44 -04:00
bc37b1b2a7
[DOCS] Fix EQL required fields language
2020-08-12 09:48:11 -04:00
7d4117426a
[DOCS] Remove unneeded word in EQL docs
2020-08-11 12:19:08 -04:00
c0fa582df4
[DOCS] Make EQL example snippets more realistic ( #60971 ) ( #60974 )
2020-08-11 12:01:31 -04:00
a1c27b0833
[DOCS] Refactor EQL docs ( #60700 ) ( #60745 )
...
Changes:
* Moves sample data to reusable rest test
* Combines EQL index, requirements, and run a search pages
* Combines EQL syntax and limitations pages
* Adds related redirects
2020-08-05 11:25:18 -04:00
26d51089da
[DOCS] Replace `twitter` dataset in docs ( #60604 ) ( #60609 )
2020-08-03 13:31:19 -04:00
aba785cb6e
[DOCS] Update my-index examples ( #60132 ) ( #60248 )
...
Changes the following example index names to `my-index-000001` for consistency:
* `my-index`
* `my_index`
* `myindex`
2020-07-27 15:58:26 -04:00
988e8c8fc6
[DOCS] Swap `[float]` for `[discrete]` ( #60134 )
...
Changes instances of `[float]` in our docs for `[discrete]`.
Asciidoctor prefers the `[discrete]` tag for floating headings:
https://asciidoctor.org/docs/asciidoc-asciidoctor-diffs/#blocks
2020-07-23 12:42:33 -04:00
828aa6f640
[DOCS] EQL: Remove collapsible sections from EQL search docs ( #59819 ) ( #59861 )
2020-07-20 09:26:32 -04:00
43481441e9
[DOCS] EQL: Update EQL search response format ( #59554 ) ( #59668 )
2020-07-15 17:23:48 -04:00
e30af2fc35
[DOCS] Fix syntax and wording in EQL docs ( #59623 ) ( #59650 )
2020-07-15 14:45:56 -04:00
8cac702171
[DOCS] Note that EQL timestamp field can also be date_nanos
2020-07-15 09:55:55 -04:00
679619c798
EQL: Improve retrieval of results ( #59552 )
...
Instead of retrieving an entire SearchHit, get just a reference and
postpone the document retrieval when assembling the final results.
Remove sort information from results to make them consistent.
Move TumblingWindow under the sequence package.
Co-authored-by: James Rodewig <james.rodewig@elastic.co>
(cherry picked from commit bccfbcd81f2f1d3552e95e4a9ee2618fb3059bd9)
2020-07-14 23:53:57 +03:00
2629a95e14
[DOCS] EQL: Document `until` keyword support ( #59320 ) ( #59408 )
2020-07-13 09:05:47 -04:00
896d0ffd9b
[DOCS] EQL: Prepare docs for release ( #59259 ) ( #59407 )
...
Changes:
* Swaps the `dev` admonitions for `experimental` admonitions
* Removes `ifdef` statements preventing the docs from appearing in
released branches
2020-07-13 09:04:15 -04:00
9d5c091f7a
[DOCS] Add data streams to EQL search docs ( #58611 ) ( #59404 )
2020-07-13 09:03:55 -04:00
c0e0bca84c
Remove search_after and implicit_join_key_field ( #59232 ) ( #59280 )
...
(cherry picked from commit 6ede6c59eff321b9fedad30e19508b9e4f788b54)
2020-07-09 12:34:01 +03:00
James Rodewig
Andrei Stefan
Costin Leau
James Rodewig