Commit Graph

100 Commits

Author SHA1 Message Date
James Rodewig 771ddbf083
[DOCS] EQL: Add sequence example to tutorial (#56965) (#56966)
Adds an example using the sequence syntax to the 'Run an EQL search'
tutorial.

Supplements other examples added with #56721
2020-05-19 16:14:57 -04:00
James Rodewig cc43d67eb1 [DOCS] Add leading slashes to EQL API examples 2020-05-19 15:38:37 -04:00
James Rodewig 22f54ba205 [DOCS] EQL: Fix API example headings 2020-05-18 16:29:29 -04:00
James Rodewig c50f86fbba
[DOCS] EQL: Document `case_sensitive` param (#56697) (#56818) 2020-05-15 11:47:19 -04:00
James Rodewig 5e09762a27 [DOCS] EQL: Align comments in `between` fn examples 2020-05-15 09:20:45 -04:00
James Rodewig 24cd45345e [DOCS] EQL: Remove references to arrays/multi-value fields (#56772) 2020-05-15 09:09:07 -04:00
James Rodewig 2a943a58a4
[DOCS] EQL: Document `number` function (#56770)
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-05-14 15:44:04 -04:00
James Rodewig 2921747b23
[7.x] [DOCS] EQL: Document sequences (#56721) (#56774)
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-05-14 11:51:40 -04:00
James Rodewig d247e8f7a6 [DOCS] Sort EQL search API params alphabetically 2020-05-12 13:52:18 -04:00
James Rodewig 8e005db3e6
[DOCS] EQL: Document math functions (#55810) (#56337)
Documents the following EQL functions:

* `add`
* `divide`
* `module`
* `multiply`
* `subtract`
2020-05-07 09:18:43 -04:00
James Rodewig 8686200a32 [DOCS] EQL: Document `concat` function (#56239)
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-05-05 16:45:29 -04:00
James Rodewig dac4ed282e [DOCS] EQL: Add collapsible sections to EQL tutorial docs (#56235)
Adds collapsible sections to the snippet examples of the EQL tutorial
docs.

Also adds a leading slash to EQL API snippet examples.
2020-05-05 16:29:51 -04:00
James Rodewig e7df8b388e [DOCS] EQL: Add collapsible sections to EQL search API response (#56232)
Add collapsible sections to the response parameter docs
of the EQL search API.

Also clarifies some language regarding documents and
events.
2020-05-05 16:01:55 -04:00
James Rodewig cd3663e5fa
[DOCS] EQL: Document `match` function (#56134) 2020-05-05 12:03:02 -04:00
James Rodewig 44414acd3b
[DOCS] EQL: Document nested field support (#56138)
Notes that you cannot use EQL in ES to search the values of `nested`
fields or their sub-fields. However, indices containing `nested` field
mappings are otherwise supported.
2020-05-05 11:46:06 -04:00
James Rodewig 4dfdd46dc3 [DOCS] EQL: Remove case sensitivity from function docs (#55063)
Per #54411, we plan to handle case sensitivity via a parameter for the
EQL search API (with the possible exception of the `between` function).

This removes references and examples related to case sensitivity from
the EQL functions docs.
2020-05-05 09:26:49 -04:00
James Rodewig 61cf646f17
[DOCS] EQL: Add advantages to overview (#53452) (#56052)
Adds a concise list of EQL advantages, based on the "EQL Advantages"
section in the [EQL for the masses][0] blog post.

The intent is to inform users how EQL could benefit at a high level.

[0]: https://www.elastic.co/blog/eql-for-the-masses

Co-Authored-By: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-04-30 13:19:31 -04:00
James Rodewig 65b47d20a6 [DOCS] Update attribute for multi arg footnotes (#55860) 2020-04-29 10:25:36 -04:00
James Rodewig 1808a1f36b [DOCS] EQL: Correct `cidrMatch` function heading (#55935) 2020-04-29 10:02:06 -04:00
James Rodewig c16b1edae0 [DOCS] EQL: Fix whitespace in `stringContains` docs 2020-04-27 15:53:59 -04:00
James Rodewig c1b0548db0
[DOCS] Document EQL search REST API (#52384) 2020-04-24 15:36:01 -04:00
James Rodewig 5981412bf7
[DOCS] EQL: Document `stringContains` function (#54968) 2020-04-24 15:09:05 -04:00
James Rodewig e4ebe55d04
[DOCS] EQL: Document `cidrMatch` function (#54216) (#55739) 2020-04-24 14:01:11 -04:00
James Rodewig e74fdacabd
[DOCS] Add admonition for EQL exact matches on text fields (#53402) (#55670)
Adds a important admonition to the EQL syntax page noting that
the equal (`==`) operator should not be used to match `text` field
values.

Relates to #52709 and #53020
2020-04-23 10:59:50 -04:00
James Rodewig 4f2ab96f38 [DOCS] EQL: Document `indexOf` function (#55071) 2020-04-15 11:29:50 -04:00
James Rodewig 3fbd8b371f [DOCS] Use consistent line breaks in EQL function docs 2020-04-14 10:17:45 -04:00
James Rodewig 57d6493e29 [DOCS] EQL: Document `string` function (#55086) 2020-04-13 11:23:45 -04:00
James Rodewig 2655dfa2fe [DOCS] EQL: Reword field support for EQL functions (#55074)
Changes boilerplate sentence of "If using a field as the argument, this
parameter only supports..." to "...this parameter supports only...".

The latter is a bit more clear and readable.
2020-04-10 15:33:29 -04:00
James Rodewig c440754784 [DOCS] EQL: Document `wildcard` function (#54086) 2020-04-10 09:18:29 -04:00
James Rodewig 964cf565c9
[DOCS] EQL: Document `between` function (#54950) 2020-04-08 13:49:15 -04:00
James Rodewig 4982b720ef
[DOCS] EQL: Document `length` function (#54225) 2020-04-01 11:35:36 -04:00
James Rodewig b43eb5ac32
[DOCS] EQL: Document `endsWith` function (#54521) 2020-04-01 10:43:37 -04:00
James Rodewig 95622d8782
[DOCS] EQL: Document `startsWith` function (#54518) (#54578) 2020-04-01 09:30:27 -04:00
James Rodewig 92d570d6f3
[DOCS] EQL: Add search/index speed tip for functions (#54346) (#54575)
EQL functions are an easy way for users to transform indexed data
at search time. However, using multiple functions can make
queries difficult to write and slows search speeds.

Users can circumvent this by indexing fields containing the transformed
data, but that usually slows index speeds.

This adds a related tip and example covering these tradeoffs.
2020-04-01 08:39:04 -04:00
James Rodewig 30a32040d3
[DOCS] EQL: Document `substring` function (#53867)
Adds documentation for the EQL `substring` function.

Supporting changes:

* Creates a new "EQL function reference" page
* Updates the title of the "EQL syntax reference" page for consistency
* Adds a brief "Functions" section to the EQL syntax docs
* Updates EQL limitations docs to state that only array functions are
  unsupported
2020-03-25 12:23:59 -04:00
James Rodewig 5e3df18d56 [DOCS] Adds Beats tip to EQL search docs (#53292)
Adds a tip admonition to the basic example in the EQL search docs.

This tip lets users know they can set up a Beat to automatically
index data in ES, rather than manually indexing using the bulk or index
APIs.
2020-03-10 05:16:18 -04:00
James Rodewig e46bb54c7b
[DOCS] Document `any` keyword in EQL syntax (#52821) (#53157)
Adds documentation for the `any` keyword to the EQL syntax docs.

Includes:

* Definition of an event category and its relationship to the event
   category field.
* Example matching all event categories using `any` keyword
* Example using `any` with `where true`
2020-03-05 05:02:47 -05:00
James Rodewig 801e50203e [DOCS] Add missing doc type to EQL search results 2020-03-04 10:26:11 -05:00
James Rodewig e3d3c3400c [DOCS] Update EQL default event category and timestamp values (#53102)
Updates the documented default `event_category_field` and `timestamp_field`
values for the EQL search API. Also updates related guidance in the
EQL requirement docs.

Relates to #53073.
2020-03-04 09:17:37 -05:00
Aleksandr Maus b47bffba24
EQL: consistent naming for event type vs event category (#53073) (#53090)
Related to https://github.com/elastic/elasticsearch/issues/52941
2020-03-04 08:02:38 -05:00
James Rodewig bcb68c860c [DOCS] Reorganize EQL requirements page 2020-03-03 07:02:30 -05:00
James Rodewig 5cffa14f45 [DOCS] Fix typo in EQL docs 2020-03-02 16:09:03 -05:00
Costin Leau 712e0c05cd EQL: Add implicit ordering on timestamp (#53004)
QL: Move Sort base class from SQL to QL
(cherry picked from commit 798015b7bbd565e9c4222724614baeb432c7c2b3)
2020-03-02 22:41:36 +02:00
James Rodewig db64029919
[7.x] [DOCS] Add parameter examples to EQL search tutorial (#52953)
Makes the following updates to the EQL search tutorial:

* Adds an API response to the basic tutorial
* Adds an example using the `event_type_field` parm
* Adds an example using the `timestamp_field`parm
* Adds an example using the `query` parm
* Updates example dataset to support more EQL query variety
2020-03-02 10:08:03 -05:00
Aleksandr Maus 89ed857c79
EQL: Change request parameter query to filter and rule to query (#52971) (#53006)
Related to https://github.com/elastic/elasticsearch/issues/52911
2020-03-02 09:26:23 -05:00
Costin Leau 40bc06f6ad EQL: Hook engine to Elasticsearch (#52828)
Add query execution and return actual results returned from
Elasticsearch inside the tests

(cherry picked from commit 3e039282bf991af87604a6d4f8eada19d5e33842)
2020-02-27 11:22:22 +02:00
James Rodewig ca34817659 [DOCS] Add EQL limitations page (#52001)
Documents limitations for EQL in Elasticsearch.
2020-02-12 08:45:43 -05:00
James Rodewig 20453d3ac8 [DOCS] Add basic EQL search tutorial docs (#51574)
I plan to add additional sections to this page with future PRs:

* Specify timestamp and event type fields
* Specify a join key field
* Filter using query DSL
* Paginate a large response

See #51057.
2020-02-12 08:42:09 -05:00
James Rodewig b70cbc97aa [DOCS] Add EQL syntax page (#51821)
Adds documentation for basic EQL syntax.

Joins, sequences, and other syntax to be added as its supported
in future development.

Co-Authored-By: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-02-05 08:14:07 -05:00
James Rodewig 65f49d0bba [DOCS] Add top-level EQL docs page. Adds EQL requirements page. (#51334)
* Creates a top-level page for EQL in the ES reference.
   This page contains a high-level introduction and will include a nav for other EQL docs pages as they're built.

* Creates a requirements page.
  This page outlines the fields needed to use EQL in ES.
2020-01-27 16:04:47 -05:00