Commit Graph

99 Commits

Author SHA1 Message Date
James Rodewig 9b10d0b3af [DOCS] EQL: Add xrefs to EQL intro 2020-09-16 10:44:01 -04:00
James Rodewig 3ab28e84c6
[DOCS] EQL: Update keyword family field types (#62254) (#62310)
Updates several keyword/constant keyword references to use any field type in the
keyword family.
2020-09-14 09:51:34 -04:00
James Rodewig c9d2d4b306
[DOCS] Remove collapsible examples in EQL syntax docs (#62220) (#62226) 2020-09-10 10:55:00 -04:00
James Rodewig 8613bde780
[DOCS] Combine keyword family docs (#61662) (#61813) 2020-09-01 15:32:56 -04:00
James Rodewig fd976e668c
[DOCS] EQL: Clarify until keyword docs (#61794) (#61808) 2020-09-01 13:56:51 -04:00
James Rodewig 8a6ecd5bfc [DOCS] Fix EQL syntax admon 2020-08-26 13:39:42 -04:00
James Rodewig 20053bfd8c [DOCS] Remove dupe EQl fn/pipe TOC 2020-08-26 12:45:09 -04:00
James Rodewig 5ad0ce49e1
[DOCS] Remove response params for #61428 (#61524) (#61534) 2020-08-25 11:17:56 -04:00
Costin Leau bff3c7470e
EQL: Replace SearchHit in response with Event (#61428) (#61522)
The building block of the eql response is currently the SearchHit. This
is a problem since it is tied to an actual search, and thus has scoring,
highlighting, shard information and a lot of other things that are not
relevant for EQL.
This becomes a problem when doing sequence queries since the response is
not generated from one search query and thus there are no SearchHits to
speak of.
Emulating one is not just conceptually incorrect but also problematic
since most of the data is missed or made-up.

As such this PR introduces a simple class, Event, that maps nicely to
the terminology while hiding the ES internals (the use of SearchHit or
GetResult/GetResponse depending on the API used).

Fix #59764
Fix #59779

Co-authored-by: Igor Motov <igor@motovs.org>
(cherry picked from commit 997376fbe6ef2894038968842f5e0635731ede65)
2020-08-25 17:32:42 +03:00
James Rodewig 439fa46735
[DOCS] Remove collapsible sections in EQL fn docs (#61498) (#61499) 2020-08-24 14:41:27 -04:00
James Rodewig 2b852388c5
[DOCS] Fix hyphenation for "time series" (#61472) (#61481) 2020-08-24 11:18:07 -04:00
James Rodewig 039b306e7d
[DOCS] Fix EQL threat detection example (#61367) (#61373) 2020-08-20 10:45:01 -04:00
Andrei Stefan 5de0f19cc3
EQL: Return sequence join keys in the original type (#61268) (#61282)
(cherry picked from commit d54957d61faa0d502387656e3cace594017b6ea0)
2020-08-18 19:37:15 +03:00
James Rodewig 60876a0e32
[DOCS] Replace Wikipedia links with attribute (#61171) (#61209) 2020-08-17 11:27:04 -04:00
James Rodewig 290adcd25e [DOCS] Reword in EQL threat detection example 2020-08-14 15:50:58 -04:00
James Rodewig 3fef26bfb0
[DOCS] EQL: Add threat detection example (#59105) (#61161) 2020-08-14 13:40:44 -04:00
James Rodewig bc37b1b2a7 [DOCS] Fix EQL required fields language 2020-08-12 09:48:11 -04:00
James Rodewig 7d4117426a [DOCS] Remove unneeded word in EQL docs 2020-08-11 12:19:08 -04:00
James Rodewig c0fa582df4
[DOCS] Make EQL example snippets more realistic (#60971) (#60974) 2020-08-11 12:01:31 -04:00
James Rodewig a1c27b0833
[DOCS] Refactor EQL docs (#60700) (#60745)
Changes:

* Moves sample data to reusable rest test
* Combines EQL index, requirements, and run a search pages
* Combines EQL syntax and limitations pages
* Adds related redirects
2020-08-05 11:25:18 -04:00
James Rodewig 26d51089da
[DOCS] Replace `twitter` dataset in docs (#60604) (#60609) 2020-08-03 13:31:19 -04:00
James Rodewig aba785cb6e
[DOCS] Update my-index examples (#60132) (#60248)
Changes the following example index names to `my-index-000001` for consistency:

* `my-index`
* `my_index`
* `myindex`
2020-07-27 15:58:26 -04:00
James Rodewig 988e8c8fc6
[DOCS] Swap `[float]` for `[discrete]` (#60134)
Changes instances of `[float]` in our docs for `[discrete]`.

Asciidoctor prefers the `[discrete]` tag for floating headings:
https://asciidoctor.org/docs/asciidoc-asciidoctor-diffs/#blocks
2020-07-23 12:42:33 -04:00
James Rodewig 828aa6f640
[DOCS] EQL: Remove collapsible sections from EQL search docs (#59819) (#59861) 2020-07-20 09:26:32 -04:00
James Rodewig 43481441e9
[DOCS] EQL: Update EQL search response format (#59554) (#59668) 2020-07-15 17:23:48 -04:00
James Rodewig e30af2fc35
[DOCS] Fix syntax and wording in EQL docs (#59623) (#59650) 2020-07-15 14:45:56 -04:00
James Rodewig 8cac702171 [DOCS] Note that EQL timestamp field can also be date_nanos 2020-07-15 09:55:55 -04:00
Costin Leau 679619c798 EQL: Improve retrieval of results (#59552)
Instead of retrieving an entire SearchHit, get just a reference and
postpone the document retrieval when assembling the final results.
Remove sort information from results to make them consistent.
Move TumblingWindow under the sequence package.

Co-authored-by: James Rodewig <james.rodewig@elastic.co>
(cherry picked from commit bccfbcd81f2f1d3552e95e4a9ee2618fb3059bd9)
2020-07-14 23:53:57 +03:00
James Rodewig 2629a95e14
[DOCS] EQL: Document `until` keyword support (#59320) (#59408) 2020-07-13 09:05:47 -04:00
James Rodewig 896d0ffd9b
[DOCS] EQL: Prepare docs for release (#59259) (#59407)
Changes:

* Swaps the `dev` admonitions for `experimental` admonitions
* Removes `ifdef` statements preventing the docs from appearing in
  released branches
2020-07-13 09:04:15 -04:00
James Rodewig 9d5c091f7a
[DOCS] Add data streams to EQL search docs (#58611) (#59404) 2020-07-13 09:03:55 -04:00
Andrei Stefan c0e0bca84c
Remove search_after and implicit_join_key_field (#59232) (#59280)
(cherry picked from commit 6ede6c59eff321b9fedad30e19508b9e4f788b54)
2020-07-09 12:34:01 +03:00
James Rodewig 93a5eb0688
[DOCS] EQL: Document `size` limit for pipes (#59085) (#59236)
Changes:
* Documents the `size` default as `10`.
* Updates `size` param def to note its relation to pipes.
* Updates the `head` and `tail` pipe docs to modify sequences.
* Documents the `fetch_size` parameter.

Relates to #59014 and #59063
2020-07-08 12:22:57 -04:00
James Rodewig b27de36b5d
[DOCS] EQL: Document `maxspan` keyword (#58931) (#59223) 2020-07-08 11:04:28 -04:00
James Rodewig 37be56ab97
[DOCS] EQL: Document unsupported var comparison (#58941) (#59224)
ES EQL queries do not support the comparison of a variable, such as
a field value, to another variable.

This adds a related para and example to the EQL syntax docs.
2020-07-08 11:04:05 -04:00
James Rodewig 6ed356ffc3
[DOCS] Replace `datatype` with `data type` (#58972) (#59184) 2020-07-07 14:59:35 -04:00
DeDe Morton 2c43421208 [DOCS] Change Beats links to refactored getting started docs (#58790) 2020-07-02 17:11:25 -07:00
James Rodewig 770f9f11af [DOCS] Fix xref format in async EQL search docs 2020-06-30 09:37:47 -04:00
James Rodewig d8731853a3
[DOCS] EQL: Document `head` and `tail` pipes (#58673) (#58739) 2020-06-30 09:12:54 -04:00
James Rodewig 735a3f344d
[DOCS] EQL: Remove fields from EQL search response (#58667) (#58669) 2020-06-29 09:34:20 -04:00
Costin Leau 3c81b91474 EQL: Add Head/Tail pipe support (#58536)
Introduce pipe support, in particular head and tail
(which can also be chained).

(cherry picked from commit 4521ca3367147d4d6531cf0ab975d8d705f400ea)
(cherry picked from commit d6731d659d012c96b19879d13cfc9e1eaf4745a4)
2020-06-27 09:49:14 +03:00
James Rodewig b37b318d0d
[DOCS] EQL: Remove references to partial async EQL results (#58548) (#58609)
Removes references to partial results from the async EQL search docs.
If an EQL search does not complete during the `wait_for_completion_timeout`
timeout period, it returns no results.
2020-06-26 11:11:55 -04:00
James Rodewig c613e0915a
[DOCS] EQL: Document search API's `tiebreaker_field` param (#57935) (#58540) 2020-06-26 09:25:24 -04:00
Igor Motov 20af856abd
[7.x] EQL: Adds an ability to execute an asynchronous EQL search (#58192)
Adds async support to EQL searches

Closes #49638

Co-authored-by: James Rodewig james.rodewig@elastic.co
2020-06-25 14:11:57 -04:00
James Rodewig 44c3bb29e2 [DOCS] EQL: Correct EQL search API's `size` param def
The `size` parameter can be used to limit matching events or sequences.
2020-06-10 10:12:54 -04:00
James Rodewig 641ed484d8
[DOCS] EQL: Add `dev` admonition to EQL pages (#57531) (#57533)
Adds the `dev` admonition to EQL features, which are in development
under a feature flag.
2020-06-02 11:03:12 -04:00
James Rodewig fd6dabf158
[DOCS] EQL: Fix hits param for sequences (#57410) (#57524) 2020-06-02 09:38:00 -04:00
Lisa Cawley db5bf92acf
[7.x][DOCS] Replace docdir attribute with es-repo-dir (#57489) (#57494) 2020-06-01 16:42:53 -07:00
James Rodewig cc12361a82 [DOCS] EQL: Fix whitespace in EQL snippet 2020-05-19 17:04:49 -04:00
James Rodewig 771ddbf083
[DOCS] EQL: Add sequence example to tutorial (#56965) (#56966)
Adds an example using the sequence syntax to the 'Run an EQL search'
tutorial.

Supplements other examples added with #56721
2020-05-19 16:14:57 -04:00