Commit Graph

85 Commits

Author SHA1 Message Date
James Rodewig 290adcd25e [DOCS] Reword in EQL threat detection example 2020-08-14 15:50:58 -04:00
James Rodewig 3fef26bfb0
[DOCS] EQL: Add threat detection example (#59105) (#61161) 2020-08-14 13:40:44 -04:00
James Rodewig bc37b1b2a7 [DOCS] Fix EQL required fields language 2020-08-12 09:48:11 -04:00
James Rodewig 7d4117426a [DOCS] Remove unneeded word in EQL docs 2020-08-11 12:19:08 -04:00
James Rodewig c0fa582df4
[DOCS] Make EQL example snippets more realistic (#60971) (#60974) 2020-08-11 12:01:31 -04:00
James Rodewig a1c27b0833
[DOCS] Refactor EQL docs (#60700) (#60745)
Changes:

* Moves sample data to reusable rest test
* Combines EQL index, requirements, and run a search pages
* Combines EQL syntax and limitations pages
* Adds related redirects
2020-08-05 11:25:18 -04:00
James Rodewig 26d51089da
[DOCS] Replace `twitter` dataset in docs (#60604) (#60609) 2020-08-03 13:31:19 -04:00
James Rodewig aba785cb6e
[DOCS] Update my-index examples (#60132) (#60248)
Changes the following example index names to `my-index-000001` for consistency:

* `my-index`
* `my_index`
* `myindex`
2020-07-27 15:58:26 -04:00
James Rodewig 988e8c8fc6
[DOCS] Swap `[float]` for `[discrete]` (#60134)
Changes instances of `[float]` in our docs for `[discrete]`.

Asciidoctor prefers the `[discrete]` tag for floating headings:
https://asciidoctor.org/docs/asciidoc-asciidoctor-diffs/#blocks
2020-07-23 12:42:33 -04:00
James Rodewig 828aa6f640
[DOCS] EQL: Remove collapsible sections from EQL search docs (#59819) (#59861) 2020-07-20 09:26:32 -04:00
James Rodewig 43481441e9
[DOCS] EQL: Update EQL search response format (#59554) (#59668) 2020-07-15 17:23:48 -04:00
James Rodewig e30af2fc35
[DOCS] Fix syntax and wording in EQL docs (#59623) (#59650) 2020-07-15 14:45:56 -04:00
James Rodewig 8cac702171 [DOCS] Note that EQL timestamp field can also be date_nanos 2020-07-15 09:55:55 -04:00
Costin Leau 679619c798 EQL: Improve retrieval of results (#59552)
Instead of retrieving an entire SearchHit, get just a reference and
postpone the document retrieval when assembling the final results.
Remove sort information from results to make them consistent.
Move TumblingWindow under the sequence package.

Co-authored-by: James Rodewig <james.rodewig@elastic.co>
(cherry picked from commit bccfbcd81f2f1d3552e95e4a9ee2618fb3059bd9)
2020-07-14 23:53:57 +03:00
James Rodewig 2629a95e14
[DOCS] EQL: Document `until` keyword support (#59320) (#59408) 2020-07-13 09:05:47 -04:00
James Rodewig 896d0ffd9b
[DOCS] EQL: Prepare docs for release (#59259) (#59407)
Changes:

* Swaps the `dev` admonitions for `experimental` admonitions
* Removes `ifdef` statements preventing the docs from appearing in
  released branches
2020-07-13 09:04:15 -04:00
James Rodewig 9d5c091f7a
[DOCS] Add data streams to EQL search docs (#58611) (#59404) 2020-07-13 09:03:55 -04:00
Andrei Stefan c0e0bca84c
Remove search_after and implicit_join_key_field (#59232) (#59280)
(cherry picked from commit 6ede6c59eff321b9fedad30e19508b9e4f788b54)
2020-07-09 12:34:01 +03:00
James Rodewig 93a5eb0688
[DOCS] EQL: Document `size` limit for pipes (#59085) (#59236)
Changes:
* Documents the `size` default as `10`.
* Updates `size` param def to note its relation to pipes.
* Updates the `head` and `tail` pipe docs to modify sequences.
* Documents the `fetch_size` parameter.

Relates to #59014 and #59063
2020-07-08 12:22:57 -04:00
James Rodewig b27de36b5d
[DOCS] EQL: Document `maxspan` keyword (#58931) (#59223) 2020-07-08 11:04:28 -04:00
James Rodewig 37be56ab97
[DOCS] EQL: Document unsupported var comparison (#58941) (#59224)
ES EQL queries do not support the comparison of a variable, such as
a field value, to another variable.

This adds a related para and example to the EQL syntax docs.
2020-07-08 11:04:05 -04:00
James Rodewig 6ed356ffc3
[DOCS] Replace `datatype` with `data type` (#58972) (#59184) 2020-07-07 14:59:35 -04:00
DeDe Morton 2c43421208 [DOCS] Change Beats links to refactored getting started docs (#58790) 2020-07-02 17:11:25 -07:00
James Rodewig 770f9f11af [DOCS] Fix xref format in async EQL search docs 2020-06-30 09:37:47 -04:00
James Rodewig d8731853a3
[DOCS] EQL: Document `head` and `tail` pipes (#58673) (#58739) 2020-06-30 09:12:54 -04:00
James Rodewig 735a3f344d
[DOCS] EQL: Remove fields from EQL search response (#58667) (#58669) 2020-06-29 09:34:20 -04:00
Costin Leau 3c81b91474 EQL: Add Head/Tail pipe support (#58536)
Introduce pipe support, in particular head and tail
(which can also be chained).

(cherry picked from commit 4521ca3367147d4d6531cf0ab975d8d705f400ea)
(cherry picked from commit d6731d659d012c96b19879d13cfc9e1eaf4745a4)
2020-06-27 09:49:14 +03:00
James Rodewig b37b318d0d
[DOCS] EQL: Remove references to partial async EQL results (#58548) (#58609)
Removes references to partial results from the async EQL search docs.
If an EQL search does not complete during the `wait_for_completion_timeout`
timeout period, it returns no results.
2020-06-26 11:11:55 -04:00
James Rodewig c613e0915a
[DOCS] EQL: Document search API's `tiebreaker_field` param (#57935) (#58540) 2020-06-26 09:25:24 -04:00
Igor Motov 20af856abd
[7.x] EQL: Adds an ability to execute an asynchronous EQL search (#58192)
Adds async support to EQL searches

Closes #49638

Co-authored-by: James Rodewig james.rodewig@elastic.co
2020-06-25 14:11:57 -04:00
James Rodewig 44c3bb29e2 [DOCS] EQL: Correct EQL search API's `size` param def
The `size` parameter can be used to limit matching events or sequences.
2020-06-10 10:12:54 -04:00
James Rodewig 641ed484d8
[DOCS] EQL: Add `dev` admonition to EQL pages (#57531) (#57533)
Adds the `dev` admonition to EQL features, which are in development
under a feature flag.
2020-06-02 11:03:12 -04:00
James Rodewig fd6dabf158
[DOCS] EQL: Fix hits param for sequences (#57410) (#57524) 2020-06-02 09:38:00 -04:00
Lisa Cawley db5bf92acf
[7.x][DOCS] Replace docdir attribute with es-repo-dir (#57489) (#57494) 2020-06-01 16:42:53 -07:00
James Rodewig cc12361a82 [DOCS] EQL: Fix whitespace in EQL snippet 2020-05-19 17:04:49 -04:00
James Rodewig 771ddbf083
[DOCS] EQL: Add sequence example to tutorial (#56965) (#56966)
Adds an example using the sequence syntax to the 'Run an EQL search'
tutorial.

Supplements other examples added with #56721
2020-05-19 16:14:57 -04:00
James Rodewig cc43d67eb1 [DOCS] Add leading slashes to EQL API examples 2020-05-19 15:38:37 -04:00
James Rodewig 22f54ba205 [DOCS] EQL: Fix API example headings 2020-05-18 16:29:29 -04:00
James Rodewig c50f86fbba
[DOCS] EQL: Document `case_sensitive` param (#56697) (#56818) 2020-05-15 11:47:19 -04:00
James Rodewig 5e09762a27 [DOCS] EQL: Align comments in `between` fn examples 2020-05-15 09:20:45 -04:00
James Rodewig 24cd45345e [DOCS] EQL: Remove references to arrays/multi-value fields (#56772) 2020-05-15 09:09:07 -04:00
James Rodewig 2a943a58a4
[DOCS] EQL: Document `number` function (#56770)
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-05-14 15:44:04 -04:00
James Rodewig 2921747b23
[7.x] [DOCS] EQL: Document sequences (#56721) (#56774)
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-05-14 11:51:40 -04:00
James Rodewig d247e8f7a6 [DOCS] Sort EQL search API params alphabetically 2020-05-12 13:52:18 -04:00
James Rodewig 8e005db3e6
[DOCS] EQL: Document math functions (#55810) (#56337)
Documents the following EQL functions:

* `add`
* `divide`
* `module`
* `multiply`
* `subtract`
2020-05-07 09:18:43 -04:00
James Rodewig 8686200a32 [DOCS] EQL: Document `concat` function (#56239)
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-05-05 16:45:29 -04:00
James Rodewig dac4ed282e [DOCS] EQL: Add collapsible sections to EQL tutorial docs (#56235)
Adds collapsible sections to the snippet examples of the EQL tutorial
docs.

Also adds a leading slash to EQL API snippet examples.
2020-05-05 16:29:51 -04:00
James Rodewig e7df8b388e [DOCS] EQL: Add collapsible sections to EQL search API response (#56232)
Add collapsible sections to the response parameter docs
of the EQL search API.

Also clarifies some language regarding documents and
events.
2020-05-05 16:01:55 -04:00
James Rodewig cd3663e5fa
[DOCS] EQL: Document `match` function (#56134) 2020-05-05 12:03:02 -04:00
James Rodewig 44414acd3b
[DOCS] EQL: Document nested field support (#56138)
Notes that you cannot use EQL in ES to search the values of `nested`
fields or their sub-fields. However, indices containing `nested` field
mappings are otherwise supported.
2020-05-05 11:46:06 -04:00