James Rodewig
290adcd25e
[DOCS] Reword in EQL threat detection example
2020-08-14 15:50:58 -04:00
James Rodewig
3fef26bfb0
[DOCS] EQL: Add threat detection example ( #59105 ) ( #61161 )
2020-08-14 13:40:44 -04:00
James Rodewig
bc37b1b2a7
[DOCS] Fix EQL required fields language
2020-08-12 09:48:11 -04:00
James Rodewig
7d4117426a
[DOCS] Remove unneeded word in EQL docs
2020-08-11 12:19:08 -04:00
James Rodewig
c0fa582df4
[DOCS] Make EQL example snippets more realistic ( #60971 ) ( #60974 )
2020-08-11 12:01:31 -04:00
James Rodewig
a1c27b0833
[DOCS] Refactor EQL docs ( #60700 ) ( #60745 )
Changes:
* Moves sample data to reusable rest test
* Combines EQL index, requirements, and run a search pages
* Combines EQL syntax and limitations pages
* Adds related redirects
2020-08-05 11:25:18 -04:00
James Rodewig
26d51089da
[DOCS] Replace `twitter` dataset in docs ( #60604 ) ( #60609 )
2020-08-03 13:31:19 -04:00
James Rodewig
aba785cb6e
[DOCS] Update my-index examples ( #60132 ) ( #60248 )
Changes the following example index names to `my-index-000001` for consistency:
* `my-index`
* `my_index`
* `myindex`
2020-07-27 15:58:26 -04:00
James Rodewig
988e8c8fc6
[DOCS] Swap `[float]` for `[discrete]` ( #60134 )
Changes instances of `[float]` in our docs for `[discrete]`.
Asciidoctor prefers the `[discrete]` tag for floating headings:
https://asciidoctor.org/docs/asciidoc-asciidoctor-diffs/#blocks
2020-07-23 12:42:33 -04:00
James Rodewig
828aa6f640
[DOCS] EQL: Remove collapsible sections from EQL search docs ( #59819 ) ( #59861 )
2020-07-20 09:26:32 -04:00
James Rodewig
43481441e9
[DOCS] EQL: Update EQL search response format ( #59554 ) ( #59668 )
2020-07-15 17:23:48 -04:00
James Rodewig
e30af2fc35
[DOCS] Fix syntax and wording in EQL docs ( #59623 ) ( #59650 )
2020-07-15 14:45:56 -04:00
James Rodewig
8cac702171
[DOCS] Note that EQL timestamp field can also be date_nanos
2020-07-15 09:55:55 -04:00
Costin Leau
679619c798
EQL: Improve retrieval of results ( #59552 )
Instead of retrieving an entire SearchHit, get just a reference and
postpone the document retrieval when assembling the final results.
Remove sort information from results to make them consistent.
Move TumblingWindow under the sequence package.
Co-authored-by: James Rodewig <james.rodewig@elastic.co>
(cherry picked from commit bccfbcd81f2f1d3552e95e4a9ee2618fb3059bd9)
2020-07-14 23:53:57 +03:00
James Rodewig
2629a95e14
[DOCS] EQL: Document `until` keyword support ( #59320 ) ( #59408 )
2020-07-13 09:05:47 -04:00
James Rodewig
896d0ffd9b
[DOCS] EQL: Prepare docs for release ( #59259 ) ( #59407 )
Changes:
* Swaps the `dev` admonitions for `experimental` admonitions
* Removes `ifdef` statements preventing the docs from appearing in
released branches
2020-07-13 09:04:15 -04:00
James Rodewig
9d5c091f7a
[DOCS] Add data streams to EQL search docs ( #58611 ) ( #59404 )
2020-07-13 09:03:55 -04:00
Andrei Stefan
c0e0bca84c
Remove search_after and implicit_join_key_field ( #59232 ) ( #59280 )
(cherry picked from commit 6ede6c59eff321b9fedad30e19508b9e4f788b54)
2020-07-09 12:34:01 +03:00
James Rodewig
93a5eb0688
[DOCS] EQL: Document `size` limit for pipes ( #59085 ) ( #59236 )
Changes:
* Documents the `size` default as `10`.
* Updates `size` param def to note its relation to pipes.
* Updates the `head` and `tail` pipe docs to modify sequences.
* Documents the `fetch_size` parameter.
Relates to #59014 and #59063
2020-07-08 12:22:57 -04:00
James Rodewig
b27de36b5d
[DOCS] EQL: Document `maxspan` keyword ( #58931 ) ( #59223 )
2020-07-08 11:04:28 -04:00
James Rodewig
37be56ab97
[DOCS] EQL: Document unsupported var comparison ( #58941 ) ( #59224 )
ES EQL queries do not support the comparison of a variable, such as
a field value, to another variable.
This adds a related para and example to the EQL syntax docs.
2020-07-08 11:04:05 -04:00
James Rodewig
6ed356ffc3
[DOCS] Replace `datatype` with `data type` ( #58972 ) ( #59184 )
2020-07-07 14:59:35 -04:00
DeDe Morton
2c43421208
[DOCS] Change Beats links to refactored getting started docs ( #58790 )
2020-07-02 17:11:25 -07:00
James Rodewig
770f9f11af
[DOCS] Fix xref format in async EQL search docs
2020-06-30 09:37:47 -04:00
James Rodewig
d8731853a3
[DOCS] EQL: Document `head` and `tail` pipes ( #58673 ) ( #58739 )
2020-06-30 09:12:54 -04:00
James Rodewig
735a3f344d
[DOCS] EQL: Remove fields from EQL search response ( #58667 ) ( #58669 )
2020-06-29 09:34:20 -04:00
Costin Leau
3c81b91474
EQL: Add Head/Tail pipe support ( #58536 )
Introduce pipe support, in particular head and tail
(which can also be chained).
(cherry picked from commit 4521ca3367147d4d6531cf0ab975d8d705f400ea)
(cherry picked from commit d6731d659d012c96b19879d13cfc9e1eaf4745a4)
2020-06-27 09:49:14 +03:00
James Rodewig
b37b318d0d
[DOCS] EQL: Remove references to partial async EQL results ( #58548 ) ( #58609 )
Removes references to partial results from the async EQL search docs.
If an EQL search does not complete during the `wait_for_completion_timeout`
timeout period, it returns no results.
2020-06-26 11:11:55 -04:00
James Rodewig
c613e0915a
[DOCS] EQL: Document search API's `tiebreaker_field` param ( #57935 ) ( #58540 )
2020-06-26 09:25:24 -04:00
Igor Motov
20af856abd
[7.x] EQL: Adds an ability to execute an asynchronous EQL search ( #58192 )
Adds async support to EQL searches
Closes #49638
Co-authored-by: James Rodewig james.rodewig@elastic.co
2020-06-25 14:11:57 -04:00
James Rodewig
44c3bb29e2
[DOCS] EQL: Correct EQL search API's `size` param def
The `size` parameter can be used to limit matching events or sequences.
2020-06-10 10:12:54 -04:00
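The async flow described in the "Remove references to partial async EQL results" and "Adds an ability to execute an asynchronous EQL search" entries above, together with the `size`, `fetch_size` and `tiebreaker_field` parameters documented in the entries around them, as an added client-side illustration. This is not Elasticsearch code and is not taken from the docs or the commits; it makes no network calls. The request keys follow the 7.9-era EQL search API; the two responses at the bottom, including the search id in them, are constructed by hand to mirror the API's shape, not captured from a cluster.

```python
"""Client-side handling of the Elasticsearch EQL search API's async flow.

Added illustration: not Elasticsearch code, no network I/O. Request keys
follow the 7.9-era EQL search API (`size`, `fetch_size`, `timestamp_field`,
`tiebreaker_field`, `wait_for_completion_timeout`, `keep_on_completion`).
The sample responses below are hand-constructed, not captured output.
"""
from typing import Any, Dict, Optional, Tuple


def build_eql_request(query: str, *, size: int = 10, fetch_size: int = 1000,
                      timestamp_field: str = "@timestamp",
                      tiebreaker_field: Optional[str] = None,
                      wait_for_completion_timeout: str = "2s",
                      keep_on_completion: bool = True) -> Dict[str, Any]:
    """Build the JSON body for GET /<index>/_eql/search.

    `size` caps the number of matching events (basic query) or sequences
    (sequence query) returned; `fetch_size` only tunes how many events are
    pulled per internal page while matching sequences and does not cap the
    result count. `keep_on_completion=True` keeps a finished search around so
    it can be fetched again by id.
    """
    body: Dict[str, Any] = {
        "query": query,
        "size": size,
        "fetch_size": fetch_size,
        "timestamp_field": timestamp_field,
        "wait_for_completion_timeout": wait_for_completion_timeout,
        "keep_on_completion": keep_on_completion,
    }
    if tiebreaker_field:
        # Orders events that share a timestamp, e.g. a per-host counter
        # set by the shipper; the field name is the caller's choice.
        body["tiebreaker_field"] = tiebreaker_field
    return body


def next_action(resp: Dict[str, Any]) -> Tuple[str, Any]:
    """Decide what to do with one EQL search API response.

    Returns ("poll", search_id) while the search is still running: the body
    carries no usable hits at that point (there are no partial results to
    read), so the caller should GET /_eql/search/<search_id> later.
    Returns ("done", hits) once the search finished. A finished search that
    reports `timed_out` comes back as ("timed_out", hits) so an incomplete
    match set is never mistaken for a clean negative in a detection job.
    """
    if resp.get("is_running"):
        search_id = resp.get("id")
        if not search_id:
            raise ValueError("running search without an id cannot be polled")
        return ("poll", search_id)
    hits = resp.get("hits", {})
    if resp.get("timed_out"):
        return ("timed_out", hits)
    return ("done", hits)


def count_matches(hits: Dict[str, Any]) -> int:
    """Number of matches in a completed response: one per sequence for a
    sequence query (`hits.sequences`), one per event otherwise
    (`hits.events`). Counting the returned items rather than reading a
    total keeps the two query kinds on the same footing."""
    if "sequences" in hits:
        return len(hits["sequences"])
    return len(hits.get("events", []))


# Constructed sample responses (hand-written to mirror the API's shape).
# The id is a placeholder, not a real search id.
RUNNING_RESPONSE: Dict[str, Any] = {
    "id": "example-search-id-0001",
    "is_partial": True,
    "is_running": True,
    "took": 2000,
    "timed_out": False,
}

COMPLETED_SEQUENCE_RESPONSE: Dict[str, Any] = {
    "is_partial": False,
    "is_running": False,
    "took": 37,
    "timed_out": False,
    "hits": {
        "sequences": [
            {"join_keys": ["host-a"],
             "events": [{"_index": "my-index-000001", "_id": "1",
                         "_source": {"event": {"category": "process"}}},
                        {"_index": "my-index-000001", "_id": "2",
                         "_source": {"event": {"category": "network"}}}]},
            {"join_keys": ["host-b"],
             "events": [{"_index": "my-index-000001", "_id": "7",
                         "_source": {"event": {"category": "process"}}},
                        {"_index": "my-index-000001", "_id": "9",
                         "_source": {"event": {"category": "network"}}}]},
        ]
    },
}

if __name__ == "__main__":
    print(build_eql_request("process where true", tiebreaker_field="event.sequence"))
    print(next_action(RUNNING_RESPONSE))
    action, hits = next_action(COMPLETED_SEQUENCE_RESPONSE)
    print(action, count_matches(hits))
```

A caller loops on `next_action` until it stops returning `"poll"`, sleeping between polls; the important point from the entries above is that a `"poll"` response carries nothing to act on, so a detection pipeline must not read its `hits` as "no match".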
James Rodewig
641ed484d8
[DOCS] EQL: Add `dev` admonition to EQL pages ( #57531 ) ( #57533 )
Adds the `dev` admonition to EQL features, which are in development
under a feature flag.
2020-06-02 11:03:12 -04:00
James Rodewig
fd6dabf158
[DOCS] EQL: Fix hits param for sequences ( #57410 ) ( #57524 )
2020-06-02 09:38:00 -04:00
Lisa Cawley
db5bf92acf
[7.x][DOCS] Replace docdir attribute with es-repo-dir ( #57489 ) ( #57494 )
2020-06-01 16:42:53 -07:00
James Rodewig
cc12361a82
[DOCS] EQL: Fix whitespace in EQL snippet
2020-05-19 17:04:49 -04:00
James Rodewig
771ddbf083
[DOCS] EQL: Add sequence example to tutorial ( #56965 ) ( #56966 )
Adds an example using the sequence syntax to the 'Run an EQL search'
tutorial.
Supplements other examples added with #56721
2020-05-19 16:14:57 -04:00
James Rodewig
cc43d67eb1
[DOCS] Add leading slashes to EQL API examples
2020-05-19 15:38:37 -04:00
James Rodewig
22f54ba205
[DOCS] EQL: Fix API example headings
2020-05-18 16:29:29 -04:00
James Rodewig
c50f86fbba
[DOCS] EQL: Document `case_sensitive` param ( #56697 ) ( #56818 )
2020-05-15 11:47:19 -04:00
James Rodewig
5e09762a27
[DOCS] EQL: Align comments in `between` fn examples
2020-05-15 09:20:45 -04:00
James Rodewig
24cd45345e
[DOCS] EQL: Remove references to arrays/multi-value fields ( #56772 )
2020-05-15 09:09:07 -04:00
James Rodewig
2a943a58a4
[DOCS] EQL: Document `number` function ( #56770 )
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-05-14 15:44:04 -04:00
James Rodewig
2921747b23
[7.x] [DOCS] EQL: Document sequences ( #56721 ) ( #56774 )
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-05-14 11:51:40 -04:00
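The sequence syntax, `maxspan`, `until` and the `head` pipe documented in the "Document sequences", "Document `maxspan` keyword", "Document `until` keyword support" and "Document `head` and `tail` pipes" entries above, plus the variable-to-variable comparison that the "Document unsupported var comparison" entry says is not supported, as one added EQL query. This is an illustration written for this page, not an example from the Elasticsearch docs or from any of the listed commits. The field names (`host.id`, `process.name`, `event.type`, `process.parent.name`) are assumed ECS-style fields, and the value `"end"` for a process termination event is an assumption about how the shipper populates `event.type`.

```eql
// Added illustration, not from the Elasticsearch docs. Assumed fields:
// host.id, process.name, process.parent.name, event.type (ECS-style).

// Two events on the same host, in order, at most 15 minutes apart.
// If a process-end event for that host arrives before the second event,
// the partial sequence is dropped (until). The head pipe keeps only the
// three earliest complete sequences; the API's size parameter caps the
// result count as well.
sequence by host.id with maxspan=15m
  [ process where process.name == "regsvr32.exe" ]
  [ network where true ]
until [ process where event.type == "end" ]
| head 3

// Not supported in Elasticsearch EQL: comparing one field to another.
//   process where process.parent.name == process.name
// Supported: compare each field to a literal (or a list of literals).
process where process.parent.name == "explorer.exe"
  and process.name in ("cmd.exe", "powershell.exe")
```

Each query is submitted on its own as the `query` string of an EQL search API request; the two are shown together only to put the supported and unsupported comparison side by side.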
James Rodewig
d247e8f7a6
[DOCS] Sort EQL search API params alphabetically
2020-05-12 13:52:18 -04:00
James Rodewig
8e005db3e6
[DOCS] EQL: Document math functions ( #55810 ) ( #56337 )
Documents the following EQL functions:
* `add`
* `divide`
* `module`
* `multiply`
* `subtract`
2020-05-07 09:18:43 -04:00
James Rodewig
8686200a32
[DOCS] EQL: Document `concat` function ( #56239 )
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-05-05 16:45:29 -04:00
James Rodewig
dac4ed282e
[DOCS] EQL: Add collapsible sections to EQL tutorial docs ( #56235 )
Adds collapsible sections to the snippet examples of the EQL tutorial
docs.
Also adds a leading slash to EQL API snippet examples.
2020-05-05 16:29:51 -04:00
James Rodewig
e7df8b388e
[DOCS] EQL: Add collapsible sections to EQL search API response ( #56232 )
Add collapsible sections to the response parameter docs
of the EQL search API.
Also clarifies some language regarding documents and
events.
2020-05-05 16:01:55 -04:00
James Rodewig
cd3663e5fa
[DOCS] EQL: Document `match` function ( #56134 )
2020-05-05 12:03:02 -04:00
James Rodewig
44414acd3b
[DOCS] EQL: Document nested field support ( #56138 )
Notes that you cannot use EQL in ES to search the values of `nested`
fields or their sub-fields. However, indices containing `nested` field
mappings are otherwise supported.
2020-05-05 11:46:06 -04:00