[role="xpack"] [testenv="basic"] [[eql-requirements]] == EQL requirements ++++ Requirements ++++ experimental::[] EQL is schema-less and works well with most common log formats. [TIP] ==== While no schema is required to use EQL in {es}, we recommend the {ecs-ref}[Elastic Common Schema (ECS)]. The EQL search API is designed to work with core ECS fields by default. ==== [discrete] [[eql-required-fields]] === Required fields In {es}, EQL assumes each document in an index corresponds to an event. To search an index using EQL, each document in the index must contain the following field archetypes: Event category:: A field containing the event classification, such as `process`, `file`, or `network`. This is typically mapped as a <> field. Timestamp:: A field containing the date and/or time the event occurred. This is typically mapped as a <> field. [NOTE] ==== You cannot use a <> field datatype or the sub-fields of a `nested` field dataype as the timestamp or event category field. See <>. ====