mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-05 20:48:22 +00:00
e3d3c3400c
Updates the documented default `event_category_field` and `timestamp_field` values for the EQL search API. Also updates related guidance in the EQL requirement docs. Relates to #53073.
37 lines
923 B
Plaintext
37 lines
923 B
Plaintext
[role="xpack"]
|
|
[testenv="basic"]
|
|
[[eql-requirements]]
|
|
== EQL requirements
|
|
++++
|
|
<titleabbrev>Requirements</titleabbrev>
|
|
++++
|
|
|
|
experimental::[]
|
|
|
|
EQL is schema-less and works well with most common log formats.
|
|
|
|
|
|
[TIP]
|
|
====
|
|
While no schema is required to use EQL in {es}, we recommend the
|
|
{ecs-ref}[Elastic Common Schema (ECS)]. The EQL search API is designed to work
|
|
with core ECS fields by default.
|
|
====
|
|
|
|
[discrete]
|
|
[[eql-required-fields]]
|
|
=== Required fields
|
|
|
|
In {es}, EQL assumes each document in an index corresponds to an event.
|
|
|
|
To search an index using EQL, each document in the index must contain the
|
|
following field archetypes:
|
|
|
|
Event category::
|
|
A field containing the event classification, such as `process`, `file`, or
|
|
`network`. This is typically mapped as a <<keyword,`keyword`>> field.
|
|
|
|
Timestamp::
|
|
A field containing the date and/or time the event occurred. This is typically
|
|
mapped as a <<date,`date`>> field.
|