bff3c7470e
The building block of the eql response is currently the SearchHit. This is a problem since it is tied to an actual search, and thus has scoring, highlighting, shard information and a lot of other things that are not relevant for EQL. This becomes a problem when doing sequence queries since the response is not generated from one search query and thus there are no SearchHits to speak of. Emulating one is not just conceptually incorrect but also problematic since most of the data is missed or made-up. As such this PR introduces a simple class, Event, that maps nicely to the terminology while hiding the ES internals (the use of SearchHit or GetResult/GetResponse depending on the API used).

Fix #59764
Fix #59779

Co-authored-by: Igor Motov <igor@motovs.org>

(cherry picked from commit 997376fbe6ef2894038968842f5e0635731ede65)

Files in this directory:

- ..
- delete-async-eql-search-api.asciidoc
- detect-threats-with-eql.asciidoc
- eql-search-api.asciidoc
- eql.asciidoc
- functions.asciidoc
- get-async-eql-search-api.asciidoc
- pipes.asciidoc
- syntax.asciidoc