ac1dbb7ffd
[DOCS] EQL: Remove outdated wildcard ref ( #65684 )
2020-12-01 11:30:17 -05:00
a18b87ddc1
[DOCS] Flatten EQL syntax headings ( #65497 )
2020-11-25 10:30:24 -05:00
b9ee0b3b48
[DOCS] EQL: Add lookup support to `:` operator ( #65262 )
2020-11-24 10:48:41 -05:00
ce644909dc
[DOCS] EQL: Add wildcard support to `:` operator ( #65237 )
2020-11-19 08:26:13 -05:00
36d308bc23
[DOCS] EQL: Update docs for null tiebreakers ( #65078 )
2020-11-17 09:31:49 -05:00
254807956f
[DOCS] EQL: Document result_position param ( #65075 )
2020-11-17 09:07:51 -05:00
fb1936bed1
[DOCS] EQL: Fix tiebreaker field docs ( #64671 )
...
Corrects the EQL docs to remove `event.sequence` as the default `tiebreaker_field` value.
2020-11-06 09:05:18 -05:00
b2b676d7d6
[DOCS] Remove italics formatting
2020-11-03 15:49:52 -05:00
1ea83359bb
[DOCS] Fix case for 'Boolean' ( #64299 )
2020-10-29 09:04:43 -04:00
1c0380dc21
[DOCS] EQL: Fix operator docs ( #64286 )
2020-10-28 10:27:17 -04:00
5953a90505
[DOCS] Remove unneeded words in EQL docs
2020-10-24 20:27:34 -04:00
4c22ca3eed
[DOCS] Tighten async EQL copy ( #64106 )
2020-10-24 14:14:30 -04:00
f6bce6194f
[DOCS] Tighten EQL copy ( #64081 )
2020-10-24 10:49:05 -04:00
3deebc2804
[DOCS] Fix typo
2020-10-19 14:44:12 -04:00
71aaa4ae0a
[DOCS] EQL: Update `allow_no_indices` default ( #63748 )
...
Co-authored-by: Adam Locke <adam.locke@elastic.co>
2020-10-19 12:14:23 -04:00
505b03768a
[DOCS] Reword EQL intro
2020-10-14 10:02:45 -04:00
c6a13d1cee
[DOCS] EQL: Remove `match` fn ( #63271 )
2020-10-14 09:57:29 -04:00
857c2d1cd4
[DOCS] Update `ignore_unavailable` default for EQL search API ( #63210 )
2020-10-14 09:36:11 -04:00
f41de1bdce
[DOCS] EQL: Add `:` operator, remove wildcard operator ( #63195 )
2020-10-14 09:06:37 -04:00
8527183f91
[DOCS] EQL: Remove Endgame EQL refs ( #63636 )
2020-10-14 08:34:11 -04:00
d7c5d37697
[DOCS] Remove unneeded word in EQL docs
2020-10-13 13:56:56 -04:00
e0cc841a60
[DOCS] EQL: Document multi-value field support ( #63622 )
2020-10-13 12:26:07 -04:00
04c8ad3ced
[DOCS] EQL: Move to beta ( #63284 )
2020-10-12 08:55:16 -04:00
0aa0811aba
[DOCS] Make EQL case-sensitive by default ( #63270 )
2020-10-05 15:29:48 -04:00
7550e0664c
Remove case_sensitive request option ( #63218 )
...
Make EQL case sensitive by default and adapt some of the string functions
Remove the case sensitive option from Between string function
Add case_insensitive option to term and wildcard queries usage
2020-10-05 16:53:25 +03:00
cb9e61fae5
[DOCS] EQL: Update grammary for escaped event categories ( #63202 )
2020-10-02 15:03:29 -04:00
daef606de7
[DOCS] EQL: Replace ?"..." with """...""" for raw strings ( #63191 )
2020-10-02 11:20:24 -04:00
1b878c8775
[DOCS] EQL: Reorganize EQL syntax sections ( #63179 )
2020-10-02 09:46:27 -04:00
15d4d9597c
[DOCS] EQL: date_nanos timestamp is not supported ( #63101 )
2020-09-30 17:31:24 -04:00
d8cfd569e6
[DOCS] Document escaped backticks for identifiers ( #63079 )
2020-09-30 11:56:23 -04:00
844558069b
[DOCS] EQL: Clarify EQL docs ( #62961 )
2020-09-28 15:29:35 -04:00
acac14a35f
[DOCS] EQL: Note = is not an equality operator
2020-09-22 13:54:19 -04:00
ad5ae4d887
EQL: Remove support for `=` for comparisons ( #62756 )
...
Since `=` is rarely used and is undocumented we its support for
equality comparisons keeping `==` as the only option. `=` is now only
used for assignments like in `maxspan=10m`.
Closes : #62650
2020-09-22 17:37:37 +02:00
74ffbe7dcc
[DOCS] EQL: Style fixes
2020-09-21 19:43:19 -04:00
79a0a6406a
[DOCS] EQL: Style fixes
2020-09-21 18:41:21 -04:00
543919cea7
[DOCS] EQL: Improve regsvr32 misuse explanation ( #62722 )
...
Expands the introduction to better explain what regsvr32 misuse is and
how it works at a high level.
2020-09-21 18:36:35 -04:00
6b36be281a
[DOCS] EQL: Disallow chained comparisons ( #62570 )
2020-09-18 08:26:48 -04:00
0e1aa14bc8
[DOCS] EQL: Remove support for single quote strings ( #62479 )
2020-09-17 09:19:04 -04:00
86a0f15733
[DOCS] EQL: Use consistent string notation ( #62472 )
2020-09-16 11:29:52 -04:00
db52f8485b
[DOCS] EQL: Clarify wildcard operator
2020-09-16 11:05:00 -04:00
9e325bb810
[DOCS] EQL: Make operator refs consistent
2020-09-16 11:03:09 -04:00
7274b42a14
[DOCS] EQL: Move comparison operator defs
2020-09-16 10:54:02 -04:00
7630064a25
[DOCS] EQL: Add xrefs to EQL intro
2020-09-16 10:41:56 -04:00
09547886b0
[DOCS] EQL: Update keyword family field types ( #62254 )
...
Updates several keyword/constant keyword references to use any field type in the
keyword family.
2020-09-14 09:35:23 -04:00
b5fc25cf1f
[DOCS] Remove collapsible examples in EQL syntax docs ( #62220 )
2020-09-10 09:39:17 -04:00
f881a695e1
[DOCS] Add redirects for wildcard and constant keyword ( #61815 )
2020-09-01 15:32:35 -04:00
21deb3b7ea
[DOCS] EQL: Clarify until keyword docs ( #61794 )
2020-09-01 13:37:24 -04:00
904c866060
[DOCS] Fix EQL syntax admon
2020-08-26 13:39:23 -04:00
f79d70225b
[DOCS] Remove dupe EQl fn/pipe TOC
2020-08-26 12:44:51 -04:00
35b35148b9
[DOCS] Remove response params for #61428 ( #61524 )
2020-08-25 09:30:38 -04:00
997376fbe6
EQL: Replace SearchHit in response with Event ( #61428 )
...
The building block of the eql response is currently the SearchHit. This
is a problem since it is tied to an actual search, and thus has scoring,
highlighting, shard information and a lot of other things that are not
relevant for EQL.
This becomes a problem when doing sequence queries since the response is
not generated from one search query and thus there are no SearchHits to
speak of.
Emulating one is not just conceptually incorrect but also problematic
since most of the data is missed or made-up.
As such this PR introduces a simple class, Event, that maps nicely to
the terminology while hiding the ES internals (the use of SearchHit or
GetResult/GetResponse depending on the API used).
Fix #59764
Fix #59779
Co-authored-by: Igor Motov <igor@motovs.org>
2020-08-25 14:27:56 +03:00
a7d4e8b148
[DOCS] Remove collapsible sections in EQL fn docs ( #61498 )
2020-08-24 14:19:29 -04:00
c688cb6bfd
[DOCS] Fix hyphenation for "time series" ( #61472 )
2020-08-24 10:34:41 -04:00
77bb7320dd
[DOCS] Fix EQL threat detection example ( #61367 )
2020-08-20 09:55:49 -04:00
d54957d61f
EQL: Return sequence join keys in the original type ( #61268 )
2020-08-18 18:20:43 +03:00
a94e5cb7c4
[DOCS] Replace Wikipedia links with attribute ( #61171 )
2020-08-17 09:44:24 -04:00
36f02c7869
[DOCS] Reword in EQL threat detection example
2020-08-14 15:50:31 -04:00
46c438f16b
[DOCS] Reword EQL example
2020-08-14 13:24:05 -04:00
e8a907e34a
[DOCS] EQL: Add threat detection example ( #59105 )
2020-08-14 13:00:34 -04:00
fcc3b6c80c
[DOCS] Fix EQL required fields language
2020-08-12 09:47:37 -04:00
7c494434d6
[DOCS] Remove unneeded word in EQL docs
2020-08-11 12:18:46 -04:00
d09a6cfc7c
[DOCS] Make EQL example snippets more realistic ( #60971 )
2020-08-11 11:38:46 -04:00
dca46c29ff
[DOCS] Refactor EQL docs ( #60700 )
...
Changes:
* Moves sample data to reusable rest test
* Combines EQL index, requirements, and run a search pages
* Combines EQL syntax and limitations pages
* Adds related redirects
2020-08-05 10:11:02 -04:00
ae01606785
[DOCS] Replace `twitter` dataset in docs ( #60604 )
2020-08-03 12:49:56 -04:00
441c3a21b1
[DOCS] Update my-index examples ( #60132 )
...
Changes the following example index names to `my-index-000001` for consistency:
* `my-index`
* `my_index`
* `myindex`
2020-07-27 14:46:39 -04:00
2774cd6938
[DOCS] Swap `[float]` for `[discrete]` ( #60124 )
...
Changes instances of `[float]` in our docs for `[discrete]`.
Asciidoctor prefers the `[discrete]` tag for floating headings:
https://asciidoctor.org/docs/asciidoc-asciidoctor-diffs/#blocks
2020-07-23 11:48:22 -04:00
861892add4
[DOCS] EQL: Remove collapsible sections from EQL search docs ( #59819 )
2020-07-20 08:50:19 -04:00
5be36b41d4
[DOCS] EQL: Update EQL search response format ( #59554 )
2020-07-15 16:52:32 -04:00
d250f94374
[DOCS] Fix syntax and wording in EQL docs ( #59623 )
2020-07-15 14:27:02 -04:00
adc520b7c2
[DOCS] Note that EQL timestamp field can also be date_nanos
2020-07-15 09:53:43 -04:00
bccfbcd81f
EQL: Improve retrieval of results ( #59552 )
...
Instead of retrieving an entire SearchHit, get just a reference and
postpone the document retrieval when assembling the final results.
Remove sort information from results to make them consistent.
Move TumblingWindow under the sequence package.
Co-authored-by: James Rodewig <james.rodewig@elastic.co>
2020-07-14 23:26:25 +03:00
25c6a125c5
[DOCS] EQL: Document `until` keyword support ( #59320 )
2020-07-13 08:42:27 -04:00
747e61508a
[DOCS] EQL: Prepare docs for release ( #59259 )
...
Changes:
* Swaps the `dev` admonitions for `experimental` admonitions
* Removes `ifdef` statements preventing the docs from appearing in
released branches
2020-07-13 08:40:38 -04:00
284ee85efd
[DOCS] Add data streams to EQL search docs ( #58611 )
2020-07-13 08:38:01 -04:00
6ede6c59ef
Remove search_after and implicit_join_key_field ( #59232 )
2020-07-09 11:17:37 +03:00
52bfe9eb9a
[DOCS] EQL: Document `size` limit for pipes ( #59085 )
...
Changes:
* Documents the `size` default as `10`.
* Updates `size` param def to note its relation to pipes.
* Updates the `head` and `tail` pipe docs to modify sequences.
* Documents the `fetch_size` parameter.
Relates to #59014 and #59063
2020-07-08 11:52:45 -04:00
c5df35eba1
[DOCS] EQL: Document unsupported var comparison ( #58941 )
...
ES EQL queries do not support the comparison of a variable, such as
a field value, to another variable.
This adds a related para and example to the EQL syntax docs.
2020-07-08 08:54:22 -04:00
7c23933ec7
[DOCS] EQL: Document `maxspan` keyword ( #58931 )
2020-07-08 08:52:36 -04:00
2be9db01c8
[DOCS] Replace `datatype` with `data type` ( #58972 )
2020-07-07 13:52:10 -04:00
b5e374d958
[DOCS] Change Beats links to refactored getting started docs ( #58790 )
2020-07-02 17:10:09 -07:00
f18e136400
[DOCS] Fix xref format in async EQL search docs
2020-06-30 09:36:08 -04:00
cc3bd3974f
[DOCS] EQL: Document `head` and `tail` pipes ( #58673 )
2020-06-30 08:35:37 -04:00
29da275b0a
[DOCS] EQL: Remove fields from EQL search response ( #58667 )
2020-06-29 09:19:07 -04:00
d6731d659d
Update JSON results in EQL docs
2020-06-27 09:45:50 +03:00
4521ca3367
EQL: Add Head/Tail pipe support ( #58536 )
...
Introduce pipe support, in particular head and tail
(which can also be chained).
2020-06-27 09:08:03 +03:00
d14b7d5399
[DOCS] EQL: Remove references to partial async EQL results ( #58548 )
...
Removes references to partial results from the async EQL search docs.
If an EQL search does not complete during the `wait_for_completion_timeout`
timeout period, it returns no results.
2020-06-26 10:27:30 -04:00
662cf81bbc
[DOCS] Fix EQL search snippet for tiebreaker example ( #58545 )
2020-06-25 09:23:50 -04:00
07874ec357
[DOCS] EQL: Document search API's `tiebreaker_field` param ( #57935 )
2020-06-25 08:44:34 -04:00
7f5b72741e
[DOCS] EQL: Correct EQL search API's `size` param def
...
The `size` parameter can be used to limit matching events or sequences.
2020-06-10 10:13:18 -04:00
6d7acd0d94
[DOCS] EQL: Document delete async search API ( #57732 )
2020-06-05 12:45:09 -04:00
d197a85ee5
Merge remote-tracking branch 'elastic/master' into feature/async-eql
2020-06-04 15:50:40 -04:00
b30cc2b399
[DOCS] EQL: Add `dev` admonition to EQL pages ( #57531 ) ( #57534 )
...
Adds the `dev` admonition to EQL features, which are in development
under a feature flag.
2020-06-02 11:04:56 -04:00
982f168fd8
[DOCS] EQL: Add `dev` admonition to EQL pages ( #57531 )
...
Adds the `dev` admonition to EQL features, which are in development
under a feature flag.
2020-06-02 10:47:53 -04:00
34c4505a2f
[DOCS] EQL: Fix hits param for sequences ( #57410 ) ( #57525 )
2020-06-02 09:38:21 -04:00
f1b8df93cd
[DOCS] EQL: Fix hits param for sequences ( #57410 )
2020-06-02 09:22:14 -04:00
8b9293b3bf
[DOCS] Replace docdir attribute with es-repo-dir ( #57489 )
2020-06-01 15:55:05 -07:00
78146bbca9
[DOCS] EQL: Document get async EQL search API ( #57366 )
2020-05-30 08:42:30 -04:00
39df45e156
Fix EQL doc tests after master merge
2020-05-27 09:19:50 -04:00
a301eab85b
Merge remote-tracking branch 'elastic/master' into feature/async-eql
2020-05-27 08:55:02 -04:00
8a086ba05d
[DOCS] EQL: Fix whitespace in EQL snippet
2020-05-19 17:04:20 -04:00
James Rodewig
Andrei Stefan
Marios Trivyzas
Costin Leau
James Rodewig
DeDe Morton
Costin Leau
Igor Motov
Lisa Cawley