fb1936bed1
[DOCS] EQL: Fix tiebreaker field docs ( #64671 )
...
Corrects the EQL docs to remove `event.sequence` as the default `tiebreaker_field` value.
2020-11-06 09:05:18 -05:00
b2b676d7d6
[DOCS] Remove italics formatting
2020-11-03 15:49:52 -05:00
1ea83359bb
[DOCS] Fix case for 'Boolean' ( #64299 )
2020-10-29 09:04:43 -04:00
1c0380dc21
[DOCS] EQL: Fix operator docs ( #64286 )
2020-10-28 10:27:17 -04:00
5953a90505
[DOCS] Remove unneeded words in EQL docs
2020-10-24 20:27:34 -04:00
4c22ca3eed
[DOCS] Tighten async EQL copy ( #64106 )
2020-10-24 14:14:30 -04:00
f6bce6194f
[DOCS] Tighten EQL copy ( #64081 )
2020-10-24 10:49:05 -04:00
3deebc2804
[DOCS] Fix typo
2020-10-19 14:44:12 -04:00
71aaa4ae0a
[DOCS] EQL: Update `allow_no_indices` default ( #63748 )
...
Co-authored-by: Adam Locke <adam.locke@elastic.co>
2020-10-19 12:14:23 -04:00
505b03768a
[DOCS] Reword EQL intro
2020-10-14 10:02:45 -04:00
c6a13d1cee
[DOCS] EQL: Remove `match` fn ( #63271 )
2020-10-14 09:57:29 -04:00
857c2d1cd4
[DOCS] Update `ignore_unavailable` default for EQL search API ( #63210 )
2020-10-14 09:36:11 -04:00
f41de1bdce
[DOCS] EQL: Add `:` operator, remove wildcard operator ( #63195 )
2020-10-14 09:06:37 -04:00
8527183f91
[DOCS] EQL: Remove Endgame EQL refs ( #63636 )
2020-10-14 08:34:11 -04:00
d7c5d37697
[DOCS] Remove unneeded word in EQL docs
2020-10-13 13:56:56 -04:00
e0cc841a60
[DOCS] EQL: Document multi-value field support ( #63622 )
2020-10-13 12:26:07 -04:00
04c8ad3ced
[DOCS] EQL: Move to beta ( #63284 )
2020-10-12 08:55:16 -04:00
0aa0811aba
[DOCS] Make EQL case-sensitive by default ( #63270 )
2020-10-05 15:29:48 -04:00
7550e0664c
Remove case_sensitive request option ( #63218 )
...
Make EQL case sensitive by default and adapt some of the string functions
Remove the case sensitive option from Between string function
Add case_insensitive option to term and wildcard queries usage
2020-10-05 16:53:25 +03:00
cb9e61fae5
[DOCS] EQL: Update grammary for escaped event categories ( #63202 )
2020-10-02 15:03:29 -04:00
daef606de7
[DOCS] EQL: Replace ?"..." with """...""" for raw strings ( #63191 )
2020-10-02 11:20:24 -04:00
1b878c8775
[DOCS] EQL: Reorganize EQL syntax sections ( #63179 )
2020-10-02 09:46:27 -04:00
15d4d9597c
[DOCS] EQL: date_nanos timestamp is not supported ( #63101 )
2020-09-30 17:31:24 -04:00
d8cfd569e6
[DOCS] Document escaped backticks for identifiers ( #63079 )
2020-09-30 11:56:23 -04:00
844558069b
[DOCS] EQL: Clarify EQL docs ( #62961 )
2020-09-28 15:29:35 -04:00
acac14a35f
[DOCS] EQL: Note = is not an equality operator
2020-09-22 13:54:19 -04:00
ad5ae4d887
EQL: Remove support for `=` for comparisons ( #62756 )
...
Since `=` is rarely used and is undocumented we its support for
equality comparisons keeping `==` as the only option. `=` is now only
used for assignments like in `maxspan=10m`.
Closes : #62650
2020-09-22 17:37:37 +02:00
74ffbe7dcc
[DOCS] EQL: Style fixes
2020-09-21 19:43:19 -04:00
79a0a6406a
[DOCS] EQL: Style fixes
2020-09-21 18:41:21 -04:00
543919cea7
[DOCS] EQL: Improve regsvr32 misuse explanation ( #62722 )
...
Expands the introduction to better explain what regsvr32 misuse is and
how it works at a high level.
2020-09-21 18:36:35 -04:00
6b36be281a
[DOCS] EQL: Disallow chained comparisons ( #62570 )
2020-09-18 08:26:48 -04:00
0e1aa14bc8
[DOCS] EQL: Remove support for single quote strings ( #62479 )
2020-09-17 09:19:04 -04:00
86a0f15733
[DOCS] EQL: Use consistent string notation ( #62472 )
2020-09-16 11:29:52 -04:00
db52f8485b
[DOCS] EQL: Clarify wildcard operator
2020-09-16 11:05:00 -04:00
9e325bb810
[DOCS] EQL: Make operator refs consistent
2020-09-16 11:03:09 -04:00
7274b42a14
[DOCS] EQL: Move comparison operator defs
2020-09-16 10:54:02 -04:00
7630064a25
[DOCS] EQL: Add xrefs to EQL intro
2020-09-16 10:41:56 -04:00
09547886b0
[DOCS] EQL: Update keyword family field types ( #62254 )
...
Updates several keyword/constant keyword references to use any field type in the
keyword family.
2020-09-14 09:35:23 -04:00
b5fc25cf1f
[DOCS] Remove collapsible examples in EQL syntax docs ( #62220 )
2020-09-10 09:39:17 -04:00
f881a695e1
[DOCS] Add redirects for wildcard and constant keyword ( #61815 )
2020-09-01 15:32:35 -04:00
21deb3b7ea
[DOCS] EQL: Clarify until keyword docs ( #61794 )
2020-09-01 13:37:24 -04:00
904c866060
[DOCS] Fix EQL syntax admon
2020-08-26 13:39:23 -04:00
f79d70225b
[DOCS] Remove dupe EQl fn/pipe TOC
2020-08-26 12:44:51 -04:00
35b35148b9
[DOCS] Remove response params for #61428 ( #61524 )
2020-08-25 09:30:38 -04:00
997376fbe6
EQL: Replace SearchHit in response with Event ( #61428 )
...
The building block of the eql response is currently the SearchHit. This
is a problem since it is tied to an actual search, and thus has scoring,
highlighting, shard information and a lot of other things that are not
relevant for EQL.
This becomes a problem when doing sequence queries since the response is
not generated from one search query and thus there are no SearchHits to
speak of.
Emulating one is not just conceptually incorrect but also problematic
since most of the data is missed or made-up.
As such this PR introduces a simple class, Event, that maps nicely to
the terminology while hiding the ES internals (the use of SearchHit or
GetResult/GetResponse depending on the API used).
Fix #59764
Fix #59779
Co-authored-by: Igor Motov <igor@motovs.org>
2020-08-25 14:27:56 +03:00
a7d4e8b148
[DOCS] Remove collapsible sections in EQL fn docs ( #61498 )
2020-08-24 14:19:29 -04:00
c688cb6bfd
[DOCS] Fix hyphenation for "time series" ( #61472 )
2020-08-24 10:34:41 -04:00
77bb7320dd
[DOCS] Fix EQL threat detection example ( #61367 )
2020-08-20 09:55:49 -04:00
d54957d61f
EQL: Return sequence join keys in the original type ( #61268 )
2020-08-18 18:20:43 +03:00
a94e5cb7c4
[DOCS] Replace Wikipedia links with attribute ( #61171 )
2020-08-17 09:44:24 -04:00
James Rodewig
Andrei Stefan
Marios Trivyzas
Costin Leau