f02b10d68a
[DOCS] EQL: Remove multi-value field limitation ( #76663 )
...
Changes:
* Removes the limitation for multi-value fields.
* Adds a recommendation to avoid complex expressions for Boolean comparisons to the `string` fn.
Relates to #76610 .
2021-08-19 09:20:48 -04:00
7a5ac3e4a9
EQL: Minimise CCS roundtrips ( #76076 )
...
This introduces an optimisation of the EQL requests when these target
one remote cluster only (i.e. no mixed local and remote indices or
multiple remote clusters). In this case, the EQL request is forwarded
to the remote cluster and executed there, instead of having the local
cluster perform multiple queries to the remote cluster.
2021-08-18 14:01:43 +02:00
96c4ee3e5c
[DOCS] Document `_mvt` API ( #75384 )
...
* [DOCS] Document `_mvt` API
Documents the `_mvt` API endpoint added with #73872 .
Relates to #75242 .
* Reword
* Rename API
* Fix doc.url in JSON spec
* Reword
* Reword
* Add content type to JSON spec
* Edits
* Fix typo
* Reword
* Update docs after meeting
* Fix typos
* Fix `size` default
* Updates for #75522
* Fixes
* Clean up JSON spec
* Fix extent tag
* [DOCS] Add `<field>` constraints
* Minor clarification
* Update for #75697
* Reword
* Update for #75621
* Reword default sort
* Update for #75367
* Remove unneeded whitespace
* Add experimental admon and if flags
* [DOCS] Remove ifdefs
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2021-08-05 15:04:07 -04:00
d9597da0ef
[DOCS] Update security prereqs for delete async EQL API ( #75091 )
2021-07-12 08:49:55 -04:00
4e005c041c
[DOCS] EQL: Fix delete async EQL search snippet ( #75093 )
...
The delete async EQL search API doesn't support the `keep_alive` query parameter.
2021-07-07 16:49:22 -04:00
3971522c65
[DOCS] EQL: Document cross-cluster search support ( #74995 ) ( #75045 )
...
Closes #74842 .
2021-07-07 09:41:07 -04:00
dd302dcfef
EQL: [Docs] Add documentation for the CircuitBreaker ( #74897 )
...
Add documentation for the newly introduced CircuitBreaker, which is
used to restrict the memory usage for an EQL sequence query to avoid
OutOfMemory exceptions.
Follows: #74381
2021-07-07 09:20:25 +02:00
845446aec3
[DOCS] EQL: Remove erroneous CSS reference
2021-07-01 17:05:44 -04:00
70764de4b6
[DOCS] Move EQL APIs to separate page ( #74846 )
...
In preparation for #74845 , we need to create formal API reference documentation for our SQL APIs.
Due to the number of SQL APIs, we'll likely need to create a separate nested page for them. For parity, this PR moves
our EQL APIs to a separate page as well. Previously, they were listed under our search APIs.
2021-07-01 13:59:35 -04:00
d522c28533
[DOCS] Reword EQL limitations intro.
2021-07-01 10:24:32 -04:00
c7d59f0a4d
[DOCS] EQL: Note EQL uses `fields` parameter ( #74194 )
2021-06-16 13:01:02 -04:00
975ae227fc
[DOCS] Fix typo in modulo example
2021-06-03 08:21:29 -04:00
5729bb8d49
[DOCS] Update alias references ( #73427 )
...
Updates several `index aliases` references to `aliases`.
2021-05-27 16:00:57 -04:00
39a0314d30
[DOCS] Update alias xrefs ( #73380 )
...
Updates several internal 'alias' xrefs to point to the aliases guide rather than
API docs.
2021-05-25 16:19:00 -04:00
dc1bf6eff9
[DOCS] EQL: Note CCS is not supported ( #72975 )
2021-05-12 09:19:29 -04:00
965baad5c4
[DOCS] EQL: Update tiebreaker docs for implicit tiebreaker ( #72808 )
2021-05-06 14:48:46 -04:00
44f3551786
[DOCS] EQL: Use ECS example in EQL syntax docs ( #72414 )
2021-04-28 14:02:12 -04:00
889197f8d0
[DOCS] Fix formatting
2021-04-28 11:40:33 -04:00
13179c71b6
[DOCS] EQL: Shorten response snippets ( #72330 )
...
Shortens several lengthy response snippets to better highlight the
relevant parts.
2021-04-27 16:02:45 -04:00
f8d2578ede
[DOCS] EQL: Remove wildcard function ( #72121 )
2021-04-22 15:49:07 -04:00
3f2eb32afc
[DOCS] Sync EQL docs with `fields` param updates ( #72008 )
2021-04-21 09:13:27 -04:00
6dfd92c46f
[DOCS] Focus retrieving selected fields on fields parameter ( #71506 )
...
* [DOCS] Focus retrieving selected fields on fields parameter
* Incorporating changes from reviews
* Adding clarifications from review feedback
* Slight wording revisions.
* Clarify language around format parameter and move text out of callout.
2021-04-20 15:11:35 -04:00
07fade1d27
[DOCS] EQL/SQL: Document `runtime_fields` parameter ( #71487 )
2021-04-19 09:15:12 -04:00
de228ee153
[DOCS] Reorder EQL sections. Remove duplicated content. ( #71477 )
2021-04-08 10:45:33 -04:00
f41320616c
[DOCS] Refactor data stream setup tutorial ( #71074 )
2021-03-31 17:28:55 -04:00
693807a6d3
[DOCS] Fix double spaces ( #71082 )
2021-03-31 09:57:47 -04:00
fdbea16e15
[DOCS] Move EQL event category section ( #70955 )
...
Combines the basic syntax and event category sections for better visibility.
2021-03-29 09:40:34 -04:00
6504b541e9
[DOCS] EQL: Use data streams in docs ( #70822 )
2021-03-25 09:41:06 -04:00
321f46e187
[DOCS] EQL: Document Unicode escape sequences ( #70694 )
2021-03-23 08:10:03 -04:00
cbfe969634
[DOCS] EQL: Remove unneded words in escape sequence table
2021-03-22 16:45:49 -04:00
75b0917ca1
[DOCS] Fix EQL heading levels ( #70255 )
...
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2021-03-10 14:20:22 -05:00
5bf7a0a995
[DOCS] Add fields param xref
2021-03-08 16:40:11 -05:00
783769d8d9
[DOCS] Add `fields` parameter to EQL search API ( #69634 )
2021-03-01 12:00:27 -05:00
593cac391d
[DOCS] Make whitespace consistent in JSON snippets
2021-02-25 16:12:47 -05:00
3ff1a17a79
[DOCS] EQL: Document field existence checks ( #69614 )
2021-02-25 12:04:22 -05:00
8e09c3d7bd
[DOCS] EQL: Clarify support for text fields ( #69229 )
2021-02-18 18:57:49 -05:00
31fc59efdf
[DOCS] Fix capitalization for Query DSL ( #69236 )
2021-02-18 18:57:19 -05:00
13a077bd59
[DOCS] EQL: Update differences from Endgame EQL syntax ( #69124 )
2021-02-17 10:11:51 -05:00
5eb0a9528a
[DOCS] EQL: Document `like` and `regex` keywords ( #68932 ) ( #69052 )
2021-02-16 11:34:03 -05:00
293fcd4c41
[DOCS] EQL: Minor doc fixes ( #68927 )
2021-02-11 13:44:01 -05:00
6521d2af27
Introduce eql search status API ( #68065 )
...
Introduce eql search status API,
that reports the status of eql stored or async search.
GET _eql/search/status/<id>
The API is restricted to the monitoring_user role.
For a running eql search, a response has the following format:
{
"id" : <id>,
"is_running" : true,
"is_partial" : true,
"start_time_in_millis" : 1611690235000,
"expiration_time_in_millis" : 1611690295000
}
For a completed eql search, a response has the following format:
{
"id" : <id>,
"is_running" : false,
"is_partial" : false,
"expiration_time_in_millis" : 1611690295000,
"completion_status" : 200
}
Closes #66955
2021-02-11 09:30:13 -05:00
babf3eb081
[DOCS] EQL: Remove duplicate case-sensitivity info ( #68860 )
2021-02-10 14:27:29 -05:00
6378c57ca0
[DOCS] EQL: Add `filter_path` param to EQL search API docs ( #68537 )
2021-02-04 13:39:01 -05:00
ab3f8f5067
[DOCS] EQL: Add case-insensitive `~` operator ( #68217 )
...
Documents the case-insensitive `~` operator for `in` and string functions.
Relates to #67869 and #68176
2021-01-29 13:50:57 -05:00
c4ab89f3f7
[DOCS] EQL: Add security privileges to EQL search docs ( #68017 )
2021-01-27 16:25:05 -05:00
cb3e0051e0
[DOCS] Make cat API verbose query param explicit ( #67300 )
2021-01-11 17:19:23 -05:00
14b381a2ad
[DOCS] EQL: Change `result_position` default to `tail` ( #66550 )
2020-12-18 08:38:45 -05:00
9b3bb56179
[DOCS] EQL: Move to GA ( #65955 )
2020-12-09 08:48:23 -05:00
6a09df8520
[DOCS] EQL: Add diagrams for sequence matching ( #65898 )
2020-12-07 07:55:38 -05:00
ef6fb59ec3
[DOCS] EQL: Document how sequence queries handle matches ( #65794 )
...
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-12-04 09:34:38 -05:00
James Rodewig
Bogdan Pintea
Marios Trivyzas
Adam Locke
Mayya Sharipova