Get EQL search results
Generally available
Returns search results for an Event Query Language (EQL) query. EQL assumes each document in a data stream or index corresponds to an event.
Query parameters
- If true, returns partial results if there are shard failures. If false, returns an error with no partial results.
- If true, sequence queries will return partial results in case of shard failures. If false, they will return no results at all. This flag has effect only if allow_partial_search_results is true.
- Values are all, open, closed, hidden, or none.
- Period for which the search and its results are stored on the cluster. Values are -1 or 0.
- If true, the search and its results are stored on the cluster.
- Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results. Values are -1 or 0.
Body
Required
- EQL query you wish to run.
- Path to field or array of paths. Some APIs support wildcards in the path to select multiple fields.
- Path to field or array of paths. Some APIs support wildcards in the path to select multiple fields.
- Path to field or array of paths. Some APIs support wildcards in the path to select multiple fields.
- filter (object | array[object]): Query, written in Query DSL, used to filter the events on which the EQL query runs. One of: a single Elasticsearch Query DSL (Domain Specific Language) object that defines a query, or an array of such objects (see the external Query DSL documentation).
- A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- Allow query execution also in case of shard failures. If true, the query will keep running and will return results based on the available shards. For sequences, the behavior can be further refined using allow_partial_sequence_results.
- This flag applies only to sequences and has effect only if allow_partial_search_results=true. If true, the sequence query will return results based on the available shards, ignoring the others. If false, the sequence query will return successfully, but will always have empty results.
- Values are tail or head.
- By default, the response of a sample query contains up to 10 samples, with one sample per unique set of join keys. Use the size parameter to get a smaller or larger set of samples. To retrieve more than one sample per set of join keys, use the max_samples_per_key parameter. Pipes are not supported for sample queries.
Console:
GET /my-data-stream/_eql/search
{
  "query": """
    process where (process.name == "cmd.exe" and process.pid != 2013)
  """
}

Python:
resp = client.eql.search(
    index="my-data-stream",
    query="\n process where (process.name == \"cmd.exe\" and process.pid != 2013)\n ",
)

JavaScript:
const response = await client.eql.search({
  index: "my-data-stream",
  query:
    '\n process where (process.name == "cmd.exe" and process.pid != 2013)\n ',
});

Ruby:
response = client.eql.search(
  index: "my-data-stream",
  body: {
    "query": "\n process where (process.name == \"cmd.exe\" and process.pid != 2013)\n "
  }
)

PHP:
$resp = $client->eql()->search([
    "index" => "my-data-stream",
    "body" => [
        "query" => "\n process where (process.name == \"cmd.exe\" and process.pid != 2013)\n ",
    ],
]);

curl:
curl -X GET -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"query":"\n process where (process.name == \"cmd.exe\" and process.pid != 2013)\n "}' "$ELASTICSEARCH_URL/my-data-stream/_eql/search"
{
  "query": """
    sequence by process.pid
      [ file where file.name == "cmd.exe" and process.pid != 2013 ]
      [ process where stringContains(process.executable, "regsvr32") ]
  """
}
{
  "is_partial": false,
  "is_running": false,
  "took": 6,
  "timed_out": false,
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "sequences": [
      {
        "join_keys": [
          2012
        ],
        "events": [
          {
            "_index": ".ds-my-data-stream-2099.12.07-000001",
            "_id": "AtOJ4UjUBAAx3XR5kcCM",
            "_source": {
              "@timestamp": "2099-12-06T11:04:07.000Z",
              "event": {
                "category": "file",
                "id": "dGCHwoeS",
                "sequence": 2
              },
              "file": {
                "accessed": "2099-12-07T11:07:08.000Z",
                "name": "cmd.exe",
                "path": "C:\\Windows\\System32\\cmd.exe",
                "type": "file",
                "size": 16384
              },
              "process": {
                "pid": 2012,
                "name": "cmd.exe",
                "executable": "C:\\Windows\\System32\\cmd.exe"
              }
            }
          },
          {
            "_index": ".ds-my-data-stream-2099.12.07-000001",
            "_id": "OQmfCaduce8zoHT93o4H",
            "_source": {
              "@timestamp": "2099-12-07T11:07:09.000Z",
              "event": {
                "category": "process",
                "id": "aR3NWVOs",
                "sequence": 4
              },
              "process": {
                "pid": 2012,
                "name": "regsvr32.exe",
                "command_line": "regsvr32.exe /s /u /i:https://...RegSvr32.sct scrobj.dll",
                "executable": "C:\\Windows\\System32\\regsvr32.exe"
              }
            }
          }
        ]
      }
    ]
  }
}
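The following is an added example, not code from the Elastic documentation or the Elasticsearch client. It shows how a detection pipeline would assemble the sequence request body above (query plus a Query DSL filter and the partial-result flags) and then consume a sequence response shaped like the sample above. The helper names, the @timestamp range filter and the trimmed sample response embedded in the block are assumptions made for illustration; the response fields used (is_partial, timed_out, hits.sequences, join_keys, events[]._source) are the ones the page documents.

```python
"""Build an EQL sequence request body and consume the sequence response.

Added example (not from the Elastic docs). The sample response below is a
trimmed copy of the page's response example; helper names and the time-window
filter are assumptions for illustration.
"""
import json

# Sequence query from the page: a file event for cmd.exe followed by a process
# event whose executable contains "regsvr32", joined on process.pid.
SEQUENCE_QUERY = """
sequence by process.pid
  [ file where file.name == "cmd.exe" and process.pid != 2013 ]
  [ process where stringContains(process.executable, "regsvr32") ]
"""


def build_eql_request(query, since, size=10, allow_partial=False):
    """Return the JSON body for GET /<index>/_eql/search.

    `filter` narrows the events the EQL query runs over (assumed: a range
    on @timestamp). Keeping allow_partial_search_results false makes the API
    return an error on shard failures instead of a silent subset, so an empty
    result can be read as a genuine negative rather than a gap in coverage.
    """
    return {
        "query": query,
        "filter": {"range": {"@timestamp": {"gte": since}}},
        "size": size,
        "allow_partial_search_results": allow_partial,
        # Only has effect when allow_partial_search_results is true.
        "allow_partial_sequence_results": allow_partial,
    }


def _summarize_event(hit):
    """Reduce one hit to the fields a triage view needs."""
    src = hit["_source"]
    return {
        "category": src["event"]["category"],
        "timestamp": src["@timestamp"],
        "pid": src["process"]["pid"],
        "executable": src["process"]["executable"],
    }


def summarize_sequences(response):
    """Return [(join_keys_tuple, [event summaries]), ...] for a sequence response.

    Raises if the result set is partial or timed out: a sequence computed over
    a subset of shards can miss matches, so it must not be treated as complete.
    """
    if response.get("is_partial") or response.get("timed_out"):
        raise RuntimeError("EQL result is partial or timed out; not a complete result")
    hits = response["hits"]
    return [
        (tuple(seq["join_keys"]), [_summarize_event(ev) for ev in seq["events"]])
        for seq in hits.get("sequences", [])
    ]


# Constructed sample: the page's response example with non-essential fields removed.
SAMPLE_RESPONSE = {
    "is_partial": False,
    "is_running": False,
    "took": 6,
    "timed_out": False,
    "hits": {
        "total": {"value": 1, "relation": "eq"},
        "sequences": [
            {
                "join_keys": [2012],
                "events": [
                    {"_source": {
                        "@timestamp": "2099-12-06T11:04:07.000Z",
                        "event": {"category": "file", "id": "dGCHwoeS", "sequence": 2},
                        "process": {"pid": 2012, "name": "cmd.exe",
                                    "executable": "C:\\Windows\\System32\\cmd.exe"},
                    }},
                    {"_source": {
                        "@timestamp": "2099-12-07T11:07:09.000Z",
                        "event": {"category": "process", "id": "aR3NWVOs", "sequence": 4},
                        "process": {"pid": 2012, "name": "regsvr32.exe",
                                    "executable": "C:\\Windows\\System32\\regsvr32.exe"},
                    }},
                ],
            }
        ],
    },
}


if __name__ == "__main__":
    print(json.dumps(build_eql_request(SEQUENCE_QUERY, "now-1d"), indent=2))
    for join_keys, events in summarize_sequences(SAMPLE_RESPONSE):
        print(join_keys, "->", [e["category"] for e in events])
```

The body returned by build_eql_request is what the Python client sends when you pass the same keys to client.eql.search; summarize_sequences is deliberately strict about is_partial and timed_out, because a sequence detection that silently ran on fewer shards looks identical to "no match" otherwise.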