Commit 9c7c778

[DOCS] Fix EQL required fields language
1 parent 633e00a commit 9c7c778

File tree

1 file changed

+16
-11
lines changed
docs/reference/eql/eql.asciidoc

Lines changed: 16 additions & 11 deletions
@@ -32,15 +32,18 @@ makes it easy to describe activity that goes beyond IOCs.
3232
[[eql-required-fields]]
3333
== Required fields
3434

35+
TIP: While no schema is required to use EQL in {es}, we recommend using the
36+
{ecs-ref}[Elastic Common Schema (ECS)]. EQL search is designed to work
37+
with core ECS fields by default.
38+
3539
EQL assumes each document in a data stream or index corresponds to an event. To
36-
search using EQL, each document in the searched data stream or index must
37-
include a _timestamp_ field and an _event category_ field.
40+
run an EQL search, each document must contain a _timestamp_ and _event category_
41+
field.
3842

39-
{es} EQL uses the `@timestamp` and `event.category` fields from the
40-
{ecs-ref}[Elastic Common Schema (ECS)] as the default timestamp and event
41-
category fields. If your searched documents use a different timestamp or event
42-
category field, you must specify it in the search request. See
43-
<<specify-a-timestamp-or-event-category-field>>.
43+
EQL uses the `@timestamp` and `event.category` fields from the {ecs-ref}[ECS] as
44+
the default timestamp and event category fields. If your documents use a
45+
different timestamp or event category field, you must specify it in the search
46+
request. See <<specify-a-timestamp-or-event-category-field>>.
4447

4548
[discrete]
4649
[[run-an-eql-search]]
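Review bot: the added TIP opens with "While no schema is required to use EQL" and is immediately followed by the paragraph saying every document must contain a timestamp and event category field, which reads as a contradiction on first pass; suggest "While EQL does not require a particular schema, we recommend using the {ecs-ref}[Elastic Common Schema (ECS)]." Also, "EQL search is designed to work with core ECS fields by default" is vaguer than the paragraph below it, which names the two fields that actually matter; naming them in the tip as well, e.g. "EQL search uses the ECS `@timestamp` and `event.category` fields by default.", tells the reader what "core ECS fields" means here.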
@@ -404,10 +407,12 @@ GET /my-index-000001/_eql/search
404407
[[specify-a-timestamp-or-event-category-field]]
405408
=== Specify a timestamp or event category field
406409

407-
By default, the EQL search API uses `@timestamp` and `event.category` as the
408-
required timestamp and event category fields. If your searched documents use
409-
a different timestamp or event category field, you must specify it in the search
410-
request using the `timestamp_field` or `event_category_field` parameters.
410+
To run an EQL search, each searched document must contain a timestamp and event
411+
category field. The EQL search API uses the `@timestamp` and `event.category`
412+
fields from the {ecs-ref}[Elastic Common Schema (ECS)] by default. If your
413+
documents use a different timestamp or event category field, you must specify it
414+
in the search request using the `timestamp_field` or `event_category_field`
415+
parameters.
411416

412417
The event category field is typically mapped as a <<keyword,`keyword`>> or
413418
<<constant-keyword,constant keyword>> field. The timestamp field is typically
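Review bot: the new first sentence of this section, "To run an EQL search, each searched document must contain a timestamp and event category field.", restates the `[[eql-required-fields]]` section added in the first hunk almost word for word, so the two will drift apart on the next edit; suggest replacing it with a cross-reference, e.g. "Each searched document must contain a timestamp and event category field. See <<eql-required-fields>>." Likewise, the ECS link is already given twice above, so "{ecs-ref}[ECS]" is enough here. In the last sentence, "using the `timestamp_field` or `event_category_field` parameters" should make the pairing with the two defaults explicit, e.g. "... `timestamp_field` or `event_category_field` parameters, respectively."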