Event Query Language (EQL)
- class elasticsearch.client.EqlClient
To use this client, access client.eql from an Elasticsearch client. For example:

    from elasticsearch import Elasticsearch

    # Create the client instance
    client = Elasticsearch(...)

    # Use the eql client
    client.eql.<method>(...)
- delete(*, id, error_trace=None, filter_path=None, human=None, pretty=None)
Delete an async EQL search.
Delete an async EQL search or a stored synchronous EQL search. The API also deletes results for the search.
https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-eql-delete
- Parameters:
id (str) – Identifier for the search.
error_trace (bool | None)
human (bool | None)
pretty (bool | None)
- get(*, id, error_trace=None, filter_path=None, human=None, keep_alive=None, pretty=None, wait_for_completion_timeout=None)
Get async EQL search results.
Get the current status and available results for an async EQL search or a stored synchronous EQL search.
https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-eql-get
- Parameters:
id (str) – Identifier for the search.
keep_alive (str | Literal[-1] | Literal[0] | None) – Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search's EQL search API request.
wait_for_completion_timeout (str | Literal[-1] | Literal[0] | None) – Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.
error_trace (bool | None)
human (bool | None)
pretty (bool | None)
- get_status(*, id, error_trace=None, filter_path=None, human=None, pretty=None)
Get the async EQL status.
Get the current status for an async EQL search or a stored synchronous EQL search without returning results.
https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-eql-get-status
- search(*, index, query=None, allow_no_indices=None, allow_partial_search_results=None, allow_partial_sequence_results=None, case_sensitive=None, ccs_minimize_roundtrips=None, error_trace=None, event_category_field=None, expand_wildcards=None, fetch_size=None, fields=None, filter=None, filter_path=None, human=None, ignore_unavailable=None, keep_alive=None, keep_on_completion=None, max_samples_per_key=None, pretty=None, project_routing=None, result_position=None, runtime_mappings=None, size=None, tiebreaker_field=None, timestamp_field=None, wait_for_completion_timeout=None, body=None)
Get EQL search results.
Returns search results for an Event Query Language (EQL) query. EQL assumes each document in a data stream or index corresponds to an event.
https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-eql-search
- Parameters:
index (str | Sequence[str]) – Comma-separated list of index names to scope the operation.
query (str | None) – EQL query you wish to run.
allow_no_indices (bool | None) – Whether to ignore a wildcard index expression that resolves to no concrete indices (this includes the _all string and the case where no indices are specified).
allow_partial_search_results (bool | None) – Allow query execution even when some shards fail. If true, the query keeps running and returns results based on the available shards. For sequences, the behavior can be further refined using allow_partial_sequence_results.
allow_partial_sequence_results (bool | None) – This flag applies only to sequences and has effect only if allow_partial_search_results=true. If true, the sequence query will return results based on the available shards, ignoring the others. If false, the sequence query will return successfully, but will always have empty results.
case_sensitive (bool | None)
ccs_minimize_roundtrips (bool | None) – Indicates whether network round-trips should be minimized when executing cross-cluster search requests.
event_category_field (str | None) – Field containing the event classification, such as process, file, or network.
expand_wildcards (Sequence[str | Literal['all', 'closed', 'hidden', 'none', 'open']] | str | Literal['all', 'closed', 'hidden', 'none', 'open'] | None) – Whether to expand wildcard expressions to concrete indices that are open, closed, or both.
fetch_size (int | None) – Maximum number of events to search at a time for sequence queries.
fields (Mapping[str, Any] | Sequence[Mapping[str, Any]] | None) – Array of wildcard (*) patterns. The response returns values for field names matching these patterns in the fields property of each hit.
filter (Mapping[str, Any] | Sequence[Mapping[str, Any]] | None) – Query, written in Query DSL, used to filter the events on which the EQL query runs.
ignore_unavailable (bool | None) – If true, missing or closed indices are not included in the response.
keep_on_completion (bool | None)
max_samples_per_key (int | None) – By default, the response of a sample query contains up to 10 samples, with one sample per unique set of join keys. Use the size parameter to get a smaller or larger set of samples. To retrieve more than one sample per set of join keys, use the max_samples_per_key parameter. Pipes are not supported for sample queries.
project_routing (str | None) – Specifies a subset of projects to target using project metadata tags in a subset of Lucene query syntax. Allowed Lucene queries: the _alias tag and a single value (possibly wildcarded). Examples: _alias:my-project, _alias:_origin, _alias:pr*. Supported in serverless only.
size (int | None) – For basic queries, the maximum number of matching events to return. Defaults to 10.
tiebreaker_field (str | None) – Field used to sort hits with the same timestamp in ascending order.
timestamp_field (str | None) – Field containing event timestamp.
wait_for_completion_timeout (str | Literal[-1] | Literal[0] | None)
error_trace (bool | None)
human (bool | None)
pretty (bool | None)
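The four methods above are normally used together: search() submits a query with wait_for_completion_timeout and keep_on_completion so that a search id comes back instead of a blocking call, get_status() is polled until is_running is false, get() fetches the stored results, and delete() removes them from the cluster. The following is an added example, not code from the elasticsearch-py documentation or the project itself. It drives that async lifecycle for a constructed sequence query (PowerShell start followed by a network connection from the same process) against a constructed stand-in client, FakeEqlClient, which mimics only the methods and the response keys (id, is_running, is_partial, hits) that the workflow needs, so it runs offline. The run_async_eql() function takes any object with those four methods, so client.eql from a real Elasticsearch client is the intended drop-in.

```python
"""Added example (not part of elasticsearch-py): submit, poll, fetch and
delete an async EQL search, against a constructed fake client."""
from typing import Any, Dict, List

# Constructed sample events (ECS-style field names) that the fake cluster
# returns for the sequence query below.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"_source": {"@timestamp": "2024-01-01T00:00:00Z",
                 "event": {"category": "process", "type": "start"},
                 "process": {"name": "powershell.exe", "entity_id": "p-1"}}},
    {"_source": {"@timestamp": "2024-01-01T00:00:03Z",
                 "event": {"category": "network", "type": "connection"},
                 "process": {"entity_id": "p-1"},
                 "destination": {"ip": "203.0.113.5"}}},
]

# Constructed EQL sequence query: two events joined on process.entity_id.
SEQUENCE_QUERY = """
sequence by process.entity_id
  [process where event.type == "start" and process.name == "powershell.exe"]
  [network where event.type == "connection"]
"""


class FakeEqlClient:
    """Constructed stand-in for elasticsearch.client.EqlClient.

    Each search stays 'running' for polls_until_done get_status() calls,
    so the polling path of run_async_eql() is actually exercised."""

    def __init__(self, polls_until_done: int = 2) -> None:
        self._searches: Dict[str, Dict[str, Any]] = {}
        self._polls_until_done = polls_until_done
        self.deleted: List[str] = []

    def search(self, *, index, query=None, **kwargs) -> Dict[str, Any]:
        search_id = f"constructed-search-{len(self._searches) + 1}"
        self._searches[search_id] = {"remaining": self._polls_until_done,
                                     "query": query}
        # Not finished within wait_for_completion_timeout: id, no results yet.
        return {"id": search_id, "is_running": True, "is_partial": True,
                "hits": {"events": []}}

    def get_status(self, *, id, **kwargs) -> Dict[str, Any]:
        state = self._searches[id]
        state["remaining"] -= 1
        running = state["remaining"] > 0
        return {"id": id, "is_running": running, "is_partial": running}

    def get(self, *, id, **kwargs) -> Dict[str, Any]:
        if self._searches[id]["remaining"] > 0:
            return {"id": id, "is_running": True, "is_partial": True,
                    "hits": {"events": []}}
        return {"id": id, "is_running": False, "is_partial": False,
                "hits": {"total": {"value": len(SAMPLE_EVENTS)},
                         "sequences": [{"join_keys": ["p-1"],
                                        "events": SAMPLE_EVENTS}]}}

    def delete(self, *, id, **kwargs) -> Dict[str, Any]:
        self._searches.pop(id)
        self.deleted.append(id)
        return {"acknowledged": True}

    def pending(self) -> int:
        """Number of searches still stored on the fake cluster."""
        return len(self._searches)


def _flatten(hits: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Basic queries return hits.events; sequence queries return hits.sequences."""
    events = list(hits.get("events", []))
    for seq in hits.get("sequences", []):
        events.extend(seq.get("events", []))
    return events


def run_async_eql(eql, index: str, query: str,
                  max_polls: int = 10) -> List[Dict[str, Any]]:
    """Run an EQL search asynchronously and return its events.

    The stored search is always deleted afterwards (even on timeout), so
    results do not linger on the cluster past their use."""
    resp = eql.search(
        index=index,
        query=query,
        wait_for_completion_timeout="1s",  # hand back an id instead of blocking
        keep_on_completion=True,           # keep results so get() can read them
        keep_alive="5m",                   # bounded retention while polling
    )
    search_id = resp["id"] if "id" in resp else None
    if search_id is None:
        # Finished within the timeout and not stored: results are inline.
        return _flatten(resp["hits"])
    try:
        polls = 0
        while resp["is_running"]:
            polls += 1
            if polls > max_polls:
                raise TimeoutError(
                    f"EQL search {search_id} still running after {max_polls} polls")
            resp = eql.get_status(id=search_id)
        return _flatten(eql.get(id=search_id)["hits"])
    finally:
        eql.delete(id=search_id)


if __name__ == "__main__":
    fake = FakeEqlClient(polls_until_done=2)
    for ev in run_async_eql(fake, "logs-endpoint-*", SEQUENCE_QUERY):
        print(ev["_source"]["@timestamp"], ev["_source"]["event"]["category"])
    print("stored searches left:", fake.pending())
```

In production the polling loop would sleep between get_status() calls; the try/finally around delete() is the part worth keeping, since a search kept with keep_on_completion otherwise stays on the cluster until keep_alive expires.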