Event Query Language (EQL)

class elasticsearch.client.EqlClient(client)
Parameters:

client (BaseClient)

delete(*, id, error_trace=None, filter_path=None, human=None, pretty=None)

Deletes an async EQL search or a stored synchronous EQL search. The API also deletes results for the search.

https://www.elastic.co/guide/en/elasticsearch/reference/8.16/eql-search-api.html

Parameters:
  • id (str) – Identifier for the search to delete. A search ID is provided in the EQL search API’s response for an async search. A search ID is also provided if the request’s keep_on_completion parameter is true.

  • error_trace (bool | None)

  • filter_path (str | Sequence[str] | None)

  • human (bool | None)

  • pretty (bool | None)

Return type:

ObjectApiResponse[Any]

get(*, id, error_trace=None, filter_path=None, human=None, keep_alive=None, pretty=None, wait_for_completion_timeout=None)

Returns the current status and available results for an async EQL search or a stored synchronous EQL search.

https://www.elastic.co/guide/en/elasticsearch/reference/8.16/get-async-eql-search-api.html

Parameters:
  • id (str) – Identifier for the search.

  • keep_alive (str | Literal[-1] | Literal[0] | None) – Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search’s EQL search API request.

  • wait_for_completion_timeout (str | Literal[-1] | Literal[0] | None) – Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.

  • error_trace (bool | None)

  • filter_path (str | Sequence[str] | None)

  • human (bool | None)

  • pretty (bool | None)

Return type:

ObjectApiResponse[Any]

get_status(*, id, error_trace=None, filter_path=None, human=None, pretty=None)

Returns the current status for an async EQL search or a stored synchronous EQL search without returning results.

https://www.elastic.co/guide/en/elasticsearch/reference/8.16/get-async-eql-status-api.html

Parameters:
  • id (str) – Identifier for the search.

  • error_trace (bool | None)

  • filter_path (str | Sequence[str] | None)

  • human (bool | None)

  • pretty (bool | None)

Return type:

ObjectApiResponse[Any]

search(*, index, query=None, allow_no_indices=None, case_sensitive=None, error_trace=None, event_category_field=None, expand_wildcards=None, fetch_size=None, fields=None, filter=None, filter_path=None, human=None, ignore_unavailable=None, keep_alive=None, keep_on_completion=None, pretty=None, result_position=None, runtime_mappings=None, size=None, tiebreaker_field=None, timestamp_field=None, wait_for_completion_timeout=None, body=None)

Returns results matching a query expressed in Event Query Language (EQL).

https://www.elastic.co/guide/en/elasticsearch/reference/8.16/eql-search-api.html

Parameters:
  • index (str | Sequence[str]) – Index name, index alias or wildcard (*) pattern to search; a comma-separated string or a sequence of names may be given.

  • query (str | None) – EQL query you wish to run.

  • allow_no_indices (bool | None)

  • case_sensitive (bool | None)

  • event_category_field (str | None) – Field containing the event classification, such as process, file, or network.

  • expand_wildcards (Sequence[str | Literal['all', 'closed', 'hidden', 'none', 'open']] | str | Literal['all', 'closed', 'hidden', 'none', 'open'] | None)

  • fetch_size (int | None) – Maximum number of events to search at a time for sequence queries.

  • fields (Mapping[str, Any] | Sequence[Mapping[str, Any]] | None) – Array of wildcard (*) patterns. The response returns values for field names matching these patterns in the fields property of each hit.

  • filter (Mapping[str, Any] | Sequence[Mapping[str, Any]] | None) – Query, written in Query DSL, used to filter the events on which the EQL query runs.

  • ignore_unavailable (bool | None) – If true, missing or closed indices are not included in the response.

  • keep_alive (str | Literal[-1] | Literal[0] | None)

  • keep_on_completion (bool | None)

  • result_position (str | Literal['head', 'tail'] | None)

  • runtime_mappings (Mapping[str, Mapping[str, Any]] | None)

  • size (int | None) – For basic queries, the maximum number of matching events to return. Defaults to 10.

  • tiebreaker_field (str | None) – Field used to sort hits with the same timestamp in ascending order.

  • timestamp_field (str | None) – Field containing the event timestamp. Defaults to “@timestamp”.

  • wait_for_completion_timeout (str | Literal[-1] | Literal[0] | None)

  • error_trace (bool | None)

  • filter_path (str | Sequence[str] | None)

  • human (bool | None)

  • pretty (bool | None)

  • body (Dict[str, Any] | None)

Return type:

ObjectApiResponse[Any]
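The following is an added example, not code from elasticsearch-py, showing how the four methods above fit together in a detection job: submit a sequence query with keep_on_completion, poll get_status while the search is running, fetch the hits with get, and always delete the stored search so results do not linger on the cluster past their usefulness. The `eql` argument is duck-typed, so `Elasticsearch(...).eql` can be passed for a real cluster; `FakeEqlClient`, the ECS field names in the query, and the constructed hit data exist only so the example runs offline. Response field names (`id`, `is_running`, `is_partial`, `completion_status`, `hits.sequences`, `join_keys`) follow the EQL search and status API responses.

```python
"""Added example (not elasticsearch-py code): async EQL search lifecycle."""
import time
from typing import Any, Callable, Dict, List, Tuple

# Constructed detection query (ECS field names assumed): an interactive shell
# start followed within two minutes by an outbound connection to a non-private
# address from the same process entity.
SHELL_THEN_EGRESS = """
sequence by process.entity_id with maxspan=2m
  [process where event.type == "start" and process.name in ("powershell.exe", "cmd.exe")]
  [network where event.type == "connection"
     and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
"""


def _body(resp: Any) -> Dict[str, Any]:
    # ObjectApiResponse exposes the decoded JSON as .body; plain dicts pass through.
    return getattr(resp, "body", resp)


def run_eql_search(eql: Any, index: str, query: str, *, keep_alive: str = "5m",
                   wait_for_completion_timeout: str = "2s", max_polls: int = 30,
                   poll_interval: float = 1.0,
                   sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Submit `query`, wait for completion and return the `hits` object.
    The stored search is deleted on every exit path, including errors."""
    resp = _body(eql.search(
        index=index, query=query, size=100,
        filter={"range": {"@timestamp": {"gte": "now-24h"}}},  # Query DSL pre-filter
        keep_on_completion=True,      # keep results even if the wait completes in time
        keep_alive=keep_alive,        # bound how long the cluster retains them
        wait_for_completion_timeout=wait_for_completion_timeout,
    ))
    # id is returned for async searches, and for sync ones when keep_on_completion=True
    search_id = resp.get("id")
    try:
        if not resp.get("is_running") and not resp.get("is_partial"):
            return resp["hits"]  # finished within the wait: results are inline
        # Still running: poll the cheap status endpoint rather than fetching results.
        for _ in range(max_polls):
            status = _body(eql.get_status(id=search_id))
            if not status["is_running"]:
                break
            sleep(poll_interval)
        else:
            raise TimeoutError(f"EQL search {search_id} still running after {max_polls} polls")
        if status.get("completion_status", 200) != 200:
            raise RuntimeError(f"EQL search {search_id} failed: {status}")
        return _body(eql.get(id=search_id))["hits"]
    finally:
        if search_id:
            eql.delete(id=search_id)


def sequences_to_alerts(hits: Dict[str, Any]) -> List[Tuple[Tuple[Any, ...], List[str]]]:
    """Flatten sequence hits into (join keys, [event.category per step]) pairs.
    Basic (non-sequence) queries put single events under hits["events"] instead."""
    alerts = []
    for seq in hits.get("sequences", []):
        steps = [e["_source"]["event"]["category"] for e in seq["events"]]
        alerts.append((tuple(seq["join_keys"]), steps))
    return alerts


class FakeEqlClient:
    """Constructed offline stand-in for elasticsearch.client.EqlClient.
    polls_until_done > 0 simulates an async search that outlives the wait."""

    def __init__(self, polls_until_done: int = 0):
        self.polls_until_done = polls_until_done
        self.calls: List[str] = []
        self._hits = {"total": {"value": 1, "relation": "eq"}, "sequences": [{
            "join_keys": ["host-1-4412"],
            "events": [
                {"_index": "logs-endpoint", "_id": "a1", "_source": {
                    "event": {"category": "process", "type": "start"},
                    "process": {"name": "powershell.exe", "entity_id": "host-1-4412"}}},
                {"_index": "logs-endpoint", "_id": "a2", "_source": {
                    "event": {"category": "network", "type": "connection"},
                    "destination": {"ip": "203.0.113.10"}}},
            ]}]}

    def search(self, *, index, query=None, **kwargs):
        self.calls.append("search")
        running = self.polls_until_done > 0
        resp = {"id": "search-001", "is_partial": running, "is_running": running}
        if not running:
            resp["hits"] = self._hits
        return resp

    def get_status(self, *, id, **kwargs):
        self.calls.append("get_status")
        self.polls_until_done -= 1
        done = self.polls_until_done <= 0
        status = {"id": id, "is_running": not done, "is_partial": not done}
        if done:
            status["completion_status"] = 200
        return status

    def get(self, *, id, **kwargs):
        self.calls.append("get")
        return {"id": id, "is_running": False, "is_partial": False, "hits": self._hits}

    def delete(self, *, id, **kwargs):
        self.calls.append("delete")
        return {"acknowledged": True}


if __name__ == "__main__":
    client = FakeEqlClient(polls_until_done=3)
    hits = run_eql_search(client, "logs-endpoint-*", SHELL_THEN_EGRESS, sleep=lambda _: None)
    for keys, steps in sequences_to_alerts(hits):
        print(f"ALERT entity={keys} chain={' -> '.join(steps)}")
    print("calls:", client.calls)
```

Polling get_status instead of get keeps the client from pulling partial result sets on every iteration, and the `finally` clause is what makes keep_on_completion safe to use: without it, a crashed or interrupted job leaves stored results on the cluster until keep_alive expires.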