Event Query Language (EQL)
- class elasticsearch.client.EqlClient(client)
- Parameters:
client (BaseClient)
- delete(*, id, error_trace=None, filter_path=None, human=None, pretty=None)
Deletes an async EQL search or a stored synchronous EQL search. The API also deletes results for the search.
https://www.elastic.co/guide/en/elasticsearch/reference/8.16/eql-search-api.html
- Parameters:
- Return type:
- get(*, id, error_trace=None, filter_path=None, human=None, keep_alive=None, pretty=None, wait_for_completion_timeout=None)
Returns the current status and available results for an async EQL search or a stored synchronous EQL search.
https://www.elastic.co/guide/en/elasticsearch/reference/8.16/get-async-eql-search-api.html
- Parameters:
id (str) – Identifier for the search.
keep_alive (str | Literal[-1] | Literal[0] | None) – Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search’s EQL search API request.
wait_for_completion_timeout (str | Literal[-1] | Literal[0] | None) – Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.
error_trace (bool | None)
human (bool | None)
pretty (bool | None)
- Return type:
- get_status(*, id, error_trace=None, filter_path=None, human=None, pretty=None)
Returns the current status for an async EQL search or a stored synchronous EQL search without returning results.
https://www.elastic.co/guide/en/elasticsearch/reference/8.16/get-async-eql-status-api.html
- search(*, index, query=None, allow_no_indices=None, case_sensitive=None, error_trace=None, event_category_field=None, expand_wildcards=None, fetch_size=None, fields=None, filter=None, filter_path=None, human=None, ignore_unavailable=None, keep_alive=None, keep_on_completion=None, pretty=None, result_position=None, runtime_mappings=None, size=None, tiebreaker_field=None, timestamp_field=None, wait_for_completion_timeout=None, body=None)
Returns results matching a query expressed in Event Query Language (EQL).
https://www.elastic.co/guide/en/elasticsearch/reference/8.16/eql-search-api.html
- Parameters:
index (str | Sequence[str]) – The name of the index to scope the operation.
query (str | None) – EQL query you wish to run.
allow_no_indices (bool | None)
case_sensitive (bool | None)
event_category_field (str | None) – Field containing the event classification, such as process, file, or network.
expand_wildcards (Sequence[str | Literal['all', 'closed', 'hidden', 'none', 'open']] | str | Literal['all', 'closed', 'hidden', 'none', 'open'] | None)
fetch_size (int | None) – Maximum number of events to search at a time for sequence queries.
fields (Mapping[str, Any] | Sequence[Mapping[str, Any]] | None) – Array of wildcard (*) patterns. The response returns values for field names matching these patterns in the fields property of each hit.
filter (Mapping[str, Any] | Sequence[Mapping[str, Any]] | None) – Query, written in Query DSL, used to filter the events on which the EQL query runs.
ignore_unavailable (bool | None) – If true, missing or closed indices are not included in the response.
keep_on_completion (bool | None)
size (int | None) – For basic queries, the maximum number of matching events to return. Defaults to 10.
tiebreaker_field (str | None) – Field used to sort hits with the same timestamp in ascending order.
timestamp_field (str | None) – Field containing the event timestamp. Defaults to “@timestamp”.
wait_for_completion_timeout (str | Literal[-1] | Literal[0] | None)
error_trace (bool | None)
human (bool | None)
pretty (bool | None)
- Return type:
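As an added example (not code from the elasticsearch-py documentation or the client itself), the lifecycle a detection job needs across these three methods: search() with a wait_for_completion_timeout, get() polled while the response reports is_running, and delete() once the stored results have been consumed so they stop occupying cluster memory. The sample sequence query, the fake client and its hits are constructed for illustration, and poll_interval is a hypothetical parameter added for testability.

```python
import time

# Constructed sample query: a process start followed by any network event on the same host.
QUERY = 'sequence by host.id [process where event.type == "start"] [network where true]'

def run_eql(client, index, query, *, keep_alive="1m", wait="2s", poll_interval=0.0, **kw):
    """Run an EQL query and return its completed hits, polling if the search went async.

    ``client`` is anything exposing eql.search/get/delete as documented above (the real
    ``Elasticsearch`` client or FakeEql() below); ``poll_interval`` is a hypothetical knob.
    """
    resp = client.eql.search(index=index, query=query, keep_alive=keep_alive,
                             wait_for_completion_timeout=wait, **kw)
    body = getattr(resp, "body", resp)  # ObjectApiResponse exposes .body; a dict is used as-is
    search_id = body.get("id")  # only set when the search went async or keep_on_completion=True
    while body.get("is_running"):  # not done within wait_for_completion_timeout: keep polling
        time.sleep(poll_interval)
        resp = client.eql.get(id=search_id, keep_alive=keep_alive, wait_for_completion_timeout=wait)
        body = getattr(resp, "body", resp)
    try:
        return body["hits"]
    finally:
        if search_id:  # stored results occupy cluster memory until keep_alive expires; free them
            client.eql.delete(id=search_id)

def sequence_join_keys(hits):
    """Flatten sequence hits to (join_keys, [event _id, ...]) pairs for triage."""
    return [(tuple(seq["join_keys"]), [ev["_id"] for ev in seq["events"]])
            for seq in hits.get("sequences", [])]

class FakeEql:
    """Constructed stand-in for an Elasticsearch client whose .eql namespace is itself:
    search() reports a running async search, get() returns one completed sequence."""
    def __init__(self):
        self.eql, self.calls = self, []
        self.hits = {"total": {"value": 1, "relation": "eq"}, "sequences": [{
            "join_keys": ["host-01"],
            "events": [{"_id": "1", "_source": {"event": {"category": "process", "type": "start"}}},
                       {"_id": "2", "_source": {"event": {"category": "network"}}}]}]}
    def search(self, **kw):
        self.calls.append("search")
        return {"id": "s1", "is_running": True, "hits": {}}
    def get(self, **kw):
        self.calls.append("get")
        return {"id": "s1", "is_running": False, "hits": self.hits}
    def delete(self, **kw):
        self.calls.append("delete")
        return {"acknowledged": True}
```

With a real client, pass the Query DSL `filter` and `fields` arguments through `**kw` exactly as documented above; the hits dict returned is the `hits` object of the EQL search response.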