Event Query Language (EQL)

class elasticsearch.client.EqlClient

To use this client, access client.eql from an Elasticsearch client. For example:

from elasticsearch import Elasticsearch

# Create the client instance
client = Elasticsearch(...)
# Use the eql client
client.eql.<method>(...)

delete(*, id, error_trace=None, filter_path=None, human=None, pretty=None)

Delete an async EQL search. Delete an async EQL search or a stored synchronous EQL search. The API also deletes results for the search.

https://www.elastic.co/docs/api/doc/elasticsearch/v8/operation/operation-eql-delete

Parameters:

• id (str) – Identifier for the search to delete. A search ID is provided in the EQL search API’s response for an async search. A search ID is also provided if the request’s keep_on_completion parameter is true.

• error_trace (bool | None)

• filter_path (str | Sequence[str] | None)

• human (bool | None)

• pretty (bool | None)

Return type:

ObjectApiResponse[Any]

get(*, id, error_trace=None, filter_path=None, human=None, keep_alive=None, pretty=None, wait_for_completion_timeout=None)

Get async EQL search results. Get the current status and available results for an async EQL search or a stored synchronous EQL search.

https://www.elastic.co/guide/en/elasticsearch/reference/8.18/get-async-eql-search-api.html

Parameters:

• id (str) – Identifier for the search.

• keep_alive (str | Literal[-1] | ~typing.Literal[0] | None) – Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search’s EQL search API request.

• wait_for_completion_timeout (str | Literal[-1] | ~typing.Literal[0] | None) – Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.

• error_trace (bool | None)

• filter_path (str | Sequence[str] | None)

• human (bool | None)

• pretty (bool | None)

Return type:

ObjectApiResponse[Any]

get_status(*, id, error_trace=None, filter_path=None, human=None, pretty=None)

Get the async EQL status. Get the current status for an async EQL search or a stored synchronous EQL search without returning results.

https://www.elastic.co/guide/en/elasticsearch/reference/8.18/get-async-eql-status-api.html

Parameters:

• id (str) – Identifier for the search.

• error_trace (bool | None)

• filter_path (str | Sequence[str] | None)

• human (bool | None)

• pretty (bool | None)

Return type:

ObjectApiResponse[Any]

search(*, index, query=None, allow_no_indices=None, allow_partial_search_results=None, allow_partial_sequence_results=None, case_sensitive=None, error_trace=None, event_category_field=None, expand_wildcards=None, fetch_size=None, fields=None, filter=None, filter_path=None, human=None, ignore_unavailable=None, keep_alive=None, keep_on_completion=None, max_samples_per_key=None, pretty=None, result_position=None, runtime_mappings=None, size=None, tiebreaker_field=None, timestamp_field=None, wait_for_completion_timeout=None, body=None)

Get EQL search results. Returns search results for an Event Query Language (EQL) query. EQL assumes each document in a data stream or index corresponds to an event.

https://www.elastic.co/guide/en/elasticsearch/reference/8.18/eql-search-api.html

Parameters:

• index (str | Sequence[str]) – The name of the index to scope the operation

• query (str | None) – EQL query you wish to run.

• allow_no_indices (bool | None)

• allow_partial_search_results (bool | None) – Allow query execution also in case of shard failures. If true, the query will keep running and will return results based on the available shards. For sequences, the behavior can be further refined using allow_partial_sequence_results

• allow_partial_sequence_results (bool | None) – This flag applies only to sequences and has effect only if allow_partial_search_results=true. If true, the sequence query will return results based on the available shards, ignoring the others. If false, the sequence query will return successfully, but will always have empty results.

• case_sensitive (bool | None)

• event_category_field (str | None) – Field containing the event classification, such as process, file, or network.

• expand_wildcards (Sequence[str | Literal['all', 'closed', 'hidden', 'none', 'open']] | str | ~typing.Literal['all', 'closed', 'hidden', 'none', 'open'] | None)

• fetch_size (int | None) – Maximum number of events to search at a time for sequence queries.

• fields (Mapping[str, Any] | Sequence[Mapping[str, Any]] | None) – Array of wildcard (*) patterns. The response returns values for field names matching these patterns in the fields property of each hit.

• filter (Mapping[str, Any] | Sequence[Mapping[str, Any]] | None) – Query, written in Query DSL, used to filter the events on which the EQL query runs.

• ignore_unavailable (bool | None) – If true, missing or closed indices are not included in the response.

• keep_alive (str | Literal[-1] | ~typing.Literal[0] | None)

• keep_on_completion (bool | None)

• max_samples_per_key (int | None) – By default, the response of a sample query contains up to 10 samples, with one sample per unique set of join keys. Use the size parameter to get a smaller or larger set of samples. To retrieve more than one sample per set of join keys, use the max_samples_per_key parameter. Pipes are not supported for sample queries.

• result_position (str | Literal['head', 'tail'] | None)

• runtime_mappings (Mapping[str, Mapping[str, Any]] | None)

• size (int | None) – For basic queries, the maximum number of matching events to return. Defaults to 10

• tiebreaker_field (str | None) – Field used to sort hits with the same timestamp in ascending order

• timestamp_field (str | None) – Field containing event timestamp. Default “@timestamp”

• wait_for_completion_timeout (str | Literal[-1] | ~typing.Literal[0] | None)

• error_trace (bool | None)

• filter_path (str | Sequence[str] | None)

• human (bool | None)

• pretty (bool | None)

• body (Dict[str, Any] | None)

Return type:

ObjectApiResponse[Any]