EQL limitations

This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.

EQL search on nested fields is not supported

You cannot use EQL to search the values of a nested field or the sub-fields of a nested field. However, data streams and indices containing nested field mappings are otherwise supported.
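
A pre-flight check for the limitation above, as an added example that is not part of the Elastic documentation: it walks the `properties` section of an index mapping, collects every field mapped as `nested`, and reports which fields of a planned EQL query sit at or below one. The mapping and field names are constructed for illustration, and the list of query fields is assumed to be supplied by the caller rather than parsed from the EQL text.

```python
# Added example. SAMPLE_PROPERTIES is a constructed mapping, not a real index.

def nested_paths(properties, prefix=""):
    """Return the dotted path of every field mapped as type 'nested'."""
    found = []
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if spec.get("type") == "nested":
            # Sub-fields of a nested field are unsearchable too, so stop here.
            found.append(path)
            continue
        # Object fields keep their sub-fields under "properties".
        if "properties" in spec:
            found.extend(nested_paths(spec["properties"], path + "."))
    return sorted(found)


def blocked_fields(query_fields, properties):
    """Map each field EQL cannot search to the nested field that blocks it."""
    nested = nested_paths(properties)
    blocked = {}
    for field in query_fields:
        for root in nested:
            # Match the nested field itself or anything below it, but not a
            # sibling that merely shares the prefix (threat vs threat_score).
            if field == root or field.startswith(root + "."):
                blocked[field] = root
                break
    return blocked


SAMPLE_PROPERTIES = {
    "@timestamp": {"type": "date"},
    "process": {"properties": {
        "name": {"type": "keyword"},
        "threads": {"type": "nested", "properties": {"id": {"type": "long"}}},
    }},
    "threat": {"type": "nested", "properties": {
        "technique": {"properties": {"id": {"type": "keyword"}}},
    }},
    "threat_score": {"type": "float"},
}

if __name__ == "__main__":
    wanted = ["process.name", "process.threads.id",
              "threat.technique.id", "threat_score"]
    for field, root in blocked_fields(wanted, SAMPLE_PROPERTIES).items():
        print(f"{field}: not searchable with EQL (under nested field {root})")
```
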

Unsupported syntax

Elasticsearch supports a subset of EQL syntax. Elasticsearch cannot run EQL queries that contain: