This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.
EQL search on nested fields is not supported
You cannot use EQL to search the values of a nested field or the sub-fields of a nested field. However, data streams and indices containing nested field mappings are otherwise supported.
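The following added example, which is not Elastic's code, walks an index mapping and reports which fields an EQL query cannot reference because they are nested fields or sub-fields of one. The mapping, the field names, and the helper names are constructed for illustration.

```python
# Added example: pre-flight check for EQL rules against an index mapping.
# All field names and the mapping below are constructed sample data.

def nested_paths(properties, prefix=""):
    """Return the dotted path of every field mapped as type `nested`."""
    found = []
    for name, spec in properties.items():
        path = prefix + name
        if spec.get("type") == "nested":
            found.append(path)
        # Object and nested fields both keep their sub-fields under `properties`.
        found.extend(nested_paths(spec.get("properties", {}), path + "."))
    return found

def eql_unsearchable(field, nested):
    """True if `field` is a nested field or a sub-field of a nested field."""
    # Compare on a dot boundary so `a.b_extra` is not mistaken for `a.b.*`.
    return any(field == p or field.startswith(p + ".") for p in nested)

def blocked_fields(query_fields, mapping):
    """Return the fields from `query_fields` that EQL cannot search."""
    nested = nested_paths(mapping.get("properties", {}))
    return [f for f in query_fields if eql_unsearchable(f, nested)]

# Constructed mapping, in the shape of the `mappings` object of an index.
SAMPLE_MAPPING = {
    "properties": {
        "@timestamp": {"type": "date"},
        "event": {"properties": {"category": {"type": "keyword"}}},
        "process": {
            "properties": {
                "name": {"type": "keyword"},
                "modules": {  # hypothetical nested field
                    "type": "nested",
                    "properties": {"path": {"type": "keyword"}},
                },
            }
        },
    }
}

if __name__ == "__main__":
    # Fields a hypothetical detection rule wants to reference in EQL.
    wanted = ["process.name", "process.modules.path", "event.category"]
    print(blocked_fields(wanted, SAMPLE_MAPPING))
```

Fields the check reports must be left out of the EQL query; the index itself can still be searched with EQL on its other fields.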
Elasticsearch supports a subset of EQL syntax. Elasticsearch cannot run EQL queries that contain: