EQL limitations

This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features.

EQL search on nested fields is not supported

You cannot use EQL to search the values of a nested field or the sub-fields of a nested field. However, indices containing nested field mappings are otherwise supported.
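
The following is an added example, not part of the Elasticsearch documentation: a pre-flight check that walks an index mapping, collects every field mapped as type nested, and flags EQL queries that reference one of those fields or a sub-field. The index name, field names and queries are constructed, and the tokenizer is a simple heuristic, not an EQL parser.

```python
import re

# Constructed sample in the shape returned by GET /my-index/_mapping.
# The index and field names are hypothetical.
SAMPLE_MAPPING = {"my-index": {"mappings": {"properties": {
    "@timestamp": {"type": "date"},
    "event": {"properties": {"category": {"type": "keyword"}}},
    "process": {"properties": {
        "name": {"type": "keyword"},
        "threads": {"type": "nested",
                    "properties": {"id": {"type": "long"}}},
    }},
}}}}


def nested_paths(properties, prefix=""):
    """Return the dotted path of every field mapped as type "nested"."""
    found = []
    for name, spec in properties.items():
        path = prefix + name
        if spec.get("type") == "nested":
            found.append(path)
        # Object and nested fields both keep their children in "properties".
        found.extend(nested_paths(spec.get("properties", {}), path + "."))
    return found


def nested_refs_in_query(query, mapping):
    """Return field references in an EQL query that hit a nested field
    or one of its sub-fields (heuristic tokenizer, assumption of this example)."""
    nested = []
    for index_body in mapping.values():
        nested.extend(nested_paths(index_body["mappings"].get("properties", {})))
    # Blank out string literals so quoted values are not read as field names.
    stripped = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    tokens = set(re.findall(r"[A-Za-z_@][\w@]*(?:\.[\w@]+)*", stripped))
    return sorted(
        t for t in tokens
        if any(t == p or t.startswith(p + ".") for p in nested)
    )


if __name__ == "__main__":
    q = 'process where process.name == "cmd.exe" and process.threads.id > 4'
    print(nested_refs_in_query(q, SAMPLE_MAPPING))
```

A query that only touches non-nested fields of the same index returns an empty list, matching the statement that such indices are otherwise supported.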

Unsupported syntax

Elasticsearch supports a subset of EQL syntax. Elasticsearch cannot run EQL queries that contain: