EQL requirements

This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.

EQL is schema-less and works well with most common log formats.

While no schema is required to use EQL in Elasticsearch, we recommend the Elastic Common Schema (ECS). The EQL search API is designed to work with core ECS fields by default.

Required fields

In Elasticsearch, EQL assumes each document in a data stream or index corresponds to an event.

To search a data stream or index using EQL, each document in the data stream or index must contain the following field archetypes:

Event category
A field containing the event classification, such as process, file, or network. This is typically mapped as a keyword field.

Timestamp
A field containing the date and/or time the event occurred. This is typically mapped as a date or date_nanos field.

You cannot use a nested field data type or the sub-fields of a nested field as the timestamp or event category field. See EQL search on nested fields is not supported.
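The requirements above can be checked against an index's mappings before running EQL searches on it. The following is an added example, not Elastic code: the function names `resolve_field` and `check_eql_mappings` and the sample mappings are hypothetical, and it assumes the fields are explicitly mapped and default to the ECS fields `event.category` and `@timestamp`.

```python
# Added example, not Elastic code. `mappings` is the "mappings" object of one
# index, as a dict. Defaults assume the ECS fields event.category / @timestamp.

def resolve_field(mappings, path):
    """Follow a dotted path; return (definition or None, crosses_nested)."""
    node, crosses_nested = mappings, False
    for part in path.split("."):
        children = {**node.get("fields", {}), **node.get("properties", {})}
        if part not in children:
            return None, crosses_nested
        node = children[part]
        crosses_nested = crosses_nested or node.get("type") == "nested"
    return node, crosses_nested

def check_eql_mappings(mappings, category_field="event.category",
                       timestamp_field="@timestamp"):
    """Return (severity, message) findings; an empty list means no issues."""
    findings = []
    roles = (("event category", category_field, ("keyword",)),
             ("timestamp", timestamp_field, ("date", "date_nanos")))
    for role, path, typical in roles:
        field, crosses_nested = resolve_field(mappings, path)
        if field is None:
            findings.append(("error", f"{role} field {path!r} is not mapped"))
        elif crosses_nested:
            findings.append(("error", f"{role} field {path!r} is a nested "
                                      "field or a sub-field of one"))
        elif field.get("type", "object") not in typical:
            findings.append(("warning", f"{role} field {path!r} is mapped as "
                             f"{field.get('type', 'object')}, typically "
                             + " or ".join(typical)))
    return findings

# Constructed sample mappings.
GOOD = {"properties": {
    "@timestamp": {"type": "date"},
    "event": {"properties": {"category": {"type": "keyword"}}}}}
BAD = {"properties": {
    "@timestamp": {"type": "text"},
    "event": {"type": "nested",
              "properties": {"category": {"type": "keyword"}}}}}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_eql_mappings(sample) or "meets the EQL field requirements")
```

A nested or missing field is reported as an error; a mapping type other than the typical one is reported only as a warning.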