EQL requirements

This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features.

EQL is schema-less and works well with most common log formats.

While no schema is required to use EQL in Elasticsearch, we recommend the Elastic Common Schema (ECS). The EQL search API is designed to work with core ECS fields by default.

Required fields

In Elasticsearch, EQL assumes each document in an index corresponds to an event.

To search an index using EQL, each document in the index must contain the following field archetypes:

Event category
A field containing the event classification, such as process, file, or network. This is typically mapped as a keyword field.
Timestamp
A field containing the date and/or time the event occurred. This is typically mapped as a date field.

You cannot use a nested field datatype, or the sub-fields of a nested field datatype, as the timestamp or event category field. See EQL search on nested fields is not supported.
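The following is an added example, not Elasticsearch code, that checks an index mapping (the JSON under a single index's "mappings" key, as returned by the get-mapping API) against the two required field archetypes above: the timestamp field must be a date, the event category field must be a keyword, and neither may be a nested field or live under one. The default field names "@timestamp" and "event.category" are the ECS names and are an assumption of this example; the page itself does not name them. The two sample mappings are constructed for illustration.

```python
"""Validate an index mapping against the EQL required-field archetypes.

Added example, not Elasticsearch's own code. Assumed ECS field names
(not stated on the page): "@timestamp" for the timestamp archetype and
"event.category" for the event category archetype.
"""
from typing import Dict, List, Optional, Tuple

ECS_TIMESTAMP = "@timestamp"          # assumed ECS timestamp field name
ECS_EVENT_CATEGORY = "event.category"  # assumed ECS event category field name

# Expected mapping types, following the page's "typically mapped as" guidance.
EXPECTED_TYPES = {"timestamp": "date", "event category": "keyword"}


def _resolve(properties: Dict, dotted_path: str) -> Tuple[Optional[Dict], bool]:
    """Walk a dotted field path through a mapping 'properties' tree.

    Returns (field_definition, under_nested). under_nested is True when the
    field itself, or any of its ancestors, is mapped with type 'nested',
    which the page says EQL does not support for these two fields.
    """
    node: Optional[Dict] = None
    under_nested = False
    for part in dotted_path.split("."):
        if part not in properties:
            return None, under_nested
        node = properties[part]
        if node.get("type") == "nested":
            under_nested = True
        properties = node.get("properties", {})
    return node, under_nested


def check_eql_requirements(mapping: Dict,
                           timestamp_field: str = ECS_TIMESTAMP,
                           category_field: str = ECS_EVENT_CATEGORY) -> List[str]:
    """Return a list of problems; an empty list means the mapping is EQL-ready."""
    problems: List[str] = []
    props = mapping.get("properties", {})
    checks = (
        ("timestamp", timestamp_field),
        ("event category", category_field),
    )
    for archetype, name in checks:
        field, nested = _resolve(props, name)
        if field is None:
            problems.append(f"{archetype} field '{name}' is missing from the mapping")
            continue
        if nested:
            problems.append(
                f"{archetype} field '{name}' is a nested field or a sub-field of one; "
                "EQL does not support nested fields here"
            )
        wanted = EXPECTED_TYPES[archetype]
        actual = field.get("type")
        if actual != wanted:
            problems.append(
                f"{archetype} field '{name}' is mapped as '{actual}', expected '{wanted}'"
            )
    return problems


# Constructed sample mappings (not taken from any real index).
GOOD_MAPPING = {
    "properties": {
        "@timestamp": {"type": "date"},
        "event": {"properties": {"category": {"type": "keyword"}}},
        "process": {"properties": {"name": {"type": "keyword"}}},
    }
}

BAD_MAPPING = {
    "properties": {
        "@timestamp": {"type": "text"},  # wrong type for the timestamp archetype
        "event": {                         # nested object: unsupported for event category
            "type": "nested",
            "properties": {"category": {"type": "keyword"}},
        },
    }
}

if __name__ == "__main__":
    for label, mapping in (("good", GOOD_MAPPING), ("bad", BAD_MAPPING)):
        found = check_eql_requirements(mapping)
        print(f"{label}: {'ok' if not found else found}")
```

Run it against the output of GET <index>/_mapping (take the value under the index name's "mappings" key) before pointing an EQL query at a new log source; a non-empty result explains which archetype the index fails and why.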