This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.
EQL is schema-less and works well with most common log formats.
In Elasticsearch, EQL assumes each document in a data stream or index corresponds to an event.
To search a data stream or index using EQL, each document in it must contain the following field archetypes:
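The two requirements above (one document per event, and a minimum set of event fields in every document) are easy to check before indexing. The following is an added example, not code from the Elastic documentation or the Elasticsearch project. It assumes EQL's default field names, `@timestamp` for the event timestamp and `event.category` for the event category, and it only builds the `_eql/search` request body rather than sending it; the sample documents are constructed for the example.

```python
"""Added example (not Elastic's code): check that documents satisfy EQL's
"one document = one event" assumption and build an EQL search request body.

Assumptions: the default EQL field names "@timestamp" and "event.category"
are used, and the request body mirrors the POST /<target>/_eql/search API.
The sample documents are constructed for this example, not real data.
"""
import json
from datetime import datetime

TIMESTAMP_FIELD = "@timestamp"            # assumed default EQL timestamp field
EVENT_CATEGORY_FIELD = "event.category"   # assumed default EQL event category field


def get_path(doc, dotted):
    """Resolve a dotted field name against a document.

    Elasticsearch stores 'event.category' as {'event': {'category': ...}}, but
    because EQL is schema-less the field may also appear as a literal dotted key.
    """
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def validate_event(doc):
    """Return the problems that would stop EQL from treating doc as an event."""
    problems = []
    ts = get_path(doc, TIMESTAMP_FIELD)
    if ts is None:
        problems.append(f"missing {TIMESTAMP_FIELD}")
    else:
        try:
            # Accept ISO 8601 with a trailing Z, which fromisoformat rejects before 3.11.
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"{TIMESTAMP_FIELD} is not an ISO 8601 timestamp: {ts!r}")
    if get_path(doc, EVENT_CATEGORY_FIELD) is None:
        problems.append(f"missing {EVENT_CATEGORY_FIELD}")
    return problems


def rejected_docs(docs):
    """Indexes of the documents that EQL could not treat as events."""
    return [i for i, d in enumerate(docs) if validate_event(d)]


def build_eql_request(query, size=10):
    """Body for POST /<target>/_eql/search.

    Only "query" is required; the field-name keys are spelled out so a reader
    sees where non-default timestamp/category field names would be supplied.
    """
    return {
        "query": query,
        "size": size,
        "timestamp_field": TIMESTAMP_FIELD,
        "event_category_field": EVENT_CATEGORY_FIELD,
    }


# Constructed sample events: two valid, one without a timestamp, one with a bad one.
SAMPLE_DOCS = [
    {"@timestamp": "2023-01-01T10:00:00.000Z", "event": {"category": "process"},
     "process": {"name": "cmd.exe"}},
    {"@timestamp": "2023-01-01T10:00:01.000Z", "event.category": "network",
     "destination": {"port": 443}},
    {"event": {"category": "file"}, "file": {"path": "/tmp/x"}},
    {"@timestamp": "not a date", "event": {"category": "process"}},
]

if __name__ == "__main__":
    for i in rejected_docs(SAMPLE_DOCS):
        print(f"doc {i}: {', '.join(validate_event(SAMPLE_DOCS[i]))}")
    print(json.dumps(build_eql_request('process where process.name == "cmd.exe"'), indent=2))
```

Running the block reports documents 2 and 3 as unusable and prints the request body for a simple `process where ...` query; documents that fail the check would either be silently excluded from EQL results or cause the search to fail, so the check belongs in the ingest path rather than after the fact.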