This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features.
EQL is schema-less and works well with most common log formats.
While no schema is required to use EQL in Elasticsearch, we recommend the Elastic Common Schema (ECS). The EQL search API is designed to work with core ECS fields by default.
In Elasticsearch, EQL assumes each document in an index corresponds to an event.
To search an index using EQL, each document in the index must contain the following field archetypes: