Returns results matching a query expressed in Event Query Language (EQL)

POST /{index}/_eql/search

Path parameters

  • index string | array[string] Required

    The name of the index to scope the operation

Query parameters

application/json

Body Required

  • query string Required

    EQL query you wish to run.

  • case_sensitive boolean
  • event_category_field string

    Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

  • tiebreaker_field string

    Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

  • timestamp_field string

    Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

  • fetch_size number

  • filter object | array[object]

    Query, written in Query DSL, used to filter the events on which the EQL query runs.

    One of:
    query_dsl:QueryContainer object array-2 array[object]
    Hide attributes Show attributes object
    • bool object
      Hide bool attributes Show bool attributes object
    • boosting object
      Hide boosting attributes Show boosting attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • negative_boost number Required

        Floating point number between 0 and 1.0 used to decrease the relevance scores of documents matching the negative query.

      • negative object Required
      • positive object Required
    • common object Deprecated
    • combined_fields object
      Hide combined_fields attributes Show combined_fields attributes object
    • constant_score object
      Hide constant_score attributes Show constant_score attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • filter object Required
    • dis_max object
      Hide dis_max attributes Show dis_max attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • queries array[object] Required

        One or more query clauses. Returned documents must match one or more of these queries. If a document matches multiple queries, Elasticsearch uses the highest relevance score.

      • tie_breaker number

        Floating point number between 0 and 1.0 used to increase the relevance scores of documents matching multiple query clauses.

    • distance_feature object

      One of:
      query_dsl:UntypedDistanceFeatureQuery object query_dsl:GeoDistanceFeatureQuery object query_dsl:DateDistanceFeatureQuery object
    • exists object
      Hide exists attributes Show exists attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • field string Required

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

    • function_score object
      Hide function_score attributes Show function_score attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • boost_mode string

        Values are multiply, replace, sum, avg, max, or min.

      • functions array[object]

        One or more functions that compute a new score for each document returned by the query.

      • max_boost number

        Restricts the new score to not exceed the provided limit.

      • min_score number

        Excludes documents that do not meet the provided score threshold.

      • query object
      • score_mode string

        Values are multiply, sum, avg, first, max, or min.

    • fuzzy object

      Returns documents that contain terms similar to the search term, as measured by a Levenshtein edit distance.

    • geo_bounding_box object
      Hide geo_bounding_box attributes Show geo_bounding_box attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • type string

        Values are memory or indexed.

      • validation_method string

        Values are coerce, ignore_malformed, or strict.

      • ignore_unmapped boolean

        Set to true to ignore an unmapped field and not match any documents for this query. Set to false to throw an exception if the field is not mapped.

    • geo_distance object
      Hide geo_distance attributes Show geo_distance attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • distance string Required
      • distance_type string

        Values are arc or plane.

      • validation_method string

        Values are coerce, ignore_malformed, or strict.

      • ignore_unmapped boolean

        Set to true to ignore an unmapped field and not match any documents for this query. Set to false to throw an exception if the field is not mapped.

    • geo_polygon object
      Hide geo_polygon attributes Show geo_polygon attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • validation_method string

        Values are coerce, ignore_malformed, or strict.

      • ignore_unmapped boolean
    • geo_shape object
      Hide geo_shape attributes Show geo_shape attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • ignore_unmapped boolean

        Set to true to ignore an unmapped field and not match any documents for this query. Set to false to throw an exception if the field is not mapped.

    • has_child object
      Hide has_child attributes Show has_child attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • ignore_unmapped boolean

        Indicates whether to ignore an unmapped type and not return any documents instead of an error.

      • inner_hits object
        Hide inner_hits attributes Show inner_hits attributes object
      • max_children number

        Maximum number of child documents that match the query allowed for a returned parent document. If the parent document exceeds this limit, it is excluded from the search results.

      • min_children number

        Minimum number of child documents that match the query required to match the query for a returned parent document. If the parent document does not meet this limit, it is excluded from the search results.

      • query object Required
      • score_mode string

        Values are none, avg, sum, max, or min.

      • type string Required
    • has_parent object
      Hide has_parent attributes Show has_parent attributes object
    • ids object
      Hide ids attributes Show ids attributes object
    • intervals object

      Returns documents based on the order and proximity of matching terms.

    • knn object
      Hide knn attributes Show knn attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • field string Required

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • query_vector array[number]
      • query_vector_builder object
        Hide query_vector_builder attribute Show query_vector_builder attribute object
      • num_candidates number

        The number of nearest neighbor candidates to consider per shard

      • k number

        The final number of nearest neighbors to return as top hits

      • filter object | array[object]

        Filters for the kNN search query

        One of:
        query_dsl:QueryContainer object array-2 array[object]
      • similarity number

        The minimum similarity for a vector to be considered a match

    • match object

      Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

    • match_all object
      Hide match_all attributes Show match_all attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
    • match_bool_prefix object

      Analyzes its input and constructs a bool query from the terms. Each term except the last is used in a term query. The last term is used in a prefix query.

    • match_none object
      Hide match_none attributes Show match_none attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
    • match_phrase object

      Analyzes the text and creates a phrase query out of the analyzed text.

    • match_phrase_prefix object

      Returns documents that contain the words of a provided text, in the same order as provided. The last term of the provided text is treated as a prefix, matching any words that begin with that term.

    • more_like_this object
      Hide more_like_this attributes Show more_like_this attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • analyzer string

        The analyzer that is used to analyze the free form text. Defaults to the analyzer associated with the first field in fields.

      • boost_terms number

        Each term in the formed query could be further boosted by their tf-idf score. This sets the boost factor to use when using this feature. Defaults to deactivated (0).

      • fail_on_unsupported_field boolean

        Controls whether the query should fail (throw an exception) if any of the specified fields are not of the supported types (text or keyword).

      • fields array[string]

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • include boolean

        Specifies whether the input documents should also be included in the search results returned.

      • like array[string | object] Required
      • max_doc_freq number

        The maximum document frequency above which the terms are ignored from the input document.

      • max_query_terms number

        The maximum number of query terms that can be selected.

      • max_word_length number

        The maximum word length above which the terms are ignored. Defaults to unbounded (0).

      • min_doc_freq number

        The minimum document frequency below which the terms are ignored from the input document.

      • minimum_should_match number | string

        The minimum number of terms that should match as integer, percentage or range

        One of:
        _types:MinimumShouldMatch number _types:MinimumShouldMatch string
      • min_term_freq number

        The minimum term frequency below which the terms are ignored from the input document.

      • min_word_length number

        The minimum word length below which the terms are ignored.

      • routing string

      • stop_words string | array[string]

        Language value, such as arabic or thai. Defaults to english. Each language value corresponds to a predefined list of stop words in Lucene. See Stop words by language for supported language values and their stop words. Also accepts an array of stop words.

        One of:
        analysis:StopWords string analysis:StopWords array[string]
      • unlike array[string | object]
      • version number
      • version_type string

        Values are internal, external, external_gte, or force.

    • multi_match object
      Hide multi_match attributes Show multi_match attributes object
    • nested object
      Hide nested attributes Show nested attributes object
    • parent_id object
      Hide parent_id attributes Show parent_id attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • id string
      • ignore_unmapped boolean

        Indicates whether to ignore an unmapped type and not return any documents instead of an error.

      • type string
    • percolate object
      Hide percolate attributes Show percolate attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • document object

        The source of the document being percolated.

      • documents array[object]

        An array of sources of the documents being percolated.

      • field string Required

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • id string
      • index string
      • name string

        The suffix used for the _percolator_document_slot field when multiple percolate queries are specified.

      • preference string

        Preference used to fetch document to percolate.

      • routing string
      • version number
    • pinned object
      Hide pinned attributes Show pinned attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • organic object Required
      • ids array[string]

        Document IDs listed in the order they are to appear in results. Required if docs is not specified.

      • docs array[object]

        Documents listed in the order they are to appear in results. Required if ids is not specified.

    • prefix object

      Returns documents that contain a specific prefix in a provided field.

    • query_string object
      Hide query_string attributes Show query_string attributes object
    • range object

      Returns documents that contain terms within a provided range.

    • rank_feature object
      Hide rank_feature attributes Show rank_feature attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • field string Required

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • saturation object
      • log object
      • linear object
      • sigmoid object
    • regexp object

      Returns documents that contain terms matching a regular expression.

    • rule object
      Hide rule attributes Show rule attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • organic object Required
      • ruleset_ids array[string] Required
      • match_criteria object Required
    • script object
      Hide script attributes Show script attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • script object Required
        Hide script attributes Show script attributes object
        • source string

          The script source.

        • id string
        • params object

          Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.

        • lang
        • options object
    • script_score object
      Hide script_score attributes Show script_score attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • min_score number

        Documents with a score lower than this floating point number are excluded from the search results.

      • query object Required
      • script object Required
        Hide script attributes Show script attributes object
        • source string

          The script source.

        • id string
        • params object

          Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.

        • lang
        • options object
    • semantic object
      Hide semantic attributes Show semantic attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • field string Required

        The field to query, which must be a semantic_text field type

      • query string Required

        The query text

    • shape object
      Hide shape attributes Show shape attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • ignore_unmapped boolean

        When set to true the query ignores an unmapped field and will not match any documents.

    • simple_query_string object
      Hide simple_query_string attributes Show simple_query_string attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • analyzer string

        Analyzer used to convert text in the query string into tokens.

      • analyze_wildcard boolean

        If true, the query attempts to analyze wildcard terms in the query string.

      • auto_generate_synonyms_phrase_query boolean

        If true, the parser creates a match_phrase query for each multi-position token.

      • default_operator string

        Values are and, AND, or, or OR.

      • fields array[string]

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • flags
      • fuzzy_max_expansions number

        Maximum number of terms to which the query expands for fuzzy matching.

      • fuzzy_prefix_length number

        Number of beginning characters left unchanged for fuzzy matching.

      • fuzzy_transpositions boolean

        If true, edits for fuzzy matching include transpositions of two adjacent characters (for example, ab to ba).

      • lenient boolean

        If true, format-based errors, such as providing a text value for a numeric field, are ignored.

      • minimum_should_match number | string

        The minimum number of terms that should match as integer, percentage or range

        One of:
        _types:MinimumShouldMatch number _types:MinimumShouldMatch string
      • query string Required

        Query string in the simple query string syntax you wish to parse and use for search.

      • quote_field_suffix string

        Suffix appended to quoted text in the query string.

    • span_containing object
      Hide span_containing attributes Show span_containing attributes object
    • span_field_masking object
      Hide span_field_masking attributes Show span_field_masking attributes object
    • span_first object
      Hide span_first attributes Show span_first attributes object
    • span_multi object
      Hide span_multi attributes Show span_multi attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • match object Required
    • span_near object
      Hide span_near attributes Show span_near attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • clauses array[object] Required

        Array of one or more other span type queries.

      • in_order boolean

        Controls whether matches are required to be in-order.

      • slop number

        Controls the maximum number of intervening unmatched positions permitted.

    • span_not object
      Hide span_not attributes Show span_not attributes object
    • span_or object
      Hide span_or attributes Show span_or attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • clauses array[object] Required

        Array of one or more other span type queries.

    • span_term object

      Matches spans containing a term.

    • span_within object
      Hide span_within attributes Show span_within attributes object
    • sparse_vector object
      Hide sparse_vector attributes Show sparse_vector attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • field string Required

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

      • query string

        The query text you want to use for search. If inference_id is specified, query must also be specified.

      • prune boolean

        Whether to perform pruning, omitting the non-significant tokens from the query to improve query performance. If prune is true but the pruning_config is not specified, pruning will occur but default values will be used. Default: false

      • pruning_config object
      • query_vector object

        Dictionary of precomputed sparse vectors and their associated weights. Only one of inference_id or query_vector may be supplied in a request.

      • inference_id string
    • term object

      Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

    • terms object
      Hide terms attributes Show terms attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
    • terms_set object

      Returns documents that contain a minimum number of exact terms in a provided field. To return a document, a required number of terms must exactly match the field values, including whitespace and capitalization.

    • text_expansion object Deprecated

      Uses a natural language processing model to convert the query text into a list of token-weight pairs which are then used in a query against a sparse vector or rank features field.

    • weighted_tokens object Deprecated

      Supports returning text_expansion query results by sending in precomputed tokens with the query.

    • wildcard object

      Returns documents that contain terms matching a wildcard pattern.

    • wrapper object
      Hide wrapper attributes Show wrapper attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • query string Required

        A base64 encoded query. The binary data format can be any of JSON, YAML, CBOR or SMILE encodings

    • type object
      Hide type attributes Show type attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • value string Required
  • keep_alive string

    A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

  • keep_on_completion boolean
  • wait_for_completion_timeout string

    A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

  • size number

  • fields object | array[object]

    Array of wildcard (*) patterns. The response returns values for field names matching these patterns in the fields property of each hit.

    One of:
    query_dsl:FieldAndFormat object array-2 array[object]
    Hide attributes Show attributes object
    • field string Required

      Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

    • format string

      Format in which the values are returned.

    • include_unmapped boolean
  • result_position string

    Values are tail or head.

  • runtime_mappings object
    Hide runtime_mappings attributes Show runtime_mappings attributes object

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • id string
    • is_partial boolean

      If true, the response does not contain complete search results.

    • is_running boolean

      If true, the search request is still executing.

    • took number

      Time unit for milliseconds

    • timed_out boolean

      If true, the request timed out before completion.

    • hits object Required
      Hide hits attributes Show hits attributes object
      • total object
        Hide total attributes Show total attributes object
      • events array[object]

        Contains events matching the query. Each object represents a matching event.

        Hide events attributes Show events attributes object
      • sequences array[object]

        Contains event sequences matching the query. Each object represents a matching sequence. This parameter is only returned for EQL queries containing a sequence.

        Hide sequences attributes Show sequences attributes object
        • events array[object] Required

          Contains events matching the query. Each object represents a matching event.

          Hide events attributes Show events attributes object
          • _index string Required
          • _id string Required
          • _source object Required

            Original JSON body passed for the event at index time.

          • missing boolean

            Set to true for events in a timespan-constrained sequence that do not meet a given condition.

          • fields object
        • join_keys array[object]

          Shared field values used to constrain matches in the sequence. These are defined using the by keyword in the EQL query syntax.
POST /{index}/_eql/search 
curl \
 -X POST http://api.example.com/{index}/_eql/search \
 -H "Content-Type: application/json" \
 -d '{"query":"string","case_sensitive":true,"event_category_field":"string","tiebreaker_field":"string","timestamp_field":"string","fetch_size":42.0,"filter":{"":{"boost":42.0,"_name":"string","value":"string"},"common":{},"fuzzy":{},"intervals":{},"match":{},"match_bool_prefix":{},"match_phrase":{},"match_phrase_prefix":{},"prefix":{},"range":{},"regexp":{},"span_term":{},"term":{},"terms_set":{},"text_expansion":{},"weighted_tokens":{},"wildcard":{}},"keep_alive":"string","keep_on_completion":true,"wait_for_completion_timeout":"string","size":42.0,"fields":{"field":"string","format":"string","include_unmapped":true},"result_position":"tail","":{"fields":{"type":"boolean"},"fetch_fields":[{"field":"string","format":"string"}],"format":"string","input_field":"string","target_field":"string","target_index":"string","script":{"source":"string","id":"string","params":{"key":{}},"":"painless","options":{"key":"string"}},"type":"boolean"}}'