Event Query Language (EQL)
- class elasticsearch.client.EqlClient(client)
- Parameters:
client (BaseClient) –
- delete(*, id, error_trace=None, filter_path=None, human=None, pretty=None)
Deletes an async EQL search by ID. If the search is still running, the search request will be cancelled. Otherwise, the saved search results are deleted.
https://www.elastic.co/guide/en/elasticsearch/reference/8.12/eql-search-api.html
- Parameters:
id (str) – Identifier for the search.
error_trace (bool | None) –
human (bool | None) –
pretty (bool | None) –
- Return type:
ObjectApiResponse[Any]
- get(*, id, error_trace=None, filter_path=None, human=None, keep_alive=None, pretty=None, wait_for_completion_timeout=None)
Returns async results from a previously executed Event Query Language (EQL) search.
https://www.elastic.co/guide/en/elasticsearch/reference/8.12/get-async-eql-search-api.html
- Parameters:
id (str) – Identifier for the search.
keep_alive (Literal[-1] | Literal[0] | str | None) – Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search's EQL search API request.
wait_for_completion_timeout (Literal[-1] | Literal[0] | str | None) – Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.
error_trace (bool | None) –
human (bool | None) –
pretty (bool | None) –
- Return type:
ObjectApiResponse[Any]
- get_status(*, id, error_trace=None, filter_path=None, human=None, pretty=None)
Returns the status of a previously submitted async or stored Event Query Language (EQL) search.
https://www.elastic.co/guide/en/elasticsearch/reference/8.12/get-async-eql-status-api.html
- Parameters:
id (str) – Identifier for the search.
error_trace (bool | None) –
human (bool | None) –
pretty (bool | None) –
- Return type:
ObjectApiResponse[Any]
- search(*, index, query=None, allow_no_indices=None, case_sensitive=None, error_trace=None, event_category_field=None, expand_wildcards=None, fetch_size=None, fields=None, filter=None, filter_path=None, human=None, ignore_unavailable=None, keep_alive=None, keep_on_completion=None, pretty=None, result_position=None, runtime_mappings=None, size=None, tiebreaker_field=None, timestamp_field=None, wait_for_completion_timeout=None, body=None)
Returns results matching a query expressed in Event Query Language (EQL).
https://www.elastic.co/guide/en/elasticsearch/reference/8.12/eql-search-api.html
- Parameters:
index (str | Sequence[str]) – The name of the index (or indices) to scope the operation to.
query (str | None) – EQL query you wish to run.
allow_no_indices (bool | None) –
case_sensitive (bool | None) –
event_category_field (str | None) – Field containing the event classification, such as process, file, or network.
expand_wildcards (Sequence[Literal['all', 'closed', 'hidden', 'none', 'open'] | str] | Literal['all', 'closed', 'hidden', 'none', 'open'] | str | None) –
fetch_size (int | None) – Maximum number of events to search at a time for sequence queries.
fields (Mapping[str, Any] | Sequence[Mapping[str, Any]] | None) – Array of wildcard (*) patterns. The response returns values for field names matching these patterns in the fields property of each hit.
filter (Mapping[str, Any] | Sequence[Mapping[str, Any]] | None) – Query, written in Query DSL, used to filter the events on which the EQL query runs.
ignore_unavailable (bool | None) – If true, missing or closed indices are not included in the response.
keep_alive (Literal[-1] | Literal[0] | str | None) –
keep_on_completion (bool | None) –
result_position (Literal['head', 'tail'] | str | None) –
size (int | None) – For basic queries, the maximum number of matching events to return. Defaults to 10.
tiebreaker_field (str | None) – Field used to sort hits with the same timestamp in ascending order.
timestamp_field (str | None) – Field containing the event timestamp. Defaults to "@timestamp".
wait_for_completion_timeout (Literal[-1] | Literal[0] | str | None) –
error_trace (bool | None) –
human (bool | None) –
pretty (bool | None) –
- Return type:
ObjectApiResponse[Any]
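An added example (not part of the client's documentation) that assembles the keyword arguments for `search()` for a detection-style sequence query, then walks the `hits.sequences` structure the API returns; the index pattern, the `event.sequence` tiebreaker field, the endpoint URL and the sample response are all assumptions or constructed data.

```python
from typing import Any, Dict, List

# Constructed EQL sequence: a PowerShell start followed within 30s by an outbound
# TLS connection from the same process (events joined on process.entity_id).
SUSPICIOUS_SEQUENCE = """
sequence by process.entity_id with maxspan=30s
  [process where event.type == "start" and process.name == "powershell.exe"]
  [network where event.type == "connection" and destination.port == 443]
"""

def build_search_kwargs(index: str, query: str, since: str = "now-1h") -> Dict[str, Any]:
    """Keyword arguments for EqlClient.search(). The DSL filter trims the time window
    before EQL runs; tiebreaker_field fixes the order of same-timestamp events."""
    return {
        "index": index, "query": query,
        "filter": {"range": {"@timestamp": {"gte": since}}},
        "timestamp_field": "@timestamp", "event_category_field": "event.category",
        "tiebreaker_field": "event.sequence",  # assumed to be mapped in the index
        "size": 50,
        "fields": [{"field": "process.*"}, {"field": "destination.*"}],
        "wait_for_completion_timeout": "5s",  # past this, the response carries an async id
        "keep_on_completion": True, "keep_alive": "1m",  # so eql.get(id=...) works later
    }

def extract_sequences(body: Dict[str, Any]) -> List[List[Dict[str, Any]]]:
    """Flatten a response into per-match lists of event _source docs. A search that
    is still running or partial is not a finding yet: poll it with eql.get()."""
    if body.get("is_running") or body.get("is_partial"):
        return []
    hits = body.get("hits", {})
    if "sequences" in hits:  # sequence query: hits.sequences[].events[]
        return [[e["_source"] for e in s["events"]] for s in hits["sequences"]]
    return [[e["_source"]] for e in hits.get("events", [])]  # plain event query: hits.events[]

# Constructed response shaped like the EQL search API's output for a sequence query.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "is_partial": False, "is_running": False, "took": 12, "timed_out": False,
    "hits": {"total": {"value": 1, "relation": "eq"}, "sequences": [{"join_keys": ["proc-0001"], "events": [
        {"_index": "logs-endpoint.events.process", "_id": "a1", "_source": {
            "@timestamp": "2024-03-01T10:00:00Z", "event": {"type": "start"},
            "process": {"name": "powershell.exe", "entity_id": "proc-0001"}}},
        {"_index": "logs-endpoint.events.network", "_id": "b2", "_source": {
            "@timestamp": "2024-03-01T10:00:05Z", "event": {"type": "connection"},
            "process": {"entity_id": "proc-0001"}, "destination": {"port": 443}}}]}]}}

if __name__ == "__main__":  # live run; needs the elasticsearch package and a reachable cluster
    from elasticsearch import Elasticsearch
    es = Elasticsearch("http://localhost:9200")  # assumed endpoint
    resp = es.eql.search(**build_search_kwargs("logs-endpoint.events.*", SUSPICIOUS_SEQUENCE))
    print(extract_sequences(resp.body))
```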