|
|
@@ -156,21 +156,21 @@ The API returns the following response.
|
|
|
[source,console-result]
|
|
|
----
|
|
|
{
|
|
|
- "hits" : {
|
|
|
- "events" : [
|
|
|
+ "hits": {
|
|
|
+ "events": [
|
|
|
{
|
|
|
- "_source" : {
|
|
|
- "@timestamp" : "2099-12-07T11:07:09.000Z",
|
|
|
- "process" : {
|
|
|
- "pid" : 2012
|
|
|
+ "_source": {
|
|
|
+ "@timestamp": "2099-12-07T11:07:09.000Z",
|
|
|
+ "process": {
|
|
|
+ "pid": 2012
|
|
|
}
|
|
|
}
|
|
|
},
|
|
|
{
|
|
|
- "_source" : {
|
|
|
- "@timestamp" : "2099-12-07T11:07:10.000Z",
|
|
|
- "process" : {
|
|
|
- "pid" : 2012
|
|
|
+ "_source": {
|
|
|
+ "@timestamp": "2099-12-07T11:07:10.000Z",
|
|
|
+ "process": {
|
|
|
+ "pid": 2012
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
@@ -468,10 +468,10 @@ which an EQL query runs.
|
|
|
GET /my-index-000001/_eql/search
|
|
|
{
|
|
|
"filter": {
|
|
|
- "range" : {
|
|
|
- "file.size" : {
|
|
|
- "gte" : 1,
|
|
|
- "lte" : 1000000
|
|
|
+ "range": {
|
|
|
+ "file.size": {
|
|
|
+ "gte": 1,
|
|
|
+ "lte": 1000000
|
|
|
}
|
|
|
}
|
|
|
},
|
|
|
@@ -582,7 +582,7 @@ GET /_eql/search/status/FmNJRUZ1YWZCU3dHY1BIOUhaenVSRkEaaXFlZ3h4c1RTWFNocDdnY2FS
|
|
|
"id": "FmNJRUZ1YWZCU3dHY1BIOUhaenVSRkEaaXFlZ3h4c1RTWFNocDdnY2FSaERnUTozNDE=",
|
|
|
"is_running": false,
|
|
|
"is_partial": false,
|
|
|
- "expiration_time_in_millis" : 1611690295000,
|
|
|
+ "expiration_time_in_millis": 1611690295000,
|
|
|
"completion_status": 200
|
|
|
}
|
|
|
----
|
James Rodewig