@@ -45,8 +45,10 @@ default.
[[run-an-eql-search]]
== Run an EQL search
 
-Use the <<eql-search-api,EQL search API>> to run a <<eql-basic-syntax,basic
-EQL query>>:
+Use the <<eql-search-api,EQL search API>> to run a <<eql-basic-syntax,basic EQL
+query>>. If the {es} {security-features} are enabled, you must have the `read`
+<<privileges-list-indices,index privilege>> for the target data stream, index,
+or index alias.
 
[source,console]
----
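Review bot: the new privilege sentence (`+query>>. If the {es} {security-features} are enabled, you must have the `read`` ... `+or index alias.`) names a single target, but the EQL search API accepts wildcard patterns and aliases that resolve to several indices; if the `read` privilege is checked for every resolved index, say so ("for every target data stream, index, or index alias that the request resolves to"), otherwise readers will assume a single-index check. Minor nit: the rewrap moves the line break inside the `<<eql-basic-syntax,basic EQL query>>` cross-reference text; keeping the whole xref on one line avoids surprises in renderers that treat the break literally.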
@@ -493,7 +495,9 @@ requests.
 
To check the progress of an async search, use the <<get-async-eql-search-api,get
async EQL search API>> with the search ID. Specify how long you'd like for
-complete results in the `wait_for_completion_timeout` parameter.
+complete results in the `wait_for_completion_timeout` parameter. If the {es}
+{security-features} are enabled, only the user who first submitted the EQL
+search can retrieve the search using this API.
 
[source,console]
----
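Review bot: the ownership statement added in `+{security-features} are enabled, only the user who first submitted the EQL` / `+search can retrieve the search using this API.` leaves the failure mode undocumented: a reader who is not the submitter needs to know what response the get async EQL search API returns (an error status, or a response indistinguishable from an unknown search ID). Please state the observable behavior in one sentence so operators can distinguish a permission problem from an expired `keep_alive`.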
@@ -553,7 +557,9 @@ GET /_eql/search/FmNJRUZ1YWZCU3dHY1BIOUhaenVSRkEaaXFlZ3h4c1RTWFNocDdnY2FSaERnUTo
 
Use the <<delete-async-eql-search-api,delete async EQL search API>> to
manually delete an async EQL search before the `keep_alive` period ends. If the
-search is still ongoing, {es} cancels the search request.
+search is still ongoing, {es} cancels the search request. If the {es}
+{security-features} are enabled, only the user who first submitted the EQL
+search can delete the search using this API.
 
[source,console]
----
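Review bot: the lines `+{security-features} are enabled, only the user who first submitted the EQL` / `+search can delete the search using this API.` repeat the previous hunk's sentence almost verbatim with only "retrieve" changed to "delete"; since both restrictions describe one ownership rule for the stored async search, consider stating it once where the async search is introduced and having the get and delete paragraphs refer back to it. It is also worth making explicit that this restriction applies only to manual deletion through the API and does not change the automatic removal when the `keep_alive` period ends, which the preceding sentence describes.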