elasticsearch/docs/reference/eql/search.asciidoc

[role="xpack"]
[testenv="basic"]
[[eql-search]]
== Run an EQL search

experimental::[]

To start using EQL in {es}, first ensure your event data meets
<<eql-requirements,EQL requirements>>. Then ingest or add the data to an {es}
index.

The following <<docs-bulk,bulk API>> request adds some example log data to the
`sec_logs` index. This log data follows the {ecs-ref}[Elastic Common Schema
(ECS)].

[source,console]
----
PUT sec_logs/_bulk?refresh
{"index":{"_index" : "sec_logs"}}
{ "@timestamp": "2020-12-07T11:06:07.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "sec_logs"}}
{ "@timestamp": "2020-12-07T11:07:08.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "image_load" }, "file": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" }, "process": { "name": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe" } }
{"index":{"_index" : "sec_logs"}}
{ "@timestamp": "2020-12-07T11:07:09.000Z", "agent": { "id": "8a4f500d" }, "event": { "category": "process" }, "process": { "name": "regsvr32.exe", "path": "C:\\Windows\\System32\\regsvr32.exe" } }
----

You can now use the EQL search API to search this index using an EQL query.

The following request searches the `sec_logs` index using the EQL query
specified in the `rule` parameter. The EQL query matches events with an
`event.category` of `process` that have a `process.name` of `cmd.exe`.

[source,console]
----
GET sec_logs/_eql/search
{
  "event_type_field": "event.category",
  "rule": """
    process where process.name == "cmd.exe"
  """
}
----
// TEST[continued]

Because the `sec_log` index follows the ECS, you don't need to specify the
event type or timestamp fields. The request uses the `event.category` and
`@timestamp` fields by default.