elasticsearch/docs/reference/eql/requirements.asciidoc

[role="xpack"]
[testenv="basic"]
[[eql-requirements]]
== EQL requirements
++++
<titleabbrev>Requirements</titleabbrev>
++++

experimental::[]

EQL is schema-less and works well with most common log formats.

[TIP]
====
While no schema is required to use EQL in {es}, we recommend the
{ecs-ref}[Elastic Common Schema (ECS)]. The EQL search API is designed to work
with core ECS fields by default.
====

[discrete]
[[eql-required-fields]]
=== Required fields

In {es}, EQL assumes each document in an index corresponds to an event.

To search an index using EQL, each document in the index must contain the
following field archetypes:

Event category::
A field containing the event classification, such as `process`, `file`, or
`network`. This is typically mapped as a <<keyword,`keyword`>> field.

Timestamp::
A field containing the date and/or time the event occurred. This is typically
mapped as a <<date,`date`>> field.

[NOTE]
====
You cannot use a <<nested,`nested`>> field datatype or the sub-fields of a
`nested` field dataype as the timestamp or event category field. See
<<eql-nested-fields>>.
====