I was trying to match some lines using EQL, but no match was found in spite of having lines which match the criteria in Elasticsearch. Kindly provide some leads about the same.
Thanks in advance
EQL QUERY:

GET /index/_eql/search
{
  "event_category_field": "logLevel",
  "timestamp_field": "dateTime",
  "query": """
    sequence with maxspan = 11s
      [ INFO where logLine : "xyz not found" ]
      [ INFO where logLine : "Install abc success" ]
  """,
  "size": 100
}
Lines for which the EQL query is being executed:
2021-01-07 10:39:10.115021 INFO xyz not found
2021-01-07 10:39:10.118425 INFO Install abc success
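Added example (not from the original post or from Elastic): a small offline simulation of the two semantics the query depends on, the `:` operator (whole keyword value, case-insensitive, `*` wildcard, no substring search) and `sequence with maxspan`. It assumes the two lines above are the input and compares two ingest assumptions: `logLine` holds only the message, or `logLine` holds the whole raw line because no pipeline split it. The sequence matcher is deliberately simplified to one in-flight sequence.

```python
import re
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample: the two lines from the post, as raw text.
RAW_LINES = [
    "2021-01-07 10:39:10.115021 INFO xyz not found",
    "2021-01-07 10:39:10.118425 INFO Install abc success",
]
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")  # date time, level, message

def parse(line, keep_full_line):
    """Build the document the query sees: dateTime, logLevel, logLine.
    keep_full_line=True models a shipper that stores the raw line unparsed."""
    m = LINE_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
    return {"dateTime": ts, "logLevel": m.group(2),
            "logLine": line if keep_full_line else m.group(3)}

def eql_colon(value, pattern):
    """EQL ':' compares the whole keyword value case-insensitively; '*' and '?'
    are wildcards. It is NOT a substring search (fnmatchcase models this)."""
    return fnmatchcase(value.lower(), pattern.lower())

def sequence(events, steps, maxspan):
    """Simplified 'sequence with maxspan': each step must match a later event
    and the whole chain must fit inside maxspan (events are time-ordered)."""
    matched, start = [], None
    for ev in events:
        level, field, pat = steps[len(matched)]
        if ev["logLevel"] == level and eql_colon(ev[field], pat):
            start = start or ev["dateTime"]
            if ev["dateTime"] - start > maxspan:
                return None  # chain broke the 11s window
            matched.append(ev)
            if len(matched) == len(steps):
                return matched
    return None

STEPS_EXACT = [("INFO", "logLine", "xyz not found"),
               ("INFO", "logLine", "Install abc success")]
STEPS_WILD = [("INFO", "logLine", "*xyz not found*"),
              ("INFO", "logLine", "*Install abc success*")]

def run(keep_full_line, steps):
    """True when the sequence matches under the given ingest assumption."""
    events = [parse(l, keep_full_line) for l in RAW_LINES]
    return sequence(events, steps, timedelta(seconds=11)) is not None

if __name__ == "__main__":
    print("message only, exact :", run(False, STEPS_EXACT))   # True
    print("raw line, exact     :", run(True, STEPS_EXACT))    # False
    print("raw line, wildcard  :", run(True, STEPS_WILD))     # True
```

The 3.3 ms gap between the two lines is well inside `maxspan = 11s`, so the window is not what prevents a match; the stored value of `logLine` (and its keyword mapping) is the thing to check first, e.g. with a plain `GET /index/_search` on one of the two documents.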