EQL scenario doesn't match

ateethrigvedi · December 23, 2021, 6:20am

I was trying to match some lines using EQL, but no match was found in-spite of having lines which matches the criteria in Elasticsearch. Kindly provide some leads about the same.

Thanks in advance

EQL QUERY:

GET /index/_eql/search
{
"event_category_field": "logLevel",
"timestamp_field": "dateTime",
"query": """
sequence with maxspan = 11s
[ INFO where logLine : "xyz not found"]
[ INFO where logLine : "Install abc success"]
""",
"size": 100
}

Lines for which eql query is being executed:

2021-01-07 10:39:10.115021 INFO xyz not found
2021-01-07 10:39:10.118425 INFO Install abc success

system · January 20, 2022, 6:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What is the point of the match_all and match_none queries? Elasticsearch eql-elastic-query-language	1	491	March 18, 2022
Match query not returning results Elasticsearch eql-elastic-query-language	7	798	August 21, 2023
Problem with EQL queries Elasticsearch	1	323	October 26, 2020
EQL syntax error? Elastic Security eql-elastic-query-language	4	1485	July 28, 2021
Question about EQL capabilities Elasticsearch eql-elastic-query-language	1	277	August 4, 2022

EQL scenario doesn't match

Related topics