I'm running a simple EQL query to test as follows, but it is NOT reporting anything back:
GET winlogbeat*/_eql/search
{
"query": """
process where process.name == "services.exe"
"""
}
Quite a lot of data is present, and if I run an SQL query to see the data, it is present:
POST /_sql?format=txt
{
"query": """
SELECT "process.name", "event.category", count(*) FROM "winlogbeat*"
WHERE "process.name" = 'services.exe'
GROUP BY "process.name","event.category"
"""
}
Hi @kelk! Thanks for checking out EQL! Let's see if we can get you squared away here...
The two concepts required for EQL to work are category and time, which by default correspond to the event.category and @timestamp fields, respectively.
If your mappings are correct but your documents are missing either of these fields, the search will succeed but with no results. Since you didn't mention an error, I suspect that you're missing a timestamp field.
If your documents do have a timestamp field but it's not named @timestamp, you can specify that as part of the query rather than adding/updating your documents.
I hope that helps! But if it doesn't, sharing your winlogbeat mappings along with a few representative documents and the EQL responses/errors will help to further diagnose. Cheers!
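The two checks suggested above, as an added example that is not part of the thread: count how many documents lack the timestamp and category fields EQL relies on, and build an EQL request body that names non-default fields via the `timestamp_field` / `event_category_field` request parameters instead of reindexing. The sample hits are constructed here, not real winlogbeat data.

```python
import json

# Constructed sample hits (not real winlogbeat documents): one is complete, one
# carries its time in a field called "event_time", one has no event.category.
SAMPLE_HITS = [
    {"process": {"name": "services.exe"}, "event": {"category": "process"},
     "@timestamp": "2020-10-12T10:00:00Z"},
    {"process": {"name": "services.exe"}, "event": {"category": "process"},
     "event_time": "2020-10-12T10:00:01Z"},
    {"process": {"name": "services.exe"}, "@timestamp": "2020-10-12T10:00:02Z"},
]


def get_field(doc, dotted):
    """Resolve a dotted name such as 'event.category' against a document that is
    either nested ({"event": {"category": ...}}) or flat ({"event.category": ...})."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_fields(docs, timestamp_field="@timestamp", category_field="event.category"):
    """Count documents that lack the timestamp or category field. EQL needs both;
    an index full of matching process names still yields nothing if they are absent."""
    no_ts = sum(1 for d in docs if get_field(d, timestamp_field) is None)
    no_cat = sum(1 for d in docs if get_field(d, category_field) is None)
    return {"timestamp": no_ts, "category": no_cat}


def eql_request(query, timestamp_field="@timestamp", category_field="event.category"):
    """Build the JSON body for GET <index>/_eql/search. Only non-default field
    names are emitted, using the EQL API's timestamp_field / event_category_field."""
    body = {"query": query}
    if timestamp_field != "@timestamp":
        body["timestamp_field"] = timestamp_field
    if category_field != "event.category":
        body["event_category_field"] = category_field
    return body


if __name__ == "__main__":
    print(missing_fields(SAMPLE_HITS))
    print(json.dumps(eql_request('process where process.name == "services.exe"',
                                 timestamp_field="event_time"), indent=2))
```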
@kelk glad you were able to get things working to a degree!
It's possible that there are mapping differences across your winlogbeat indexes; you might be able to narrow that down by starting with your concrete index, and then loosening the wildcard (winlogbeat-7.9.2-2020.10.12*, winlogbeat-7.9.2-2020.10*, etc.) until you see the failure.
We also made an improvement or two to EQL's index resolution for 7.10, so that behavior will be improved soon!
Thank you again.
I feel EQL has so many legs and is much simpler for aggregation/pipe/SIEM/event stitching together. Maybe if you can develop it to the likes of Splunk SPL or similar, it would become the most important language within the ELK framework.