EQL: Add implicit ordering on timestamp #53004
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
QL: Move Sort base class from SQL to QL
|
Pinging @elastic/es-search (:Search/EQL) |
astefan
approved these changes
Mar 2, 2020
| @@ -3,6 +3,9 @@ | |||
| "event_type" : { | |||
| "type" : "keyword" | |||
| }, | |||
| "timestamp" : { | |||
| "type" : "keyword" | |||
| @@ -3,6 +3,9 @@ | |||
| "event_type" : { | |||
| "type" : "keyword" | |||
| }, | |||
| "timestamp" : { | |||
| "type" : "keyword" | |||
aleksmaus
approved these changes
Mar 2, 2020
aleksmaus
reviewed
Mar 2, 2020
docs/reference/eql/search.asciidoc
Outdated
| @@ -27,7 +27,7 @@ PUT sec_logs/_bulk?refresh | |||
| You can now use the EQL search API to search this index using an EQL query. | |||
|
|
|||
| The following request searches the `sec_logs` index using the EQL query | |||
| specified in the `query` parameter. The EQL query matches events with an | |||
| specified in the `rule` parameter. The EQL query matches events with an | |||
There was a problem hiding this comment.
something didn't merge right, should be query
|
@elasticmachine run elasticsearch-ci/2 |
costin
commented
Mar 2, 2020
| @@ -74,7 +75,8 @@ The API returns the following response containing the matching event: | |||
| "name": "cmd.exe", | |||
| "path": "C:\\Windows\\System32\\cmd.exe" | |||
| } | |||
| } | |||
| }, | |||
| "sort" : [1607339167000] | |||
There was a problem hiding this comment.
@jrodewig Not sure whether there's a better way to match the document - essentially the score has been replaced by sort and I'd like to remove both from the result.
There was a problem hiding this comment.
@costin No worries. As long as the CI tests pass, I would not consider this a blocker. I can work on the additional doc changes as a separate PR.
costin
added a commit
that referenced
this pull request
Mar 2, 2020
QL: Move Sort base class from SQL to QL (cherry picked from commit 798015b)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
QL: Move Sort base class from SQL to QL