Skip to content

[DOCS] EQL: Document nested field support #56138

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 5, 2020
Merged

[DOCS] EQL: Document nested field support #56138

merged 2 commits into from
May 5, 2020

Conversation

jrodewig
Copy link
Contributor

@jrodewig jrodewig commented May 4, 2020

Notes that you cannot use EQL in ES to search the values of nested
fields or their sub-fields. However, indices containing nested field
mappings are otherwise supported.

Relates to #55721

@jrodewig
[DOCS] EQL: Document nested field support
8cffa7f 
Notes that you cannot use EQL in ES to search the values of `nested`
fields or their sub-fields. However, indices containing `nested` field
mappings are otherwise supported.
@jrodewig jrodewig added >docs General docs changes :Analytics/EQL EQL querying labels May 4, 2020
@jrodewig jrodewig requested a review from astefan May 4, 2020 17:56
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-docs (>docs)

@elasticmachine elasticmachine added the Team:Docs Meta label for docs team label May 4, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-ql (:Query Languages/EQL)

@elasticmachine elasticmachine added the Team:QL (Deprecated) Meta label for query languages team label May 4, 2020
astefan
astefan approved these changes May 5, 2020
View reviewed changes
Copy link
Contributor

@astefan astefan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Left one comment.

docs/reference/eql/requirements.asciidoc
@@ -34,3 +33,10 @@ A field containing the event classification, such as `process`, `file`, or
Timestamp::
A field containing the date and/or time the event occurred. This is typically
mapped as a <<date,`date`>> field.

[NOTE]
====
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if this note is necessary in this section, as well.
Maybe have it reworded differently. Since the section is about required fields, how about something around "a <<nested,nested>> field or the sub-fields of a nested field cannot be used as a Timestamp or Event category".

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @astefan. I updated this note per your suggestion with 644d84d.

@jrodewig jrodewig merged commit e12419b into elastic:master May 5, 2020
@jrodewig jrodewig deleted the docs__eql-nested-fields branch May 5, 2020 15:26
@jrodewig jrodewig mentioned this pull request May 5, 2020
Merged
jrodewig added a commit that referenced this pull request May 5, 2020
@jrodewig
[DOCS] EQL: Document nested field support (#56138)
44414ac 
Notes that you cannot use EQL in ES to search the values of `nested`
fields or their sub-fields. However, indices containing `nested` field
mappings are otherwise supported.
@jrodewig
Copy link
Contributor Author

jrodewig commented May 5, 2020

Backport commits

master e12419b
7.x 44414ac

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@astefan astefan astefan approved these changes

Assignees
No one assigned
Labels
:Analytics/EQL EQL querying >docs General docs changes Team:Docs Meta label for docs team Team:QL (Deprecated) Meta label for query languages team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jrodewig @elasticmachine @astefan