Package co.elastic.clients.elasticsearch.eql

Class EqlSearchRequest

java.lang.Object
co.elastic.clients.elasticsearch._types.RequestBase
co.elastic.clients.elasticsearch.eql.EqlSearchRequest
All Implemented Interfaces:
JsonpSerializable
@JsonpDeserializable public class EqlSearchRequest extends RequestBase implements JsonpSerializable
Get EQL search results. Returns search results for an Event Query Language (EQL) query. EQL assumes each document in a data stream or index corresponds to an event.
See Also:

  • Field Details

  • Method Details

    • of

      public static EqlSearchRequest of(Function<EqlSearchRequest.Builder,ObjectBuilder<EqlSearchRequest>> fn)

    • allowNoIndices

      @Nullable public final Boolean allowNoIndices()
      Whether to ignore if a wildcard indices expression resolves into no concrete indices. (This includes _all string or when no indices have been specified)

      API name: allow_no_indices

    • allowPartialSearchResults

      @Nullable public final Boolean allowPartialSearchResults()
      Allow query execution also in case of shard failures. If true, the query will keep running and will return results based on the available shards. For sequences, the behavior can be further refined using allow_partial_sequence_results

      API name: allow_partial_search_results

    • allowPartialSequenceResults

      @Nullable public final Boolean allowPartialSequenceResults()
      This flag applies only to sequences and has effect only if allow_partial_search_results=true. If true, the sequence query will return results based on the available shards, ignoring the others. If false, the sequence query will return successfully, but will always have empty results.

      API name: allow_partial_sequence_results

    • caseSensitive

      @Nullable public final Boolean caseSensitive()
      API name: case_sensitive

    • ccsMinimizeRoundtrips

      @Nullable public final Boolean ccsMinimizeRoundtrips()
      Indicates whether network round-trips should be minimized as part of cross-cluster search requests execution

      API name: ccs_minimize_roundtrips

    • eventCategoryField

      @Nullable public final String eventCategoryField()
      Field containing the event classification, such as process, file, or network.

      API name: event_category_field

    • expandWildcards

      public final List<ExpandWildcard> expandWildcards()
      Whether to expand wildcard expression to concrete indices that are open, closed or both.

      API name: expand_wildcards

    • fetchSize

      @Nullable public final Number fetchSize()
      Maximum number of events to search at a time for sequence queries.

      API name: fetch_size

    • fields

      public final List<FieldAndFormat> fields()
      Array of wildcard (*) patterns. The response returns values for field names matching these patterns in the fields property of each hit.

      API name: fields

    • filter

      public final List<Query> filter()
      Query, written in Query DSL, used to filter the events on which the EQL query runs.

      API name: filter

    • ignoreUnavailable

      @Nullable public final Boolean ignoreUnavailable()
      If true, missing or closed indices are not included in the response.

      API name: ignore_unavailable

    • index

      public final List<String> index()
      Required - The name of the index to scope the operation

      API name: index

    • keepAlive

      @Nullable public final Time keepAlive()
      API name: keep_alive

    • keepOnCompletion

      @Nullable public final Boolean keepOnCompletion()
      API name: keep_on_completion

    • maxSamplesPerKey

      @Nullable public final Integer maxSamplesPerKey()
      By default, the response of a sample query contains up to 10 samples, with one sample per unique set of join keys. Use the size parameter to get a smaller or larger set of samples. To retrieve more than one sample per set of join keys, use the max_samples_per_key parameter. Pipes are not supported for sample queries.

      API name: max_samples_per_key

    • query

      public final String query()
      Required - EQL query you wish to run.

      API name: query

    • resultPosition

      @Nullable public final ResultPosition resultPosition()
      API name: result_position

    • runtimeMappings

      public final Map<String,RuntimeField> runtimeMappings()
      API name: runtime_mappings

    • size

      @Nullable public final Number size()
      For basic queries, the maximum number of matching events to return. Defaults to 10

      API name: size

    • tiebreakerField

      @Nullable public final String tiebreakerField()
      Field used to sort hits with the same timestamp in ascending order

      API name: tiebreaker_field

    • timestampField

      @Nullable public final String timestampField()
      Field containing event timestamp. Default "@timestamp"

      API name: timestamp_field

    • waitForCompletionTimeout

      @Nullable public final Time waitForCompletionTimeout()
      API name: wait_for_completion_timeout

    • serialize

      public void serialize(jakarta.json.stream.JsonGenerator generator, JsonpMapper mapper)
      Serialize this object to JSON.
      Specified by:
      serialize in interface JsonpSerializable

    • serializeInternal

      protected void serializeInternal(jakarta.json.stream.JsonGenerator generator, JsonpMapper mapper)

    • setupEqlSearchRequestDeserializer

      protected static void setupEqlSearchRequestDeserializer(ObjectDeserializer<EqlSearchRequest.Builder> op)

    • createSearchEndpoint

      public static <TEvent> Endpoint<EqlSearchRequest,EqlSearchResponse<TEvent>,ErrorResponse> createSearchEndpoint(JsonpDeserializer<TEvent> tEventDeserializer)
      Create an "eql.search" endpoint.