WARNING: Deprecated in 7.15.0.
The Java REST Client is deprecated in favor of the Java API Client.
EQL Search API
Request
An EqlSearchRequest allows you to submit an EQL search request. The required arguments are the indices to search against and the query itself:
Optional arguments
The following arguments can optionally be provided:
```java
// Field containing the event classification. Defaults to
request.eventCategoryField("event_category");
// Maximum number of events to search at a time for sequence queries (defaults to 1000).
request.fetchSize(50);
// For basic queries, the maximum number of matching events to return. For sequence
// queries, the maximum number of matching sequences to return. Defaults to 10.
request.size(15);
// Field used to sort hits with the same timestamp in ascending order.
request.tiebreakerField("tie");
// Field containing the event timestamp. Defaults to
request.timestampField("timestamp");
// Query, written in Query DSL, used to filter the events on which the EQL query runs.
request.filter(QueryBuilders.matchAllQuery());
// Set of matching events or sequences to return. Accepts
request.resultPosition("head");
// Array of wildcard (*) patterns. The response returns values for field names matching
// these patterns in the fields property of each hit.
List<FieldAndFormat> fields = new ArrayList<>();
fields.add(new FieldAndFormat("hostname", null));
request.fetchFields(fields);
// Value of
IndicesOptions op = IndicesOptions.fromOptions(true, true, true, false);
request.indicesOptions(op);
// Defines one or more runtime fields in the search request. These fields take
// precedence over mapped fields with the same name.
Map<String, Object> settings = new HashMap<>();
settings.put("type", "keyword");
settings.put("script", "emit(doc['host.keyword'].value)");
Map<String, Object> field = new HashMap<>();
field.put("hostname", settings);
request.runtimeMappings(field);
// Timeout duration to wait for the request to finish. Defaults to no timeout, meaning
// the request waits for complete search results. If the request does not complete
// during this period, the search becomes an async search.
request.waitForCompletionTimeout(TimeValue.timeValueMinutes(1));
// If
request.keepOnCompletion(true);
// Period for which the search and its results are stored on the cluster. Defaults to
request.keepAlive(TimeValue.timeValueHours(12));
```
Response
The returned EqlSearchResponse allows you to retrieve information about the executed operation as follows:
```java
EqlSearchResponse response = client.eql().search(request, options);
// The id of the async search request,
response.id();
response.isPartial();
response.isRunning();
response.isTimeout();
// Milliseconds it took Elasticsearch to execute the request.
response.took();
// Contains matching events and sequences. Also contains related metadata. The response
// will contain either Event objects or Sequence objects, not both, depending on the query.
Hits hits = response.hits();
// Metadata about the number of matching events or sequences.
hits.totalHits();
// Contains events matching the query. Each object represents a matching event.
List<Event> events = hits.events();
// Contains event sequences matching the query. Each object represents a matching sequence.
List<Sequence> sequences = hits.sequences();
Map<String, Object> event = events.get(0).sourceAsMap();
// Access the value of a runtime field.
Map<String, DocumentField> fetchField = events.get(0).fetchFields();
fetchField.get("hostname").getValues();
```
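As an added example that is not from the Elasticsearch documentation or the client's own sources, the following ties the request options and the response handling above together: it runs a sequence query that correlates a process start with a following network connection on the same host and walks the returned sequences. The index pattern logs-endpoint-*, the ECS-style field names and the event.sequence tiebreaker field are assumptions; the isTimeout/isPartial check keeps an incomplete result from being read as "nothing matched".

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.client.eql.EqlSearchRequest;
import org.elasticsearch.client.eql.EqlSearchResponse;
import org.elasticsearch.client.eql.EqlSearchResponse.Event;
import org.elasticsearch.client.eql.EqlSearchResponse.Sequence;
import org.elasticsearch.common.document.DocumentField;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.fetch.subphase.FieldAndFormat;

public class EqlSequenceExample {
    // Two-stage sequence joined on host.name; maxspan bounds how far apart the events may be.
    static final String QUERY = "sequence by host.name with maxspan=30s\n"
        + "  [process where event.type == \"start\"]\n"
        + "  [network where event.type == \"connection\"]";
    static EqlSearchRequest buildRequest() {
        // Index pattern and field names are assumptions (ECS-style data).
        EqlSearchRequest request = new EqlSearchRequest("logs-endpoint-*", QUERY);
        request.timestampField("@timestamp");
        request.tiebreakerField("event.sequence"); // stable order for equal timestamps
        // Query DSL pre-filter: only the last hour is handed to the EQL engine.
        request.filter(QueryBuilders.rangeQuery("@timestamp").gte("now-1h"));
        request.size(20);       // sequences to return
        request.fetchSize(500); // events examined per batch while sequencing
        List<FieldAndFormat> fields = new ArrayList<>();
        fields.add(new FieldAndFormat("host.name", null));
        fields.add(new FieldAndFormat("event.category", null));
        request.fetchFields(fields); // dotted names resolve here, unlike sourceAsMap()
        return request;
    }
    static List<String> run(RestHighLevelClient client) throws IOException {
        EqlSearchResponse response = client.eql().search(buildRequest(), RequestOptions.DEFAULT);
        List<String> summary = new ArrayList<>();
        if (response.isTimeout() || response.isPartial()) {
            summary.add("incomplete result, took=" + response.took() + "ms"); // not "no match"
        }
        for (Sequence seq : response.hits().sequences()) { // sequence query: no plain events
            StringBuilder line = new StringBuilder("host=" + seq.joinKeys());
            for (Event event : seq.events()) {
                DocumentField cat = event.fetchFields().get("event.category");
                Object category = cat == null ? "?" : cat.getValue(); // field may be absent
                line.append(" -> ").append(category).append('/').append(event.id());
            }
            summary.add(line.toString());
        }
        return summary;
    }
}
```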