EQL: Sequence improvements #56768

costin · 2020-05-14T12:23:26Z

This is a meta ticket for must-have improvements now that EQL supports sequences.

tie-breaker support
Due to the distributed nature of ingestion it is quite possible for events to occur at the same time which does require a user-defined tie-breaker to establish serialization, separate from the document-based one in Elasticsearch (_doc).
Further more this is used by the existing EQL test suite - without it some fails will surely fail.
internal pagination
In order to find X results, the sequence runtime must go through multiple internal pages before sending out the current results. Regardless of the client pagination, the algorithm needs to be able to handle its own pagination which is the norm for large datasets.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2020-05-14T12:23:29Z

Pinging @elastic/es-ql (:Query Languages/EQL)

costin · 2020-07-02T14:04:12Z

Completed by #58859 (internal pagination) and #57787 (tiebreaker support).

costin added >enhancement :Analytics/EQL EQL querying labels May 14, 2020

elasticmachine added the Team:QL (Deprecated) Meta label for query languages team label May 14, 2020

costin mentioned this issue May 15, 2020

EQL sequence and join execution #49594

Closed

costin closed this as completed Jul 2, 2020

costin mentioned this issue Jul 16, 2020

EQL - query language for event data in Elasticsearch #59686

Closed

18 tasks

Provide feedback