diff --git a/docs/reference/eql/index.asciidoc b/docs/reference/eql/index.asciidoc
index a6a30ea234d6f..328f40a36a557 100644
--- a/docs/reference/eql/index.asciidoc
+++ b/docs/reference/eql/index.asciidoc
@@ -32,7 +32,9 @@ Consider using EQL if you:
 * <>
 * <>
 * <>
+* <>
 
 include::requirements.asciidoc[]
 include::search.asciidoc[]
 include::syntax.asciidoc[]
+include::limitations.asciidoc[]
diff --git a/docs/reference/eql/limitations.asciidoc b/docs/reference/eql/limitations.asciidoc
new file mode 100644
index 0000000000000..5e6cc74c319c2
--- /dev/null
+++ b/docs/reference/eql/limitations.asciidoc
@@ -0,0 +1,29 @@
+[role="xpack"]
+[testenv="basic"]
+[[eql-limitations]]
+== EQL limitations
+++++
+Limitations
+++++
+
+experimental::[]
+
+[discrete]
+[[eql-unsupported-syntax]]
+=== Unsupported syntax
+
+{es} supports a subset of {eql-ref}/index.html[EQL syntax]. {es} cannot run EQL
+queries that contain:
+
+* {eql-ref}/functions.html[Functions]
+
+* {eql-ref}/joins.html[Joins]
+
+* {eql-ref}/basic-syntax.html#event-relationships[Lineage-related keywords]:
+** `child of`
+** `descendant of`
+** `event of`
+
+* {eql-ref}/pipes.html[Pipes]
+
+* {eql-ref}/sequences.html[Sequences]
\ No newline at end of file