From 6b62ec53db825a7510f6a40bbca3a139a1bcae47 Mon Sep 17 00:00:00 2001 From: James Rodewig <james.rodewig@elastic.co> Date: Wed, 12 Feb 2020 08:45:15 -0500 Subject: [PATCH] [DOCS] Add EQL limitations page (#52001) Documents limitations for EQL in Elasticsearch. --- docs/reference/eql/index.asciidoc | 2 ++ docs/reference/eql/limitations.asciidoc | 29 +++++++++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 docs/reference/eql/limitations.asciidoc diff --git a/docs/reference/eql/index.asciidoc b/docs/reference/eql/index.asciidoc index a6a30ea234d6f..328f40a36a557 100644 --- a/docs/reference/eql/index.asciidoc +++ b/docs/reference/eql/index.asciidoc @@ -32,7 +32,9 @@ Consider using EQL if you: * <<eql-requirements>> * <<eql-search>> * <<eql-syntax>> +* <<eql-limitations>> include::requirements.asciidoc[] include::search.asciidoc[] include::syntax.asciidoc[] +include::limitations.asciidoc[] diff --git a/docs/reference/eql/limitations.asciidoc b/docs/reference/eql/limitations.asciidoc new file mode 100644 index 0000000000000..5e6cc74c319c2 --- /dev/null +++ b/docs/reference/eql/limitations.asciidoc @@ -0,0 +1,29 @@ +[role="xpack"] +[testenv="basic"] +[[eql-limitations]] +== EQL limitations +++++ +<titleabbrev>Limitations</titleabbrev> +++++ + +experimental::[] + +[discrete] +[[eql-unsupported-syntax]] +=== Unsupported syntax + +{es} supports a subset of {eql-ref}/index.html[EQL syntax]. {es} cannot run EQL +queries that contain: + +* {eql-ref}/functions.html[Functions] + +* {eql-ref}/joins.html[Joins] + +* {eql-ref}/basic-syntax.html#event-relationships[Lineage-related keywords]: +** `child of` +** `descendant of` +** `event of` + +* {eql-ref}/pipes.html[Pipes] + +* {eql-ref}/sequences.html[Sequences] \ No newline at end of file