[DOCS] EQL: Document runs keyword

[jrodewig]

Documents the runs keyword for running the same event criteria successively in a sequence query.

Relates to #75082.

Targeting 7.x to include the release highlight. I'll remove the highlight from the 8.0/master port.

Preview

• Release highlight: https://elasticsearch_78478.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/7.x/release-highlights.html#_eql_runs_keyword_for_repeated_events
• runs keyword docs: https://elasticsearch_78478.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/7.x/eql-syntax.html#eql-runs-keyword

[elasticmachine]

Pinging @elastic/es-docs (Team:Docs)

[elasticmachine]

Pinging @elastic/es-ql (Team:QL)

[costin]

Use a runs statement to repeat an event within a sequence query. For example:

This statement is unclear since it suggests a matching event is going to be repeated in the response, which is not the case.
Rather when trying to match an event that occurs multiple times in succession, to avoid having to redeclare a query filter multiple times, one can use the runs option to indicate how many times said statement should run.
It is syntactic sugar so that instead of writing:

sequence
 [queryA]
 [queryB]
 [queryB]

one can write

sequence
  [queryA]
  [queryB] [runs=2]

[jrodewig]

Thanks for the feedback @costin. I've pushed some changes to clarify the wording based on your feedback.

Let me know if any further changes are needed.

[costin]

LGTM. The only remark is criteria is the plural for criterion so the first paragraph should read:
"the same event criteria criterion"

[costin]

LGTM

[jrodewig]

Thanks @costin!

LGTM. The only remark is criteria is the plural for criterion so the first paragraph should read:
"the same event criteria criterion"

IMO the event category and event condition(s) are each a criterion. The "criteria" here is a set that consists of those components. It's certainly debatable tho.