From 76c5e3d5d888401350a1432acc4ec00d91d0dd6b Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 5 Jan 2024 16:53:29 -0500 Subject: [PATCH 1/9] First draft --- docs/events/timeline-ui-overview.asciidoc | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index c3d6226b95..e9855df167 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -202,7 +202,23 @@ The {ref}/esql.html[Elasticsearch Query Language ({esql})] provides a powerful w You can use {esql} in Timeline by opening the **{esql}** tab. From there, you can: -- Explore your events using the default query, or create a custom one. The default query searches documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <>, then returns 10 events from the defined time range. +- Explore your events by writing an {esql} query. ++ +NOTE: An empty query bar will return an error message. ++ +For example, start the following query and iterate on it to fine tune your results: ++ +[source,esql] +---- +FROM .alerts-security.alerts-default,apm-*-transaction*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,traces-apm*,winlogbeat-*,-*elastic-cloud-logs-* +| LIMIT 10 +| KEEP @timestamp, message, event.category, event.action, host.name, source.ip, destination.ip, user.name +---- ++ +** This query starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <>. +** Then, the query limits the output to the top 10 results. +** Next, it keeps the `@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name` fields in the output. + - Click the help icon (image:images/esql-ref-button.png[Click the ES|QL reference button,20,20]) on the far right side of the query editor to open the in-product reference documentation for all {esql} commands and functions. - Visualize query results using {kibana-ref}/discover.html[Discover] functionality. From e95c7b96d62e6bfca9b671c99df1b114100f2a42 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 5 Jan 2024 16:56:52 -0500 Subject: [PATCH 2/9] Small edits --- docs/events/timeline-ui-overview.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index e9855df167..e4beee0087 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc @@ -202,11 +202,11 @@ The {ref}/esql.html[Elasticsearch Query Language ({esql})] provides a powerful w You can use {esql} in Timeline by opening the **{esql}** tab. From there, you can: -- Explore your events by writing an {esql} query. +- Write an {esql} query to explore your events. + NOTE: An empty query bar will return an error message. + -For example, start the following query and iterate on it to fine tune your results: +For example, start the following query and iterate on it to fine-tune your results: + [source,esql] ---- From 9982ed7198e42de02056ebfc49434b2ad4d9c03f Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 8 Jan 2024 15:21:21 -0500 Subject: [PATCH 3/9] Minor tweaks --- docs/events/timeline-ui-overview.asciidoc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index e4beee0087..ad3b278833 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc @@ -202,11 +202,7 @@ The {ref}/esql.html[Elasticsearch Query Language ({esql})] provides a powerful w You can use {esql} in Timeline by opening the **{esql}** tab. From there, you can: -- Write an {esql} query to explore your events. -+ -NOTE: An empty query bar will return an error message. -+ -For example, start the following query and iterate on it to fine-tune your results: +- Write an {esql} query to explore your events. For example, start with the following query, then iterate on it to tailor your results: + [source,esql] ---- 
@@ -215,10 +211,14 @@ FROM .alerts-security.alerts-default,apm-*-transaction*,auditbeat-*,endgame-*,fi | KEEP @timestamp, message, event.category, event.action, host.name, source.ip, destination.ip, user.name ---- + -** This query starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <>. +This query does the following: + +** It starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <>. ** Then, the query limits the output to the top 10 results. ** Next, it keeps the `@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name` fields in the output. +NOTE: An error message displays when the query bar is empty. + - Click the help icon (image:images/esql-ref-button.png[Click the ES|QL reference button,20,20]) on the far right side of the query editor to open the in-product reference documentation for all {esql} commands and functions. - Visualize query results using {kibana-ref}/discover.html[Discover] functionality. From d3f97f4c0507864554413bd1b176c0b957a1d553 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 9 Jan 2024 11:34:19 -0500 Subject: [PATCH 4/9] Update docs/events/timeline-ui-overview.asciidoc --- docs/events/timeline-ui-overview.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index ad3b278833..c4edf7e9d2 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -215,7 +215,7 @@ This query does the following: ** It starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <>. ** Then, the query limits the output to the top 10 results. -** Next, it keeps the `@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name` fields in the output. +** Finally, it keeps the default `@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name` Timeline fields in the output. NOTE: An error message displays when the query bar is empty. From dbbff141b5cb1a4ac50a0c30a1a13dfbcb440e92 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 9 Jan 2024 16:06:20 -0500 Subject: [PATCH 5/9] Potential revision --- docs/events/timeline-ui-overview.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index c4edf7e9d2..fd4e4f63a4 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -216,6 +216,8 @@ This query does the following: ** It starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <>. ** Then, the query limits the output to the top 10 results. ** Finally, it keeps the default `@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name` Timeline fields in the output. ++ +TIP: When querying indices with a large number of fields (for example, `logs-*`), performance can be impacted by the number of fields being returned in the output. If your query is taking a long time to complete, try using the {ref}/esql-commands.html#esql-keep[`KEEP`] command and specifying the fields you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. NOTE: An error message displays when the query bar is empty. From bf27e88bc613eaf00396833dffdd6e872f7c23c9 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 9 Jan 2024 16:12:41 -0500 Subject: [PATCH 6/9] Wording --- docs/events/timeline-ui-overview.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index fd4e4f63a4..f6da72d586 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -217,7 +217,7 @@ This query does the following: ** Then, the query limits the output to the top 10 results. ** Finally, it keeps the default `@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name` Timeline fields in the output. + -TIP: When querying indices with a large number of fields (for example, `logs-*`), performance can be impacted by the number of fields being returned in the output. If your query is taking a long time to complete, try using the {ref}/esql-commands.html#esql-keep[`KEEP`] command and specifying the fields you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. +TIP: When querying large indices (for example, `logs-*`), performance can be impacted by the number of fields being returned in the output. If your query is taking a long time to complete, try using the {ref}/esql-commands.html#esql-keep[`KEEP`] command and specifying the fields you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. NOTE: An error message displays when the query bar is empty. From 19844c2540999c223a771bc259a6d59dc2650e48 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 9 Jan 2024 17:24:00 -0500 Subject: [PATCH 7/9] Update docs/events/timeline-ui-overview.asciidoc --- docs/events/timeline-ui-overview.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index f6da72d586..2bcd9426ca 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -217,7 +217,7 @@ This query does the following: ** Then, the query limits the output to the top 10 results. ** Finally, it keeps the default `@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name` Timeline fields in the output. + -TIP: When querying large indices (for example, `logs-*`), performance can be impacted by the number of fields being returned in the output. If your query is taking a long time to complete, try using the {ref}/esql-commands.html#esql-keep[`KEEP`] command and specifying the fields you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. +TIP: When querying indices that tend to be large (for example, `logs-*`), performance can be impacted by the number of fields being returned in the output. To optimize performance, we recommend using the {ref}/esql-commands.html#esql-keep[`KEEP`] command to specify fields that you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. NOTE: An error message displays when the query bar is empty. From a510e9b733d58e28ee96bd2c7a2fd212780e523e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 10 Jan 2024 12:00:14 -0500 Subject: [PATCH 8/9] Update docs/events/timeline-ui-overview.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/events/timeline-ui-overview.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index 2bcd9426ca..bfc2050cae 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -217,7 +217,7 @@ This query does the following: ** Then, the query limits the output to the top 10 results. ** Finally, it keeps the default `@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name` Timeline fields in the output. + -TIP: When querying indices that tend to be large (for example, `logs-*`), performance can be impacted by the number of fields being returned in the output. To optimize performance, we recommend using the {ref}/esql-commands.html#esql-keep[`KEEP`] command to specify fields that you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. +TIP: When querying indices that tend to be large (for example, `logs-*`), performance can be impacted by the number of fields returned in the output. To optimize performance, we recommend using the {ref}/esql-commands.html#esql-keep[`KEEP`] command to specify fields that you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. NOTE: An error message displays when the query bar is empty. From d3e5656ab66757f745bc55348787375aa5edf7ef Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 10 Jan 2024 15:52:29 -0500 Subject: [PATCH 9/9] Update docs/events/timeline-ui-overview.asciidoc --- docs/events/timeline-ui-overview.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index bfc2050cae..1890b6c183 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -215,7 +215,7 @@ This query does the following: ** It starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <>. ** Then, the query limits the output to the top 10 results. -** Finally, it keeps the default `@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name` Timeline fields in the output. +** Finally, it keeps the default Timeline fields (`@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name`) in the output. + TIP: When querying indices that tend to be large (for example, `logs-*`), performance can be impacted by the number of fields returned in the output. To optimize performance, we recommend using the {ref}/esql-commands.html#esql-keep[`KEEP`] command to specify fields that you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned.
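Review bot: In PATCH 1/9 (hunk `@@ -202,7 +202,23 @@`), `| LIMIT 10` has no preceding `SORT`, so the query returns an arbitrary 10 rows rather than "the top 10 results" as the explanatory bullet claims. Either insert `| SORT @timestamp DESC` before `| LIMIT 10` so the 10 rows are the most recent events, or reword the bullet to "the first 10 matching results". In the same hunk, the bullet says the query reads "indices specified in the <>" while the `FROM` line hardcodes a fixed pattern list; tell readers that the list mirrors the defaults and must be edited if their setting differs, and check that the `<>` cross-reference has a target, since it renders empty in the hunk.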
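Review bot: In PATCH 3/9 (hunk `@@ -215,10 +211,14 @@`), the added `NOTE: An error message displays when the query bar is empty.` follows the nested `**` items after a blank line with no `+` continuation, so it terminates the bullet list; the `- Click the help icon` and `- Visualize query results` items that follow then render as a separate list. If the three top-level items are meant to be one list, attach the NOTE to the first item with `+` (as the TIP is attached in PATCH 5/9) or move it below the last item.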
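Review bot: In PATCH 5/9 (hunk `@@ -216,6 +216,8 @@`), the TIP's advice to "add the clause `KEEP @timestamp, user.name` to the end of your query" conflicts with the example query, which already ends in a `KEEP` command listing eight fields; a reader following the TIP literally would append a second `KEEP`. Phrase it as narrowing the field list in the existing `KEEP` command (for example, "replace the field list in `KEEP` with only the fields you need, such as `KEEP @timestamp, user.name`").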
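Review bot: In PATCH 6/9 (hunk `@@ -217,7 +217,7 @@`), changing "indices with a large number of fields" to "large indices" drops the cause the TIP is actually describing: the cost comes from the number of fields returned per document, not from index size, and PATCH 7/9 through 9/9 keep the "indices that tend to be large" wording. Restore the field-count framing, for example "indices with many fields (such as `logs-*`)", so the sentence still explains why `KEEP` helps.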