From df2dbac09b95d089b5dd21588abf65647415b4dd Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 10 Jan 2024 17:45:54 -0500 Subject: [PATCH] [Request] [8.11.4 & 8.12][ESS] Remove mention of default query in the ES|QL tab docs (#4578) * First draft * Small edits * Minor tweaks * Update docs/events/timeline-ui-overview.asciidoc * Potential revision * Wording * Update docs/events/timeline-ui-overview.asciidoc * Update docs/events/timeline-ui-overview.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/events/timeline-ui-overview.asciidoc --------- Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> (cherry picked from commit 8332e3f4c461c5972c67e2b98eb5510cb650290e) --- docs/events/timeline-ui-overview.asciidoc | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index 8a21211cf1..9f85ee4a2d 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -191,7 +191,25 @@ The {ref}/esql.html[Elasticsearch Query Language ({esql})] provides a powerful w You can use {esql} in Timeline by opening the **{esql}** tab. From there, you can: -- Explore your events using the default query, or create a custom one. The default query searches documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <>, then returns 10 events from the defined time range. +- Write an {esql} query to explore your events. For example, start with the following query, then iterate on it to tailor your results: ++ +[source,esql] +---- +FROM .alerts-security.alerts-default,apm-*-transaction*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,traces-apm*,winlogbeat-*,-*elastic-cloud-logs-* +| LIMIT 10 +| KEEP @timestamp, message, event.category, event.action, host.name, source.ip, destination.ip, user.name +---- ++ +This query does the following: + +** It starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <>. +** Then, the query limits the output to the top 10 results. +** Finally, it keeps the default Timeline fields (`@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name`) in the output. ++ +TIP: When querying indices that tend to be large (for example, `logs-*`), performance can be impacted by the number of fields returned in the output. To optimize performance, we recommend using the {ref}/esql-commands.html#esql-keep[`KEEP`] command to specify fields that you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned. + +NOTE: An error message displays when the query bar is empty. 
+ - Click the help icon (image:images/esql-ref-button.png[Click the ES|QL reference button,20,20]) on the far right side of the query editor to open the in-product reference documentation for all {esql} commands and functions. - Visualize query results using {kibana-ref}/discover.html[Discover] functionality.
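Review bot: "Then, the query limits the output to the top 10 results" overstates what `| LIMIT 10` does: ES|QL's `LIMIT` without a preceding `SORT` returns 10 rows in no guaranteed order, so they are not the "top" or most recent 10. Either reword that bullet to "limits the output to 10 rows" or, if the intent is the latest events, add a `| SORT @timestamp DESC` line before `| LIMIT 10` in the example and describe that step. Two smaller points in the same hunk: the TIP tells the reader to "add the clause `KEEP @timestamp, user.name` to the end of your query", but the example query already ends with a `KEEP` line, so a reader following the tip literally ends up with two `KEEP` commands; rephrasing as "replace the field list in the `KEEP` command with just `@timestamp, user.name`" avoids that. And the cross-reference to the default index setting appears as an empty `<>` in both the removed and the added line ("indices specified in the <>"), so please confirm the xref target is intact in the source before merging. Lastly, the `NOTE:` paragraph is not attached with `+`, so it terminates the bullet list and the two remaining `-` items render as a separate list; attach it with `+` if it is meant to stay inside the "Write an {esql} query" item.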