[8.11] [Request] [8.11.4 & 8.12][ESS] Remove mention of default query in the ES|QL tab docs (backport #4578) #4595

Merged: 1 commit merged on Jan 11, 2024
20 changes: 19 additions & 1 deletion docs/events/timeline-ui-overview.asciidoc
Expand Up @@ -191,7 +191,25 @@ The {ref}/esql.html[Elasticsearch Query Language ({esql})] provides a powerful w

You can use {esql} in Timeline by opening the **{esql}** tab. From there, you can:

- Explore your events using the default query, or create a custom one. The default query searches documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <<update-sec-indices,Security data view>>, then returns 10 events from the defined time range.
- Write an {esql} query to explore your events. For example, start with the following query, then iterate on it to tailor your results:
+
[source,esql]
----
FROM .alerts-security.alerts-default,apm-*-transaction*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,traces-apm*,winlogbeat-*,-*elastic-cloud-logs-*
| LIMIT 10
| KEEP @timestamp, message, event.category, event.action, host.name, source.ip, destination.ip, user.name
----
+
This query does the following:

** It starts by querying documents within the Security alert index (`.alerts-security.alerts-default`) and indices specified in the <<update-sec-indices,Security data view>>.
** Then, the query limits the output to the top 10 results.
** Finally, it keeps the default Timeline fields (`@timestamp`, `message`, `event.category`, `event.action`, `host.name`, `source.ip`, `destination.ip`, and `user.name`) in the output.
+
TIP: When querying indices that tend to be large (for example, `logs-*`), performance can be impacted by the number of fields returned in the output. To optimize performance, we recommend using the {ref}/esql-commands.html#esql-keep[`KEEP`] command to specify fields that you want returned. For example, add the clause `KEEP @timestamp, user.name` to the end of your query to specify that you only want the `@timestamp` and `user.name` fields returned.

NOTE: An error message displays when the query bar is empty.

- Click the help icon (image:images/esql-ref-button.png[Click the ES|QL reference button,20,20]) on the far right side of the query editor to open the in-product reference documentation for all {esql} commands and functions.
- Visualize query results using {kibana-ref}/discover.html[Discover] functionality.
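Review bot: The explanation bullet "Then, the query limits the output to the top 10 results" overstates what `| LIMIT 10` does here, because the example query has no `SORT` stage, so the 10 rows returned are not "top" by any ordering and can differ between runs. Either reword it to "limits the output to 10 results" or add an explicit sort stage (for example `| SORT @timestamp DESC`) ahead of `| LIMIT 10` in the example and describe it in the bullet list. A second, smaller point in the TIP: the clause to append is a pipeline stage, so quote it as `| KEEP @timestamp, user.name` rather than `KEEP @timestamp, user.name`, otherwise a reader who pastes it verbatim gets a syntax error.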
