package search

v9.0.0
Published: Apr 17, 2025 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Get EQL search results. Returns search results for an Event Query Language (EQL) query. EQL assumes each document in a data stream or index corresponds to an event.

Index

Constants

This section is empty.

Variables

var ErrBuildPath = errors.New("cannot build path, check for missing path parameters")

ErrBuildPath is returned in case of missing parameters within the build of the request.

Functions

This section is empty.

Types

type NewSearch

type NewSearch func(index string) *Search

NewSearch is the function type that builds a Search for the given index; the library's API index uses it as an alias.

func NewSearchFunc

func NewSearchFunc(tp elastictransport.Interface) NewSearch

NewSearchFunc returns a new instance of Search with the provided transport. It is used in the library's API index so that every API can be retrieved in one place.

type Request

type Request struct {

	// AllowPartialSearchResults Allow query execution also in case of shard failures.
	// If true, the query will keep running and will return results based on the
	// available shards.
	// For sequences, the behavior can be further refined using
	// allow_partial_sequence_results
	AllowPartialSearchResults *bool `json:"allow_partial_search_results,omitempty"`
	// AllowPartialSequenceResults This flag applies only to sequences and has effect only if
	// allow_partial_search_results=true.
	// If true, the sequence query will return results based on the available
	// shards, ignoring the others.
	// If false, the sequence query will return successfully, but will always have
	// empty results.
	AllowPartialSequenceResults *bool `json:"allow_partial_sequence_results,omitempty"`
	CaseSensitive               *bool `json:"case_sensitive,omitempty"`
	// EventCategoryField Field containing the event classification, such as process, file, or network.
	EventCategoryField *string `json:"event_category_field,omitempty"`
	// FetchSize Maximum number of events to search at a time for sequence queries.
	FetchSize *uint `json:"fetch_size,omitempty"`
	// Fields Array of wildcard (*) patterns. The response returns values for field names
	// matching these patterns in the fields property of each hit.
	Fields []types.FieldAndFormat `json:"fields,omitempty"`
	// Filter Query, written in Query DSL, used to filter the events on which the EQL query
	// runs.
	Filter           []types.Query  `json:"filter,omitempty"`
	KeepAlive        types.Duration `json:"keep_alive,omitempty"`
	KeepOnCompletion *bool          `json:"keep_on_completion,omitempty"`
	// MaxSamplesPerKey By default, the response of a sample query contains up to `10` samples, with
	// one sample per unique set of join keys. Use the `size`
	// parameter to get a smaller or larger set of samples. To retrieve more than
	// one sample per set of join keys, use the
	// `max_samples_per_key` parameter. Pipes are not supported for sample queries.
	MaxSamplesPerKey *int `json:"max_samples_per_key,omitempty"`
	// Query EQL query you wish to run.
	Query           string                         `json:"query"`
	ResultPosition  *resultposition.ResultPosition `json:"result_position,omitempty"`
	RuntimeMappings types.RuntimeFields            `json:"runtime_mappings,omitempty"`
	// Size For basic queries, the maximum number of matching events to return. Defaults
	// to 10
	Size *uint `json:"size,omitempty"`
	// TiebreakerField Field used to sort hits with the same timestamp in ascending order
	TiebreakerField *string `json:"tiebreaker_field,omitempty"`
	// TimestampField Field containing event timestamp. Default "@timestamp"
	TimestampField           *string        `json:"timestamp_field,omitempty"`
	WaitForCompletionTimeout types.Duration `json:"wait_for_completion_timeout,omitempty"`
}

Request holds the request body struct for the package search

https://github.com/elastic/elasticsearch-specification/blob/52c473efb1fb5320a5bac12572d0b285882862fb/specification/eql/search/EqlSearchRequest.ts#L28-L161

func NewRequest

func NewRequest() *Request

NewRequest returns a Request

func (*Request) FromJSON

func (r *Request) FromJSON(data string) (*Request, error)

FromJSON loads an arbitrary JSON document into the request structure.

func (*Request) UnmarshalJSON

func (s *Request) UnmarshalJSON(data []byte) error

type Response

type Response struct {

	// Hits Contains matching events and sequences. Also contains related metadata.
	Hits types.EqlHits `json:"hits"`
	// Id Identifier for the search.
	Id *string `json:"id,omitempty"`
	// IsPartial If true, the response does not contain complete search results.
	IsPartial *bool `json:"is_partial,omitempty"`
	// IsRunning If true, the search request is still executing.
	IsRunning *bool `json:"is_running,omitempty"`
	// ShardFailures Contains information about shard failures (if any), in case
	// allow_partial_search_results=true
	ShardFailures []types.ShardFailure `json:"shard_failures,omitempty"`
	// TimedOut If true, the request timed out before completion.
	TimedOut *bool `json:"timed_out,omitempty"`
	// Took Milliseconds it took Elasticsearch to execute the request.
	Took *int64 `json:"took,omitempty"`
}

Response holds the response body struct for the package search

https://github.com/elastic/elasticsearch-specification/blob/52c473efb1fb5320a5bac12572d0b285882862fb/specification/eql/search/EqlSearchResponse.ts#L22-L25

func NewResponse

func NewResponse() *Response

NewResponse returns a Response

type Search

type Search struct {
	// contains filtered or unexported fields
}

func New

Get EQL search results. Returns search results for an Event Query Language (EQL) query. EQL assumes each document in a data stream or index corresponds to an event.

https://www.elastic.co/docs/api/doc/elasticsearch/v9/operation/operation-eql-search

func (*Search) AllowNoIndices

func (r *Search) AllowNoIndices(allownoindices bool) *Search

API name: allow_no_indices

func (*Search) AllowPartialSearchResults

func (r *Search) AllowPartialSearchResults(allowpartialsearchresults bool) *Search

Allow query execution also in case of shard failures. If true, the query will keep running and will return results based on the available shards. For sequences, the behavior can be further refined using allow_partial_sequence_results.

API name: allow_partial_search_results

func (*Search) AllowPartialSequenceResults

func (r *Search) AllowPartialSequenceResults(allowpartialsequenceresults bool) *Search

This flag applies only to sequences and has effect only if allow_partial_search_results=true. If true, the sequence query will return results based on the available shards, ignoring the others. If false, the sequence query will return successfully, but will always have empty results.

API name: allow_partial_sequence_results

func (*Search) CaseSensitive

func (r *Search) CaseSensitive(casesensitive bool) *Search

API name: case_sensitive

func (Search) Do

func (r Search) Do(providedCtx context.Context) (*Response, error)

Do runs the request through the transport, handles the response and returns a search.Response.

func (*Search) ErrorTrace

func (r *Search) ErrorTrace(errortrace bool) *Search

ErrorTrace When set to `true` Elasticsearch will include the full stack trace of errors when they occur. API name: error_trace

func (*Search) EventCategoryField

func (r *Search) EventCategoryField(field string) *Search

Field containing the event classification, such as process, file, or network. API name: event_category_field

func (*Search) ExpandWildcards

func (r *Search) ExpandWildcards(expandwildcards ...expandwildcard.ExpandWildcard) *Search

API name: expand_wildcards

func (*Search) FetchSize

func (r *Search) FetchSize(fetchsize uint) *Search

Maximum number of events to search at a time for sequence queries. API name: fetch_size

func (*Search) Fields

func (r *Search) Fields(fields ...types.FieldAndFormatVariant) *Search

Array of wildcard (*) patterns. The response returns values for field names matching these patterns in the fields property of each hit. API name: fields

func (*Search) Filter

func (r *Search) Filter(filters ...types.QueryVariant) *Search

Query, written in Query DSL, used to filter the events on which the EQL query runs. API name: filter

func (*Search) FilterPath

func (r *Search) FilterPath(filterpaths ...string) *Search

FilterPath Comma-separated list of filters in dot notation which reduce the response returned by Elasticsearch. API name: filter_path

func (*Search) Header

func (r *Search) Header(key, value string) *Search

Header set a key, value pair in the Search headers map.

func (*Search) HttpRequest

func (r *Search) HttpRequest(ctx context.Context) (*http.Request, error)

HttpRequest returns the http.Request object built from the given parameters.

func (*Search) Human

func (r *Search) Human(human bool) *Search

Human When set to `true` will return statistics in a format suitable for humans. For example `"exists_time": "1h"` for humans and `"exists_time_in_millis": 3600000` for computers. When disabled the human readable values will be omitted. This makes sense for responses being consumed only by machines. API name: human

func (*Search) IgnoreUnavailable

func (r *Search) IgnoreUnavailable(ignoreunavailable bool) *Search

IgnoreUnavailable If true, missing or closed indices are not included in the response. API name: ignore_unavailable

func (*Search) KeepAlive

func (r *Search) KeepAlive(duration types.DurationVariant) *Search

API name: keep_alive

func (*Search) KeepOnCompletion

func (r *Search) KeepOnCompletion(keeponcompletion bool) *Search

API name: keep_on_completion

func (*Search) MaxSamplesPerKey

func (r *Search) MaxSamplesPerKey(maxsamplesperkey int) *Search

By default, the response of a sample query contains up to `10` samples, with one sample per unique set of join keys. Use the `size` parameter to get a smaller or larger set of samples. To retrieve more than one sample per set of join keys, use the `max_samples_per_key` parameter. Pipes are not supported for sample queries. API name: max_samples_per_key

func (Search) Perform

func (r Search) Perform(providedCtx context.Context) (*http.Response, error)

Perform runs the http.Request through the provided transport and returns an http.Response.

func (*Search) Pretty

func (r *Search) Pretty(pretty bool) *Search

Pretty If set to `true` the returned JSON will be "pretty-formatted". Use this option only for debugging. API name: pretty

func (*Search) Query

func (r *Search) Query(query string) *Search

EQL query you wish to run. API name: query

func (*Search) Raw

func (r *Search) Raw(raw io.Reader) *Search

Raw takes a JSON payload as input, which is then passed as the body of the http.Request. If specified, Raw takes precedence over the Request method.

func (*Search) Request

func (r *Search) Request(req *Request) *Search

Request sets the request body to the given payload.

func (*Search) ResultPosition

func (r *Search) ResultPosition(resultposition resultposition.ResultPosition) *Search

API name: result_position

func (*Search) RuntimeMappings

func (r *Search) RuntimeMappings(runtimefields types.RuntimeFieldsVariant) *Search

API name: runtime_mappings

func (*Search) Size

func (r *Search) Size(size uint) *Search

For basic queries, the maximum number of matching events to return. Defaults to 10.

API name: size

func (*Search) TiebreakerField

func (r *Search) TiebreakerField(field string) *Search

Field used to sort hits with the same timestamp in ascending order.

API name: tiebreaker_field

func (*Search) TimestampField

func (r *Search) TimestampField(field string) *Search

Field containing event timestamp. Default "@timestamp".

API name: timestamp_field

func (*Search) WaitForCompletionTimeout

func (r *Search) WaitForCompletionTimeout(duration types.DurationVariant) *Search

API name: wait_for_completion_timeout