[DOCS] EQL: Change result_position default to tail (#66550)
jrodewig authored Dec 18, 2020
1 parent bf78062 commit 14b381a
Showing 2 changed files with 7 additions and 6 deletions.
8 changes: 4 additions & 4 deletions docs/reference/eql/eql-search-api.asciidoc
Expand Up @@ -235,13 +235,13 @@ Set of matching events or sequences to return.
.Valid values for `result_position`
[%collapsible%open]
====
`head`::
`tail`::
(Default)
Return the earliest matches, similar to the {wikipedia}/Head_(Unix)[Unix head
Return the most recent matches, similar to the {wikipedia}/Tail_(Unix)[Unix tail
command].
`tail`::
Return the most recent matches, similar to the {wikipedia}/Tail_(Unix)[Unix tail
`head`::
Return the earliest matches, similar to the {wikipedia}/Head_(Unix)[Unix head
command].
====
+
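Review bot: The `(Default)` label moves from `head` to `tail` in this value list, but the entry does not tell readers that the default changed or that `result_position` must now be set to `head` explicitly to get the earliest matches. For detection and hunting queries that match more events than the response returns, the same request now yields a different subset, so a short note under `tail` stating the change and the explicit `head` alternative would help anyone carrying saved queries forward.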
5 changes: 3 additions & 2 deletions docs/reference/eql/eql.asciidoc
Expand Up @@ -59,7 +59,7 @@ GET /my-index-000001/_eql/search
----
// TEST[setup:sec_logs]

By default, basic EQL queries return the top 10 matching events in the
By default, basic EQL queries return the 10 most recent matching events in the
`hits.events` property. These hits are sorted by timestamp, converted to
milliseconds since the {wikipedia}/Unix_time[Unix epoch], in ascending order.
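Review bot: In the reworded paragraph, "the 10 most recent matching events" is followed directly by "sorted by timestamp ... in ascending order", which can read as contradictory. Suggest saying that the 10 most recent matches are selected and then listed oldest first within `hits.events`, and linking `result_position` so readers know how to request the earliest matches instead.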

Expand Down Expand Up @@ -155,7 +155,8 @@ GET /my-index-000001/_eql/search
----
// TEST[setup:sec_logs]

Matching sequences are returned in the `hits.sequences` property.
The response's `hits.sequences` property contains the 10 most recent matching
sequences.

[source,console-result]
----
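Review bot: The new sentence on `hits.sequences` says "the 10 most recent matching sequences" but does not say how recency is decided for a sequence that spans several events, or that this is a default rather than fixed behavior. Suggest mirroring the "By default" wording used for `hits.events` earlier in the file and cross-referencing `result_position`.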
