From 401605a3d92a587df139ae8bb5965a835006b3e1 Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Fri, 18 Dec 2020 10:24:32 -0500 Subject: [PATCH] [DOCS] EQL: Change `result_position` default to `tail` (#66550) (#66594) --- docs/reference/eql/eql-search-api.asciidoc | 8 ++++---- docs/reference/eql/eql.asciidoc | 5 +++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/reference/eql/eql-search-api.asciidoc b/docs/reference/eql/eql-search-api.asciidoc index 48a1fb6425d37..f6d73e38e9801 100644 --- a/docs/reference/eql/eql-search-api.asciidoc +++ b/docs/reference/eql/eql-search-api.asciidoc @@ -235,13 +235,13 @@ Set of matching events or sequences to return. .Valid values for `result_position` [%collapsible%open] ==== -`head`:: +`tail`:: (Default) -Return the earliest matches, similar to the {wikipedia}/Head_(Unix)[Unix head +Return the most recent matches, similar to the {wikipedia}/Tail_(Unix)[Unix tail command]. -`tail`:: -Return the most recent matches, similar to the {wikipedia}/Tail_(Unix)[Unix tail +`head`:: +Return the earliest matches, similar to the {wikipedia}/Head_(Unix)[Unix head command]. ==== + diff --git a/docs/reference/eql/eql.asciidoc b/docs/reference/eql/eql.asciidoc index 2b2449e47bb08..6851403cf79f3 100644 --- a/docs/reference/eql/eql.asciidoc +++ b/docs/reference/eql/eql.asciidoc @@ -59,7 +59,7 @@ GET /my-index-000001/_eql/search ---- // TEST[setup:sec_logs] -By default, basic EQL queries return the top 10 matching events in the +By default, basic EQL queries return the 10 most recent matching events in the `hits.events` property. These hits are sorted by timestamp, converted to milliseconds since the {wikipedia}/Unix_time[Unix epoch], in ascending order. 
@@ -155,7 +155,8 @@ GET /my-index-000001/_eql/search ---- // TEST[setup:sec_logs] -Matching sequences are returned in the `hits.sequences` property. +The response's `hits.sequences` property contains the 10 most recent matching +sequences. [source,console-result] ----
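Review bot: in the `eql-search-api.asciidoc` hunk (`@@ -235,13 +235,13 @@`), moving `(Default)` from `head` to `tail` documents a change in default behavior without telling readers when it changed. The removed lines show `head` was previously the documented default, so a user on an older release reading the current page will get the wrong expectation. Suggest adding a short version note next to the `(Default)` marker (the file's own `[%collapsible%open]` block is a natural place), stating the release in which `tail` became the default and that `head` was the default before it. Reordering the two entries so the default comes first is fine and matches the usual convention.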
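Review bot: in the first `eql.asciidoc` hunk (`@@ -59,7 +59,7 @@`), "return the 10 most recent matching events" followed by "sorted by timestamp ... in ascending order" reads as contradictory unless the reader separates selection from ordering. Suggest making the two steps explicit, e.g. "By default, basic EQL queries return the 10 most recent matching events (the `tail` of the result set) in the `hits.events` property. Within the response, these hits are sorted by timestamp in ascending order, so the newest event is last." Without that, a reader expecting `tail` to mean newest-first will misread the response.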
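Review bot: in the second `eql.asciidoc` hunk (`@@ -155,7 +155,8 @@`), "the 10 most recent matching sequences" does not say which timestamp makes a sequence "recent": a sequence spans several events, so it could be ranked by its first event or its last. The events hunk earlier in the same file states the sort order explicitly; this one should do the same, e.g. "contains the 10 most recent matching sequences, ordered by the timestamp of the ... event in each sequence", filling in whichever event the implementation actually uses, so the two sections describe `tail` consistently.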