forked from elastic/kibana
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Security Solution][Elastic AI Assistant] Updates ESQL Knowledge Base…
… docs to latest (elastic#169593) ## Summary In preparation for the final `8.11` BC, this PR updates the Assistant ESQL Knowledge Base docs to match that of the latest [Elasticsearch ESQL documentation](https://github.com/elastic/elasticsearch/tree/main/docs/reference/esql) and [language files](https://github.com/elastic/elasticsearch/tree/f883dd98566c1f8ffa34779c9949eaeb27596014/x-pack/plugin/esql/src/main/antlr). ## Update process To update, I deleted the `x-pack/plugins/elastic_assistant/server/knowledge_base/documentation` folder contents, then copied the latest [Elasticsearch ESQL documentation](https://github.com/elastic/elasticsearch/tree/main/docs/reference/esql) files over. Then ran the below script from that directory via terminal to rename all files/directories from `kebab-case` to `snake_case` as required by the Kibana repo: > find . -depth -name '*-*' -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//-/_}"; done' bash {} + For the language files, I checked those manually and copied over the entire file contents since there are only 4. When we do the next update, (and confirm these raw `asciidocs` are the best format), I will create a single script that can be run for maintenance purposes.
- Loading branch information
Showing
148 changed files
with
1,606 additions
and
304 deletions.
There are no files selected for viewing
30 changes: 0 additions & 30 deletions
30
...sistant/server/knowledge_base/esql/documentation/aggregation_functions.asciidoc
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
126 changes: 126 additions & 0 deletions
126
...ic_assistant/server/knowledge_base/esql/documentation/esql_enrich_data.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| [[esql-enrich-data]] | ||
| === Enrich data | ||
|
|
||
| ++++ | ||
| <titleabbrev>Enrich data</titleabbrev> | ||
| ++++ | ||
|
|
||
| You can use {esql}'s <<esql-enrich>> processing command to enrich a table with | ||
| data from indices in {es}. | ||
|
|
||
| For example, you can use `ENRICH` to: | ||
|
|
||
| * Identify web services or vendors based on known IP addresses | ||
| * Add product information to retail orders based on product IDs | ||
| * Supplement contact information based on an email address | ||
|
|
||
| [[esql-how-enrich-works]] | ||
| ==== How the `ENRICH` command works | ||
|
|
||
| The `ENRICH` command adds new columns to a table, with data from {es} indices. | ||
| It requires a few special components: | ||
|
|
||
| image::images/esql/esql-enrich.png[align="center"] | ||
|
|
||
| [[esql-enrich-policy]] | ||
| Enrich policy:: | ||
| + | ||
| -- | ||
| A set of configuration options used to add the right enrich data to the input | ||
| table. | ||
|
|
||
| An enrich policy contains: | ||
|
|
||
| include::../ingest/enrich.asciidoc[tag=enrich-policy-fields] | ||
|
|
||
| After <<esql-create-enrich-policy,creating a policy>>, it must be | ||
| <<esql-execute-enrich-policy,executed>> before it can be used. Executing an | ||
| enrich policy uses data from the policy's source indices to create a streamlined | ||
| system index called the _enrich index_. The `ENRICH` command uses this index to | ||
| match and enrich an input table. | ||
| -- | ||
|
|
||
| [[esql-source-index]] | ||
| Source index:: | ||
| An index which stores enrich data that the `ENRICH` command can add to input | ||
| tables. You can create and manage these indices just like a regular {es} index. | ||
| You can use multiple source indices in an enrich policy. You also can use the | ||
| same source index in multiple enrich policies. | ||
|
|
||
| [[esql-enrich-index]] | ||
| Enrich index:: | ||
| + | ||
| -- | ||
| A special system index tied to a specific enrich policy. | ||
|
|
||
| Directly matching rows from input tables to documents in source indices could be | ||
| slow and resource intensive. To speed things up, the `ENRICH` command uses an | ||
| enrich index. | ||
|
|
||
| include::../ingest/enrich.asciidoc[tag=enrich-index] | ||
| -- | ||
|
|
||
| [[esql-set-up-enrich-policy]] | ||
| ==== Set up an enrich policy | ||
|
|
||
| To start using `ENRICH`, follow these steps: | ||
|
|
||
| . Check the <<enrich-prereqs, prerequisites>>. | ||
| . <<esql-create-enrich-source-index>>. | ||
| . <<esql-create-enrich-policy>>. | ||
| . <<esql-execute-enrich-policy>>. | ||
| . <<esql-use-enrich>> | ||
|
|
||
| Once you have enrich policies set up, you can <<esql-update-enrich-data,update | ||
| your enrich data>> and <<esql-update-enrich-policies, update your enrich | ||
| policies>>. | ||
|
|
||
| [IMPORTANT] | ||
| ==== | ||
| The `ENRICH` command performs several operations and may impact the speed of | ||
| your query. | ||
| ==== | ||
|
|
||
| [[esql-enrich-prereqs]] | ||
| ==== Prerequisites | ||
|
|
||
| include::{es-repo-dir}/ingest/apis/enrich/put-enrich-policy.asciidoc[tag=enrich-policy-api-prereqs] | ||
|
|
||
| [[esql-create-enrich-source-index]] | ||
| ==== Add enrich data | ||
|
|
||
| include::../ingest/enrich.asciidoc[tag=create-enrich-source-index] | ||
|
|
||
| [[esql-create-enrich-policy]] | ||
| ==== Create an enrich policy | ||
|
|
||
| include::../ingest/enrich.asciidoc[tag=create-enrich-policy] | ||
|
|
||
| [[esql-execute-enrich-policy]] | ||
| ==== Execute the enrich policy | ||
|
|
||
| include::../ingest/enrich.asciidoc[tag=execute-enrich-policy1] | ||
|
|
||
| image::images/esql/esql-enrich-policy.png[align="center"] | ||
|
|
||
| include::../ingest/enrich.asciidoc[tag=execute-enrich-policy2] | ||
|
|
||
| [[esql-use-enrich]] | ||
| ==== Use the enrich policy | ||
|
|
||
| After the policy has been executed, you can use the <<esql-enrich,`ENRICH` | ||
| command>> to enrich your data. | ||
|
|
||
| image::images/esql/esql-enrich-command.png[align="center",width=50%] | ||
|
|
||
| include::processing-commands/enrich.asciidoc[tag=examples] | ||
|
|
||
| [[esql-update-enrich-data]] | ||
| ==== Update an enrich index | ||
|
|
||
| include::{es-repo-dir}/ingest/apis/enrich/execute-enrich-policy.asciidoc[tag=update-enrich-index] | ||
|
|
||
| [[esql-update-enrich-policies]] | ||
| ==== Update an enrich policy | ||
|
|
||
| include::../ingest/enrich.asciidoc[tag=update-enrich-policy] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
43 changes: 43 additions & 0 deletions
43
...tant/server/knowledge_base/esql/documentation/esql_functions_operators.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| [[esql-functions-operators]] | ||
| === {esql} functions and operators | ||
|
|
||
| ++++ | ||
| <titleabbrev>Functions and operators</titleabbrev> | ||
| ++++ | ||
|
|
||
| {esql} provides a comprehensive set of functions and operators for working with data. | ||
| The functions are divided into the following categories: | ||
|
|
||
| [[esql-functions]] | ||
| <<esql-agg-functions>>:: | ||
| include::functions/aggregation-functions.asciidoc[tag=agg_list] | ||
|
|
||
| <<esql-math-functions>>:: | ||
| include::functions/math-functions.asciidoc[tag=math_list] | ||
|
|
||
| <<esql-string-functions>>:: | ||
| include::functions/string-functions.asciidoc[tag=string_list] | ||
|
|
||
| <<esql-date-time-functions>>:: | ||
| include::functions/date-time-functions.asciidoc[tag=date_list] | ||
|
|
||
| <<esql-type-conversion-functions>>:: | ||
| include::functions/type-conversion-functions.asciidoc[tag=type_list] | ||
|
|
||
| <<esql-conditional-functions-and-expressions>>:: | ||
| include::functions/conditional-functions-and-expressions.asciidoc[tag=cond_list] | ||
|
|
||
| <<esql-mv-functions>>:: | ||
| include::functions/mv-functions.asciidoc[tag=mv_list] | ||
|
|
||
| <<esql-operators>>:: | ||
| include::functions/operators.asciidoc[tag=op_list] | ||
|
|
||
| include::functions/aggregation-functions.asciidoc[] | ||
| include::functions/math-functions.asciidoc[] | ||
| include::functions/string-functions.asciidoc[] | ||
| include::functions/date-time-functions.asciidoc[] | ||
| include::functions/type-conversion-functions.asciidoc[] | ||
| include::functions/conditional-functions-and-expressions.asciidoc[] | ||
| include::functions/mv-functions.asciidoc[] | ||
| include::functions/operators.asciidoc[] |
8 changes: 8 additions & 0 deletions
8
...ic_assistant/server/knowledge_base/esql/documentation/esql_get_started.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| [[esql-getting-started]] | ||
| == Getting started with {esql} | ||
|
|
||
| ++++ | ||
| <titleabbrev>Getting started</titleabbrev> | ||
| ++++ | ||
|
|
||
| coming::[8.11] |
15 changes: 15 additions & 0 deletions
15
...elastic_assistant/server/knowledge_base/esql/documentation/esql_kibana.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| [[esql-kibana]] | ||
| == Using {esql} in {kib} | ||
|
|
||
| ++++ | ||
| <titleabbrev>Kibana</titleabbrev> | ||
| ++++ | ||
|
|
||
|
|
||
| Use {esql} in Discover to explore a data set. From the data view dropdown, | ||
| select *Try {esql}* to get started. | ||
|
|
||
| NOTE: {esql} queries in Discover and Lens are subject to the time range selected | ||
| with the time filter. | ||
|
|
||
|
|
23 changes: 23 additions & 0 deletions
23
...astic_assistant/server/knowledge_base/esql/documentation/esql_language.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| [[esql-language]] | ||
| == Working with the {esql} language | ||
|
|
||
| ++++ | ||
| <titleabbrev>Working with the {esql} language</titleabbrev> | ||
| ++++ | ||
|
|
||
| Detailed information about the {esql} language: | ||
|
|
||
| * <<esql-syntax>> | ||
| * <<esql-commands>> | ||
| * <<esql-functions>> | ||
| * <<esql-multivalued-fields>> | ||
| * <<esql-metadata-fields>> | ||
| * <<esql-enrich-data>> | ||
|
|
||
| include::esql-syntax.asciidoc[] | ||
| include::esql-commands.asciidoc[] | ||
| include::esql-functions-operators.asciidoc[] | ||
| include::multivalued-fields.asciidoc[] | ||
| include::metadata-fields.asciidoc[] | ||
| include::esql-enrich-data.asciidoc[] | ||
|
|
Oops, something went wrong.