# Get EQL search results
**POST /{index}/_eql/search**

**All methods and paths for this operation:**
- `GET /{index}/_eql/search`
- `POST /{index}/_eql/search`
Returns search results for an Event Query Language (EQL) query.
EQL assumes each document in a data stream or index corresponds to an event.
[Learn more about EQL](https://www.elastic.co/docs/explore-analyze/query-filter/languages/eql)
## Servers
- http://api.example.com
## Authentication methods
- Api key auth
- Basic auth
- Bearer auth
## Parameters
### Path parameters
- **index** (string | array[string])
Comma-separated list of index names to scope the operation.
### Query parameters
- **allow_no_indices** (boolean)
A setting that does two separate checks on the index expression.
If `false`, the request returns an error (1) if any wildcard expression
(including `_all` and `*`) resolves to zero matching indices or (2) if the
complete set of resolved indices, aliases or data streams is empty after all
expressions are evaluated. If `true`, index expressions that resolve to no
indices are allowed and the request returns an empty result.
- **allow_partial_search_results** (boolean)
If true, returns partial results if there are shard failures. If false, returns an error with no partial results.
- **allow_partial_sequence_results** (boolean)
If `true`, sequence queries return partial results in case of shard failures. If `false`, they return no results at all.
This flag has effect only if `allow_partial_search_results` is `true`.
- **expand_wildcards** (string | array[string])
Whether to expand wildcard expression to concrete indices that are open, closed or both.
Supported values include:
- `all`: Match any data stream or index, including hidden ones.
- `open`: Match open, non-hidden indices. Also matches any non-hidden data stream.
- `closed`: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- `hidden`: Match hidden data streams and hidden indices. Must be combined with `open`, `closed`, or `both`.
- `none`: Wildcard expressions are not accepted.
- **ccs_minimize_roundtrips** (boolean)
Indicates whether network round-trips should be minimized as part of cross-cluster search request execution.
- **ignore_unavailable** (boolean)
If `false`, the request returns an error if it targets a concrete (non-wildcarded)
index, alias, or data stream that is missing, closed, or otherwise unavailable.
If `true`, unavailable concrete targets are silently ignored.
- **keep_alive** (string)
Period for which the search and its results are stored on the cluster.
- **keep_on_completion** (boolean)
If true, the search and its results are stored on the cluster.
- **wait_for_completion_timeout** (string)
Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.
### Body: application/json (object)
- **query** (string)
EQL query you wish to run.
- **case_sensitive** (boolean)
- **event_category_field** (string)
Field containing the event classification, such as process, file, or network.
- **tiebreaker_field** (string)
Field used to sort hits with the same timestamp in ascending order.
</gml_replace>
<gr_replace lines="72-74" cat="clarify" orig="Allow query">
Allow query execution even in case of shard failures.
If `true`, the query keeps running and returns results based on the available shards.
For sequences, the behavior can be further refined using `allow_partial_sequence_results`.
- **timestamp_field** (string)
Field containing event timestamp.
- **fetch_size** (number)
Maximum number of events to search at a time for sequence queries.
- **filter** (object | array[object])
Query, written in Query DSL, used to filter the events on which the EQL query runs.
- **keep_alive** (string)
- **keep_on_completion** (boolean)
- **wait_for_completion_timeout** (string)
- **allow_partial_search_results** (boolean)
Allow query execution also in case of shard failures.
If true, the query will keep running and will return results based on the available shards.
For sequences, the behavior can be further refined using allow_partial_sequence_results
- **allow_partial_sequence_results** (boolean)
This flag applies only to sequences and has effect only if `allow_partial_search_results=true`.
If `true`, the sequence query returns results based on the available shards, ignoring the others.
If `false`, the sequence query returns successfully but always has empty results.
- **size** (number)
For basic queries, the maximum number of matching events to return. Defaults to `10`.
- **fields** (object | array[object])
Array of wildcard (*) patterns. The response returns values for field names matching these patterns in the fields property of each hit.
- **result_position** (string)
Supported values include:
- `tail`: Return the most recent matches, similar to the Unix tail command.
- `head`: Return the earliest matches, similar to the Unix head command.
- **runtime_mappings** (object)
- **max_samples_per_key** (number)
By default, the response of a sample query contains up to `10` samples, with one sample per unique set of join keys. Use the `size`
parameter to get a smaller or larger set of samples. To retrieve more than one sample per set of join keys, use the
`max_samples_per_key` parameter. Pipes are not supported for sample queries.
## Responses
### 200
#### Body: application/json (object)
- **id** (string)
Identifier for the search.
- **is_partial** (boolean)
If true, the response does not contain complete search results.
- **is_running** (boolean)
If true, the search request is still executing.
- **took** (number)
Milliseconds it took Elasticsearch to execute the request.
- **timed_out** (boolean)
If true, the request timed out before completion.
- **hits** (object)
Contains matching events and sequences. Also contains related metadata.
- **shard_failures** (array[object])
Contains information about shard failures (if any), in case `allow_partial_search_results=true`.
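As an added example (not part of this reference page or Elastic's own client code), a small Python helper that builds the request body from the parameters documented above and classifies the response so a detection pipeline does not mistake a partial or still-running result for a clean "no match". The field names, the `ApiKey` header format and the sample responses are assumptions.

```python
import json
import urllib.request

# Field names (@timestamp, event.category, event.sequence) and the
# Authorization header format below are assumptions; adjust to your mapping.
def build_eql_request(index, query, *, wait_for_completion_timeout="2s",
                      keep_on_completion=True, keep_alive="5m",
                      allow_partial_search_results=False):
    """Return (path, body) for POST /{index}/_eql/search."""
    body = {
        "query": query,
        "timestamp_field": "@timestamp",
        "event_category_field": "event.category",
        "tiebreaker_field": "event.sequence",
        "size": 100,
        "wait_for_completion_timeout": wait_for_completion_timeout,
        "keep_on_completion": keep_on_completion,  # keep results so 'id' can be polled
        "keep_alive": keep_alive,
        "allow_partial_search_results": allow_partial_search_results,
        "allow_partial_sequence_results": False,  # never accept truncated sequences
    }
    return f"/{index}/_eql/search", body

def classify_eql_response(resp):
    """'running': poll later with resp['id']; 'timed_out': do not trust hits;
    'partial': shards failed, so an empty hit list is not a clean negative;
    'complete': safe to act on hits."""
    if resp.get("is_running"):
        return "running"
    if resp.get("timed_out"):
        return "timed_out"
    if resp.get("is_partial") or resp.get("shard_failures"):
        return "partial"
    return "complete"

def post_eql(base_url, api_key, index, query):
    """Submit the query with API-key auth and return the parsed JSON body."""
    path, body = build_eql_request(index, query)
    req = urllib.request.Request(
        base_url + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)

# Constructed sample responses (not real server output) for classify_eql_response.
SAMPLE_RUNNING = {"id": "example-async-id", "is_running": True, "is_partial": True,
                  "timed_out": False, "hits": {"sequences": []}}
SAMPLE_PARTIAL = {"is_running": False, "is_partial": True, "timed_out": False, "took": 12,
                  "shard_failures": [{"shard": 0, "index": "logs-000001"}],
                  "hits": {"sequences": []}}
```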