Adds an important admonition to the EQL syntax page noting that
the equal (`==`) operator should not be used to match `text` field
values.
Relates to #52709 and #53020
EQL functions are an easy way for users to transform indexed data
at search time. However, using multiple functions can make
queries difficult to write and slow search speeds.
Users can circumvent this by indexing fields containing the transformed
data, but that usually slows index speeds.
This adds a related tip and example covering these tradeoffs.
Adds documentation for the EQL `substring` function.
Supporting changes:
* Creates a new "EQL function reference" page
* Updates the title of the "EQL syntax reference" page for consistency
* Adds a brief "Functions" section to the EQL syntax docs
* Updates EQL limitations docs to state that only array functions are
unsupported
* [DOCS] Document `any` keyword in EQL syntax
Adds documentation for the `any` keyword to the EQL syntax docs.
Includes:
* Definition of an event type and its relationship to the event type
field.
* Example matching all event types using `any` keyword
* Example matching event types beginning with a digit
* Example using `any` with `where true`
* Remove references to `event_type_field` default
* Reuse "Events starting with digits" section
* Updates for #53073
Adds documentation for basic EQL syntax.
Joins, sequences, and other syntax to be added as it's supported
in future development.
Co-Authored-By: Ross Wolf <31489089+rw-access@users.noreply.github.com>