ES|QL syntax referenceedit
Basic syntaxedit
An ES|QL query is composed of a source command followed
by an optional series of processing commands,
separated by a pipe character: |. For example:
source-command | processing-command1 | processing-command2
The result of a query is the table produced by the final processing command.
For readability, this documentation puts each processing command on a new line. However, you can write an ES|QL query as a single line. The following query is identical to the previous one:
source-command | processing-command1 | processing-command2
Commentsedit
ES|QL uses C++ style comments:
-
double slash
//for single line comments -
/*and*/for block comments
// Query the employees index FROM employees | WHERE height > 2
FROM /* Query the employees index */ employees | WHERE height > 2
FROM employees /* Query the * employees * index */ | WHERE height > 2
Operatorsedit
These binary comparison operators are supported:
-
equality:
== -
inequality:
!= -
less than:
< -
less than or equal:
<= -
larger than:
> -
larger than or equal:
>=
The IN operator allows testing whether a field or expression equals
an element in a list of literals, fields or expressions:
ROW a = 1, b = 4, c = 3 | WHERE c-a IN (3, b / 2, a)
For string comparison using wildcards or regular expressions, use LIKE or
RLIKE:
-
Use
LIKEto match strings using wildcards. The following wildcard characters are supported:-
*matches zero or more characters. -
?matches one character.
FROM employees | WHERE first_name LIKE "?b*" | KEEP first_name, last_name
-
-
Use
RLIKEto match strings using regular expressions:FROM employees | WHERE first_name RLIKE ".leja.*" | KEEP first_name, last_name
The following boolean operators are supported:
-
AND -
OR -
NOT
Predicatesedit
For NULL comparison use the IS NULL and IS NOT NULL predicates:
FROM employees | WHERE birth_date IS NULL | KEEP first_name, last_name | SORT first_name | LIMIT 3
| first_name:keyword | last_name:keyword |
|---|---|
Basil |
Tramer |
Florian |
Syrotiuk |
Lucien |
Rosenbaum |
FROM employees | WHERE is_rehired IS NOT NULL | STATS count(emp_no)
| count(emp_no):long |
|---|
84 |
Timespan literalsedit
Datetime intervals and timespans can be expressed using timespan literals. Timespan literals are a combination of a number and a qualifier. These qualifiers are supported:
-
millisecond/milliseconds -
second/seconds -
minute/minutes -
hour/hours -
day/days -
week/weeks -
month/months -
year/years
Timespan literals are not whitespace sensitive. These expressions are all valid:
-
1day -
1 day -
1 day