ES|QLedit

The Elasticsearch Query Language (ES|QL) is a query language that enables the iterative exploration of data.

An ES|QL query consists of a series of commands, separated by pipes. Each query starts with a source command. A source command produces a table, typically with data from Elasticsearch.

A source command can be followed by one or more processing commands. Processing commands change an input table by adding, removing, or changing rows and columns.

You can chain processing commands, separated by a pipe character: |. Each processing command works on the output table of the previous command.

The result of a query is the table produced by the final processing command.

Run an ES|QL queryedit

The ES|QL APIedit

Use the _query endpoint to run an ES|QL query:

POST /_query
{
  "query": """
    FROM library
    | EVAL year = DATE_TRUNC(1 YEARS, release_date)
    | STATS MAX(page_count) BY year
    | SORT year
    | LIMIT 5
  """
}

The results come back in rows:

{
  "columns": [
    { "name": "MAX(page_count)", "type": "integer"},
    { "name": "year"           , "type": "date"}
  ],
  "values": [
    [268, "1932-01-01T00:00:00.000Z"],
    [224, "1951-01-01T00:00:00.000Z"],
    [227, "1953-01-01T00:00:00.000Z"],
    [335, "1959-01-01T00:00:00.000Z"],
    [604, "1965-01-01T00:00:00.000Z"]
  ]
}

By default, results are returned as JSON. To return results formatted as text, CSV, or TSV, use the format parameter:

POST /_query?format=txt
{
  "query": """
    FROM library
    | EVAL year = DATE_TRUNC(1 YEARS, release_date)
    | STATS MAX(page_count) BY year
    | SORT year
    | LIMIT 5
  """
}

Kibanaedit

Use ES|QL in Discover to explore a data set. From the data view dropdown, select Try ES|QL to get started.

Limitationsedit

ES|QL currently supports the following field types: