ES|QL functions and operators

The STATS ... BY function supports these aggregate functions:

The average of a numeric field.

FROM employees
| STATS AVG(height)

The result is always a double not matter the input type.

Counts field values.

FROM employees
| STATS COUNT(height)

Can take any field type as input and the result is always a long not matter the input type.

To count the number of rows, use COUNT(*):

FROM employees
| STATS count = COUNT(*) BY languages
| SORT languages DESC

The approximate number of distinct values.

FROM hosts
| STATS COUNT_DISTINCT(ip0), COUNT_DISTINCT(ip1)

Can take any field type as input and the result is always a long not matter the input type.

Computing exact counts requires loading values into a set and returning its size. This doesn’t scale when working on high-cardinality sets and/or large values as the required memory usage and the need to communicate those per-shard sets between nodes would utilize too many resources of the cluster.

This COUNT_DISTINCT function is based on the HyperLogLog++ algorithm, which counts based on the hashes of the values with some interesting properties:

For a precision threshold of c, the implementation that we are using requires about c * 8 bytes.

The following chart shows how the error varies before and after the threshold:

For all 3 thresholds, counts have been accurate up to the configured threshold. Although not guaranteed, this is likely to be the case. Accuracy in practice depends on the dataset in question. In general, most datasets show consistently good accuracy. Also note that even with a threshold as low as 100, the error remains very low (1-6% as seen in the above graph) even when counting millions of items.

The HyperLogLog++ algorithm depends on the leading zeros of hashed values, the exact distributions of hashes in a dataset can affect the accuracy of the cardinality.

The COUNT_DISTINCT function takes an optional second parameter to configure the precision discussed previously.

FROM hosts
| STATS COUNT_DISTINCT(ip0, 80000), COUNT_DISTINCT(ip1, 5)

The maximum value of a numeric field.

FROM employees
| STATS MAX(languages)

The value that is greater than half of all values and less than half of all values, also known as the 50% PERCENTILE.

FROM employees
| STATS MEDIAN(salary), PERCENTILE(salary, 50)

The median absolute deviation, a measure of variability. It is a robust statistic, meaning that it is useful for describing data that may have outliers, or may not be normally distributed. For such data it can be more descriptive than standard deviation.

It is calculated as the median of each data point’s deviation from the median of the entire sample. That is, for a random variable X, the median absolute deviation is median(|median(X) - Xi|).

FROM employees
| STATS MEDIAN(salary), MEDIAN_ABSOLUTE_DEVIATION(salary)

The minimum value of a numeric field.

FROM employees
| STATS MIN(languages)

The value at which a certain percentage of observed values occur. For example, the 95th percentile is the value which is greater than 95% of the observed values and the 50th percentile is the MEDIAN.

FROM employees
| STATS p0 = PERCENTILE(salary,  0)
     , p50 = PERCENTILE(salary, 50)
     , p99 = PERCENTILE(salary, 99)

There are many different algorithms to calculate percentiles. The naive implementation simply stores all the values in a sorted array. To find the 50th percentile, you simply find the value that is at my_array[count(my_array) * 0.5].

Clearly, the naive implementation does not scale — the sorted array grows linearly with the number of values in your dataset. To calculate percentiles across potentially billions of values in an Elasticsearch cluster, approximate percentiles are calculated.

The algorithm used by the percentile metric is called TDigest (introduced by Ted Dunning in Computing Accurate Quantiles using T-Digests).

When using this metric, there are a few guidelines to keep in mind:

The following chart shows the relative error on a uniform distribution depending on the number of collected values and the requested percentile:

It shows how precision is better for extreme percentiles. The reason why error diminishes for large number of values is that the law of large numbers makes the distribution of values more and more uniform and the t-digest tree can do a better job at summarizing it. It would not be the case on more skewed distributions.

The sum of a numeric field.

FROM employees
| STATS SUM(languages)

ES|QL supports these mathematical functions:

Returns the absolute value.

FROM employees
| KEEP first_name, last_name, height
| EVAL abs_height = ABS(0.0 - height)

Supported types:

Syntax

Parameters

Description

Returns the arccosine of n as an angle, expressed in radians.

Supported types

Example

ROW a=.9
| EVAL acos=ACOS(a)

Inverse sine trigonometric function.

ROW a=.9
| EVAL asin=ASIN(a)

Supported types:

Inverse tangent trigonometric function.

ROW a=12.9
| EVAL atan=ATAN(a)

Supported types:

The angle between the positive x-axis and the ray from the origin to the point (x , y) in the Cartesian plane.

ROW y=12.9, x=.6
| EVAL atan2=ATAN2(y, x)

Supported types:

Round a number up to the nearest integer.

ROW a=1.8
| EVAL a=CEIL(a)

Supported types:

Cosine trigonometric function.

ROW a=1.8
| EVAL cos=COS(a)

Supported types:

Cosine hyperbolic function.

ROW a=1.8
| EVAL cosh=COSH(a)

Supported types:

Euler’s number.

ROW E()

Round a number down to the nearest integer.

ROW a=1.8
| EVAL a=FLOOR(a)

Supported types:

Returns the log base 10. The input can be any numeric value, the return value is always a double.

Logs of negative numbers are NaN. Logs of infinites are infinite, as is the log of 0.

ROW d = 1000.0
| EVAL s = LOG10(d)

Supported types:

The ratio of a circle’s circumference to its diameter.

ROW PI()

Returns the value of a base (first argument) raised to the power of an exponent (second argument). Both arguments must be numeric.

ROW base = 2.0, exponent = 2
| EVAL result = POW(base, exponent)

The type of the returned value is determined by the types of the base and exponent. The following rules are applied to determine the result type:

For example, using simple integers as arguments will lead to an integer result:

ROW base = 2, exponent = 2
| EVAL s = POW(base, exponent)

Arithmetic errors and numeric overflow do not result in an error. Instead, the result will be null and a warning for the ArithmeticException added. For example:

ROW x = POW(9223372036854775808, 2)

If it is desired to protect against numerical overruns, use TO_DOUBLE on either of the arguments:

ROW x = POW(9223372036854775808, TO_DOUBLE(1))

The exponent can be a fraction, which is similar to performing a root. For example, the exponent of 0.5 will give the square root of the base:

ROW base = 4, exponent = 0.5
| EVAL s = POW(base, exponent)

For clarity, the following table describes the output result type for all combinations of numeric input types:

Rounds a number to the closest number with the specified number of digits. Defaults to 0 digits if no number of digits is provided. If the specified number of digits is negative, rounds to the number of digits left of the decimal point.

FROM employees
| KEEP first_name, last_name, height
| EVAL height_ft = ROUND(height * 3.281, 1)

Sine trigonometric function.

ROW a=1.8
| EVAL sin=SIN(a)

Supported types:

Sine hyperbolic function.

ROW a=1.8
| EVAL sinh=SINH(a)

Supported types:

Returns the square root of a number. The input can be any numeric value, the return value is always a double.

Square roots of negative numbers are NaN. Square roots of infinites are infinite.

ROW d = 100.0
| EVAL s = SQRT(d)

Supported types:

Tangent trigonometric function.

ROW a=1.8
| EVAL tan=TAN(a)

Supported types:

Tangent hyperbolic function.

ROW a=1.8
| EVAL tanh=TANH(a)

Supported types:

The ratio of a circle’s circumference to its radius.

ROW TAU()

ES|QL supports these string functions:

Concatenates two or more strings.

FROM employees
| KEEP first_name, last_name, height
| EVAL fullname = CONCAT(first_name, " ", last_name)

Return the substring that extracts length chars from the string starting from the left.

FROM employees
| KEEP last_name
| EVAL left = LEFT(last_name, 3)
| SORT last_name ASC
| LIMIT 5

Supported types:

Returns the character length of a string.

FROM employees
| KEEP first_name, last_name, height
| EVAL fn_length = LENGTH(first_name)

Removes leading whitespaces from strings.

ROW message = "   some text  ",  color = " red "
| EVAL message = LTRIM(message)
| EVAL color = LTRIM(color)
| EVAL message = CONCAT("'", message, "'")
| EVAL color = CONCAT("'", color, "'")

The function substitutes in the string (1st argument) any match of the regular expression (2nd argument) with the replacement string (3rd argument).

If any of the arguments are NULL, the result is NULL.

ROW str = "Hello World"
| EVAL str = REPLACE(str, "World", "Universe")
| KEEP str

Return the substring that extracts length chars from the string starting from the right.

FROM employees
| KEEP last_name
| EVAL right = RIGHT(last_name, 3)
| SORT last_name ASC
| LIMIT 5

Supported types:

Removes trailing whitespaces from strings.

ROW message = "   some text  ",  color = " red "
| EVAL message = RTRIM(message)
| EVAL color = RTRIM(color)
| EVAL message = CONCAT("'", message, "'")
| EVAL color = CONCAT("'", color, "'")

Split a single valued string into multiple strings. For example:

ROW words="foo;bar;baz;qux;quux;corge"
| EVAL word = SPLIT(words, ";")

Which splits "foo;bar;baz;qux;quux;corge" on ; and returns an array:

Returns a substring of a string, specified by a start position and an optional length. This example returns the first three characters of every last name:

FROM employees
| KEEP last_name
| EVAL ln_sub = SUBSTRING(last_name, 1, 3)

A negative start position is interpreted as being relative to the end of the string. This example returns the last three characters of of every last name:

FROM employees
| KEEP last_name
| EVAL ln_sub = SUBSTRING(last_name, -3, 3)

If length is omitted, substring returns the remainder of the string. This example returns all characters except for the first:

FROM employees
| KEEP last_name
| EVAL ln_sub = SUBSTRING(last_name, 2)

Removes leading and trailing whitespaces from strings.

ROW message = "   some text  ",  color = " red "
| EVAL message = TRIM(message)
| EVAL color = TRIM(color)

Supported types:

ES|QL supports these date-time functions:

Creates human-friendly buckets and returns a datetime value for each row that corresponds to the resulting bucket the row falls into. Combine AUTO_BUCKET with STATS ... BY to create a date histogram.

You provide a target number of buckets, a start date, and an end date, and it picks an appropriate bucket size to generate the target number of buckets or fewer. For example, this asks for at most 20 buckets over a whole year, which picks monthly buckets:

ROW date=TO_DATETIME("1985-07-09T00:00:00.000Z")
| EVAL bucket=AUTO_BUCKET(date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z")

The goal isn’t to provide exactly the target number of buckets, it’s to pick a range that people are comfortable with that provides at most the target number of buckets.

If you ask for more buckets then AUTO_BUCKET can pick a smaller range. For example, asking for at most 100 buckets in a year will get you week long buckets:

ROW date=TO_DATETIME("1985-07-09T00:00:00.000Z")
| EVAL bucket=AUTO_BUCKET(date, 100, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z")

AUTO_BUCKET does not filter any rows. It only uses the provided time range to pick a good bucket size. For rows with a date outside of the range, it returns a datetime that corresponds to a bucket outside the range. Combine AUTO_BUCKET with WHERE to filter rows.

A more complete example might look like:

FROM employees
| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z"
| EVAL bucket = AUTO_BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z")
| STATS AVG(salary) BY bucket
| SORT bucket

auto_bucket can also operate on numeric fields like this:

FROM employees
| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z"
| EVAL bs = AUTO_BUCKET(salary, 20, 25324, 74999)
| SORT hire_date, salary
| KEEP hire_date, salary, bs

Unlike the example above where you are intentionally filtering on a date range, you rarely want to filter on a numeric range. So you have find the min and max separately. We don’t yet have an easy way to do that automatically. Improvements coming!

Extracts parts of a date, like year, month, day, hour. The supported field types are those provided by java.time.temporal.ChronoField.

ROW date = DATE_PARSE("yyyy-MM-dd", "2022-05-06")
| EVAL year = DATE_EXTRACT("year", date)

Returns a string representation of a date in the provided format. If no format is specified, the yyyy-MM-dd'T'HH:mm:ss.SSSZ format is used.

FROM employees
| KEEP first_name, last_name, hire_date
| EVAL hired = DATE_FORMAT("YYYY-MM-dd", hire_date)

Syntax

DATE_PARSE([format,] date_string)

Parameters

Description

Returns a date by parsing the second argument using the format specified in the first argument.

Example

ROW date_string = "2022-05-06"
| EVAL date = DATE_PARSE("yyyy-MM-dd", date_string)

Rounds down a date to the closest interval. Intervals can be expressed using the timespan literal syntax.

FROM employees
| EVAL year_hired = DATE_TRUNC(1 year, hire_date)
| STATS COUNT(emp_no) BY year_hired
| SORT year_hired

Returns current date and time.

ROW current_date = NOW()

ES|QL supports these type conversion functions:

Converts an input value to a boolean value.

The input can be a single- or multi-valued field or an expression. The input type must be of a string or numeric type.

A string value of "true" will be case-insensitive converted to the Boolean true. For anything else, including the empty string, the function will return false. For example:

ROW str = ["true", "TRuE", "false", "", "yes", "1"]
| EVAL bool = TO_BOOLEAN(str)

The numerical value of 0 will be converted to false, anything else will be converted to true.

Alias: TO_BOOL

Converts an input value to a date value.

The input can be a single- or multi-valued field or an expression. The input type must be of a string or numeric type.

A string will only be successfully converted if it’s respecting the format yyyy-MM-dd'T'HH:mm:ss.SSS'Z' (to convert dates in other formats, use DATE_PARSE). For example:

ROW string = ["1953-09-02T00:00:00.000Z", "1964-06-02T00:00:00.000Z", "1964-06-02 00:00:00"]
| EVAL datetime = TO_DATETIME(string)

Note that in this example, the last value in the source multi-valued field has not been converted. The reason being that if the date format is not respected, the conversion will result in a null value. When this happens a Warning header is added to the response. The header will provide information on the source of the failure:

"Line 1:112: evaluation of [TO_DATETIME(string)] failed, treating result as null. Only first 20 failures recorded."

A following header will contain the failure reason and the offending value:

"java.lang.IllegalArgumentException: failed to parse date field [1964-06-02 00:00:00] with format [yyyy-MM-dd'T'HH:mm:ss.SSS'Z']"

If the input parameter is of a numeric type, its value will be interpreted as milliseconds since the Unix epoch. For example:

ROW int = [0, 1]
| EVAL dt = TO_DATETIME(int)

Alias: TO_DT

Converts a number in radians to degrees.

The input can be a single- or multi-valued field or an expression. The input type must be of a numeric type and result is always double.

Example:

ROW rad = [1.57, 3.14, 4.71]
| EVAL deg = TO_DEGREES(rad)

Converts an input value to a double value.

The input can be a single- or multi-valued field or an expression. The input type must be of a boolean, date, string or numeric type.

Example:

ROW str1 = "5.20128E11", str2 = "foo"
| EVAL dbl = TO_DOUBLE("520128000000"), dbl1 = TO_DOUBLE(str1), dbl2 = TO_DOUBLE(str2)

Note that in this example, the last conversion of the string isn’t possible. When this happens, the result is a null value. In this case a Warning header is added to the response. The header will provide information on the source of the failure:

"Line 1:115: evaluation of [TO_DOUBLE(str2)] failed, treating result as null. Only first 20 failures recorded."

A following header will contain the failure reason and the offending value:

"java.lang.NumberFormatException: For input string: \"foo\""

If the input parameter is of a date type, its value will be interpreted as milliseconds since the Unix epoch, converted to double.

Boolean true will be converted to double 1.0, false to 0.0.

Alias: TO_DBL

Converts an input value to an integer value.

The input can be a single- or multi-valued field or an expression. The input type must be of a boolean, date, string or numeric type.

Example:

ROW long = [5013792, 2147483647, 501379200000]
| EVAL int = TO_INTEGER(long)

Note that in this example, the last value of the multi-valued field cannot be converted as an integer. When this happens, the result is a null value. In this case a Warning header is added to the response. The header will provide information on the source of the failure:

"Line 1:61: evaluation of [TO_INTEGER(long)] failed, treating result as null. Only first 20 failures recorded."

A following header will contain the failure reason and the offending value:

"org.elasticsearch.xpack.ql.QlIllegalArgumentException: [501379200000] out of [integer] range"

If the input parameter is of a date type, its value will be interpreted as milliseconds since the Unix epoch, converted to integer.

Boolean true will be converted to integer 1, false to 0.

Alias: TO_INT

Converts an input string to an IP value.

The input can be a single- or multi-valued field or an expression.

Example:

ROW str1 = "1.1.1.1", str2 = "foo"
| EVAL ip1 = TO_IP(str1), ip2 = TO_IP(str2)
| WHERE CIDR_MATCH(ip1, "1.0.0.0/8")

Note that in the example above the last conversion of the string isn’t possible. When this happens, the result is a null value. In this case a Warning header is added to the response. The header will provide information on the source of the failure:

"Line 1:68: evaluation of [TO_IP(str2)] failed, treating result as null. Only first 20 failures recorded."

A following header will contain the failure reason and the offending value:

"java.lang.IllegalArgumentException: 'foo' is not an IP string literal."

Converts an input value to a long value.

The input can be a single- or multi-valued field or an expression. The input type must be of a boolean, date, string or numeric type.

Example:

ROW str1 = "2147483648", str2 = "2147483648.2", str3 = "foo"
| EVAL long1 = TO_LONG(str1), long2 = TO_LONG(str2), long3 = TO_LONG(str3)

Note that in this example, the last conversion of the string isn’t possible. When this happens, the result is a null value. In this case a Warning header is added to the response. The header will provide information on the source of the failure:

"Line 1:113: evaluation of [TO_LONG(str3)] failed, treating result as null. Only first 20 failures recorded."

A following header will contain the failure reason and the offending value:

"java.lang.NumberFormatException: For input string: \"foo\""

If the input parameter is of a date type, its value will be interpreted as milliseconds since the Unix epoch, converted to long.

Boolean true will be converted to long 1, false to 0.

Converts a number in degrees to radians.

The input can be a single- or multi-valued field or an expression. The input type must be of a numeric type and result is always double.

Example:

ROW deg = [90.0, 180.0, 270.0]
| EVAL rad = TO_RADIANS(deg)

Converts a field into a string. For example:

ROW a=10
| EVAL j = TO_STRING(a)

It also works fine on multivalued fields:

ROW a=[10, 9, 8]
| EVAL j = TO_STRING(a)

Alias: TO_STR

Supported types:

Converts an input value to an unsigned long value.

The input can be a single- or multi-valued field or an expression. The input type must be of a boolean, date, string or numeric type.

Example:

ROW str1 = "2147483648", str2 = "2147483648.2", str3 = "foo"
| EVAL long1 = TO_UNSIGNED_LONG(str1), long2 = TO_ULONG(str2), long3 = TO_UL(str3)

Note that in this example, the last conversion of the string isn’t possible. When this happens, the result is a null value. In this case a Warning header is added to the response. The header will provide information on the source of the failure:

"Line 1:133: evaluation of [TO_UL(str3)] failed, treating result as null. Only first 20 failures recorded."

A following header will contain the failure reason and the offending value:

"java.lang.NumberFormatException: Character f is neither a decimal digit number, decimal point, nor \"e\" notation exponential mark."

If the input parameter is of a date type, its value will be interpreted as milliseconds since the Unix epoch, converted to unsigned long.

Boolean true will be converted to unsigned long 1, false to 0.

Alias: TO_ULONG, TO_UL

Converts an input string to a version value. For example:

ROW v = TO_VERSION("1.2.3")

The input can be a single- or multi-valued field or an expression.

Alias: TO_VER

Supported types:

Conditional functions return one of their arguments by evaluating in an if-else manner. ES|QL supports these conditional functions:

Syntax

CASE(condition1, value1[, ..., conditionN, valueN][, default_value])

Parameters

Description

Accepts pairs of conditions and values. The function returns the value that belongs to the first condition that evaluates to true.

If the number of arguments is odd, the last argument is the default value which is returned when no condition matches.

Example

FROM employees
| EVAL type = CASE(
    languages <= 1, "monolingual",
    languages <= 2, "bilingual",
     "polyglot")
| KEEP emp_no, languages, type

Returns the first non-null value.

ROW a=null, b="b"
| EVAL COALESCE(a, b)

Returns the maximum value from many columns. This is similar to MV_MAX except it’s intended to run on multiple columns at once.

ROW a = 10, b = 20
| EVAL g = GREATEST(a, b)

Supported types:

Returns the minimum value from many columns. This is similar to MV_MIN except it’s intended to run on multiple columns at once.

ROW a = 10, b = 20
| EVAL l = LEAST(a, b)

Supported types:

ES|QL supports these multivalue functions:

Converts a multivalued field into a single valued field containing the average of all of the values. For example:

ROW a=[3, 5, 1, 6]
| EVAL avg_a = MV_AVG(a)

Converts a multivalued string field into a single valued field containing the concatenation of all values separated by a delimiter:

ROW a=["foo", "zoo", "bar"]
| EVAL j = MV_CONCAT(a, ", ")

If you want to concat non-string fields call TO_STRING on them first:

ROW a=[10, 9, 8]
| EVAL j = MV_CONCAT(TO_STRING(a), ", ")

Converts a multivalued field into a single valued field containing a count of the number of values:

ROW a=["foo", "zoo", "bar"]
| EVAL count_a = MV_COUNT(a)

Removes duplicates from a multivalued field. For example:

ROW a=["foo", "foo", "bar", "foo"]
| EVAL dedupe_a = MV_DEDUPE(a)

Converts a multivalued field into a single valued field containing the maximum value. For example:

ROW a=[3, 5, 1]
| EVAL max_a = MV_MAX(a)

It can be used by any field type, including keyword fields. In that case picks the last string, comparing their utf-8 representation byte by byte:

ROW a=["foo", "zoo", "bar"]
| EVAL max_a = MV_MAX(a)

Converts a multivalued field into a single valued field containing the median value. For example:

ROW a=[3, 5, 1]
| EVAL median_a = MV_MEDIAN(a)

It can be used by any numeric field type and returns a value of the same type. If the row has an even number of values for a column the result will be the average of the middle two entries. If the field is not floating point then the average rounds down:

ROW a=[3, 7, 1, 6]
| EVAL median_a = MV_MEDIAN(a)

Converts a multivalued field into a single valued field containing the minimum value. For example:

ROW a=[2, 1]
| EVAL min_a = MV_MIN(a)

It can be used by any field type, including keyword fields. In that case picks the first string, comparing their utf-8 representation byte by byte:

ROW a=["foo", "bar"]
| EVAL min_a = MV_MIN(a)

Converts a multivalued field into a single valued field containing the sum of all of the values. For example:

ROW a=[3, 5, 6]
| EVAL sum_a = MV_SUM(a)

Boolean operators for comparing against one or multiple expressions.

These binary comparison operators are supported:

The following logical operators are supported:

For NULL comparison, use the IS NULL and IS NOT NULL predicates:

FROM employees
| WHERE birth_date IS NULL
| KEEP first_name, last_name
| SORT first_name
| LIMIT 3

FROM employees
| WHERE is_rehired IS NOT NULL
| STATS COUNT(emp_no)

Returns true if the provided IP is contained in one of the provided CIDR blocks.

CIDR_MATCH accepts two or more arguments. The first argument is the IP address of type ip (both IPv4 and IPv6 are supported). Subsequent arguments are the CIDR blocks to test the IP against.

FROM hosts
| WHERE CIDR_MATCH(ip, "127.0.0.2/32", "127.0.0.3/32")

Returns a boolean that indicates whether a keyword string ends with another string:

FROM employees
| KEEP last_name
| EVAL ln_E = ENDS_WITH(last_name, "d")

Supported types:

The IN operator allows testing whether a field or expression equals an element in a list of literals, fields or expressions:

ROW a = 1, b = 4, c = 3
| WHERE c-a IN (3, b / 2, a)

Returns a boolean that indicates whether its input is a finite number.

ROW d = 1.0
| EVAL s = IS_FINITE(d/0)

Returns a boolean that indicates whether its input is infinite.

ROW d = 1.0
| EVAL s = IS_INFINITE(d/0)

Returns a boolean that indicates whether its input is not a number.

ROW d = 1.0
| EVAL s = IS_NAN(d)

Use LIKE to filter data based on string patterns using wildcards. LIKE usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) expression. The right-hand side of the operator represents the pattern.

The following wildcard characters are supported:

FROM employees
| WHERE first_name LIKE "?b*"
| KEEP first_name, last_name