ES|QL

Elastic Stack Serverless

Elasticsearch Query Language (ES|QL) is a piped query language for filtering, transforming, and analyzing data.

You can author ES|QL queries to find specific events, perform statistical analysis, and generate visualizations. It supports a wide range of commands, functions, and operators to perform various data operations, such as filtering, aggregation, time-series analysis, and more. Today, it supports a subset of the features available in Query DSL, but it is rapidly evolving.

The Elasticsearch Query Language (ES|QL) makes use of "pipes" (|) to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis.

You can use it:

• In your queries to Elasticsearch APIs, using the _query endpoint that accepts queries written in ES|QL syntax.
• Within various Kibana tools such as Discover and Dashboards, to explore your data and build powerful visualizations.

Learn more about using ES|QL for Search use cases in this tutorial: Search and filter with ES|QL.

Find more details about ES|QL in the following documentation pages:

• ES|QL reference:

  • Reference documentation for the ES|QL syntax:
    • Reference for commands, and functions and operators
    • How to work with metadata fields and multivalued fields
    • How to work with DISSECT and GROK, ENRICH, and LOOKUP join

• Using ES|QL:

  • An overview of using the _query API endpoint.
  • Using ES|QL for search.
  • Using ES|QL in Kibana.
  • Using ES|QL in Elastic Security.
  • Using ES|QL with multiple indices.
  • Using ES|QL across clusters.
  • Task management.

• Limitations: The current limitations of ES|QL.

• Examples: A few examples of what you can do with ES|QL.

To get started, you can also try our ES|QL training course.