ES|QL

Elasticsearch Query Language (ES|QL) is a piped query language for filtering, transforming, and analyzing data.

You can author ES|QL queries to find specific events, perform statistical analysis, and create visualizations. It supports a wide range of commands, functions, and operators for data operations such as filtering, aggregation, time-series analysis, and more. It initially supported only a subset of the features available in Query DSL, but it is evolving rapidly with every Elastic Cloud Serverless and Stack release.

ES|QL is designed to be easy to read and write, making it accessible for users with varying levels of technical expertise. It is particularly useful for data analysts, security professionals, and developers who need to work with large datasets in Elasticsearch.

ES|QL uses pipes (|) to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis.

Here's a simple example of an ES|QL query:

FROM sample_data
| SORT @timestamp DESC
| LIMIT 3

Note that each line in the query represents a step in the data processing pipeline:

  • The FROM clause specifies the index or data stream to query
  • The SORT clause sorts the data by the @timestamp field in descending order
  • The LIMIT clause restricts the output to the top 3 results

You can interact with ES|QL in two ways:

  • Programmatic access: Use ES|QL syntax with the Elasticsearch _query endpoint.

  • Interactive interfaces: Work with ES|QL through Elastic user interfaces including Kibana Discover, Dashboards, Dev Tools, and analysis tools in Elastic Security and Observability.

Note

The ES|QL reference documentation lives in the Elasticsearch reference section of the Elastic docs.

Note

ES|QL's compute architecture

ES|QL is built on top of a new compute architecture within Elasticsearch, designed to meet demanding functional and performance requirements. ES|QL search, aggregation, and transformation functions execute directly within Elasticsearch itself; query expressions are not transpiled to Query DSL for execution. This approach allows ES|QL to be extremely performant and versatile.

The new ES|QL execution engine was designed with performance in mind — it operates on blocks at a time instead of per row, targets vectorization and cache locality, and embraces specialization and multi-threading. It is a separate component from the existing Elasticsearch aggregation framework with different performance characteristics.