
[DOCS] Using ES|QL in Kibana (#101324)

* Initial Kibana content

* More docs

* Nino's feedback

* Amy's feedback
Abdon Pijpelink 2 years ago
parent
commit
b921c1e627

+ 246 - 5
docs/reference/esql/esql-kibana.asciidoc

@@ -2,14 +2,255 @@
 === Using {esql} in {kib}
 
 ++++
-<titleabbrev>Kibana</titleabbrev>
+<titleabbrev>Using {esql} in {kib}</titleabbrev>
 ++++
 
+You can use {esql} in {kib} to query and aggregate your data, create
+visualizations, and set up alerts. 
 
-Use {esql} in Discover to explore a data set. From the data view dropdown,
-select *Try {esql}* to get started.
+This guide shows you how to use {esql} in Kibana. To follow along with the
+queries, load the "Sample web logs" sample data set by clicking *Try sample
+data* from the {kib} Home, selecting *Other sample data sets*, and clicking *Add
+data* on the *Sample web logs* card.
 
-NOTE: {esql} queries in Discover and Lens are subject to the time range selected
-with the time filter.
+[discrete]
+[[esql-kibana-get-started]]
+=== Get started with {esql}
 
+To get started with {esql} in Discover, open the main menu and select
+*Discover*. Next, from the Data views menu, select *Try ES|QL*.
 
+image::images/esql/esql-data-view-menu.png[align="center",width=33%]
+
+The ability to select {esql} from the Data views menu can be enabled and
+disabled using the `discover:enableESQL` setting from
+{kibana-ref}/advanced-options.html[Advanced Settings].
+
+[discrete]
+[[esql-kibana-query-bar]]
+=== The query bar
+
+After switching to {esql} mode, the query bar shows a sample query. For example:
+
+[source,esql]
+----
+from kibana_sample_data_logs | limit 10
+----
+
+Every query starts with a <<esql-commands,source command>>. In this query, the
+source command is <<esql-from>>. `FROM` retrieves data from data streams, indices, or
+aliases. In this example, the data is retrieved from `kibana_sample_data_logs`.
+
+A source command can be followed by one or more <<esql-commands,processing
+commands>>. In this query, the processing command is <<esql-limit>>. `LIMIT`
+limits the number of rows that are retrieved.
+
+TIP: Click the help icon (image:images/esql/esql-icon-help.svg[]) to open the
+in-product reference documentation for all commands and functions.
+
+To make it easier to write queries, auto-complete offers suggestions with
+possible commands and functions:
+
+image::images/esql/esql-kibana-auto-complete.png[align="center"]
+
+[NOTE]
+====
+{esql} keywords are case-insensitive. The following query is identical to the
+previous one:
+
+[source,esql]
+----
+FROM kibana_sample_data_logs | LIMIT 10
+----
+====
+
+[discrete]
+==== Expand the query bar
+
+For readability, you can put each processing command on a new line. The
+following query is identical to the previous one:
+
+[source,esql]
+----
+FROM kibana_sample_data_logs 
+| LIMIT 10
+----
+
+To make it easier to write multi-line queries, click the double-headed arrow
+button (image:images/esql/esql-icon-expand-query-bar.svg[]) to expand the query
+bar:
+
+image::images/esql/esql-expanded-query-bar.png[align="center"]
+
+To return to a compact query bar, click the minimize editor button 
+(image:images/esql/esql-icon-minimize-query-bar.svg[]).
+
+[discrete]
+==== Warnings
+
+A query may result in warnings, for example when querying an unsupported field
+type. When that happens, a warning symbol is shown in the query bar. To see the
+detailed warning, expand the query bar, and click *warnings*.
+
+[discrete]
+[[esql-kibana-results-table]]
+=== The results table
+
+For the example query, the results table shows 10 rows. Omitting the `LIMIT`
+command, the results table defaults to up to 500 rows. Using `LIMIT`, you can
+increase the limit to up to 10,000 rows.
+
+NOTE: the 10,000 row limit only applies to the number of rows that are retrieved
+by the query and displayed in Discover. Any query or aggregation runs on the
+full data set.
+
+Each row shows two columns for the example query: a column with the `@timestamp`
+field and a column with the full document. To display specific fields from the
+documents, use the <<esql-keep>> command:
+
+[source,esql]
+----
+FROM kibana_sample_data_logs
+| KEEP @timestamp, bytes, geo.dest
+----
+
+To display all fields as separate columns, use `KEEP *`:
+
+[source,esql]
+----
+FROM kibana_sample_data_logs
+| KEEP *
+----
+
+NOTE: The maximum number of columns in Discover is 50. If a query returns more
+than 50 columns, Discover only shows the first 50.
+
+[discrete]
+==== Sorting
+
+To sort on one of the columns, click the column name you want to sort on and
+select the sort order. Note that this performs client-side sorting. It only
+sorts the rows that were retrieved by the query, which may not be the full
+dataset because of the (implicit) limit. To sort the full data set, use the
+<<esql-sort>> command:
+
+[source,esql]
+----
+FROM kibana_sample_data_logs
+| KEEP @timestamp, bytes, geo.dest
+| SORT bytes DESC
+----
+
+[discrete]
+[[esql-kibana-time-filter]]
+=== Time filtering
+
+To display data within a specified time range, use the
+{kibana-ref}/set-time-filter.html[time filter]. The time filter is only enabled
+when the indices you're querying have a field called `@timestamp`.
+
+If your indices do not have a timestamp field called `@timestamp`, you can limit
+the time range using the <<esql-where>> command and the <<esql-now>> function.
+For example, if the timestamp field is called `timestamp`, to query the last 15
+minutes of data:
+[source,esql]
+----
+FROM kibana_sample_data_logs
+| WHERE timestamp > NOW() - 15minutes
+----
+
+[discrete]
+[[esql-kibana-visualizations]]
+=== Analyze and visualize data
+
+Between the query bar and the results table, Discover shows a date histogram
+visualization. If the indices you're querying do not contain an `@timestamp`
+field, the histogram is not shown.
+
+The visualization adapts to the query. A query's nature determines the type of
+visualization. For example, this query aggregates the total number of bytes per
+destination country:
+
+[source,esql]
+----
+FROM kibana_sample_data_logs
+| STATS total_bytes = SUM(bytes) BY geo.dest
+| SORT total_bytes DESC
+| LIMIT 3
+----
+
+The resulting visualization is a bar chart showing the top 3 countries:
+
+image::images/esql/esql-kibana-bar-chart.png[align="center"]
+
+To change the visualization into another type, click the visualization type
+dropdown:
+
+image::images/esql/esql-kibana-visualization-type.png[align="center",width=33%]
+
+To make other changes to the visualization, like the axes and colors, click the
+pencil button (image:images/esql/esql-icon-edit-visualization.svg[]). This opens
+an in-line editor:
+
+image::images/esql/esql-kibana-in-line-editor.png[align="center"]
+
+You can save the visualization to a new or existing dashboard by clicking the
+save button (image:images/esql/esql-icon-save-visualization.svg[]). Once saved
+to a dashboard, you can continue to make changes to visualization. Click the
+options button in the top-right (image:images/esql/esql-icon-options.svg[]) and
+select *Edit ESQL visualization* to open the in-line editor:
+
+image::images/esql/esql-kibana-edit-on-dashboard.png[align="center"]
+
+[discrete]
+[[esql-kibana-enrich]]
+=== Create an enrich policy
+
+The {esql} <<esql-enrich>> command enables you to <<esql-enrich-data,enrich>>
+your query dataset with fields from another dataset. Before you can use
+`ENRICH`, you need to <<esql-set-up-enrich-policy,create and execute an enrich
+policy>>. If a policy exists, it will be suggested by auto-complete. If not,
+click *Click to create* to create one.
+
+image::images/esql/esql-kibana-enrich-autocomplete.png[align="center"]
+
+Next, you can enter a policy name, the policy type, source indices, and
+optionally a query:
+
+image::images/esql/esql-kibana-enrich-step-1.png[align="center",width="50%"]
+
+Click *Next* to select the match field and enrich fields:
+
+image::images/esql/esql-kibana-enrich-step-2.png[align="center",width="50%"]
+
+Finally, click *Create and execute*.
+
+Now, you can use the enrich policy in an {esql} query:
+
+image::images/esql/esql-kibana-enriched-data.png[align="center"]
+
+[discrete]
+[[esql-kibana-alerting-rule]]
+=== Create an alerting rule
+
+You can use {esql} queries to create alerts. From Discover, click *Alerts* and
+select *Create search threshold rule*. This opens a panel that enables you to
+create a rule using an {esql} query. Next, you can test the query, add a
+connector, and save the rule.
+
+image::images/esql/esql-kibana-create-rule.png[align="center",width=50%]
+
+[discrete]
+[[esql-kibana-limitations]]
+=== Limitations
+
+* The user interface to filter data is not enabled when Discover is in {esql}
+mode. To filter data, write a query that uses the <<esql-where>> command
+instead.
+* In {esql} mode, clicking a field in the field list in Discover does not show
+quick statistics for that field.
+* Discover shows no more than 10,000 rows. This limit only applies to the number
+of rows that are retrieved by the query and displayed in Discover. Any query or
+aggregation runs on the full data set.
+* Discover shows no more than 50 columns. If a query returns
+more than 50 columns, Discover only shows the first 50.

BIN
docs/reference/images/esql/esql-data-view-menu.png


BIN
docs/reference/images/esql/esql-expanded-query-bar.png


+ 1 - 0
docs/reference/images/esql/esql-icon-edit-visualization.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16"><path d="M12.148 3.148 11 2l-9 9v3h3l9-9-1.144-1.144-8.002 7.998a.502.502 0 0 1-.708 0 .502.502 0 0 1 0-.708l8.002-7.998ZM11 1c.256 0 .512.098.707.293l3 3a.999.999 0 0 1 0 1.414l-9 9A.997.997 0 0 1 5 15H2a1 1 0 0 1-1-1v-3c0-.265.105-.52.293-.707l9-9A.997.997 0 0 1 11 1ZM5 14H2v-3l3 3Z"></path></svg>

+ 1 - 0
docs/reference/images/esql/esql-icon-expand-query-bar.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="m4.354 12.354 8-8a.5.5 0 0 0-.708-.708l-8 8a.5.5 0 0 0 .708.708ZM1 10.5a.5.5 0 1 1 1 0v3a.5.5 0 0 0 .5.5h3a.5.5 0 1 1 0 1h-3A1.5 1.5 0 0 1 1 13.5v-3Zm14-5a.5.5 0 1 1-1 0v-3a.5.5 0 0 0-.5-.5h-3a.5.5 0 1 1 0-1h3A1.5 1.5 0 0 1 15 2.5v3Z"></path></svg>

+ 1 - 0
docs/reference/images/esql/esql-icon-help.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16"><path d="M9 3.5a.5.5 0 1 1-1 0 .5.5 0 0 1 1 0zM9 5v3h1v1H8V6H7V5h2z"></path><path d="M13.855 14.147a1.34 1.34 0 0 1-.158-.246A1.998 1.998 0 0 1 13.5 13c0-.414.103-.713.197-.901a1.34 1.34 0 0 1 .158-.246l.003-.005A.5.5 0 0 0 14 11.5V.5a.5.5 0 0 0-.5-.5H3.461l-.083.005a2.957 2.957 0 0 0-1.102.298 2.257 2.257 0 0 0-.88.763C1.148 1.44 1 1.913 1 2.5V13c0 .463.117.843.318 1.145.2.298.462.491.708.615a2.344 2.344 0 0 0 .94.24H3v-1c-.005 0-.015 0-.029-.002a1.344 1.344 0 0 1-.498-.133.817.817 0 0 1-.323-.275C2.07 13.47 2 13.287 2 13s.07-.47.15-.59a.817.817 0 0 1 .324-.275A1.344 1.344 0 0 1 3 12h9.658c-.091.27-.158.605-.158 1s.067.73.158 1H8v1h5.5a.5.5 0 0 0 .359-.848l-.004-.005zm-.001 0 .002.002-.002-.002zM2.724 1.197c.092-.046.186-.082.276-.11C3 2.918 3.001 11 2.999 11h-.033a1.977 1.977 0 0 0-.283.03 2.344 2.344 0 0 0-.657.21L2 11.254V2.5c0-.413.102-.689.229-.879.128-.193.304-.328.495-.424zM4 11V1h9v10H4z"></path><path d="M7 13H4v2.5a.5.5 0 0 0 .854.354l.646-.647.646.647A.5.5 0 0 0 7 15.5V13z"></path></svg>

+ 1 - 0
docs/reference/images/esql/esql-icon-minimize-query-bar.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16"><path d="m1.146 14.146 4-4a.5.5 0 0 1 .765.638l-.057.07-4 4a.5.5 0 0 1-.765-.638l.057-.07 4-4-4 4ZM6.5 8A1.5 1.5 0 0 1 8 9.5v3a.5.5 0 1 1-1 0v-3a.5.5 0 0 0-.5-.5h-3a.5.5 0 0 1 0-1h3Zm2-5a.5.5 0 0 1 .5.5v3a.5.5 0 0 0 .5.5h3a.5.5 0 1 1 0 1h-3A1.5 1.5 0 0 1 8 6.5v-3a.5.5 0 0 1 .5-.5Zm1.651 2.146 4-4a.5.5 0 0 1 .765.638l-.057.07-4 4a.5.5 0 0 1-.765-.638l.057-.07 4-4-4 4Z"></path></svg>

+ 1 - 0
docs/reference/images/esql/esql-icon-options.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16"><path d="M0 6h4v4H0V6Zm1 1v2h2V7H1Zm5-1h4v4H6V6Zm1 1v2h2V7H7Zm5-1h4v4h-4V6Zm1 3h2V7h-2v2Z"></path></svg>

+ 1 - 0
docs/reference/images/esql/esql-icon-save-visualization.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16"><path d="M5.008 2H2.282c-.181 0-.245.002-.275.007-.005.03-.007.094-.007.275v11.436c0 .181.002.245.007.275.03.005.094.007.275.007h11.436c.181 0 .245-.002.275-.007.005-.03.007-.094.007-.275V4.62c0-.13-.001-.18-.004-.204a2.654 2.654 0 0 0-.141-.147L11.73 2.145a2.654 2.654 0 0 0-.147-.141A2.654 2.654 0 0 0 11.38 2h-.388c.005.08.008.172.008.282v2.436c0 .446-.046.607-.134.77a.909.909 0 0 1-.378.378c-.163.088-.324.134-.77.134H6.282c-.446 0-.607-.046-.77-.134a.909.909 0 0 1-.378-.378C5.046 5.325 5 5.164 5 4.718V2.282c0-.11.003-.202.008-.282ZM2.282 1h9.098c.259 0 .348.01.447.032a.87.87 0 0 1 .273.113c.086.054.156.11.338.293l2.124 2.124c.182.182.239.252.293.338a.87.87 0 0 1 .113.273c.023.1.032.188.032.447v9.098c0 .446-.046.607-.134.77a.909.909 0 0 1-.378.378c-.163.088-.324.134-.77.134H2.282c-.446 0-.607-.046-.77-.134a.909.909 0 0 1-.378-.378c-.088-.163-.134-.324-.134-.77V2.282c0-.446.046-.607.134-.77a.909.909 0 0 1 .378-.378c.163-.088.324-.134.77-.134ZM6 2.282v2.436c0 .181.002.245.007.275.03.005.094.007.275.007h3.436c.181 0 .245-.002.275-.007.005-.03.007-.094.007-.275V2.282c0-.181-.002-.245-.007-.275A2.248 2.248 0 0 0 9.718 2H6.282c-.181 0-.245.002-.275.007-.005.03-.007.094-.007.275ZM8 12a2 2 0 1 1 0-4 2 2 0 0 1 0 4Zm0-1a1 1 0 1 0 0-2 1 1 0 0 0 0 2Z"></path></svg>

BIN
docs/reference/images/esql/esql-kibana-auto-complete.png


BIN
docs/reference/images/esql/esql-kibana-bar-chart.png


BIN
docs/reference/images/esql/esql-kibana-create-rule.png


BIN
docs/reference/images/esql/esql-kibana-edit-on-dashboard.png


BIN
docs/reference/images/esql/esql-kibana-enrich-autocomplete.png


BIN
docs/reference/images/esql/esql-kibana-enrich-step-1.png


BIN
docs/reference/images/esql/esql-kibana-enrich-step-2.png


BIN
docs/reference/images/esql/esql-kibana-enriched-data.png


BIN
docs/reference/images/esql/esql-kibana-in-line-editor.png


BIN
docs/reference/images/esql/esql-kibana-visualization-type.png