Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 1d6f1a0223
Branches Tags
elasticsearch
/
docs
/
reference
/
esql
/
esql-multi-index.asciidoc

esql-multi-index.asciidoc 6.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. [[esql-multi-index]]
    2. 

  2. === Using {esql} to query multiple indices
    3. 

  3. ++++
    4. 

  4. <titleabbrev>Using {esql} to query multiple indices</titleabbrev>
    5. 

  5. ++++
    6. 

  6. 

  7. With {esql}, you can execute a single query across multiple indices, data streams, or aliases.
    8. 

  8. To do so, use wildcards and date arithmetic. The following example uses a comma-separated list and a wildcard:
    9. 

  9. 

  10. [source,esql]
    11. 

  11. ----
    12. 

  12. FROM employees-00001,other-employees-*
    13. 

  13. ----
    14. 

  14. 

  15. Use the format `<remote_cluster_name>:<target>` to <<esql-cross-clusters, query data streams and indices
    16. 

  16. on remote clusters>>:
    17. 

  17. 

  18. [source,esql]
    19. 

  19. ----
    20. 

  20. FROM cluster_one:employees-00001,cluster_two:other-employees-*
    21. 

  21. ----
    22. 

  22. 

  23. [discrete]
    24. 

  24. [[esql-multi-index-invalid-mapping]]
    25. 

  25. === Field type mismatches
    26. 

  26. 

  27. When querying multiple indices, data streams, or aliases, you might find that the same field is mapped to multiple different types.
    28. 

  28. For example, consider the two indices with the following field mappings:
    29. 

  29. 

  30. *index: events_ip*
    31. 

  31. ```
    32. 

  32. {
    33. 

  33.   "mappings": {
    34. 

  34.     "properties": {
    35. 

  35.       "@timestamp":     { "type": "date" },
    36. 

  36.       "client_ip":      { "type": "ip" },
    37. 

  37.       "event_duration": { "type": "long" },
    38. 

  38.       "message":        { "type": "keyword" }
    39. 

  39.     }
    40. 

  40.   }
    41. 

  41. }
    42. 

  42. ```
    43. 

  43. 

  44. *index: events_keyword*
    45. 

  45. ```
    46. 

  46. {
    47. 

  47.   "mappings": {
    48. 

  48.     "properties": {
    49. 

  49.       "@timestamp":     { "type": "date" },
    50. 

  50.       "client_ip":      { "type": "keyword" },
    51. 

  51.       "event_duration": { "type": "long" },
    52. 

  52.       "message":        { "type": "keyword" }
    53. 

  53.     }
    54. 

  54.   }
    55. 

  55. }
    56. 

  56. ```
    57. 

  57. 

  58. When you query each of these individually with a simple query like `FROM events_ip`, the results are provided with type-specific columns:
    59. 

  59. 

  60. [source.merge.styled,esql]
    61. 

  61. ----
    62. 

  62. FROM events_ip
    63. 

  63. | SORT @timestamp DESC
    64. 

  64. ----
    65. 

  65. [%header.monospaced.styled,format=dsv,separator=|]
    66. 

  66. |===
    67. 

  67. @timestamp:date | client_ip:ip | event_duration:long | message:keyword
    68. 

  68. 2023-10-23T13:55:01.543Z | 172.21.3.15  | 1756467 | Connected to 10.1.0.1
    69. 

  69. 2023-10-23T13:53:55.832Z | 172.21.3.15  | 5033755 | Connection error
    70. 

  70. 2023-10-23T13:52:55.015Z | 172.21.3.15  | 8268153 | Connection error
    71. 

  71. |===
    72. 

  72. 

  73. Note how the `client_ip` column is correctly identified as type `ip`, and all values are displayed.
    74. 

  74. However, if instead the query sources two conflicting indices with `FROM events_*`, the type of the `client_ip` column cannot be determined
    75. 

  75. and is reported as `unsupported` with all values returned as `null`.
    76. 

  76. 

  77. [[query-unsupported]]
    78. 

  78. [source.merge.styled,esql]
    79. 

  79. ----
    80. 

  80. FROM events_*
    81. 

  81. | SORT @timestamp DESC
    82. 

  82. ----
    83. 

  83. [%header.monospaced.styled,format=dsv,separator=|]
    84. 

  84. |===
    85. 

  85. @timestamp:date | client_ip:unsupported | event_duration:long | message:keyword
    86. 

  86. 2023-10-23T13:55:01.543Z | null  | 1756467 | Connected to 10.1.0.1
    87. 

  87. 2023-10-23T13:53:55.832Z | null  | 5033755 | Connection error
    88. 

  88. 2023-10-23T13:52:55.015Z | null  | 8268153 | Connection error
    89. 

  89. 2023-10-23T13:51:54.732Z | null  | 725448  | Connection error
    90. 

  90. 2023-10-23T13:33:34.937Z | null  | 1232382 | Disconnected
    91. 

  91. 2023-10-23T12:27:28.948Z | null  | 2764889 | Connected to 10.1.0.2
    92. 

  92. 2023-10-23T12:15:03.360Z | null  | 3450233 | Connected to 10.1.0.3
    93. 

  93. |===
    94. 

  94. 

  95. In addition, if the query refers to this unsupported field directly, the query fails:
    96. 

  96. 

  97. [source.merge.styled,esql]
    98. 

  98. ----
    99. 

  99. FROM events_*
    100. 

  100. | KEEP @timestamp, client_ip, event_duration, message
    101. 

  101. | SORT @timestamp DESC
    102. 

  102. ----
    103. 

  103. 

  104. [source,bash]
    105. 

  105. ----
    106. 

  106. Cannot use field [client_ip] due to ambiguities being mapped as 
    107. 

  107. [2] incompatible types:
    108. 

  108.     [ip] in [events_ip],
    109. 

  109.     [keyword] in [events_keyword]
    110. 

  110. ----
    111. 

  111. 

  112. [discrete]
    113. 

  113. [[esql-multi-index-union-types]]
    114. 

  114. === Union types
    115. 

  115. 

  116. {esql} has a way to handle <<esql-multi-index-invalid-mapping, field type mismatches>>. When the same field is mapped to multiple types in multiple indices,
    117. 

  117. the type of the field is understood to be a _union_ of the various types in the index mappings.
    118. 

  118. As seen in the preceding examples, this _union type_ cannot be used in the results,
    119. 

  119. and cannot be referred to by the query
    120. 

  120. -- except when it's passed to a type conversion function that accepts all the types in the _union_ and converts the field
    121. 

  121. to a single type. {esql} offers a suite of <<esql-type-conversion-functions,type conversion functions>> to achieve this. 
    122. 

  122. 

  123. In the above examples, the query can use a command like `EVAL client_ip = TO_IP(client_ip)` to resolve
    124. 

  124. the union of `ip` and `keyword` to just `ip`.
    125. 

  125. You can also use the type-conversion syntax `EVAL client_ip = client_ip::IP`.
    126. 

  126. Alternatively, the query could use <<esql-to_string,`TO_STRING`>> to convert all supported types into `KEYWORD`.
    127. 

  127. 

  128. For example, the <<query-unsupported,query>> that returned `client_ip:unsupported` with `null` values can be improved using the `TO_IP` function or the equivalent `field::ip` syntax.
    129. 

  129. These changes also resolve the error message.
    130. 

  130. As long as the only reference to the original field is to pass it to a conversion function that resolves the type ambiguity, no error results.
    131. 

  131. 

  132. [source.merge.styled,esql]
    133. 

  133. ----
    134. 

  134. FROM events_*
    135. 

  135. | EVAL client_ip = TO_IP(client_ip)
    136. 

  136. | KEEP @timestamp, client_ip, event_duration, message
    137. 

  137. | SORT @timestamp DESC
    138. 

  138. ----
    139. 

  139. [%header.monospaced.styled,format=dsv,separator=|]
    140. 

  140. |===
    141. 

  141. @timestamp:date | client_ip:ip | event_duration:long | message:keyword
    142. 

  142. 2023-10-23T13:55:01.543Z | 172.21.3.15  | 1756467 | Connected to 10.1.0.1
    143. 

  143. 2023-10-23T13:53:55.832Z | 172.21.3.15  | 5033755 | Connection error
    144. 

  144. 2023-10-23T13:52:55.015Z | 172.21.3.15  | 8268153 | Connection error
    145. 

  145. 2023-10-23T13:51:54.732Z | 172.21.3.15  | 725448  | Connection error
    146. 

  146. 2023-10-23T13:33:34.937Z | 172.21.0.5   | 1232382 | Disconnected
    147. 

  147. 2023-10-23T12:27:28.948Z | 172.21.2.113 | 2764889 | Connected to 10.1.0.2
    148. 

  148. 2023-10-23T12:15:03.360Z | 172.21.2.162 | 3450233 | Connected to 10.1.0.3
    149. 

  149. |===
    150. 

  150. 

  151. [discrete]
    152. 

  152. [[esql-multi-index-index-metadata]]
    153. 

  153. === Index metadata
    154. 

  154. 

  155. It can be helpful to know the particular index from which each row is sourced.
    156. 

  156. To get this information, use the <<esql-metadata-fields,`METADATA`>> option on the <<esql-from,`FROM`>> command.
    157. 

  157. 

  158. [source.merge.styled,esql]
    159. 

  159. ----
    160. 

  160. FROM events_* METADATA _index
    161. 

  161. | EVAL client_ip = TO_IP(client_ip)
    162. 

  162. | KEEP _index, @timestamp, client_ip, event_duration, message
    163. 

  163. | SORT @timestamp DESC
    164. 

  164. ----
    165. 

  165. [%header.monospaced.styled,format=dsv,separator=|]
    166. 

  166. |===
    167. 

  167. _index:keyword | @timestamp:date | client_ip:ip | event_duration:long | message:keyword
    168. 

  168. events_ip | 2023-10-23T13:55:01.543Z | 172.21.3.15  | 1756467 | Connected to 10.1.0.1
    169. 

  169. events_ip | 2023-10-23T13:53:55.832Z | 172.21.3.15  | 5033755 | Connection error
    170. 

  170. events_ip | 2023-10-23T13:52:55.015Z | 172.21.3.15  | 8268153 | Connection error
    171. 

  171. events_keyword | 2023-10-23T13:51:54.732Z | 172.21.3.15  | 725448  | Connection error
    172. 

  172. events_keyword | 2023-10-23T13:33:34.937Z | 172.21.0.5   | 1232382 | Disconnected
    173. 

  173. events_keyword | 2023-10-23T12:27:28.948Z | 172.21.2.113 | 2764889 | Connected to 10.1.0.2
    174. 

  174. events_keyword | 2023-10-23T12:15:03.360Z | 172.21.2.162 | 3450233 | Connected to 10.1.0.3
    175. 

  175. |===
    176.