lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133
							[[esql-syntax]]
== ESQL syntax reference

++++
<titleabbrev>Syntax reference</titleabbrev>
++++
:keywords: {es}, ESQL, {es} query language, syntax
:description: An ESQL query is composed of a source command followed by an optional series of processing commands, separated by a pipe character.

[discrete]
[[esql-basic-syntax]]
=== Basic syntax

An ESQL query is composed of a <<esql-source-commands,source command>> followed
by an optional series of <<esql-processing-commands,processing commands>>,
separated by a pipe character: `|`. For example:

[source,esql]
----
source-command 
| processing-command1 
| processing-command2
----

The result of a query is the table produced by the final processing command.

For readability, this documentation puts each processing command on a new line.
However, you can write an ESQL query as a single line. The following query is
identical to the previous one:

[source,esql]
----
source-command | processing-command1 | processing-command2
----

[discrete]
[[esql-comments]]
=== Comments
ESQL uses C++ style comments: 

* double slash `//` for single line comments
* `/*` and `*/` for block comments

[source,esql]
----
// Query the employees index
FROM employees
| WHERE height > 2
----

[source,esql]
----
FROM /* Query the employees index */ employees
| WHERE height > 2
----

[source,esql]
----
FROM employees
/* Query the 
*  employees
*  index */
| WHERE height > 2
----

[discrete]
[[esql-operators]]
=== Operators
These comparison operators are supported:

* equality: `==`
* inequality: `!=`
* comparison: 
** less than: `<`
** less than or equal: `<=`
** larger than: `>`
** larger than or equal: `>=`

For string comparison using wildcards or regular expressions, use `LIKE` or
`RLIKE`:

* Use `LIKE` to match strings using wildcards. The following wildcard characters
are supported:
+
--
** `*` matches zero or more characters. 
** `?` matches one character. 

[source,esql]
----
FROM employees 
| WHERE first_name LIKE "?b*" 
| PROJECT first_name, last_name
----
--

* Use `RLIKE` to match strings using <<regexp-syntax,regular expressions>>:
+
[source,esql]
----
FROM employees 
| WHERE first_name RLIKE ".leja.*" 
| PROJECT first_name, last_name
----

The following boolean operators are supported:

* `AND`
* `OR`
* `NOT`

[discrete]
[[esql-timespan-literals]]
=== Timespan literals

Datetime intervals and timespans can be expressed using timespan literals.
Timespan literals are a combination of a number and a qualifier. These
qualifiers are supported:

* `millisecond`/`milliseconds`
* `second`/`seconds`
* `minute`/`minutes`
* `hour`/`hours`
* `day`/`days`
* `week`/`weeks`
* `month`/`months`
* `year`/`years`

Timespan literals are not whitespace sensitive. These expressions are all valid:

* `1day`
* `1 day`
* `1       day`