lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137
							[[esql]]
= {esql}

:keywords: {es}, {esql}, {es} query language
:description: {esql} is a query language that enables the iterative exploration of data.

:esql-tests: {xes-repo-dir}/../../plugin/esql/qa
:esql-specs: {esql-tests}/testFixtures/src/main/resources

[partintro]
--
The {es} Query Language ({esql}) is a query language that enables the iterative
exploration of data.

An {esql} query consists of a series of commands, separated by pipes. Each query
starts with a <<esql-source-commands,source command>>. A source command produces
a table, typically with data from {es}.

image::images/esql/source-command.svg[A source command producing a table from {es},align="center"]

A source command can be followed by one or more
<<esql-processing-commands,processing commands>>. Processing commands change an
input table by adding, removing, or changing rows and columns.

image::images/esql/processing-command.svg[A processing command changing an input table,align="center"]

You can chain processing commands, separated by a pipe character: `|`. Each
processing command works on the output table of the previous command.

image::images/esql/chaining-processing-commands.svg[Processing commands can be chained,align="center"]

The result of a query is the table produced by the final processing command.

[discrete]
[[esql-console]]
=== Run an {esql} query

[discrete]
==== The {esql} API

Use the `_esql` endpoint to run an {esql} query:

[source,console]
----
POST /_esql
{
  "query": """
    FROM library
    | EVAL year = DATE_TRUNC(release_date, 1 YEARS)
    | STATS MAX(page_count) BY year
    | SORT year
    | LIMIT 5
  """
}
----
// TEST[setup:library]

The results come back in rows:

[source,console-result]
----
{
  "columns": [
    { "name": "MAX(page_count)", "type": "integer"},
    { "name": "year"           , "type": "date"}
  ],
  "values": [
    [268, "1932-01-01T00:00:00.000Z"],
    [224, "1951-01-01T00:00:00.000Z"],
    [227, "1953-01-01T00:00:00.000Z"],
    [335, "1959-01-01T00:00:00.000Z"],
    [604, "1965-01-01T00:00:00.000Z"]
  ]
}
----

By default, results are returned as JSON. To return results formatted as text,
CSV, or TSV, use the `format` parameter:

[source,console]
----
POST /_esql?format=txt
{
  "query": """
    FROM library
    | EVAL year = DATE_TRUNC(release_date, 1 YEARS)
    | STATS MAX(page_count) BY year
    | SORT year
    | LIMIT 5
  """
}
----
// TEST[setup:library]

[discrete]
==== {kib}

{esql} can be used in Discover to explore a data set, and in Lens to visualize it.
First, enable the `enableTextBased` setting in *Advanced Settings*. Next, in
Discover or Lens, from the data view dropdown, select *{esql}*.

NOTE: {esql} queries in Discover and Lens are subject to the time range selected
with the time filter.

[discrete]
[[esql-limitations]]
=== Limitations

{esql} currently supports the following <<mapping-types,field types>>:

- `alias`
- `boolean`
- `date`
- `ip`
- `keyword` family (`keyword`, `constant_keyword`, and `wildcard`)
- `double`/`float`/`half_float` (represented as `double`)
- `long`
- `int`/`short`/`byte` (represented as `int`)
- `version`
--

include::esql-get-started.asciidoc[]

include::esql-syntax.asciidoc[]

include::esql-source-commands.asciidoc[]

include::esql-processing-commands.asciidoc[]

include::esql-functions.asciidoc[]

include::aggregation-functions.asciidoc[]

include::multivalued-fields.asciidoc[]

:esql-tests!:
:esql-specs!: