The Search AI Company

Build tailored experiences with Elastic.

Elastic Search AI Platform overview

Scale your business with Elastic Partners

Partner overview

ELK Stack

Search and analytics, data ingestion, and visualization – all at your fingertips.

ELK Stack overview

By developers, for developers

Elastic Cloud

Unlock the power of real-time insights with Elastic on your preferred cloud provider.

Elastic Cloud overview

Generative AI

Prototype and integrate with LLMs faster using search AI.

Generative AI overview

Search

Discover a world of AI possibilities — built with the power of search.

Search Labs

Search overview

Security

Protect, investigate, and respond to cyber threats with AI-driven security analytics.

Security Labs

Security overview

Observability

Unify app and infrastructure visibility to proactively resolve issues.

Observability Labs

Observability overview

By solution

See how customers search, solve, and succeed — all on one Search AI Platform.

All customer stories

Industries

Exceed customer expectations and go to market faster.

Industries overview

Customer spotlight

Cisco saves 5,000 support engineer hours per month

Sitecore automates 96 percent of security workflows with Elastic

Comcast transforms customer experiences with Elastic Observability

Research

Stay at the forefront of innovation with technical tips from the experts.

Build

Code with other developers to create a better Elastic, together.

Learn

Unleash the possibilities of your data and grow your skill set.

Connect

Keep informed about the latest tech and news from Elastic.

Have questions?

New

The executive guide to generative AI

About us Partners Support|Login

ES|QL source commands

An ES|QL source command produces a table, typically with data from Elasticsearch. An ES|QL query must start with a source command.

A source command producing a table from {{es}}

ES|QL supports these source commands:

FROM
ROW
SHOW

`FROM`

The FROM source command returns a table with data from a data stream, index, or alias.

Syntax

		FROM index_pattern [METADATA fields]

	

Parameters

index_pattern: A list of indices, data streams or aliases. Supports wildcards and date math.
fields: A comma-separated list of metadata fields to retrieve.

Description

The FROM source command returns a table with data from a data stream, index, or alias. Each row in the resulting table represents a document. Each column corresponds to a field, and can be accessed by the name of that field.

Note

By default, an ES|QL query without an explicit LIMIT uses an implicit limit of 1000. This applies to FROM too. A FROM command without LIMIT:

FROM employees

is executed as:

		FROM employees
| LIMIT 1000

Examples

FROM employees

You can use date math to refer to indices, aliases and data streams. This can be useful for time series data, for example to access today’s index:

		FROM <logs-{now/d}>

	

Use comma-separated lists or wildcards to query multiple data streams, indices, or aliases:

FROM employees-00001,other-employees-*

Use the format <remote_cluster_name>:<target> to query data streams and indices on remote clusters:

		FROM cluster_one:employees-00001,cluster_two:other-employees-*

	

Use the optional METADATA directive to enable metadata fields:

FROM employees METADATA _id

Use enclosing double quotes (") or three enclosing double quotes (""") to escape index names that contain special characters:

		FROM "this=that", """this[that"""

	

`ROW`

The ROW source command produces a row with one or more columns with values that you specify. This can be useful for testing.

Syntax

		ROW column1 = value1[, ..., columnN = valueN]

	

Parameters

columnX: The column name. In case of duplicate column names, only the rightmost duplicate creates a column.
valueX: The value for the column. Can be a literal, an expression, or a function.

Examples

		ROW a = 1, b = "two", c = null

	

a:integer	b:keyword	c:null
1	"two"	null

Use square brackets to create multi-value columns:

		ROW a = [2, 1]

	

ROW supports the use of functions:

		ROW a = ROUND(1.23, 0)

	

`SHOW`

The SHOW source command returns information about the deployment and its capabilities.

Syntax

SHOW item

Parameters

item: Can only be INFO.

Examples

Use SHOW INFO to return the deployment’s version, build date and hash.

SHOW INFO

version	date	hash
8.13.0	2024-02-23T10:04:18.123117961Z	04ba8c8db2507501c88f215e475de7b0798cb3b3