ES|QL

edit

Do not use ES|QL on production environments. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

The Elasticsearch Query Language (ES|QL) provides a powerful way to filter, transform, and analyze data stored in Elasticsearch, and in the future in other runtimes. It is designed to be easy to learn and use, by end users, SRE teams, application developers, and administrators.

Users can author ES|QL queries to find specific events, perform statistical analysis, and generate visualizations. It supports a wide range of commands and functions that enable users to perform various data operations, such as filtering, aggregation, time-series analysis, and more.

The Elasticsearch Query Language (ES|QL) makes use of "pipes" (|) to manipulate and transform data in a step-by-step fashion. This approach allows users to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis.

The ES|QL Compute Engine

edit

ES|QL is more than a language: it represents a significant investment in new compute capabilities within Elasticsearch. To achieve both the functional and performance requirements for ES|QL, it was necessary to build an entirely new compute architecture. ES|QL search, aggregation, and transformation functions are directly executed within Elasticsearch itself. Query expressions are not transpiled to Query DSL for execution. This approach allows ES|QL to be extremely performant and versatile.

The new ES|QL execution engine was designed with performance in mind — it operates on blocks at a time instead of per row, targets vectorization and cache locality, and embraces specialization and multi-threading. It is a separate component from the existing Elasticsearch aggregation framework with different performance characteristics.

The ES|QL documentation is organized in these sections:

Getting started
A tutorial to help you get started with ES|QL.
ES|QL reference
Reference documentation for the ES|QL syntax, commands, and functions and operators. Information about working with metadata fields and multivalued fields. And guidance for data processing with DISSECT and GROK and data enrichment with ENRICH.
Using ES|QL
An overview of using the REST API, Using ES|QL in Kibana, Using ES|QL in Elastic Security, Using ES|QL across clusters, and Task management.
Limitations
The current limitations of ES|QL.
Examples
A few examples of what you can do with ES|QL.