ES|QL
ES|QL
The Elasticsearch Query Language (ES|QL) provides a powerful way to filter, transform, and analyze data stored in Elasticsearch, and in the future in other runtimes. It is designed to be easy to learn and use, by end users, SRE teams, application developers, and administrators.
Users can author ES|QL queries to find specific events, perform statistical analysis, and generate visualizations. It supports a wide range of commands and functions that enable users to perform various data operations, such as filtering, aggregation, time-series analysis, and more.
The Elasticsearch Query Language (ES|QL) makes use of “pipes” (|) to manipulate and transform data in a step-by-step fashion. This approach allows users to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis.
The ES|QL Compute Engine
ES|QL is more than a language: it represents a significant investment in new compute capabilities within Elasticsearch. To achieve both the functional and performance requirements for ES|QL, it was necessary to build an entirely new compute architecture. ES|QL search, aggregation, and transformation functions are directly executed within Elasticsearch itself. Query expressions are not transpiled to Query DSL for execution. This approach allows ES|QL to be extremely performant and versatile.
The new ES|QL execution engine was designed with performance in mind — it operates on blocks at a time instead of per row, targets vectorization and cache locality, and embraces specialization and multi-threading. It is a separate component from the existing Elasticsearch aggregation framework with different performance characteristics.
The ES|QL documentation is organized in these sections:
A tutorial to help you get started with ES|QL.
Reference documentation for the ES|QL syntax, commands, and functions and operators. Information about working with metadata fields and multivalued fields. And guidance for data processing with DISSECT and GROK and data enrichment with ENRICH.
An overview of using the REST API, Using ES|QL in Kibana, Using ES|QL in Elastic Security, Using ES|QL across clusters, and Task management.
The current limitations of ES|QL.
A few examples of what you can do with ES|QL.