diff --git a/explore-analyze/alerts/kibana/rule-type-es-query.md b/explore-analyze/alerts/kibana/rule-type-es-query.md index ebf5fdb75d..727b658712 100644 --- a/explore-analyze/alerts/kibana/rule-type-es-query.md +++ b/explore-analyze/alerts/kibana/rule-type-es-query.md @@ -37,7 +37,7 @@ When you create an {{es}} query rule, your choice of query type affects the info If you use [KQL](../../query-filter/languages/kql.md) or [Lucene](../../query-filter/languages/lucene-query-syntax.md), you must specify a data view then define a text-based query. For example, `http.request.referrer: "https://example.com"`. - If you use [ES|QL](../../query-filter/languages/esorql.md), you must provide a source command followed by an optional series of processing commands, separated by pipe characters (|). [8.16.0] For example: + If you use [ES|QL](../../query-filter/languages/esql.md), you must provide a source command followed by an optional series of processing commands, separated by pipe characters (|). [8.16.0] For example: ```sh FROM kibana_sample_data_logs diff --git a/explore-analyze/discover/try-esql.md b/explore-analyze/discover/try-esql.md index 5fa8c554d6..91b7a75a0e 100644 --- a/explore-analyze/discover/try-esql.md +++ b/explore-analyze/discover/try-esql.md 
@@ -10,7 +10,7 @@ The Elasticsearch Query Language, {{esql}}, makes it easier to explore your data In this tutorial we’ll use the {{kib}} sample web logs in Discover and Lens to explore the data and create visualizations. ::::{tip} -For the complete {{esql}} documentation, including tutorials, examples and the full syntax reference, refer to the [{{es}} documentation](../query-filter/languages/esorql.md). For a more detailed overview of {{esql}} in {{kib}}, refer to [Use {{esql}} in Kibana](../query-filter/languages/esql-kibana.md). +For the complete {{esql}} documentation, including tutorials, examples and the full syntax reference, refer to the [{{es}} documentation](../query-filter/languages/esql.md). For a more detailed overview of {{esql}} in {{kib}}, refer to [Use {{esql}} in Kibana](../query-filter/languages/esql-kibana.md). :::: diff --git a/explore-analyze/geospatial-analysis.md b/explore-analyze/geospatial-analysis.md index ddee42ece6..7100bc159e 100644 --- a/explore-analyze/geospatial-analysis.md +++ b/explore-analyze/geospatial-analysis.md 
@@ -34,7 +34,7 @@ Data is often messy and incomplete. [Ingest pipelines](../manage-data/ingest/tra ## ES|QL [esql-query] -[ES|QL](query-filter/languages/esorql.md) has support for [Geospatial Search](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-spatial-functions) functions, enabling efficient index searching for documents that intersect with, are within, are contained by, or are disjoint from a query geometry. In addition, the `ST_DISTANCE` function calculates the distance between two points. +[ES|QL](query-filter/languages/esql.md) has support for [Geospatial Search](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-spatial-functions) functions, enabling efficient index searching for documents that intersect with, are within, are contained by, or are disjoint from a query geometry. In addition, the `ST_DISTANCE` function calculates the distance between two points. * [`ST_INTERSECTS`](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-st_intersects) * [`ST_DISJOINT`](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-st_disjoint) diff --git a/explore-analyze/query-filter.md b/explore-analyze/query-filter.md index ec370a8f3b..d06f85129c 100644 --- a/explore-analyze/query-filter.md +++ b/explore-analyze/query-filter.md 
@@ -7,88 +7,20 @@ mapped_pages: You can use {{es}} as a basic document store to retrieve documents and their metadata. However, the real power of {{es}} comes from its advanced search and analytics capabilities. -You’ll use a combination of an API endpoint and a query language to interact with your data. - - -## REST API [search-analyze-rest-api] - -Use REST APIs to manage your {{es}} cluster, and to index and search your data. For testing purposes, you can submit requests directly from the command line or through the Dev Tools [Console](query-filter/tools/console.md) in {{kib}}. From your applications, you can use a [client](https://www.elastic.co/guide/en/elasticsearch/client/index.md) in your programming language of choice. - -Refer to [first steps with Elasticsearch](../solutions/search/get-started.md) for a hands-on example of using the `_search` endpoint, adding data to {{es}}, and running basic searches in Query DSL syntax. - - -## Query languages [search-analyze-query-languages] - -{{es}} provides a number of query languages for interacting with your data. - -**Query DSL** is the primary query language for {{es}} today. - -**{{esql}}** is a new piped query language and compute engine which was first added in version **8.11**. - -{{esql}} does not yet support all the features of Query DSL. Look forward to new {{esql}} features and functionalities in each release. - -Refer to [Query languages](#search-analyze-query-languages) for a full overview of the query languages available in {{es}}. - - -### Query DSL [search-analyze-query-dsl] - -[Query DSL](query-filter/languages/querydsl.md) is a full-featured JSON-style query language that enables complex searching, filtering, and aggregations. It is the original and most powerful query language for {{es}} today. - -The [`_search` endpoint](../solutions/search/querying-for-search.md) accepts queries written in Query DSL syntax. 
- +## Querying -#### Search and filter with Query DSL [search-analyze-query-dsl-search-filter] - -Query DSL support a wide range of search techniques, including the following: - -* [**Full-text search**](../solutions/search/full-text.md): Search text that has been analyzed and indexed to support phrase or proximity queries, fuzzy matches, and more. -* [**Keyword search**](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html): Search for exact matches using `keyword` fields. -* [**Semantic search**](../solutions/search/semantic-search/semantic-search-semantic-text.md): Search `semantic_text` fields using dense or sparse vector search on embeddings generated in your {{es}} cluster. -* [**Vector search**](../solutions/search/vector/knn.md): Search for similar dense vectors using the kNN algorithm for embeddings generated outside of {{es}}. -* [**Geospatial search**](https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-queries.html): Search for locations and calculate spatial relationships using geospatial queries. - -Learn about the full range of queries supported by [Query DSL](query-filter/languages/querydsl.md). - -You can also filter data using Query DSL. Filters enable you to include or exclude documents by retrieving documents that match specific field-level criteria. A query that uses the `filter` parameter indicates [filter context](query-filter/languages/querydsl.md#filter-context). - - -#### Analyze with Query DSL [search-analyze-data-query-dsl] - -[Aggregations](aggregations.md) are the primary tool for analyzing {{es}} data using Query DSL. Aggregrations enable you to build complex summaries of your data and gain insight into key metrics, patterns, and trends. - -Because aggregations leverage the same data structures used for search, they are also very fast. This enables you to analyze and visualize your data in real time. 
You can search documents, filter results, and perform analytics at the same time, on the same data, in a single request. That means aggregations are calculated in the context of the search query. - -The folowing aggregation types are available: - -* [Metric](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics.html): Calculate metrics, such as a sum or average, from field values. -* [Bucket](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket.html): Group documents into buckets based on field values, ranges, or other criteria. -* [Pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline.html): Run aggregations on the results of other aggregations. - -Run aggregations by specifying the [search API](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html)'s `aggs` parameter. Learn more in [Run an aggregation](aggregations.md#run-an-agg). - - -### {{esql}} [search-analyze-data-esql] - -[Elasticsearch Query Language ({{esql}})](query-filter/languages/esorql.md) is a piped query language for filtering, transforming, and analyzing data. {{esql}} is built on top of a new compute engine, where search, aggregation, and transformation functions are directly executed within {{es}} itself. {{esql}} syntax can also be used within various {{kib}} tools. - -The [`_query` endpoint](query-filter/languages/esql-rest.md) accepts queries written in {{esql}} syntax. - -Today, it supports a subset of the features available in Query DSL, but it is rapidly evolving. +You’ll use a combination of an API endpoint and a query language to interact with your data. -It comes with a comprehensive set of [functions and operators](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html) for working with data and has robust integration with {{kib}}'s Discover, dashboards and visualizations. 
+- Elasticsearch provides a number of [query languages](/explore-analyze/query-filter/languages.md). From Query DSL to the newest ES|QL, find the one that's most appropriate for you. -Learn more in [Getting started with {{esql}}](../solutions/search/get-started.md), or try [our training course](https://www.elastic.co/training/introduction-to-esql). +- You can call Elasticsearch's REST APIs by submitting requests directly from the command line or through the Dev Tools [Console](/explore-analyze/query-filter/tools/console.md) in {{kib}}. From your applications, you can use a [client](https://www.elastic.co/guide/en/elasticsearch/client/index.md) in your programming language of choice. +- A number of [tools](/explore-analyze/query-filter/tools.md) are available for you to save, debug, and optimize your queries. -## List of available query languages [search-analyze-data-query-languages-table] +% todo: update link to the best target +If you're just getting started with Elasticsearch, try the hands-on [API quickstart](/solutions/search/elasticsearch-basics-quickstart.md) to learn how to add data and run basic searches using Query DSL and the `_search` endpoint. -The following table summarizes all available {{es}} query languages, to help you choose the right one for your use case. +## Filtering -| Name | Description | Use cases | API endpoint | -| --- | --- | --- | --- | -| [Query DSL](query-filter/languages/querydsl.md) | The primary query language for {{es}}. A powerful and flexible JSON-style language that enables complex queries. | Full-text search, semantic search, keyword search, filtering, aggregations, and more. | [`_search`](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html) | -| [{{esql}}](query-filter/languages/esorql.md) | Introduced in **8.11**, the Elasticsearch Query Language ({{esql}}) is a piped query language language for filtering, transforming, and analyzing data. 
| Initially tailored towards working with time series data like logs and metrics.Robust integration with {{kib}} for querying, visualizing, and analyzing data.Does not yet support full-text search. | [`_query`](query-filter/languages/esql-rest.md) | -| [EQL](query-filter/languages/eql.md) | Event Query Language (EQL) is a query language for event-based time series data. Data must contain the `@timestamp` field to use EQL. | Designed for the threat hunting security use case. | [`_eql`](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql-apis.html) | -| [Elasticsearch SQL](query-filter/languages/sql.md) | Allows native, real-time SQL-like querying against {{es}} data. JDBC and ODBC drivers are available for integration with business intelligence (BI) tools. | Enables users familiar with SQL to query {{es}} data using familiar syntax for BI and reporting. | [`_sql`](https://www.elastic.co/guide/en/elasticsearch/reference/current/sql-apis.html) | -| [Kibana Query Language (KQL)](query-filter/languages/kql.md) | {{kib}} Query Language (KQL) is a text-based query language for filtering data when you access it through the {{kib}} UI. | Use KQL to filter documents where a value for a field exists, matches a given value, or is within a given range. | N/A | +When querying your data in Kibana, additional options let you filter the results to just the subset you need. Some of these options are common to most Elastic apps. Check [Filtering in Kibana](/explore-analyze/query-filter/filtering.md) for more details on how to recognize and use them in the UI. diff --git a/explore-analyze/query-filter/filtering.md b/explore-analyze/query-filter/filtering.md index d39dfff4a5..9b6e623227 100644 --- a/explore-analyze/query-filter/filtering.md +++ b/explore-analyze/query-filter/filtering.md 
@@ -25,25 +25,25 @@ Some apps provide more options, such as [Dashboards](../dashboards.md). Display data within a specified time range when your index contains time-based events, and a time-field is configured for the selected [{{data-source}}](../find-and-organize/data-views.md). The default time range is 15 minutes, but you can customize it in [Advanced Settings](https://www.elastic.co/guide/en/kibana/current/advanced-options.html). -1. Click ![calendar icon](../../images/kibana-time-filter-icon.png). +1. Click ![calendar icon](../../../images/kibana-time-filter-icon.png). 2. Choose one of the following: * **Quick select**. Set a time based on the last or next number of seconds, minutes, hours, or other time unit. * **Commonly used**. Select a time range from options such as **Last 15 minutes**, **Today**, and **Week to date**. * **Recently used date ranges**. Use a previously selected data range. * **Refresh every**. Specify an automatic refresh rate. - - :::{image} ../../../images/kibana-time-filter.png - :alt: Time filter menu - :width: 300px - ::: + +:::{image} ../../images/kibana-time-filter.png +:alt: Time filter menu +:width: 300px +::: 3. To set start and end times, click the bar next to the time filter. In the popup, select **Absolute**, **Relative** or **Now**, then specify the required options. - - :::{image} ../../../images/kibana-time-relative.png - :alt: Time filter showing relative time - :class: screenshot - ::: + +:::{image} ../../images/kibana-time-relative.png +:alt: Time filter showing relative time +:width: 350px +::: The global time filter limits the time range of data displayed. In most cases, the time filter applies to the time field in the data view, but some apps allow you to use a different time field. 
@@ -55,4 +55,4 @@ To manually resubmit a search, click the **Refresh** button. This is useful when Structured filters are a more interactive way to create {{es}} queries, and are commonly used when building dashboards that are shared by multiple analysts. Each filter can be disabled, inverted, or pinned across all apps. Each of the structured filters is combined with AND logic on the rest of the query. -![Add filter popup](../../images/kibana-add-filter-popup.png "") \ No newline at end of file +![Add filter popup](../../../images/kibana-add-filter-popup.png "") \ No newline at end of file diff --git a/explore-analyze/query-filter/languages.md b/explore-analyze/query-filter/languages.md index 5a91d75c56..832fe2ebb0 100644 --- a/explore-analyze/query-filter/languages.md +++ b/explore-analyze/query-filter/languages.md 
@@ -3,92 +3,18 @@ mapped_pages: - https://www.elastic.co/guide/en/elasticsearch/reference/current/search-analyze.html --- -# Query languages [search-analyze] - -You can use {{es}} as a basic document store to retrieve documents and their metadata. However, the real power of {{es}} comes from its advanced search and analytics capabilities. - -You’ll use a combination of an API endpoint and a query language to interact with your data. - - -## REST API [search-analyze-rest-api] - -Use REST APIs to manage your {{es}} cluster, and to index and search your data. For testing purposes, you can submit requests directly from the command line or through the Dev Tools [Console](tools/console.md) in {{kib}}. From your applications, you can use a [client](https://www.elastic.co/guide/en/elasticsearch/client/index.html) in your programming language of choice. - -Refer to [first steps with Elasticsearch](../../solutions/search/get-started.md) for a hands-on example of using the `_search` endpoint, adding data to {{es}}, and running basic searches in Query DSL syntax. - - -## Query languages [search-analyze-query-languages] +# Query languages [search-analyze-query-languages] {{es}} provides a number of query languages for interacting with your data. -**Query DSL** is the primary query language for {{es}} today. - -**{{esql}}** is a new piped query language and compute engine which was first added in version **8.11**. - -{{esql}} does not yet support all the features of Query DSL. Look forward to new {{esql}} features and functionalities in each release. - -Refer to [Query languages](../query-filter.md#search-analyze-query-languages) for a full overview of the query languages available in {{es}}. - - -### Query DSL [search-analyze-query-dsl] - -[Query DSL](languages/querydsl.md) is a full-featured JSON-style query language that enables complex searching, filtering, and aggregations. It is the original and most powerful query language for {{es}} today. 
- -The [`_search` endpoint](../../solutions/search/querying-for-search.md) accepts queries written in Query DSL syntax. - - -#### Search and filter with Query DSL [search-analyze-query-dsl-search-filter] - -Query DSL support a wide range of search techniques, including the following: - -* [**Full-text search**](../../solutions/search/full-text.md): Search text that has been analyzed and indexed to support phrase or proximity queries, fuzzy matches, and more. -* [**Keyword search**](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html): Search for exact matches using `keyword` fields. -* [**Semantic search**](../../solutions/search/semantic-search/semantic-search-semantic-text.md): Search `semantic_text` fields using dense or sparse vector search on embeddings generated in your {{es}} cluster. -* [**Vector search**](../../solutions/search/vector/knn.md): Search for similar dense vectors using the kNN algorithm for embeddings generated outside of {{es}}. -* [**Geospatial search**](https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-queries.html): Search for locations and calculate spatial relationships using geospatial queries. - -Learn about the full range of queries supported by [Query DSL](languages/querydsl.md). - -You can also filter data using Query DSL. Filters enable you to include or exclude documents by retrieving documents that match specific field-level criteria. A query that uses the `filter` parameter indicates [filter context](languages/querydsl.md#filter-context). - - -#### Analyze with Query DSL [search-analyze-data-query-dsl] - -[Aggregations](../aggregations.md) are the primary tool for analyzing {{es}} data using Query DSL. Aggregrations enable you to build complex summaries of your data and gain insight into key metrics, patterns, and trends. - -Because aggregations leverage the same data structures used for search, they are also very fast. This enables you to analyze and visualize your data in real time. 
You can search documents, filter results, and perform analytics at the same time, on the same data, in a single request. That means aggregations are calculated in the context of the search query. - -The folowing aggregation types are available: - -* [Metric](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics.html): Calculate metrics, such as a sum or average, from field values. -* [Bucket](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket.html): Group documents into buckets based on field values, ranges, or other criteria. -* [Pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline.html): Run aggregations on the results of other aggregations. - -Run aggregations by specifying the [search API](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html)'s `aggs` parameter. Learn more in [Run an aggregation](../aggregations.md#run-an-agg). - - -### {{esql}} [search-analyze-data-esql] - -[Elasticsearch Query Language ({{esql}})](languages/esorql.md) is a piped query language for filtering, transforming, and analyzing data. {{esql}} is built on top of a new compute engine, where search, aggregation, and transformation functions are directly executed within {{es}} itself. {{esql}} syntax can also be used within various {{kib}} tools. - -The [`_query` endpoint](languages/esql-rest.md) accepts queries written in {{esql}} syntax. - -Today, it supports a subset of the features available in Query DSL, but it is rapidly evolving. - -It comes with a comprehensive set of [functions and operators](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html) for working with data and has robust integration with {{kib}}'s Discover, dashboards and visualizations. 
- -Learn more in [Getting started with {{esql}}](../../solutions/search/get-started.md), or try [our training course](https://www.elastic.co/training/introduction-to-esql). - - -## List of available query languages [search-analyze-data-query-languages-table] - -The following table summarizes all available {{es}} query languages, to help you choose the right one for your use case. | Name | Description | Use cases | API endpoint | | --- | --- | --- | --- | | [Query DSL](languages/querydsl.md) | The primary query language for {{es}}. A powerful and flexible JSON-style language that enables complex queries. | Full-text search, semantic search, keyword search, filtering, aggregations, and more. | [`_search`](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html) | -| [{{esql}}](languages/esorql.md) | Introduced in **8.11**, the Elasticsearch Query Language ({{esql}}) is a piped query language language for filtering, transforming, and analyzing data. | Initially tailored towards working with time series data like logs and metrics.Robust integration with {{kib}} for querying, visualizing, and analyzing data.Does not yet support full-text search. | [`_query`](languages/esql-rest.md) | +| [{{esql}}](languages/esql.md) | Introduced in **8.11**, the Elasticsearch Query Language ({{esql}}) is a piped query language language for filtering, transforming, and analyzing data. | Initially tailored towards working with time series data like logs and metrics.Robust integration with {{kib}} for querying, visualizing, and analyzing data.Does not yet support full-text search. | [`_query`](languages/esql-rest.md) | | [EQL](languages/eql.md) | Event Query Language (EQL) is a query language for event-based time series data. Data must contain the `@timestamp` field to use EQL. | Designed for the threat hunting security use case. 
| [`_eql`](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql-apis.html) | | [Elasticsearch SQL](languages/sql.md) | Allows native, real-time SQL-like querying against {{es}} data. JDBC and ODBC drivers are available for integration with business intelligence (BI) tools. | Enables users familiar with SQL to query {{es}} data using familiar syntax for BI and reporting. | [`_sql`](https://www.elastic.co/guide/en/elasticsearch/reference/current/sql-apis.html) | | [Kibana Query Language (KQL)](languages/kql.md) | {{kib}} Query Language (KQL) is a text-based query language for filtering data when you access it through the {{kib}} UI. | Use KQL to filter documents where a value for a field exists, matches a given value, or is within a given range. | N/A | +> {{esql}} does not yet support all the features of Query DSL. Look forward to new {{esql}} features and functionalities in each release. + diff --git a/explore-analyze/query-filter/languages/esorql.md b/explore-analyze/query-filter/languages/esorql.md deleted file mode 100644 index dfd353ce73..0000000000 --- a/explore-analyze/query-filter/languages/esorql.md +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -mapped_urls: - - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html - - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-getting-started.html - - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-using.html - - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-examples.html - - https://www.elastic.co/guide/en/kibana/current/esql.html ---- - -# ES|QL - -% What needs to be done: Refine - -% Scope notes: everything but language reference. Merge the pages about Kibana. Add links to reference's new location - -% Use migrated content from existing pages that map to this page: - -% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/esql.md -% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/esql-getting-started.md -% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/esql-using.md -% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/esql-examples.md -% - [ ] ./raw-migrated-files/kibana/kibana/esql.md \ No newline at end of file diff --git a/raw-migrated-files/elasticsearch/elasticsearch-reference/esql-examples.md b/explore-analyze/query-filter/languages/esql-examples.md similarity index 100% rename from raw-migrated-files/elasticsearch/elasticsearch-reference/esql-examples.md rename to explore-analyze/query-filter/languages/esql-examples.md diff --git a/raw-migrated-files/elasticsearch/elasticsearch-reference/esql-getting-started.md b/explore-analyze/query-filter/languages/esql-getting-started.md similarity index 99% rename from raw-migrated-files/elasticsearch/elasticsearch-reference/esql-getting-started.md rename to explore-analyze/query-filter/languages/esql-getting-started.md index de5f1450c9..2bf5d6b684 100644 --- a/raw-migrated-files/elasticsearch/elasticsearch-reference/esql-getting-started.md +++ b/explore-analyze/query-filter/languages/esql-getting-started.md 
@@ -421,5 +421,5 @@ For more about data processing with {{esql}}, refer to [Data processing with DIS ## Learn more [esql-getting-learn-more] -To learn more about {{esql}}, refer to [{{esql}} reference](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-language.html) and [*Using {{esql}}*](../../../explore-analyze/query-filter/languages/esorql.md). +To learn more about {{esql}}, refer to [{{esql}} reference](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-language.html). diff --git a/explore-analyze/query-filter/languages/esql-kibana.md b/explore-analyze/query-filter/languages/esql-kibana.md index 30253d483b..f965e5bc71 100644 --- a/explore-analyze/query-filter/languages/esql-kibana.md +++ b/explore-analyze/query-filter/languages/esql-kibana.md 
@@ -4,13 +4,15 @@ mapped_pages: - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-kibana.html --- - - # Using ES|QL in Kibana [esql-kibana] - You can use {{esql}} in {{kib}} to query and aggregate your data, create visualizations, and set up alerts. +More specifically, {{esql}} is a powerful tool in Kibana that can help you with specific solution use cases. For example: + +- {{observability}}: {{esql}} makes it much easier to analyze metrics, logs and traces from a single query. Find performance issues fast by defining fields on the fly, enriching data with lookups, and using simultaneous query processing. Combining {{esql}} with {{ml}} and AiOps can improve detection accuracy and use aggregated value thresholds. +- Security: Use {{esql}} to retrieve important information for investigation by using lookups. Enrich data and create new fields on the go to gain valuable insight for faster decision-making and actions. For example, perform a lookup on an IP address to identify its geographical location, its association with known malicious entities, or whether it belongs to a known cloud service provider all from one search bar. {{esql}} ensures more accurate alerts by incorporating aggregated values in detection rules. + This guide shows you how to use {{esql}} in Kibana. To follow along with the queries, load the "Sample web logs" sample data set by selecting **Sample Data** from the **Integrations** page in {{kib}}, selecting **Other sample data sets**, and clicking **Add data** on the **Sample web logs** card. 
@@ -21,12 +23,12 @@ This guide shows you how to use {{esql}} in Kibana. To follow along with the que This will hide the {{esql}} user interface from various applications. However, users will be able to access existing {{esql}} artifacts like saved searches and visualizations. -## Get started with {{esql}} [esql-kibana-get-started] +## The {{esql}} editor [esql-kibana-get-started] -To get started with {{esql}} in Discover, open the main menu and select **Discover**. Next, select **Try ES|QL** from the application menu bar. +To get started with {{esql}}, go to **Discover**. Next, select **Try ES|QL** from the application menu bar. -## The query bar [esql-kibana-query-bar] +### The query bar [esql-kibana-query-bar] After switching to {{esql}} mode, the query bar shows a sample query. For example: @@ -93,6 +95,12 @@ You can then scroll through your recent queries: :alt: esql discover query history ::: +### Query help + +{{esql}} features in-app help and suggestions, so you can get started faster and don’t have to leave the application to check syntax. + +![The ES|QL syntax reference and the autocomplete menu](../../../images/kibana-esql-in-app-help.png "") + ### Starred queries [esql-kibana-starred-queries] @@ -109,7 +117,7 @@ In the **Starred** tab, find all the queries you have previously starred. ::: -## The results table [esql-kibana-results-table] +### Organizing the query results [esql-kibana-results-table] For the example query, the results table shows 10 rows. Omitting the `LIMIT` command, the results table defaults to up to 1000 rows. Using `LIMIT`, you can increase the limit to up to 10,000 rows. 
@@ -149,17 +157,17 @@ FROM kibana_sample_data_logs ``` -## Time filtering [esql-kibana-time-filter] +### Time filtering [esql-kibana-time-filter] To display data within a specified time range, you can use the standard time filter, custom time parameters, or a WHERE command. -### Standard time filter [_standard_time_filter] +#### Standard time filter [_standard_time_filter] The standard [time filter](../filtering.md) is enabled when the indices you’re querying have a field named `@timestamp`. -### Custom time parameters [_custom_time_parameters] +#### Custom time parameters [_custom_time_parameters] If your indices do not have a field named `@timestamp`, you can use the `?_tstart` and `?_tend` parameters to specify a time range. These parameters work with any timestamp field and automatically sync with the [time filter](../filtering.md). @@ -178,7 +186,7 @@ FROM kibana_sample_data_logs This example uses `50` buckets, which is the maximum number of buckets. -### WHERE command [_where_command] +#### WHERE command [_where_command] You can also limit the time range using the [`WHERE`](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-commands.html#esql-where) command and the [`NOW`](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-now) function. For example, if the timestamp field is called `timestamp`, to query the last 15 minutes of data: diff --git a/explore-analyze/query-filter/languages/esql-rest.md b/explore-analyze/query-filter/languages/esql-rest.md index be37009767..9b95063eca 100644 --- a/explore-analyze/query-filter/languages/esql-rest.md +++ b/explore-analyze/query-filter/languages/esql-rest.md @@ -1,12 +1,12 @@ --- -navigation_title: "REST API" +navigation_title: "{{esql}} query API" mapped_pages: - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-rest.html --- -# REST API [esql-rest] +# {{esql}} query API [esql-rest] 
@@ -36,7 +36,7 @@ James S.A. Corey |Leviathan Wakes |561 |2011-06-02T00:00:00.000Z ### Kibana Console [esql-kibana-console] -If you are using [Kibana Console](../tools/console.md) (which is highly recommended), take advantage of the triple quotes `"""` when creating the query. This not only automatically escapes double quotes (`"`) inside the query string but also supports multi-line requests: +If you are using [Kibana Console](/explore-analyze/query-filter/tools/console.md) (which is highly recommended), take advantage of the triple quotes `"""` when creating the query. This not only automatically escapes double quotes (`"`) inside the query string but also supports multi-line requests: ```console POST /_query?format=txt @@ -72,7 +72,7 @@ The URL parameter takes precedence over the HTTP headers. If neither is specifie | Binary | | `cbor` | `application/cbor` | [Concise Binary Object Representation](https://cbor.io/) | | `smile` | `application/smile` | [Smile](https://en.wikipedia.org/wiki/Smile_(data_interchange_format)) binary data format similarto CBOR | -| `arrow` | `application/vnd.apache.arrow.stream` | **Experimental.** [Apache Arrow](https://arrow.apache.org/) dataframes, [IPC streaming format](https://arrow.apache.org/docs/format/Columnar.md#ipc-streaming-format) | +| `arrow` | `application/vnd.apache.arrow.stream` | **Experimental.** [Apache Arrow](https://arrow.apache.org/) dataframes, [IPC streaming format](https://arrow.apache.org/docs/format/Columnar.html#ipc-streaming-format) | The `csv` format accepts a formatting URL query attribute, `delimiter`, which indicates which character should be used to separate the CSV values. It defaults to comma (`,`) and cannot take any of the following values: double quote (`"`), carriage-return (`\r`) and new-line (`\n`). The tab (`\t`) can also not be used. Use the `tsv` format instead. 
@@ -151,7 +151,7 @@ Which returns: ### Returning localized results [esql-locale-param] -Use the `locale` parameter in the request body to return results (especially dates) formatted per the conventions of the locale. If `locale` is not specified, defaults to `en-US` (English). Refer to [JDK Supported Locales](https://www.oracle.com/java/technologies/javase/jdk17-suported-locales.md). +Use the `locale` parameter in the request body to return results (especially dates) formatted per the conventions of the locale. If `locale` is not specified, defaults to `en-US` (English). Refer to [JDK Supported Locales](https://www.oracle.com/java/technologies/javase/jdk17-suported-locales.html). Syntax: the `locale` parameter accepts language tags in the (case-insensitive) format `xy` and `xy-XY`. diff --git a/explore-analyze/query-filter/languages/esql.md b/explore-analyze/query-filter/languages/esql.md new file mode 100644 index 0000000000..2b5c9a8edb --- /dev/null +++ b/explore-analyze/query-filter/languages/esql.md 
@@ -0,0 +1,68 @@ +--- +mapped_urls: + - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html + - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-getting-started.html + - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-using.html + - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-examples.html + - https://www.elastic.co/guide/en/kibana/current/esql.html +--- + +# ES|QL [esql] + +% What needs to be done: Refine + +% Scope notes: everything but language reference. Merge the pages about Kibana. Add links to reference's new location + +% Use migrated content from existing pages that map to this page: + +% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/esql.md +% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/esql-getting-started.md +% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/esql-using.md +% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/esql-examples.md +% - [ ] ./raw-migrated-files/kibana/kibana/esql.md + +## What's {{esql}}? [_the_esql_compute_engine] + +**Elasticsearch Query Language ({{esql}})** is a piped query language for filtering, transforming, and analyzing data. + +You can author {{esql}} queries to find specific events, perform statistical analysis, and generate visualizations. It supports a wide range of [commands, functions and operators](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html) to perform various data operations, such as filtering, aggregation, time-series analysis, and more. Today, it supports a subset of the features available in Query DSL, but it is rapidly evolving. + +::::{note} +**{{esql}}'s compute architecture** + +{{esql}} is built on top of a new compute architecture within {{es}}, designed to achieve high functional and performance requirements for {{esql}}. 
{{esql}} search, aggregation, and transformation functions are directly executed within Elasticsearch itself. Query expressions are not transpiled to Query DSL for execution. This approach allows {{esql}} to be extremely performant and versatile. + +The new {{esql}} execution engine was designed with performance in mind — it operates on blocks at a time instead of per row, targets vectorization and cache locality, and embraces specialization and multi-threading. It is a separate component from the existing Elasticsearch aggregation framework with different performance characteristics. +:::: + + +## How does it work? [search-analyze-data-esql] + +The {{es}} Query Language ({{esql}}) makes use of "pipes" (|) to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis. + +You can use it: +- In your queries to {{es}} APIs, using the [`_query` endpoint](/explore-analyze/query-filter/languages/esql-rest.md) that accepts queries written in {{esql}} syntax. +- Within various {{kib}} tools such as Discover and Dashboards, to explore your data and build powerful visualizations. + +% Learn more in [Getting started with {{esql}}](/solutions/search/get-started.md), or try [our training course](https://www.elastic.co/training/introduction-to-esql). + +## Next steps + +Find more details about {{esql}} in the following documentation pages: +- [{{esql}} reference](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-language.html): + - Reference documentation for the [{{esql}} syntax](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-syntax.html), [commands](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-commands.html), and [functions and operators](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html). 
+ - Information about working with [metadata fields](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-metadata-fields.html) and [multivalued fields](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-multivalued-fields.html). + - Guidance for [data processing with DISSECT and GROK](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-process-data-with-dissect-and-grok.html) and [data enrichment with ENRICH](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-enrich-data.html). + +- Using {{esql}}: + - An overview of using the [`_query` API endpoint](/explore-analyze/query-filter/languages/esql-rest.md). + - [Using {{esql}} in {{kib}}](../../../explore-analyze/query-filter/languages/esql-kibana.md). + - [Using {{esql}} in {{elastic-sec}}](/explore-analyze/query-filter/languages/esql-elastic-security.md). + - [Using {{esql}} across clusters](/explore-analyze/query-filter/languages/esql-cross-clusters.md). + - [Task management](/explore-analyze/query-filter/languages/esql-task-management.md). + +- [Limitations](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-limitations.html): The current limitations of {{esql}}. + +- [Examples](/explore-analyze/query-filter/languages/esql.md): A few examples of what you can do with {{esql}}. + +To get started, you can also try [our ES|QL training course](https://www.elastic.co/training/introduction-to-esql). \ No newline at end of file diff --git a/explore-analyze/query-filter/languages/querydsl.md b/explore-analyze/query-filter/languages/querydsl.md index d0b95c1987..fb149ea09a 100644 --- a/explore-analyze/query-filter/languages/querydsl.md +++ b/explore-analyze/query-filter/languages/querydsl.md 
@@ -22,4 +22,167 @@ $$$filter-context$$$ $$$query-dsl-allow-expensive-queries$$$ -$$$relevance-scores$$$ \ No newline at end of file +$$$relevance-scores$$$ + +## What's Query DSL? [search-analyze-query-dsl] + +**Query DSL** is a full-featured JSON-style query language that enables complex searching, filtering, and aggregations. It is the original and most powerful query language for {{es}} today. + +The [`_search` endpoint](/solutions/search/querying-for-search-searching-with-the-search-api.md) accepts queries written in Query DSL syntax. + + +### Search and filter with Query DSL [search-analyze-query-dsl-search-filter] + +Query DSL support a wide range of search techniques, including the following: + +* [**Full-text search**](/solutions/search/full-text.md): Search text that has been analyzed and indexed to support phrase or proximity queries, fuzzy matches, and more. +* [**Keyword search**](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html): Search for exact matches using `keyword` fields. +* [**Semantic search**](/solutions/search/semantic-search/semantic-search-semantic-text.md): Search `semantic_text` fields using dense or sparse vector search on embeddings generated in your {{es}} cluster. +* [**Vector search**](/solutions/search/vector/knn.md): Search for similar dense vectors using the kNN algorithm for embeddings generated outside of {{es}}. +* [**Geospatial search**](https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-queries.html): Search for locations and calculate spatial relationships using geospatial queries. + +You can also filter data using Query DSL. Filters enable you to include or exclude documents by retrieving documents that match specific field-level criteria. A query that uses the `filter` parameter indicates [filter context](#filter-context). 
+ +### Analyze with Query DSL [search-analyze-data-query-dsl] + +[Aggregations](/explore-analyze/aggregations.md) are the primary tool for analyzing {{es}} data using Query DSL. Aggregations enable you to build complex summaries of your data and gain insight into key metrics, patterns, and trends. + +Because aggregations leverage the same data structures used for search, they are also very fast. This enables you to analyze and visualize your data in real time. You can search documents, filter results, and perform analytics at the same time, on the same data, in a single request. That means aggregations are calculated in the context of the search query. + +The following aggregation types are available: + +* [Metric](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics.html): Calculate metrics, such as a sum or average, from field values. +* [Bucket](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket.html): Group documents into buckets based on field values, ranges, or other criteria. +* [Pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline.html): Run aggregations on the results of other aggregations. + +Run aggregations by specifying the [search API](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html)'s `aggs` parameter. Learn more in [Run an aggregation](/explore-analyze/aggregations.md#run-an-agg). + + +## How does it work? 
[query-dsl] + +Think of the Query DSL as an AST (Abstract Syntax Tree) of queries, consisting of two types of clauses: + +**Leaf query clauses**: Leaf query clauses look for a particular value in a particular field, such as the [`match`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-match-query.html), [`term`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-term-query.html) or [`range`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html) queries. These queries can be used by themselves. + +**Compound query clauses**: Compound query clauses wrap other leaf **or** compound queries and are used to combine multiple queries in a logical fashion (such as the [`bool`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-bool-query.html) or [`dis_max`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-dis-max-query.html) query), or to alter their behavior (such as the [`constant_score`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-constant-score-query.html) query). + +Query clauses behave differently depending on whether they are used in [query context or filter context](#query-filter-context). + +$$$query-dsl-allow-expensive-queries$$$ + +**Allow expensive queries**: Certain types of queries will generally execute slowly due to the way they are implemented, which can affect the stability of the cluster. 
Those queries can be categorized as follows: + + - Queries that need to do linear scans to identify matches: + + - [`script` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-script-query.html) + - queries on [numeric](https://www.elastic.co/guide/en/elasticsearch/reference/current/number.html), [date](https://www.elastic.co/guide/en/elasticsearch/reference/current/date.html), [boolean](https://www.elastic.co/guide/en/elasticsearch/reference/current/boolean.html), [ip](https://www.elastic.co/guide/en/elasticsearch/reference/current/ip.html), [geo_point](https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html) or [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html) fields that are not indexed but have [doc values](https://www.elastic.co/guide/en/elasticsearch/reference/current/doc-values.html) enabled + + - Queries that have a high up-front cost: + + - [`fuzzy` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-fuzzy-query.html) (except on [`wildcard`](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type) fields) + - [`regexp` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html) (except on [`wildcard`](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type) fields) + - [`prefix` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-prefix-query.html) (except on [`wildcard`](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type) fields or those without [`index_prefixes`](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-prefixes.html)) + - [`wildcard` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-wildcard-query.html) (except on 
[`wildcard`](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type) fields) + - [`range` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html) on [`text`](https://www.elastic.co/guide/en/elasticsearch/reference/current/text.html) and [`keyword`](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html) fields + + - [Joining queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/joining-queries.html) + - Queries that may have a high per-document cost: + + - [`script_score` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-script-score-query.html) + - [`percolate` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-percolate-query.html) + + +The execution of such queries can be prevented by setting the value of the `search.allow_expensive_queries` setting to `false` (defaults to `true`). + +## Query and filter context [query-filter-context] + +### Relevance scores [relevance-scores] + +By default, Elasticsearch sorts matching search results by **relevance score**, which measures how well each document matches a query. + +The relevance score is a positive floating point number, returned in the `_score` metadata field of the [search](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html) API. The higher the `_score`, the more relevant the document. While each query type can calculate relevance scores differently, score calculation also depends on whether the query clause is run in a **query** or **filter** context. + + +### Query context [query-context] + +In the query context, a query clause answers the question *How well does this document match this query clause?* Besides deciding whether or not the document matches, the query clause also calculates a relevance score in the `_score` metadata field. 
+ +Query context is in effect whenever a query clause is passed to a `query` parameter, such as the `query` parameter in the [search](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html#request-body-search-query) API. + + +### Filter context [filter-context] + +A filter answers the binary question “Does this document match this query clause?”. The answer is simply "yes" or "no". Filtering has several benefits: + +1. **Simple binary logic**: In a filter context, a query clause determines document matches based on a yes/no criterion, without score calculation. +2. **Performance**: Because they don’t compute relevance scores, filters execute faster than queries. +3. **Caching**: {{es}} automatically caches frequently used filters, speeding up subsequent search performance. +4. **Resource efficiency**: Filters consume less CPU resources compared to full-text queries. +5. **Query combination**: Filters can be combined with scored queries to refine result sets efficiently. + +Filters are particularly effective for querying structured data and implementing "must have" criteria in complex searches. + +Structured data refers to information that is highly organized and formatted in a predefined manner. In the context of Elasticsearch, this typically includes: + +* Numeric fields (integers, floating-point numbers) +* Dates and timestamps +* Boolean values +* Keyword fields (exact match strings) +* Geo-points and geo-shapes + +Unlike full-text fields, structured data has a consistent, predictable format, making it ideal for precise filtering operations. 
+ +Common filter applications include: + +* Date range checks: for example is the `timestamp` field between 2015 and 2016 +* Specific field value checks: for example is the `status` field equal to "published" or is the `author` field equal to "John Doe" + +Filter context applies when a query clause is passed to a `filter` parameter, such as: + +* `filter` or `must_not` parameters in [`bool`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-bool-query.html) queries +* `filter` parameter in [`constant_score`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-constant-score-query.html) queries +* [`filter`](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-filter-aggregation.html) aggregations + +Filters optimize query performance and efficiency, especially for structured data queries and when combined with full-text searches. + + +### Example of query and filter contexts [query-filter-context-ex] + +Below is an example of query clauses being used in query and filter context in the `search` API. This query will match documents where all of the following conditions are met: + +* The `title` field contains the word `search`. +* The `content` field contains the word `elasticsearch`. +* The `status` field contains the exact word `published`. +* The `publish_date` field contains a date from 1 Jan 2015 onwards. + +```console +GET /_search +{ + "query": { <1> + "bool": { <2> + "must": [ + { "match": { "title": "Search" }}, + { "match": { "content": "Elasticsearch" }} + ], + "filter": [ <3> + { "term": { "status": "published" }}, + { "range": { "publish_date": { "gte": "2015-01-01" }}} + ] + } + } +} +``` + +1. The `query` parameter indicates query context. +2. The `bool` and two `match` clauses are used in query context, which means that they are used to score how well each document matches. +3. The `filter` parameter indicates filter context. 
Its `term` and `range` clauses are used in filter context. They will filter out documents which do not match, but they will not affect the score for matching documents. + + +::::{warning} +Scores calculated for queries in query context are represented as single precision floating point numbers; they have only 24 bits for significand’s precision. Score calculations that exceed the significand’s precision will be converted to floats with loss of precision. +:::: + + +::::{tip} +Use query clauses in query context for conditions which should affect the score of matching documents (i.e. how well does the document match), and use all other query clauses in filter context. +:::: \ No newline at end of file diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml index 484812b055..8f8033285a 100644 --- a/explore-analyze/toc.yml +++ b/explore-analyze/toc.yml @@ -9,14 +9,16 @@ toc: - file: query-filter/languages.md children: - file: query-filter/languages/querydsl.md - - file: query-filter/languages/esorql.md + - file: query-filter/languages/esql.md children: + - file: query-filter/languages/esql-getting-started.md - file: query-filter/languages/esql-rest.md - file: query-filter/languages/esql-kibana.md - file: query-filter/languages/esql-elastic-security.md - file: query-filter/languages/esql-multi-index.md - file: query-filter/languages/esql-cross-clusters.md - file: query-filter/languages/esql-task-management.md + - file: query-filter/languages/esql-examples.md - file: query-filter/languages/sql.md children: - file: query-filter/languages/sql-overview.md diff --git a/raw-migrated-files/docs-content/serverless/security-about-rules.md b/raw-migrated-files/docs-content/serverless/security-about-rules.md index 095ef26249..72176598d7 100644 --- a/raw-migrated-files/docs-content/serverless/security-about-rules.md +++ b/raw-migrated-files/docs-content/serverless/security-about-rules.md 
@@ -33,7 +33,7 @@ You can create the following types of rules: :::: * [**New terms**](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-new-terms-rule): Generates an alert for each new term detected in source documents within a specified time range. You can also detect a combination of up to three new terms (for example, a `host.ip` and `host.id` that have never been observed together before). -* [**{{esql}}**](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-esql-rule): Searches the defined indices and creates an alert when results match an [{{esql}} query](../../../explore-analyze/query-filter/languages/esorql.md). +* [**{{esql}}**](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-esql-rule): Searches the defined indices and creates an alert when results match an [{{esql}} query](../../../explore-analyze/query-filter/languages/esql.md). :::{image} ../../../images/serverless--detections-all-rules.png :alt: Shows the Rules page diff --git a/raw-migrated-files/docs-content/serverless/security-rules-create.md b/raw-migrated-files/docs-content/serverless/security-rules-create.md index e6de254508..12e218d31e 100644 --- a/raw-migrated-files/docs-content/serverless/security-rules-create.md +++ b/raw-migrated-files/docs-content/serverless/security-rules-create.md @@ -352,7 +352,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi ## Create an {{esql}} rule [create-esql-rule] -Use [{{esql}}](../../../explore-analyze/query-filter/languages/esorql.md) to query your source events and aggregate event data. Query results are returned in a table with rows and columns. Each row becomes an alert. +Use [{{esql}}](../../../explore-analyze/query-filter/languages/esql.md) to query your source events and aggregate event data. Query results are returned in a table with rows and columns. Each row becomes an alert. To create an {{esql}} rule: 
diff --git a/raw-migrated-files/docs-content/serverless/security-timelines-ui.md b/raw-migrated-files/docs-content/serverless/security-timelines-ui.md index fe76645bd9..f91cd01447 100644 --- a/raw-migrated-files/docs-content/serverless/security-timelines-ui.md +++ b/raw-migrated-files/docs-content/serverless/security-timelines-ui.md @@ -219,7 +219,7 @@ From the **Correlation** tab, you can also do the following: ## Use {{esql}} to investigate events [esql-in-timeline] -The [Elasticsearch Query Language ({{esql}})](../../../explore-analyze/query-filter/languages/esorql.md) provides a powerful way to filter, transform, and analyze event data stored in {{es}}. {{esql}} queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis. +The [Elasticsearch Query Language ({{esql}})](../../../explore-analyze/query-filter/languages/esql.md) provides a powerful way to filter, transform, and analyze event data stored in {{es}}. {{esql}} queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis. You can use {{esql}} in Timeline by opening the **{{esql}}** tab. From there, you can: diff --git a/raw-migrated-files/elasticsearch/elasticsearch-reference/esql.md b/raw-migrated-files/elasticsearch/elasticsearch-reference/esql.md deleted file mode 100644 index 43faa205f3..0000000000 --- a/raw-migrated-files/elasticsearch/elasticsearch-reference/esql.md +++ /dev/null 
@@ -1,32 +0,0 @@ -# {{esql}} [esql] - -The {{es}} Query Language ({{esql}}) provides a powerful way to filter, transform, and analyze data stored in {{es}}, and in the future in other runtimes. It is designed to be easy to learn and use, by end users, SRE teams, application developers, and administrators. - -Users can author {{esql}} queries to find specific events, perform statistical analysis, and generate visualizations. It supports a wide range of commands and functions that enable users to perform various data operations, such as filtering, aggregation, time-series analysis, and more. - -The {{es}} Query Language ({{esql}}) makes use of "pipes" (|) to manipulate and transform data in a step-by-step fashion. This approach allows users to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis. - - -## The {{esql}} Compute Engine [_the_esql_compute_engine] - -{{esql}} is more than a language: it represents a significant investment in new compute capabilities within {{es}}. To achieve both the functional and performance requirements for {{esql}}, it was necessary to build an entirely new compute architecture. {{esql}} search, aggregation, and transformation functions are directly executed within Elasticsearch itself. Query expressions are not transpiled to Query DSL for execution. This approach allows {{esql}} to be extremely performant and versatile. - -The new {{esql}} execution engine was designed with performance in mind — it operates on blocks at a time instead of per row, targets vectorization and cache locality, and embraces specialization and multi-threading. It is a separate component from the existing Elasticsearch aggregation framework with different performance characteristics. 
- -The {{esql}} documentation is organized in these sections: - -[Getting started](../../../explore-analyze/query-filter/languages/esorql.md) -: A tutorial to help you get started with {{esql}}. - -[{{esql}} reference](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-language.html) -: Reference documentation for the [{{esql}} syntax](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-syntax.html), [commands](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-commands.html), and [functions and operators](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html). Information about working with [metadata fields](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-metadata-fields.html) and [multivalued fields](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-multivalued-fields.html). And guidance for [data processing with DISSECT and GROK](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-process-data-with-dissect-and-grok.html) and [data enrichment with ENRICH](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-enrich-data.html). - -[*Using {{esql}}*](../../../explore-analyze/query-filter/languages/esorql.md) -: An overview of using the [REST API](../../../explore-analyze/query-filter/languages/esql-rest.md), [Using {{esql}} in {{kib}}](../../../explore-analyze/query-filter/languages/esql-kibana.md), [Using {{esql}} in {{elastic-sec}}](../../../explore-analyze/query-filter/languages/esql-elastic-security.md), [Using {{esql}} across clusters](../../../explore-analyze/query-filter/languages/esql-cross-clusters.md), and [Task management](../../../explore-analyze/query-filter/languages/esql-task-management.md). - -[Limitations](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-limitations.html) -: The current limitations of {{esql}}. 
- -[Examples](../../../explore-analyze/query-filter/languages/esorql.md) -: A few examples of what you can do with {{esql}}. - diff --git a/raw-migrated-files/elasticsearch/elasticsearch-reference/query-dsl.md b/raw-migrated-files/elasticsearch/elasticsearch-reference/query-dsl.md deleted file mode 100644 index 8e8d076926..0000000000 --- a/raw-migrated-files/elasticsearch/elasticsearch-reference/query-dsl.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# Query DSL [query-dsl] - -Elasticsearch provides a full Query DSL (Domain Specific Language) based on JSON to define queries. Think of the Query DSL as an AST (Abstract Syntax Tree) of queries, consisting of two types of clauses: - -Leaf query clauses -: Leaf query clauses look for a particular value in a particular field, such as the [`match`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-match-query.html), [`term`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-term-query.html) or [`range`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html) queries. These queries can be used by themselves. - -Compound query clauses -: Compound query clauses wrap other leaf **or** compound queries and are used to combine multiple queries in a logical fashion (such as the [`bool`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-bool-query.html) or [`dis_max`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-dis-max-query.html) query), or to alter their behaviour (such as the [`constant_score`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-constant-score-query.html) query). - -Query clauses behave differently depending on whether they are used in [query context or filter context](../../../explore-analyze/query-filter/languages/querydsl.md). - -$$$query-dsl-allow-expensive-queries$$$ - -Allow expensive queries -: Certain types of queries will generally execute slowly due to the way they are implemented, which can affect the stability of the cluster. 
Those queries can be categorised as follows: - - * Queries that need to do linear scans to identify matches: - - * [`script` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-script-query.html) - * queries on [numeric](https://www.elastic.co/guide/en/elasticsearch/reference/current/number.html), [date](https://www.elastic.co/guide/en/elasticsearch/reference/current/date.html), [boolean](https://www.elastic.co/guide/en/elasticsearch/reference/current/boolean.html), [ip](https://www.elastic.co/guide/en/elasticsearch/reference/current/ip.html), [geo_point](https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html) or [keyword](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html) fields that are not indexed but have [doc values](https://www.elastic.co/guide/en/elasticsearch/reference/current/doc-values.html) enabled - - * Queries that have a high up-front cost: - - * [`fuzzy` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-fuzzy-query.html) (except on [`wildcard`](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type) fields) - * [`regexp` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html) (except on [`wildcard`](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type) fields) - * [`prefix` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-prefix-query.html) (except on [`wildcard`](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type) fields or those without [`index_prefixes`](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-prefixes.html)) - * [`wildcard` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-wildcard-query.html) (except on 
[`wildcard`](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html#wildcard-field-type) fields) - * [`range` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html) on [`text`](https://www.elastic.co/guide/en/elasticsearch/reference/current/text.html) and [`keyword`](https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html) fields - - * [Joining queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/joining-queries.html) - * Queries that may have a high per-document cost: - - * [`script_score` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-script-score-query.html) - * [`percolate` queries](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-percolate-query.html) - - -The execution of such queries can be prevented by setting the value of the `search.allow_expensive_queries` setting to `false` (defaults to `true`). - diff --git a/raw-migrated-files/elasticsearch/elasticsearch-reference/query-filter-context.md b/raw-migrated-files/elasticsearch/elasticsearch-reference/query-filter-context.md deleted file mode 100644 index bd1b294f24..0000000000 --- a/raw-migrated-files/elasticsearch/elasticsearch-reference/query-filter-context.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# Query and filter context [query-filter-context] - - -## Relevance scores [relevance-scores] - -By default, Elasticsearch sorts matching search results by **relevance score**, which measures how well each document matches a query. - -The relevance score is a positive floating point number, returned in the `_score` metadata field of the [search](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html) API. The higher the `_score`, the more relevant the document. While each query type can calculate relevance scores differently, score calculation also depends on whether the query clause is run in a **query** or **filter** context. - - -## Query context [query-context] - -In the query context, a query clause answers the question *How well does this document match this query clause?* Besides deciding whether or not the document matches, the query clause also calculates a relevance score in the `_score` metadata field. - -Query context is in effect whenever a query clause is passed to a `query` parameter, such as the `query` parameter in the [search](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html#request-body-search-query) API. - - -## Filter context [filter-context] - -A filter answers the binary question “Does this document match this query clause?”. The answer is simply "yes" or "no". Filtering has several benefits: - -1. **Simple binary logic**: In a filter context, a query clause determines document matches based on a yes/no criterion, without score calculation. -2. **Performance**: Because they don’t compute relevance scores, filters execute faster than queries. -3. **Caching**: {{es}} automatically caches frequently used filters, speeding up subsequent search performance. -4. **Resource efficiency**: Filters consume less CPU resources compared to full-text queries. -5. **Query combination**: Filters can be combined with scored queries to refine result sets efficiently. 
- -Filters are particularly effective for querying structured data and implementing "must have" criteria in complex searches. - -Structured data refers to information that is highly organized and formatted in a predefined manner. In the context of Elasticsearch, this typically includes: - -* Numeric fields (integers, floating-point numbers) -* Dates and timestamps -* Boolean values -* Keyword fields (exact match strings) -* Geo-points and geo-shapes - -Unlike full-text fields, structured data has a consistent, predictable format, making it ideal for precise filtering operations. - -Common filter applications include: - -* Date range checks: for example is the `timestamp` field between 2015 and 2016 -* Specific field value checks: for example is the `status` field equal to "published" or is the `author` field equal to "John Doe" - -Filter context applies when a query clause is passed to a `filter` parameter, such as: - -* `filter` or `must_not` parameters in [`bool`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-bool-query.html) queries -* `filter` parameter in [`constant_score`](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-constant-score-query.html) queries -* [`filter`](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-filter-aggregation.html) aggregations - -Filters optimize query performance and efficiency, especially for structured data queries and when combined with full-text searches. - - -## Example of query and filter contexts [query-filter-context-ex] - -Below is an example of query clauses being used in query and filter context in the `search` API. This query will match documents where all of the following conditions are met: - -* The `title` field contains the word `search`. -* The `content` field contains the word `elasticsearch`. -* The `status` field contains the exact word `published`. -* The `publish_date` field contains a date from 1 Jan 2015 onwards. 
- -```console -GET /_search -{ - "query": { <1> - "bool": { <2> - "must": [ - { "match": { "title": "Search" }}, - { "match": { "content": "Elasticsearch" }} - ], - "filter": [ <3> - { "term": { "status": "published" }}, - { "range": { "publish_date": { "gte": "2015-01-01" }}} - ] - } - } -} -``` - -1. The `query` parameter indicates query context. -2. The `bool` and two `match` clauses are used in query context, which means that they are used to score how well each document matches. -3. The `filter` parameter indicates filter context. Its `term` and `range` clauses are used in filter context. They will filter out documents which do not match, but they will not affect the score for matching documents. - - -::::{warning} -Scores calculated for queries in query context are represented as single precision floating point numbers; they have only 24 bits for significand’s precision. Score calculations that exceed the significand’s precision will be converted to floats with loss of precision. -:::: - - -::::{tip} -Use query clauses in query context for conditions which should affect the score of matching documents (i.e. how well does the document match), and use all other query clauses in filter context. -:::: diff --git a/raw-migrated-files/elasticsearch/elasticsearch-reference/search-analyze.md b/raw-migrated-files/elasticsearch/elasticsearch-reference/search-analyze.md index 23d90b0b5f..7e69570d00 100644 --- a/raw-migrated-files/elasticsearch/elasticsearch-reference/search-analyze.md +++ b/raw-migrated-files/elasticsearch/elasticsearch-reference/search-analyze.md 
@@ -64,7 +64,7 @@ Run aggregations by specifying the [search API](https://www.elastic.co/guide/en/ ### {{esql}} [search-analyze-data-esql] -[Elasticsearch Query Language ({{esql}})](../../../explore-analyze/query-filter/languages/esorql.md) is a piped query language for filtering, transforming, and analyzing data. {{esql}} is built on top of a new compute engine, where search, aggregation, and transformation functions are directly executed within {{es}} itself. {{esql}} syntax can also be used within various {{kib}} tools. +[Elasticsearch Query Language ({{esql}})](../../../explore-analyze/query-filter/languages/esql.md) is a piped query language for filtering, transforming, and analyzing data. {{esql}} is built on top of a new compute engine, where search, aggregation, and transformation functions are directly executed within {{es}} itself. {{esql}} syntax can also be used within various {{kib}} tools. The [`_query` endpoint](../../../explore-analyze/query-filter/languages/esql-rest.md) accepts queries written in {{esql}} syntax. 
@@ -82,7 +82,7 @@ The following table summarizes all available {{es}} query languages, to help you | Name | Description | Use cases | API endpoint | | --- | --- | --- | --- | | [Query DSL](../../../explore-analyze/query-filter/languages/querydsl.md) | The primary query language for {{es}}. A powerful and flexible JSON-style language that enables complex queries. | Full-text search, semantic search, keyword search, filtering, aggregations, and more. | [`_search`](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html) | -| [{{esql}}](../../../explore-analyze/query-filter/languages/esorql.md) | Introduced in **8.11**, the Elasticsearch Query Language ({{esql}}) is a piped query language language for filtering, transforming, and analyzing data. | Initially tailored towards working with time series data like logs and metrics.Robust integration with {{kib}} for querying, visualizing, and analyzing data.Does not yet support full-text search. | [`_query`](../../../explore-analyze/query-filter/languages/esql-rest.md) | +| [{{esql}}](../../../explore-analyze/query-filter/languages/esql.md) | Introduced in **8.11**, the Elasticsearch Query Language ({{esql}}) is a piped query language language for filtering, transforming, and analyzing data. | Initially tailored towards working with time series data like logs and metrics.Robust integration with {{kib}} for querying, visualizing, and analyzing data.Does not yet support full-text search. | [`_query`](../../../explore-analyze/query-filter/languages/esql-rest.md) | | [EQL](../../../explore-analyze/query-filter/languages/eql.md) | Event Query Language (EQL) is a query language for event-based time series data. Data must contain the `@timestamp` field to use EQL. | Designed for the threat hunting security use case. 
| [`_eql`](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql-apis.html) | | [Elasticsearch SQL](../../../explore-analyze/query-filter/languages/sql.md) | Allows native, real-time SQL-like querying against {{es}} data. JDBC and ODBC drivers are available for integration with business intelligence (BI) tools. | Enables users familiar with SQL to query {{es}} data using familiar syntax for BI and reporting. | [`_sql`](https://www.elastic.co/guide/en/elasticsearch/reference/current/sql-apis.html) | | [Kibana Query Language (KQL)](../../../explore-analyze/query-filter/languages/kql.md) | {{kib}} Query Language (KQL) is a text-based query language for filtering data when you access it through the {{kib}} UI. | Use KQL to filter documents where a value for a field exists, matches a given value, or is within a given range. | N/A | diff --git a/raw-migrated-files/kibana/kibana/esql.md b/raw-migrated-files/kibana/kibana/esql.md index be29244d6b..fa3369a3ad 100644 --- a/raw-migrated-files/kibana/kibana/esql.md +++ b/raw-migrated-files/kibana/kibana/esql.md @@ -37,6 +37,6 @@ Use {{esql}} to retrieve important information for investigation by using lookup ## What’s next? [esql-whats-next] -The main documentation for {{esql}} lives in the [{{es}} docs](../../../explore-analyze/query-filter/languages/esorql.md). +The main documentation for {{esql}} lives in the [{{es}} docs](../../../explore-analyze/query-filter/languages/esql.md). We also have a short tutorial in the **Discover** docs: [Using {{esql}}](../../../explore-analyze/discover/try-esql.md). diff --git a/raw-migrated-files/kibana/kibana/managing-data-views.md b/raw-migrated-files/kibana/kibana/managing-data-views.md index 795042fbd8..c117d6d62c 100644 --- a/raw-migrated-files/kibana/kibana/managing-data-views.md +++ b/raw-migrated-files/kibana/kibana/managing-data-views.md 
@@ -137,7 +137,7 @@ Edit the settings for runtime fields, or remove runtime fields from data views. ::::{admonition} Deprecated in 7.13. :class: warning -Use [runtime fields](../../../manage-data/data-store/mapping/runtime-fields.md) instead of scripted fields. Runtime fields support Painless scripting and provide greater flexibility. You can also use the [Elasticsearch Query Language (ES|QL)](../../../explore-analyze/query-filter/languages/esorql.md) to compute values directly at query time. +Use [runtime fields](../../../manage-data/data-store/mapping/runtime-fields.md) instead of scripted fields. Runtime fields support Painless scripting and provide greater flexibility. You can also use the [Elasticsearch Query Language (ES|QL)](../../../explore-analyze/query-filter/languages/esql.md) to compute values directly at query time. :::: diff --git a/raw-migrated-files/kibana/kibana/search-ai-assistant.md b/raw-migrated-files/kibana/kibana/search-ai-assistant.md index 848bef5d3b..9b2c02ea0d 100644 --- a/raw-migrated-files/kibana/kibana/search-ai-assistant.md +++ b/raw-migrated-files/kibana/kibana/search-ai-assistant.md @@ -22,7 +22,7 @@ Refer to the [Observability documentation](../../../solutions/observability/obse 4. **Using Elasticsearch APIs**: Calls Elasticsearch APIs on your behalf if you need specific operations performed. 5. **Generating Sample Data**: Helps you create sample data for testing and development purposes. 6. **Visualizing and Analyzing Data**: Assists you in creating visualizations and analyzing your data using Kibana. -7. **Explaining ES|QL**: Explains how ES|QL works and help you convert queries from other languages to [ES|QL.](../../../explore-analyze/query-filter/languages/esorql.md) +7. **Explaining ES|QL**: Explains how ES|QL works and help you convert queries from other languages to [ES|QL.](../../../explore-analyze/query-filter/languages/esql.md) ## Requirements [ai-assistant-requirements] 
diff --git a/raw-migrated-files/security-docs/security/about-rules.md b/raw-migrated-files/security-docs/security/about-rules.md index 513ef0e3ed..0a750b33db 100644 --- a/raw-migrated-files/security-docs/security/about-rules.md +++ b/raw-migrated-files/security-docs/security/about-rules.md @@ -27,7 +27,7 @@ You can create the following types of rules: :::: * [**New terms**](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-new-terms-rule): Generates an alert for each new term detected in source documents within a specified time range. You can also detect a combination of up to three new terms (for example, a `host.ip` and `host.id` that have never been observed together before). -* [**ES|QL**](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-esql-rule): Searches the defined indices and creates an alert when results match an [Elasticsearch Query Language (ES|QL)](../../../explore-analyze/query-filter/languages/esorql.md) query. +* [**ES|QL**](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-esql-rule): Searches the defined indices and creates an alert when results match an [Elasticsearch Query Language (ES|QL)](../../../explore-analyze/query-filter/languages/esql.md) query. ::::{note} {{esql}} is enabled by default in {{kib}}. It can be disabled using the `enableESQL` setting from the [Advanced Settings](https://www.elastic.co/guide/en/kibana/current/advanced-options.html). This will hide the {{esql}} user interface from various applications. However, users will be able to access existing {{esql}} artifacts like saved searches and visualizations. diff --git a/raw-migrated-files/security-docs/security/rules-ui-create.md b/raw-migrated-files/security-docs/security/rules-ui-create.md index 629d3dd96c..03dd68dc03 100644 --- a/raw-migrated-files/security-docs/security/rules-ui-create.md +++ b/raw-migrated-files/security-docs/security/rules-ui-create.md 
@@ -353,7 +353,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi ## Create an {{esql}} rule [create-esql-rule] -Use [{{esql}}](../../../explore-analyze/query-filter/languages/esorql.md) to query your source events and aggregate event data. Query results are returned in a table with rows and columns. Each row becomes an alert. +Use [{{esql}}](../../../explore-analyze/query-filter/languages/esql.md) to query your source events and aggregate event data. Query results are returned in a table with rows and columns. Each row becomes an alert. To create an {{esql}} rule: diff --git a/raw-migrated-files/security-docs/security/timelines-ui.md b/raw-migrated-files/security-docs/security/timelines-ui.md index 6c96fe9e23..45ce6e4da0 100644 --- a/raw-migrated-files/security-docs/security/timelines-ui.md +++ b/raw-migrated-files/security-docs/security/timelines-ui.md @@ -219,7 +219,7 @@ From the **Correlation** tab, you can also do the following: :::: -The [Elasticsearch Query Language ({{esql}})](../../../explore-analyze/query-filter/languages/esorql.md) provides a powerful way to filter, transform, and analyze event data stored in {{es}}. {{esql}} queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis. +The [Elasticsearch Query Language ({{esql}})](../../../explore-analyze/query-filter/languages/esql.md) provides a powerful way to filter, transform, and analyze event data stored in {{es}}. {{esql}} queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis. You can use {{esql}} in Timeline by opening the **{{esql}}** tab. From there, you can: 
diff --git a/solutions/observability/incident-management/create-an-elasticsearch-query-rule.md b/solutions/observability/incident-management/create-an-elasticsearch-query-rule.md index 7f4f2c3c3c..f0d8ae63d8 100644 --- a/solutions/observability/incident-management/create-an-elasticsearch-query-rule.md +++ b/solutions/observability/incident-management/create-an-elasticsearch-query-rule.md @@ -49,7 +49,7 @@ When you create an {{es}} query rule, your choice of query type affects the info If you use [KQL](../../../explore-analyze/query-filter/languages/kql.md) or [Lucene](../../../explore-analyze/query-filter/languages/lucene-query-syntax.md), you must specify a data view then define a text-based query. For example, `http.request.referrer: "https://example.com"`. - If you use [ES|QL](../../../explore-analyze/query-filter/languages/esorql.md), you must provide a source command followed by an optional series of processing commands, separated by pipe characters (|). For example: + If you use [ES|QL](../../../explore-analyze/query-filter/languages/esql.md), you must provide a source command followed by an optional series of processing commands, separated by pipe characters (|). For example: ```sh FROM kibana_sample_data_logs
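Review bot: every hunk in this patch rewrites links from `esorql.md` to `esql.md`, but the rename of `explore-analyze/query-filter/languages/esorql.md` itself is not in the visible diff. Confirm the target exists at the new path and that a redirect is kept for the old `esorql.md` URL, otherwise externally bookmarked links to the ES|QL reference will break.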
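Review bot: the whole-file deletion of `raw-migrated-files/elasticsearch/elasticsearch-reference/query-dsl.md` removes the `$$$query-dsl-allow-expensive-queries$$$` anchor and the guidance on `search.allow_expensive_queries` (the categorised list of linear-scan, high up-front-cost and high per-document-cost queries, and the note that setting it to `false` prevents their execution). Before merging, verify that `explore-analyze/query-filter/languages/querydsl.md` carries the same anchor and content, and grep for inbound links to the deleted path, so that the cluster-stability guidance is moved rather than dropped.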
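Review bot: `query-filter-context.md` is deleted in full, including the `[query-filter-context]`, `[query-context]`, `[filter-context]` and `[query-filter-context-ex]` anchors, the `GET /_search` console example, and the warning that scores are single-precision floats with a 24-bit significand. The deleted `query-dsl.md` linked to `querydsl.md` for "query context or filter context"; verify those anchors resolve on the destination page and that the example and the warning admonition were migrated.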
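Review bot: the {{esql}} row in the `search-analyze.md` table hunk (`@@ -82,7`) still reads "piped query language language", and the Use cases cell runs "metrics.Robust" and "data.Does" together without separators. Since the line is already being touched, fix the duplicated word and the missing spaces (or split the cell into sentences) in the same change.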
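Review bot: in the `search-ai-assistant.md` hunk, item 7 keeps the trailing period inside the link text (`[ES|QL.](...)`) and "help you convert" does not agree with "Explains"; move the period outside the link and change it to "helps you convert" while the line is being edited.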
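Review bot: in the `create-an-elasticsearch-query-rule.md` hunk, the ES|QL example (`FROM kibana_sample_data_logs`) is fenced as ```sh although it is an ES|QL query, not a shell command; consider a fence tag that matches the language so highlighting and any doc linting treat it correctly.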