Split commands into multiple pages

Author: craigtaverner

docs/reference/query-languages/esql/_snippets/commands/layout/dissect.md

@@ -0,0 +1,55 @@
+## `DISSECT` [esql-dissect]
+
+`DISSECT` enables you to [extract structured data out of a string](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md).
+
+**Syntax**
+
+```esql
+DISSECT input "pattern" [APPEND_SEPARATOR="<separator>"]
+```
+
+**Parameters**
+
+`input`
+:   The column that contains the string you want to structure.  If the column has multiple values, `DISSECT` will process each value.
+
+`pattern`
+:   A [dissect pattern](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-dissect-patterns). If a field name conflicts with an existing column, the existing column is dropped. If a field name is used more than once, only the rightmost duplicate creates a column.
+
+`<separator>`
+:   A string used as the separator between appended values, when using the [append modifier](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-append-modifier).
+
+**Description**
+
+`DISSECT` enables you to [extract structured data out of a string](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md). `DISSECT` matches the string against a delimiter-based pattern, and extracts the specified keys as columns.
+
+Refer to [Process data with `DISSECT`](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-process-data-with-dissect) for the syntax of dissect patterns.
+
+**Examples**
+
+The following example parses a string that contains a timestamp, some text, and an IP address:
+
+```esql
+ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
+| DISSECT a """%{date} - %{msg} - %{ip}"""
+| KEEP date, msg, ip
+```
+
+| date:keyword | msg:keyword | ip:keyword |
+| --- | --- | --- |
+| 2023-01-23T12:15:00.000Z | some text | 127.0.0.1 |
+
+By default, `DISSECT` outputs keyword string columns. To convert to another type, use [Type conversion functions](/reference/query-languages/esql/functions-operators/type-conversion-functions.md):
+
+```esql
+ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
+| DISSECT a """%{date} - %{msg} - %{ip}"""
+| KEEP date, msg, ip
+| EVAL date = TO_DATETIME(date)
+```
+
+| msg:keyword | ip:keyword | date:date |
+| --- | --- | --- |
+| some text | 127.0.0.1 | 2023-01-23T12:15:00.000Z |
+
+

docs/reference/query-languages/esql/_snippets/commands/layout/drop.md

@@ -0,0 +1,30 @@
+## `DROP` [esql-drop]
+
+The `DROP` processing command removes one or more columns.
+
+**Syntax**
+
+```esql
+DROP columns
+```
+
+**Parameters**
+
+`columns`
+:   A comma-separated list of columns to remove. Supports wildcards.
+
+**Examples**
+
+```esql
+FROM employees
+| DROP height
+```
+
+Rather than specify each column by name, you can use wildcards to drop all columns with a name that matches a pattern:
+
+```esql
+FROM employees
+| DROP height*
+```
+
+

docs/reference/query-languages/esql/_snippets/commands/layout/enrich.md

@@ -0,0 +1,89 @@
+## `ENRICH` [esql-enrich]
+
+`ENRICH` enables you to add data from existing indices as new columns using an enrich policy.
+
+**Syntax**
+
+```esql
+ENRICH policy [ON match_field] [WITH [new_name1 = ]field1, [new_name2 = ]field2, ...]
+```
+
+**Parameters**
+
+`policy`
+:   The name of the enrich policy. You need to [create](/reference/query-languages/esql/esql-enrich-data.md#esql-set-up-enrich-policy) and [execute](/reference/query-languages/esql/esql-enrich-data.md#esql-execute-enrich-policy) the enrich policy first.
+
+`mode`
+:   The mode of the enrich command in cross cluster {{esql}}. See [enrich across clusters](docs-content://explore-analyze/query-filter/languages/esql-cross-clusters.md#ccq-enrich).
+
+`match_field`
+:   The match field. `ENRICH` uses its value to look for records in the enrich index. If not specified, the match will be performed on the column with the same name as the `match_field` defined in the [enrich policy](/reference/query-languages/esql/esql-enrich-data.md#esql-enrich-policy).
+
+`fieldX`
+:   The enrich fields from the enrich index that are added to the result as new columns. If a column with the same name as the enrich field already exists, the existing column will be replaced by the new column. If not specified, each of the enrich fields defined in the policy is added. A column with the same name as the enrich field will be dropped unless the enrich field is renamed.
+
+`new_nameX`
+:   Enables you to change the name of the column that’s added for each of the enrich fields. Defaults to the enrich field name. If a column has the same name as the new name, it will be discarded. If a name (new or original) occurs more than once, only the rightmost duplicate creates a new column.
+
+**Description**
+
+`ENRICH` enables you to add data from existing indices as new columns using an enrich policy. Refer to [Data enrichment](/reference/query-languages/esql/esql-enrich-data.md) for information about setting up a policy.
+
+:::{image} /reference/query-languages/images/esql-enrich.png
+:alt: esql enrich
+:::
+
+::::{tip}
+Before you can use `ENRICH`, you need to [create and execute an enrich policy](/reference/query-languages/esql/esql-enrich-data.md#esql-set-up-enrich-policy).
+::::
+
+
+**Examples**
+
+The following example uses the `languages_policy` enrich policy to add a new column for each enrich field defined in the policy. The match is performed using the `match_field` defined in the [enrich policy](/reference/query-languages/esql/esql-enrich-data.md#esql-enrich-policy) and requires that the input table has a column with the same name (`language_code` in this example). `ENRICH` will look for records in the [enrich index](/reference/query-languages/esql/esql-enrich-data.md#esql-enrich-index) based on the match field value.
+
+```esql
+ROW language_code = "1"
+| ENRICH languages_policy
+```
+
+| language_code:keyword | language_name:keyword |
+| --- | --- |
+| 1 | English |
+
+To use a column with a different name than the `match_field` defined in the policy as the match field, use `ON <column-name>`:
+
+```esql
+ROW a = "1"
+| ENRICH languages_policy ON a
+```
+
+| a:keyword | language_name:keyword |
+| --- | --- |
+| 1 | English |
+
+By default, each of the enrich fields defined in the policy is added as a column. To explicitly select the enrich fields that are added, use `WITH <field1>, <field2>, ...`:
+
+```esql
+ROW a = "1"
+| ENRICH languages_policy ON a WITH language_name
+```
+
+| a:keyword | language_name:keyword |
+| --- | --- |
+| 1 | English |
+
+You can rename the columns that are added using `WITH new_name=<field1>`:
+
+```esql
+ROW a = "1"
+| ENRICH languages_policy ON a WITH name = language_name
+```
+
+| a:keyword | name:keyword |
+| --- | --- |
+| 1 | English |
+
+In case of name collisions, the newly created columns will override existing columns.
+
+

docs/reference/query-languages/esql/_snippets/commands/layout/eval.md

@@ -0,0 +1,80 @@
+## `EVAL` [esql-eval]
+
+The `EVAL` processing command enables you to append new columns with calculated values.
+
+**Syntax**
+
+```esql
+EVAL [column1 =] value1[, ..., [columnN =] valueN]
+```
+
+**Parameters**
+
+`columnX`
+:   The column name. If a column with the same name already exists, the existing column is dropped. If a column name is used more than once, only the rightmost duplicate creates a column.
+
+`valueX`
+:   The value for the column. Can be a literal, an expression, or a [function](/reference/query-languages/esql/esql-functions-operators.md#esql-functions). Can use columns defined left of this one.
+
+**Description**
+
+The `EVAL` processing command enables you to append new columns with calculated values. `EVAL` supports various functions for calculating values. Refer to [Functions](/reference/query-languages/esql/esql-functions-operators.md#esql-functions) for more information.
+
+**Examples**
+
+```esql
+FROM employees
+| SORT emp_no
+| KEEP first_name, last_name, height
+| EVAL height_feet = height * 3.281, height_cm = height * 100
+```
+
+| first_name:keyword | last_name:keyword | height:double | height_feet:double | height_cm:double |
+| --- | --- | --- | --- | --- |
+| Georgi | Facello | 2.03 | 6.66043 | 202.99999999999997 |
+| Bezalel | Simmel | 2.08 | 6.82448 | 208.0 |
+| Parto | Bamford | 1.83 | 6.004230000000001 | 183.0 |
+
+If the specified column already exists, the existing column will be dropped, and the new column will be appended to the table:
+
+```esql
+FROM employees
+| SORT emp_no
+| KEEP first_name, last_name, height
+| EVAL height = height * 3.281
+```
+
+| first_name:keyword | last_name:keyword | height:double |
+| --- | --- | --- |
+| Georgi | Facello | 6.66043 |
+| Bezalel | Simmel | 6.82448 |
+| Parto | Bamford | 6.004230000000001 |
+
+Specifying the output column name is optional. If not specified, the new column name is equal to the expression. The following query adds a column named `height*3.281`:
+
+```esql
+FROM employees
+| SORT emp_no
+| KEEP first_name, last_name, height
+| EVAL height * 3.281
+```
+
+| first_name:keyword | last_name:keyword | height:double | height * 3.281:double |
+| --- | --- | --- | --- |
+| Georgi | Facello | 2.03 | 6.66043 |
+| Bezalel | Simmel | 2.08 | 6.82448 |
+| Parto | Bamford | 1.83 | 6.004230000000001 |
+
+Because this name contains special characters, [it needs to be quoted](/reference/query-languages/esql/esql-syntax.md#esql-identifiers) with backticks (```) when using it in subsequent commands:
+
+```esql
+FROM employees
+| EVAL height * 3.281
+| STATS avg_height_feet = AVG(`height * 3.281`)
+```
+
+| avg_height_feet:double |
+| --- |
+| 5.801464200000001 |
+
+

docs/reference/query-languages/esql/_snippets/commands/layout/from.md

@@ -0,0 +1,76 @@
+## `FROM` [esql-from]
+
+The `FROM` source command returns a table with data from a data stream, index, or alias.
+
+**Syntax**
+
+```esql
+FROM index_pattern [METADATA fields]
+```
+
+**Parameters**
+
+`index_pattern`
+:   A list of indices, data streams or aliases. Supports wildcards and date math.
+
+`fields`
+:   A comma-separated list of [metadata fields](/reference/query-languages/esql/esql-metadata-fields.md) to retrieve.
+
+**Description**
+
+The `FROM` source command returns a table with data from a data stream, index, or alias. Each row in the resulting table represents a document. Each column corresponds to a field, and can be accessed by the name of that field.
+
+::::{note}
+By default, an {{esql}} query without an explicit [`LIMIT`](#esql-limit) uses an implicit limit of 1000. This applies to `FROM` too. A `FROM` command without `LIMIT`:
+
+```esql
+FROM employees
+```
+
+is executed as:
+
+```esql
+FROM employees
+| LIMIT 1000
+```
+
+::::
+
+
+**Examples**
+
+```esql
+FROM employees
+```
+
+You can use [date math](/reference/elasticsearch/rest-apis/api-conventions.md#api-date-math-index-names) to refer to indices, aliases and data streams. This can be useful for time series data, for example to access today’s index:
+
+```esql
+FROM <logs-{now/d}>
+```
+
+Use comma-separated lists or wildcards to [query multiple data streams, indices, or aliases](docs-content://explore-analyze/query-filter/languages/esql-multi-index.md):
+
+```esql
+FROM employees-00001,other-employees-*
+```
+
+Use the format `<remote_cluster_name>:<target>` to [query data streams and indices on remote clusters](docs-content://explore-analyze/query-filter/languages/esql-cross-clusters.md):
+
+```esql
+FROM cluster_one:employees-00001,cluster_two:other-employees-*
+```
+
+Use the optional `METADATA` directive to enable [metadata fields](/reference/query-languages/esql/esql-metadata-fields.md):
+
+```esql
+FROM employees METADATA _id
+```
+
+Use enclosing double quotes (`"`) or three enclosing double quotes (`"""`) to escape index names that contain special characters:
+
+```esql
+FROM "this=that", """this[that"""
+```
+
+