- 
                Notifications
    You must be signed in to change notification settings 
- Fork 25.6k
Add docs for ES|QL query logs #131287
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
          
     Merged
      
        
      
            luigidellaquila
  merged 11 commits into
  elastic:main
from
luigidellaquila:esql/query_log_docs
  
      
      
   
  Jul 16, 2025 
      
    
  
     Merged
                    Add docs for ES|QL query logs #131287
Changes from all commits
      Commits
    
    
            Show all changes
          
          
            11 commits
          
        
        Select commit
          Hold shift + click to select a range
      
      df8b691
              
                Add docs for ES|QL query logs
              
              
                luigidellaquila 3bf73f6
              
                Fix ToC
              
              
                luigidellaquila afc4376
              
                Fix link
              
              
                luigidellaquila b347c46
              
                Update docs/reference/query-languages/esql/esql-query-log.md
              
              
                luigidellaquila cc117e2
              
                Update docs/reference/query-languages/esql/esql-query-log.md
              
              
                luigidellaquila 72344af
              
                Update docs/reference/query-languages/esql/esql-query-log.md
              
              
                luigidellaquila f67d15c
              
                Update docs/reference/query-languages/esql/esql-query-log.md
              
              
                luigidellaquila cfe915a
              
                Update docs/reference/query-languages/esql/esql-query-log.md
              
              
                luigidellaquila 23c2025
              
                Update docs/reference/query-languages/esql/esql-troubleshooting.md
              
              
                luigidellaquila bf6a8db
              
                Better wording
              
              
                luigidellaquila 06f163f
              
                ES|QL as a md tag
              
              
                luigidellaquila File filter
Filter by extension
Conversations
          Failed to load comments.   
        
        
          
      Loading
        
  Jump to
        
          Jump to file
        
      
      
          Failed to load files.   
        
        
          
      Loading
        
  Diff view
Diff view
There are no files selected for viewing
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
              
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
              | Original file line number | Diff line number | Diff line change | 
|---|---|---|
| @@ -0,0 +1,130 @@ | ||
| --- | ||
| navigation_title: "Query log" | ||
| --- | ||
|  | ||
| # {{esql}} Query log [esql-query-log] | ||
|  | ||
|  | ||
| The {{esql}} query log allows to log {{esql}} queries based on their execution time. | ||
|  | ||
| You can use these logs to investigate, analyze or troubleshoot your cluster’s historical {{esql}} performance. | ||
|  | ||
| {{esql}} query log reports task duration at coordinator level, but might not encompass the full task execution time observed on the client. For example, logs don’t surface HTTP network delays. | ||
|  | ||
| Events that meet the specified threshold are emitted into [{{es}} server logs](docs-content://deploy-manage/monitor/logging-configuration/update-elasticsearch-logging-levels.md). | ||
|  | ||
| These logs can be found in local {{es}} service logs directory. Slow log files have a suffix of `_esql_querylog.json`. | ||
|  | ||
| ## Query log format [query-log-format] | ||
|  | ||
| The following is an example of a successful query event in the query log: | ||
|  | ||
| ```js | ||
| { | ||
| "@timestamp": "2025-03-11T08:39:50.076Z", | ||
| "log.level": "TRACE", | ||
| "auth.type": "REALM", | ||
| "elasticsearch.querylog.planning.took": 3108666, | ||
| "elasticsearch.querylog.planning.took_millis": 3, | ||
| "elasticsearch.querylog.query": "from index | limit 100", | ||
| "elasticsearch.querylog.search_type": "ESQL", | ||
| "elasticsearch.querylog.success": true, | ||
| "elasticsearch.querylog.took": 8050416, | ||
| "elasticsearch.querylog.took_millis": 8, | ||
| "user.name": "elastic-admin", | ||
| "user.realm": "default_file", | ||
| "ecs.version": "1.2.0", | ||
| "service.name": "ES_ECS", | ||
| "event.dataset": "elasticsearch.esql_querylog", | ||
| "process.thread.name": "elasticsearch[runTask-0][esql_worker][T#12]", | ||
| "log.logger": "esql.querylog.query", | ||
| "elasticsearch.cluster.uuid": "KZo1V7TcQM-O6fnqMm1t_g", | ||
| "elasticsearch.node.id": "uPgRE2TrSfa9IvnUpNT1Uw", | ||
| "elasticsearch.node.name": "runTask-0", | ||
| "elasticsearch.cluster.name": "runTask" | ||
| } | ||
| ``` | ||
|  | ||
| The following is an example of a failing query event in the query log: | ||
|  | ||
| ```js | ||
| { | ||
| "@timestamp": "2025-03-11T08:41:54.172Z", | ||
| "log.level": "TRACE", | ||
| "auth.type": "REALM", | ||
| "elasticsearch.querylog.error.message": "line 1:15: mismatched input 'limitxyz' expecting {DEV_CHANGE_POINT, 'enrich', 'dissect', 'eval', 'grok', 'limit', 'sort', 'stats', 'where', DEV_INLINESTATS, DEV_FORK, 'lookup', DEV_JOIN_LEFT, DEV_JOIN_RIGHT, DEV_LOOKUP, 'mv_expand', 'drop', 'keep', DEV_INSIST, 'rename'}", | ||
| "elasticsearch.querylog.error.type": "org.elasticsearch.xpack.esql.parser.ParsingException", | ||
| "elasticsearch.querylog.query": "from person | limitxyz 100", | ||
| "elasticsearch.querylog.search_type": "ESQL", | ||
| "elasticsearch.querylog.success": false, | ||
| "elasticsearch.querylog.took": 963750, | ||
| "elasticsearch.querylog.took_millis": 0, | ||
| "user.name": "elastic-admin", | ||
| "user.realm": "default_file", | ||
| "ecs.version": "1.2.0", | ||
| "service.name": "ES_ECS", | ||
| "event.dataset": "elasticsearch.esql_querylog", | ||
| "process.thread.name": "elasticsearch[runTask-0][search][T#16]", | ||
| "log.logger": "esql.querylog.query", | ||
| "elasticsearch.cluster.uuid": "KZo1V7TcQM-O6fnqMm1t_g", | ||
| "elasticsearch.node.id": "uPgRE2TrSfa9IvnUpNT1Uw", | ||
| "elasticsearch.node.name": "runTask-0", | ||
| "elasticsearch.cluster.name": "runTask" | ||
| } | ||
| ``` | ||
|  | ||
|  | ||
| ## Enable query logging [enable-query-log] | ||
|  | ||
| You can enable query logging at cluster level. | ||
|  | ||
| By default, all thresholds are set to `-1`, which results in no events being logged. | ||
|  | ||
| Query log thresholds can be enabled for the four logging levels: `trace`, `debug`, `info`, and `warn`. | ||
|  | ||
| To view the current query log settings, use the [get cluster settings API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cluster-get-settings): | ||
|  | ||
| ```console | ||
| GET _cluster/settings?filter_path=*.esql.querylog.* | ||
| ``` | ||
|  | ||
| You can use the `esql.querylog.include.user` setting to append `user.*` and `auth.type` fields to slow log entries. These fields contain information about the user who triggered the request. | ||
|  | ||
| The following snippet adjusts all available {{esql}} query log settings [update cluster settings API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cluster-put-settings): | ||
|  | ||
| ```console | ||
| PUT /_cluster/settings | ||
| { | ||
| "transient": { | ||
| "esql.querylog.threshold.warn": "10s", | ||
| "esql.querylog.threshold.info": "5s", | ||
| "esql.querylog.threshold.debug": "2s", | ||
| "esql.querylog.threshold.trace": "500ms", | ||
| "esql.querylog.include.user": true | ||
| } | ||
| } | ||
| ``` | ||
|  | ||
|  | ||
|  | ||
| ## Best practices for query logging [troubleshoot-query-log] | ||
|  | ||
| Logging slow requests can be resource intensive to your {{es}} cluster depending on the qualifying traffic’s volume. For example, emitted logs might increase the index disk usage of your [{{es}} monitoring](docs-content://deploy-manage/monitor/stack-monitoring.md) cluster. To reduce the impact of slow logs, consider the following: | ||
|  | ||
| * Set high thresholds to reduce the number of logged events. | ||
| * Enable slow logs only when troubleshooting. | ||
|  | ||
| If you aren’t sure how to start investigating traffic issues, consider enabling the `warn` threshold with a high `30s` threshold at the index level using the [update cluster settings API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cluster-put-settings): | ||
|  | ||
| Here is an example of how to change cluster settings to enable query logging at `warn` level, for queries taking more than 30 seconds, and include user information in the logs: | ||
|  | ||
| ```console | ||
| PUT /_cluster/settings | ||
| { | ||
| "transient": { | ||
| "esql.querylog.include.user": true, | ||
| "esql.querylog.threshold.warn": "30s" | ||
| } | ||
| } | ||
| ``` | ||
|  | ||
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
              | Original file line number | Diff line number | Diff line change | 
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| --- | ||
| navigation_title: "Troubleshooting" | ||
| --- | ||
|  | ||
| # Troubleshooting {{esql}} [esql-troubleshooting] | ||
|  | ||
| This section provides some useful resource for troubleshooting {{esql}} | ||
|  | ||
| * [Query log](esql-query-log.md): Learn how to log {{esql}} queries | 
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
              
      
      Oops, something went wrong.
        
    
  
  Add this suggestion to a batch that can be applied as a single commit.
  This suggestion is invalid because no changes were made to the code.
  Suggestions cannot be applied while the pull request is closed.
  Suggestions cannot be applied while viewing a subset of changes.
  Only one suggestion per line can be applied in a batch.
  Add this suggestion to a batch that can be applied as a single commit.
  Applying suggestions on deleted lines is not supported.
  You must change the existing code in this line in order to create a valid suggestion.
  Outdated suggestions cannot be applied.
  This suggestion has been applied or marked resolved.
  Suggestions cannot be applied from pending reviews.
  Suggestions cannot be applied on multi-line comments.
  Suggestions cannot be applied while the pull request is queued to merge.
  Suggestion cannot be applied right now. Please check back later.
  
    
  
    
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unrelated to doc change, but I am surprised that we need to add a cluster id to the log.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not part of our implementation, I think the JSON logging infrastructure adds it to all the logs. BTW, it's the same in Search slow log