Using ES|QL

edit

The Elasticsearch Query Language, ES|QL, makes it easier to explore your data without leaving Discover.

In this tutorial we’ll use the Kibana sample web logs in Discover and Lens to explore the data and create visualizations.

Prerequisite

edit

To be able to select Language ES|QL from the Data views menu the enableESQL setting must be enabled from Stack Management > Advanced Settings. It is enabled by default.

Use ES|QL

edit

To load the sample data:

  1. On the home page, click Try sample data.
  2. Click Other sample data sets.
  3. On the Sample web logs card, click Add data.
  4. Open the main menu and select Discover.
  5. From the Data views menu, select Language ES|QL.

Let’s say we want to find out what operating system users have and how much RAM is on their machine.

  1. Set the time range to Last 7 days.
  2. Expand An image of the expand icon the query bar.
  3. Put each processing command on a new line for better readability.
  4. Copy the query below:

    FROM kibana_sample_data_logs
    | KEEP machine.os, machine.ram
  5. Click ▶Run.

    An image of the query result

    ES|QL keywords are not case sensitive.

Let’s add geo.dest to our query, to find out the geographical destination of the visits, and limit the results.

  1. Copy the query below:

    FROM kibana_sample_data_logs
    | KEEP machine.os, machine.ram, geo.dest
    | LIMIT 10
  2. Click ▶Run.

    An image of the extended query result

Let’s sort the data by machine ram and filter out the destination GB.

  1. Copy the query below:

    FROM kibana_sample_data_logs
    | KEEP machine.os, machine.ram, geo.dest
    | SORT machine.ram desc
    | WHERE geo.dest != "GB"
    | LIMIT 10
  2. Click ▶Run.

    esql full query

  3. Click Save to save the query and visualization to a dashboard.

To make changes to the visualization you can use the visualization drop-down. To make changes to the colors used or the axes, or click the pencil icon. This opens an in-line editor where you can change the colors and axes of the visualization.

For the complete ES|QL documentation, including tutorials, examples and the full syntax reference, refer to the Elasticsearch documentation. For a more detailed overview of ES|QL in Kibana, refer to Use ES|QL in Kibana.