ES|QL FIRST function

field
    The search field.
sortField
    The sort field.

This function calculates the earliest occurrence of the search field (the first parameter), where sorting order is determined by the sort field (the second parameter). This sorting order is always ascending and null values always sort last. Both fields support null, single-valued, and multi-valued input. If the earliest sort field value appears in multiple documents, this function is allowed to return any corresponding search field value.

field           | sortField  | result
boolean         | date       | boolean
boolean         | date_nanos | boolean
boolean         | integer    | boolean
boolean         | long       | boolean
cartesian_point | date       | cartesian_point
cartesian_point | date_nanos | cartesian_point
cartesian_point | integer    | cartesian_point
cartesian_point | long       | cartesian_point
cartesian_shape | date       | cartesian_shape
cartesian_shape | date_nanos | cartesian_shape
cartesian_shape | integer    | cartesian_shape
cartesian_shape | long       | cartesian_shape
date            | date       | date
date            | date_nanos | date
date            | integer    | date
date            | long       | date
date_nanos      | date       | date_nanos
date_nanos      | date_nanos | date_nanos
date_nanos      | integer    | date_nanos
date_nanos      | long       | date_nanos
double          | date       | double
double          | date_nanos | double
double          | integer    | double
double          | long       | double
geo_point       | date       | geo_point
geo_point       | date_nanos | geo_point
geo_point       | integer    | geo_point
geo_point       | long       | geo_point
geo_shape       | date       | geo_shape
geo_shape       | date_nanos | geo_shape
geo_shape       | integer    | geo_shape
geo_shape       | long       | geo_shape
geohash         | date       | geohash
geohash         | date_nanos | geohash
geohash         | integer    | geohash
geohash         | long       | geohash
geohex          | date       | geohex
geohex          | date_nanos | geohex
geohex          | integer    | geohex
geohex          | long       | geohex
geotile         | date       | geotile
geotile         | date_nanos | geotile
geotile         | integer    | geotile
geotile         | long       | geotile
integer         | date       | integer
integer         | date_nanos | integer
integer         | integer    | integer
integer         | long       | integer
ip              | date       | ip
ip              | date_nanos | ip
ip              | integer    | ip
ip              | long       | ip
keyword         | date       | keyword
keyword         | date_nanos | keyword
keyword         | integer    | keyword
keyword         | long       | keyword
long            | date       | long
long            | date_nanos | long
long            | integer    | long
long            | long       | long
text            | date       | keyword
text            | date_nanos | keyword
text            | integer    | keyword
text            | long       | keyword
unsigned_long   | date       | unsigned_long
unsigned_long   | date_nanos | unsigned_long
unsigned_long   | integer    | unsigned_long
unsigned_long   | long       | unsigned_long
version         | date       | version
version         | date_nanos | version
version         | integer    | version
version         | long       | version

       @timestamp        |  name   | number
2025-11-25T00:00:00.000Z | alpha   | 1
2025-11-25T00:00:01.000Z | alpha   | 2
2025-11-25T00:00:02.000Z | bravo   | null
2025-11-25T00:00:03.000Z | alpha   | 4
2025-11-25T00:00:04.000Z | bravo   | 5
2025-11-25T00:00:05.000Z | charlie | [6, 7, 8]
2025-11-25T00:00:06.000Z | delta   | null

FROM dataset
| STATS first_val = FIRST(number, @timestamp)

first_val:long
1

Warning

This can use a significant amount of memory and ES|QL doesn’t yet grow aggregations beyond the memory available. This function will continue to work until it is used to collect more values than can fit into memory, in which case it will fail the query with a Circuit Breaker Error. This is especially the case when grouping on a field with a large number of unique values, and even more so if the search field has multi-values of high cardinality.
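
A first-seen query of the kind a detection engineer might build on this function, using the `ip`/`date` combination from the type table. This is an added example, not part of the original page. The index name `logs-auth` and the ECS-style fields `event.outcome`, `source.ip` and `user.name` are assumptions.

```esql
// Added example: index and field names are assumed, not taken from the page.
FROM logs-auth
// Narrow the time window and event set before aggregating, so fewer
// documents and fewer user.name groups reach the aggregation
// (see the memory warning above).
| WHERE @timestamp >= NOW() - 1 day AND event.outcome == "success"
// first_ip: the source.ip on the event with the earliest @timestamp per user.
// first_seen: that earliest timestamp, kept alongside for triage.
| STATS first_ip = FIRST(source.ip, @timestamp),
        first_seen = MIN(@timestamp)
  BY user.name
| SORT first_seen ASC
| LIMIT 100
```

If several events for the same user share the earliest `@timestamp`, `first_ip` may be the `source.ip` of any of them, so treat it as one candidate rather than the definitive first address.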