ES|QL FIRST function

field
    The search field.

sortField
    The sort field.

This function calculates the earliest occurrence of the search field (the first parameter), where sorting order is determined by the sort field (the second parameter). This sorting order is always ascending and null values always sort last. Both fields support null, single-valued, and multi-valued input. If the earliest sort field value appears in multiple documents, this function is allowed to return any corresponding search field value.

field      | sortField  | result
boolean    | date       | boolean
boolean    | date_nanos | boolean
boolean    | long       | boolean
date       | date       | date
date       | date_nanos | date
date       | long       | date
date_nanos | date       | date_nanos
date_nanos | date_nanos | date_nanos
date_nanos | long       | date_nanos
double     | date       | double
double     | date_nanos | double
double     | long       | double
integer    | date       | integer
integer    | date_nanos | integer
integer    | long       | integer
ip         | date       | ip
ip         | date_nanos | ip
ip         | long       | ip
keyword    | date       | keyword
keyword    | date_nanos | keyword
keyword    | long       | keyword
long       | date       | long
long       | date_nanos | long
long       | long       | long
text       | date       | keyword
text       | date_nanos | keyword
text       | long       | keyword

        @timestamp        |  name   | number
"2025-11-25T00:00:00.000Z | alpha   | 1"
"2025-11-25T00:00:01.000Z | alpha   | 2"
"2025-11-25T00:00:02.000Z | bravo   | null"
"2025-11-25T00:00:03.000Z | alpha   | 4"
"2025-11-25T00:00:04.000Z | bravo   | 5"
"2025-11-25T00:00:05.000Z | charlie | [6, 7, 8]"
"2025-11-25T00:00:06.000Z | delta   | null"

FROM dataset
| STATS first_val = FIRST(number, @timestamp)

first_val:long
1

Warning

This can use a significant amount of memory and ES|QL doesn’t yet grow aggregations beyond the memory available. This function will continue to work until it is used to collect more values than can fit into memory, in which case it will fail the query with a Circuit Breaker Error. This is especially the case when grouping on a field with a large number of unique values, and even more so if the search field has multi-values of high cardinality.
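
A grouped use of FIRST for first-seen analysis of authentication events, written as an added example that is not part of the original documentation. The index pattern `logs-*` and the ECS field names (`event.outcome`, `source.ip`, `user.name`) are assumptions about the data being queried.

```esql
// Added example. Index pattern and ECS field names are assumptions.
FROM logs-*
// Bound the input first: per the warning above, memory use grows with the
// number of values collected and with the number of unique grouping values.
| WHERE @timestamp >= NOW() - 1 day
| WHERE event.outcome == "success" AND source.ip IS NOT NULL
// FIRST(ip, date) returns ip (see the type table above).
// If two events for a user share the earliest @timestamp, FIRST may return
// the source.ip of either one, so treat first_ip as "an earliest" address.
| STATS
    first_seen   = MIN(@timestamp),
    first_ip     = FIRST(source.ip, @timestamp),
    distinct_ips = COUNT_DISTINCT(source.ip)
  BY user.name
// Keep only accounts seen from more than one address in the window.
| WHERE distinct_ips > 1
| SORT first_seen ASC
| LIMIT 100
```

Because the grouping key is `user.name`, the time filter is what keeps the number of groups, and therefore the aggregation state, within the circuit breaker's limit.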