ESQL syntax reference
editESQL syntax reference
editBasic syntax
editAn ESQL query is composed of a source command followed
by an optional series of processing commands,
separated by a pipe character: 
. For example:
sourcecommand  processingcommand1  processingcommand2
The result of a query is the table produced by the final processing command.
For an overview of all supported commands, functions, and operators, refer to Commands and Functions and operators.
For readability, this documentation puts each processing command on a new line. However, you can write an ESQL query as a single line. The following query is identical to the previous one:
sourcecommand  processingcommand1  processingcommand2
Identifiers
editIdentifiers need to be quoted with backticks (`
) if:

they don’t start with a letter,
_
or@

any of the other characters is not a letter, number, or
_
For example:
FROM index  KEEP `1.field`
When referencing a function alias that itself uses a quoted identifier, the backticks of the quoted identifier need to be escaped with another backtick. For example:
FROM index  STATS COUNT(`1.field`)  EVAL my_count = `COUNT(``1.field``)`
Literals
editESQL currently supports numeric and string literals.
String literals
editA string literal is a sequence of unicode characters delimited by double
quotes ("
).
// Filter by a string value FROM index  WHERE first_name == "Georgi"
If the literal string itself contains quotes, these need to be escaped (\\"
).
ESQL also supports the triplequotes ("""
) delimiter, for convenience:
ROW name = """Indiana "Indy" Jones"""
The special characters CR, LF and TAB can be provided with the usual escaping:
\r
, \n
, \t
, respectively.
Numerical literals
editThe numeric literals are accepted in decimal and in the scientific notation
with the exponent marker (e
or E
), starting either with a digit, decimal
point .
or the negative sign 
:
1969  integer notation 3.14  decimal notation .1234  decimal notation starting with decimal point 4E5  scientific notation (with exponent marker) 1.2e3  scientific notation with decimal point .1e2  scientific notation starting with the negative sign
The integer numeric literals are implicitly converted to the integer
, long
or the double
type, whichever can first accommodate the literal’s value.
The floating point literals are implicitly converted the double
type.
To obtain constant values of different types, use one of the numeric conversion functions.
Comments
editESQL uses C++ style comments:

double slash
//
for single line comments 
/*
and*/
for block comments
// Query the employees index FROM employees  WHERE height > 2
FROM /* Query the employees index */ employees  WHERE height > 2
FROM employees /* Query the * employees * index */  WHERE height > 2
Timespan literals
editDatetime intervals and timespans can be expressed using timespan literals. Timespan literals are a combination of a number and a qualifier. These qualifiers are supported:

millisecond
/milliseconds

second
/seconds

minute
/minutes

hour
/hours

day
/days

week
/weeks

month
/months

year
/years
Timespan literals are not whitespace sensitive. These expressions are all valid:

1day

1 day

1 day