Try ES|QL

Do not use ES|QL in production environments. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

The Elasticsearch Query Language, ES|QL, makes it easier to explore your data without leaving Discover.

In this tutorial we’ll use the Kibana sample web logs in Discover and Lens to explore the data and create visualizations.

Prerequisite

To select Try ES|QL from the Data views menu, the discover:enableESQL setting must be enabled in Stack Management > Advanced Settings. It is enabled by default.

Trying ES|QL

To load the sample data:

  1. On the home page, click Try sample data.
  2. Click Other sample data sets.
  3. On the Sample web logs card, click Add data.
  4. Open the main menu and select Discover.
  5. From the Data views menu, select Try ES|QL.

Let’s say we want to find out what operating system users have and how much RAM is on their machine.

  1. Set the time range to Last 7 days.
  2. Expand the query bar.
  3. Put each processing command on a new line for better readability.
  4. Copy the query below:

    FROM kibana_sample_data_logs
    | KEEP machine.os, machine.ram

  5. Click Update.

    ES|QL keywords are not case sensitive.

Let’s add geo.dest to our query, to find out the geographical destination of the visits, and limit the results.

  1. Copy the query below:

    FROM kibana_sample_data_logs
    | KEEP machine.os, machine.ram, geo.dest
    | LIMIT 10

  2. Click Update.

Let’s sort the data by machine RAM and filter out the destination GB.

  1. Copy the query below:

    FROM kibana_sample_data_logs
    | KEEP machine.os, machine.ram, geo.dest
    | SORT machine.ram desc
    | WHERE geo.dest != "GB"
    | LIMIT 10

  2. Click Update.

  3. Click Save to save the query and visualization to a dashboard.

To change the visualization, use the visualization drop-down. To change the colors used or the axes, click the pencil icon. This opens an in-line editor where you can change the colors and axes of the visualization.

To learn more about ES|QL, try other tutorials, and find more examples and reference material, refer to ES|QL.