ES|QL

The Elasticsearch Query Language, ES|QL, makes it faster and easier to explore your data.

ES|QL is a piped language which allows you to chain together multiple commands to query your data. Based on the query, Lens suggestions in Discover create a visualization of the query results.

ES|QL comes with its own dedicated ES|QL Compute Engine for greater efficiency. With one query you can search, aggregate, calculate and perform data transformations without leaving Discover*. Write your query directly in Discover or use the *Dev Tools with the ES|QL API.

You can switch to the ES|QL mode of Discover from the application menu bar.

ES|QL also features in-app help and suggestions, so you can get started faster and don’t have to leave the application to check syntax.

You can also use ES|QL queries to create panels on your dashboards, create enrich policies, and create alerting rules.

For more detailed information about ES|QL in Kibana, refer to Using ES|QL in Kibana.

ES|QL makes it much easier to analyze metrics, logs and traces from a single query. Find performance issues fast by defining fields on the fly, enriching data with lookups, and using simultaneous query processing. Combining ES|QL with machine learning and AiOps can improve detection accuracy and use aggregated value thresholds.

Use ES|QL to retrieve important information for investigation by using lookups. Enrich data and create new fields on the go to gain valuable insight for faster decision-making and actions. For example, perform a lookup on an IP address to identify its geographical location, its association with known malicious entities, or whether it belongs to a known cloud service provider all from one search bar. ES|QL ensures more accurate alerts by incorporating aggregated values in detection rules.

The main documentation for ES|QL lives in the Elasticsearch docs.

We also have a short tutorial in the Discover docs: Using ES|QL.