ES|QL string functions

Serverless Stack

ES|QL supports these string functions:

• BIT_LENGTH
• BYTE_LENGTH
• CHUNK
• CONCAT
• CONTAINS
• ENDS_WITH
• FROM_BASE64
• HASH
• LEFT
• LENGTH
• LOCATE
• LTRIM
• MD5
• REPEAT
• REPLACE
• REVERSE
• RIGHT
• RTRIM
• SHA1
• SHA256
• SPACE
• SPLIT
• STARTS_WITH
• SUBSTRING
• TOP_SNIPPETS
• TO_BASE64
• TO_LOWER
• TO_UPPER
• TRIM
• URL_ENCODE
• URL_ENCODE_COMPONENT
• URL_DECODE

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Returns the bit length of a string.

Supported types

Example

FROM airports
| WHERE country == "India"
| KEEP city
| EVAL fn_length = LENGTH(city), fn_bit_length = BIT_LENGTH(city)
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Returns the byte length of a string.

Supported types

Example

FROM airports
| WHERE country == "India"
| KEEP city
| EVAL fn_length = LENGTH(city), fn_byte_length = BYTE_LENGTH(city)
		

Serverless Preview Stack Planned

Syntax

×

Parameters

field

The input to chunk.

chunking_settings

Options to customize chunking behavior. Defaults to {"strategy":"sentence","max_chunk_size":300,"sentence_overlap":0}.

Description

Use CHUNK to split a text field into smaller chunks.

Chunk can be used on fields from the text famiy like text and semantic_text. Chunk will split a text field into smaller chunks, using a sentence-based chunking strategy. The number of chunks returned, and the length of the sentences used to create the chunks can be specified.

Supported types

Supported function named parameters

separator_group

(keyword) Sets a predefined lists of separators based on the selected text type. Values may be markdown or plaintext. Only applicable to the recursive chunking strategy. When using the recursive chunking strategy one of separators or separator_group must be specified.

overlap

(integer) The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.

sentence_overlap

(integer) The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.

strategy

(keyword) The chunking strategy to use. Default value is sentence.

max_chunk_size

(integer) The maximum size of a chunk in words. This value cannot be lower than 20 (for sentence strategy) or 10 (for word or recursive strategies). This model should not exceed the window size for any associated models using the output of this function.

separators

(keyword) A list of strings used as possible split points when chunking text. Each string can be a plain string or a regular expression (regex) pattern. The system tries each separator in order to split the text, starting from the first item in the list. After splitting, it attempts to recombine smaller pieces into larger chunks that stay within the max_chunk_size limit, to reduce the total number of chunks generated. Only applicable to the recursive chunking strategy. When using the recursive chunking strategy one of separators or separator_group must be specified.

Example

Stack Planned

ROW result = CHUNK("It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief.", {"strategy": "word", "max_chunk_size": 10, "overlap": 1})
| MV_EXPAND result
		

Syntax

×

Parameters

string1

Strings to concatenate.

string2

Strings to concatenate.

Description

Concatenates two or more strings.

Supported types

Example

FROM employees
| KEEP first_name, last_name
| EVAL fullname = CONCAT(first_name, " ", last_name)
		

Stack 9.2.0

Syntax

×

Parameters

string

String expression: input string to check against. If null, the function returns null.

substring

String expression: A substring to find in the input string. If null, the function returns null.

Description

Returns a boolean that indicates whether a keyword substring is within another string. Returns null if either parameter is null.

Supported types

Example

ROW a = "hello"
| EVAL has_ll = CONTAINS(a, "ll")
		

Syntax

×

Parameters

str

String expression. If null, the function returns null.

suffix

String expression. If null, the function returns null.

Description

Returns a boolean that indicates whether a keyword string ends with another string.

Supported types

Example

FROM employees
| KEEP last_name
| EVAL ln_E = ENDS_WITH(last_name, "d")
		

Syntax

×

Parameters

string

A base64 string.

Description

Decode a base64 string.

Supported types

Example

ROW a = "ZWxhc3RpYw=="
| EVAL d = FROM_BASE64(a)
		

Syntax

×

Parameters

algorithm

Hash algorithm to use.

input

Input to hash.

Description

Computes the hash of the input using various algorithms such as MD5, SHA, SHA-224, SHA-256, SHA-384, SHA-512.

Supported types

Example

FROM sample_data
| WHERE message != "Connection error"
| EVAL md5 = hash("md5", message), sha256 = hash("sha256", message)
| KEEP message, md5, sha256
		

Syntax

×

Parameters

string

The string from which to return a substring.

length

The number of characters to return.

Description

Returns the substring that extracts length chars from string starting from the left.

Supported types

Example

FROM employees
| KEEP last_name
| EVAL left = LEFT(last_name, 3)
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Returns the character length of a string.

Supported types

Example

FROM airports
| WHERE country == "India"
| KEEP city
| EVAL fn_length = LENGTH(city)
		

Syntax

×

Parameters

string

An input string

substring

A substring to locate in the input string

start

The start index

Description

Returns an integer that indicates the position of a keyword substring within another string. Returns 0 if the substring cannot be found. Note that string positions start from 1.

Supported types

Example

ROW a = "hello"
| EVAL a_ll = LOCATE(a, "ll")
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Removes leading whitespaces from a string.

Supported types

Example

ROW message = "   some text  ",  color = " red "
| EVAL message = LTRIM(message)
| EVAL color = LTRIM(color)
| EVAL message = CONCAT("'", message, "'")
| EVAL color = CONCAT("'", color, "'")
		

Syntax

×

Parameters

input

Input to hash.

Description

Computes the MD5 hash of the input (if the MD5 hash is available on the JVM).

Supported types

Example

FROM sample_data
| WHERE message != "Connection error"
| EVAL md5 = md5(message)
| KEEP message, md5
		

Syntax

×

Parameters

string

String expression.

number

Number times to repeat.

Description

Returns a string constructed by concatenating string with itself the specified number of times.

Supported types

Example

ROW a = "Hello!"
| EVAL triple_a = REPEAT(a, 3)
		

Syntax

×

Parameters

string

String expression.

regex

Regular expression.

newString

Replacement string.

Description

The function substitutes in the string str any match of the regular expression regex with the replacement string newStr.

Supported types

Examples

This example replaces any occurrence of the word "World" with the word "Universe":

ROW str = "Hello World"
| EVAL str = REPLACE(str, "World", "Universe")
		

This example removes all spaces:

ROW str = "Hello World"
| EVAL str = REPLACE(str, "\\\\s+", "")
		

Syntax

×

Parameters

str

String expression. If null, the function returns null.

Description

Returns a new string representing the input string in reverse order.

Supported types

Examples

ROW message = "Some Text" | EVAL message_reversed = REVERSE(message);
		

REVERSE works with unicode, too! It keeps unicode grapheme clusters together during reversal.

ROW bending_arts = "💧🪨🔥💨" | EVAL bending_arts_reversed = REVERSE(bending_arts);
		

Syntax

×

Parameters

string

The string from which to returns a substring.

length

The number of characters to return.

Description

Return the substring that extracts length chars from str starting from the right.

Supported types

Example

FROM employees
| KEEP last_name
| EVAL right = RIGHT(last_name, 3)
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Removes trailing whitespaces from a string.

Supported types

Example

ROW message = "   some text  ",  color = " red "
| EVAL message = RTRIM(message)
| EVAL color = RTRIM(color)
| EVAL message = CONCAT("'", message, "'")
| EVAL color = CONCAT("'", color, "'")
		

Syntax

×

Parameters

input

Input to hash.

Description

Computes the SHA1 hash of the input.

Supported types

Example

FROM sample_data
| WHERE message != "Connection error"
| EVAL sha1 = sha1(message)
| KEEP message, sha1
		

Syntax

×

Parameters

input

Input to hash.

Description

Computes the SHA256 hash of the input.

Supported types

Example

FROM sample_data
| WHERE message != "Connection error"
| EVAL sha256 = sha256(message)
| KEEP message, sha256
		

Syntax

×

Parameters

number

Number of spaces in result.

Description

Returns a string made of number spaces.

Supported types

Example

ROW message = CONCAT("Hello", SPACE(1), "World!");
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

delim

Delimiter. Only single byte delimiters are currently supported.

Description

Split a single valued string into multiple strings.

Supported types

Example

ROW words="foo;bar;baz;qux;quux;corge"
| EVAL word = SPLIT(words, ";")
		

Syntax

×

Parameters

str

String expression. If null, the function returns null.

prefix

String expression. If null, the function returns null.

Description

Returns a boolean that indicates whether a keyword string starts with another string.

Supported types

Example

FROM employees
| KEEP last_name
| EVAL ln_S = STARTS_WITH(last_name, "B")
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

start

Start position.

length

Length of the substring from the start position. Optional; if omitted, all positions after start are returned.

Description

Returns a substring of a string, specified by a start position and an optional length.

Supported types

Examples

This example returns the first three characters of every last name:

FROM employees
| KEEP last_name
| EVAL ln_sub = SUBSTRING(last_name, 1, 3)
		

A negative start position is interpreted as being relative to the end of the string. This example returns the last three characters of every last name:

FROM employees
| KEEP last_name
| EVAL ln_sub = SUBSTRING(last_name, -3, 3)
		

If length is omitted, substring returns the remainder of the string. This example returns all characters except for the first:

FROM employees
| KEEP last_name
| EVAL ln_sub = SUBSTRING(last_name, 2)
		

Serverless Preview Stack Planned

Syntax

×

Parameters

field

The input to chunk.

query

The input text containing only query terms for snippet extraction. Lucene query syntax, operators, and wildcards are not allowed.

options

Options to customize snippet extraction behavior.

Description

Use TOP_SNIPPETS to extract the best snippets for a given query string from a text field.

TopSnippets can be used on fields from the text famiy like text and semantic_text. TopSnippets will extract the best snippets for a given query string.

Supported types

Supported function named parameters

num_words

(integer) The maximum number of words to return in each snippet. This allows better control of inference costs by limiting the size of tokens per snippet.

num_snippets

(integer) The maximum number of matching snippets to return.

Examples

Stack Planned

null
		

Stack Planned

FROM books
| WHERE MATCH(title, "Return")
| EVAL snippets = TOP_SNIPPETS(description, "Tolkien", { "num_snippets": 3, "num_words": 25 })
		

Syntax

×

Parameters

string

A string.

Description

Encode a string to a base64 string.

Supported types

Example

ROW a = "elastic"
| EVAL e = TO_BASE64(a)
		

Syntax

×

Parameters

str

String expression. If null, the function returns null. The input can be a single-valued column or expression, or a multi-valued column or expression Stack 9.1.0 .

Description

Returns a new string representing the input string converted to lower case.

Supported types

Examples

ROW message = "Some Text"
| EVAL message_lower = TO_LOWER(message)
		

Stack 9.1.0

ROW v = TO_LOWER(["Some", "Text"])
		

Syntax

×

Parameters

str

String expression. If null, the function returns null. The input can be a single-valued column or expression, or a multi-valued column or expression Stack 9.1.0 .

Description

Returns a new string representing the input string converted to upper case.

Supported types

Example

ROW message = "Some Text"
| EVAL message_upper = TO_UPPER(message)
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Removes leading and trailing whitespaces from a string.

Supported types

Example

ROW message = "   some text  ",  color = " red "
| EVAL message = TRIM(message)
| EVAL color = TRIM(color)
		

Stack 9.2.0

Syntax

×

Parameters

string

The URL to encode.

Description

URL-encodes the input. All characters are percent-encoded except for alphanumerics, ., -, _, and ~. Spaces are encoded as +.

Supported types

Example

ROW u = "https://example.com/?x=foo bar&y=baz" | EVAL u = URL_ENCODE(u)
		

Stack 9.2.0

Syntax

×

Parameters

string

The URL to encode.

Description

URL-encodes the input. All characters are percent-encoded except for alphanumerics, ., -, _, and ~. Spaces are encoded as %20.

Supported types

Example

ROW u = "https://example.com/?x=foo bar&y=baz"
| EVAL u = URL_ENCODE_COMPONENT(u)
		

Stack 9.2.0

Syntax

×

Parameters

string

The URL-encoded string to decode.

Description

URL-decodes the input, or returns null and adds a warning header to the response if the input cannot be decoded.

Supported types

Example

ROW u = "https%3A%2F%2Fexample.com%2F%3Fx%3Dfoo%20bar%26y%3Dbaz"
| EVAL u = URL_DECODE(u)