ES|QL FROM command
The FROM source command returns a table with data from a data stream, index,
or alias.
For time series data, use the TS source command instead of FROM. TS enables time series aggregation functions and is optimized for processing time series indices.
FROM index_pattern [METADATA fields]
FROM index_pattern [, (FROM index_pattern [METADATA fields] [| processing_commands])]* [METADATA fields]
FROM (FROM index_pattern [METADATA fields] [| processing_commands]) [, (FROM index_pattern [METADATA fields] [| processing_commands])]* [METADATA fields]
index_pattern: A list of indices, data streams or aliases. Supports wildcards and date math.
fields: A comma-separated list of metadata fields to retrieve.
Each row in the resulting table represents a document. Each column
corresponds to a field and can be accessed by the name of that field.
By default, an ES|QL query without an explicit LIMIT uses an implicit
limit of 1000, and this applies to FROM too. The truncation is silent, so a
hunting or detection query that matches more than 1000 documents returns only
1000 of them; set an explicit LIMIT (or aggregate instead of returning raw
rows) when completeness matters. A FROM command without LIMIT:
FROM employees
is executed as:
FROM employees
| LIMIT 1000
The FROM command supports subqueries,
which are complete ES|QL queries wrapped in parentheses. Each subquery starts
with a FROM source command followed by zero or more piped processing commands.
Multiple subqueries and regular index patterns can be combined in a single
FROM clause, separated by commas.
FROM
employees,
(FROM sample_data | WHERE client_ip == "172.21.3.15")
The following examples show common FROM patterns.
FROM employees
Use date math to refer to indices, aliases, and data streams. This can be useful for time series data, for example to access today’s index:
FROM <logs-{now/d}>
Use comma-separated lists or wildcards to query multiple data streams, indices, or aliases:
FROM employees-00001,other-employees-*
Use the format <remote_cluster_name>:<target> to
query data streams and indices on remote clusters:
FROM cluster_one:employees-00001,cluster_two:other-employees-*
By default, queries run across the origin project and all linked projects. To learn more, refer to the documentation on querying across serverless projects.
Use the optional METADATA directive to enable
metadata fields:
FROM employees METADATA _id
Use enclosing double quotes (") or three enclosing double quotes (""") to escape index names
that contain special characters:
FROM "this=that", """this[that"""
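As an added example, not part of the ES|QL reference: a small Python helper that assembles a FROM clause from source names that may arrive from outside the query author (a UI filter, an API parameter, a SIEM rule template), applying the quoting rules described above. The allow-list of characters that may appear unquoted, the use of triple quotes only for names that contain a double quote (the page shows both forms without stating when each is required), the shape check on metadata field names, and the always-explicit LIMIT are choices of this example, not documented ES|QL rules. A name the helper cannot express unambiguously with either quoting form is rejected instead of being emitted.

```python
import re

# Allow-list for a source that may be written without quotes. This is an
# assumption of this example, not a rule from the ES|QL reference: an
# optional <cluster>: prefix, then either a plain name/wildcard pattern or
# a <date-math> expression, all drawn from a conservative character set.
_PLAIN = r"[A-Za-z0-9_.*-]+"
_BARE_SOURCE = re.compile(rf"(?:{_PLAIN}:)?(?:{_PLAIN}|<[^<>]+>)")
# Metadata field names are underscore-prefixed identifiers (assumption).
_META_FIELD = re.compile(r"_[a-z][a-z0-9_]*")


def quote_source(name: str) -> str:
    """Return one FROM source in a form the command accepts.

    Allow-listed names are emitted bare. Anything else is wrapped in double
    quotes, or in triple double quotes when the name itself contains a
    double quote. Names that neither form can hold safely raise ValueError.
    """
    if not name:
        raise ValueError("empty source name")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        raise ValueError(f"control character in source name: {name!r}")
    if _BARE_SOURCE.fullmatch(name):
        return name
    if '"' not in name:
        return f'"{name}"'
    # Triple quotes can hold embedded double quotes, but a run of three
    # quotes, or a quote at either end, would terminate the literal early.
    if '"""' in name or name[0] == '"' or name[-1] == '"':
        raise ValueError(f"source name cannot be quoted safely: {name!r}")
    return f'"""{name}"""'


def build_from(sources, metadata=(), limit=1000) -> str:
    """Assemble `FROM a, b [METADATA f] | LIMIT n` from untrusted names."""
    sources = list(sources)
    if not sources:
        raise ValueError("FROM needs at least one source")
    if not isinstance(limit, int) or isinstance(limit, bool) or limit <= 0:
        raise ValueError("limit must be a positive integer")
    clause = "FROM " + ", ".join(quote_source(s) for s in sources)
    if metadata:
        bad = [f for f in metadata if not _META_FIELD.fullmatch(f)]
        if bad:
            raise ValueError(f"invalid metadata field(s): {bad}")
        clause += " METADATA " + ", ".join(metadata)
    # Always make the row cap explicit rather than relying on the implicit
    # LIMIT 1000 the engine adds to a query without one.
    return f"{clause}\n| LIMIT {limit}"


if __name__ == "__main__":
    # Constructed inputs: a plain name, the page's quoting example, a
    # remote-cluster wildcard and a date-math target, then a hostile string
    # that tries to close the quoted name and append its own commands.
    print(build_from(["employees", "this=that", "cluster_two:other-employees-*",
                      "<logs-{now/d}>"], metadata=["_id"], limit=500))
    try:
        build_from(['x" METADATA _id | WHERE 1==1 --"'])
    except ValueError as exc:
        print("rejected:", exc)
```

The helper treats every source name as data: bare output is only produced for names that match the allow-list, everything else is quoted, and names that would need a quote inside a double-quoted literal or that contain `"""` are refused rather than guessed at. Keeping the LIMIT explicit also means a reviewer reading the generated query sees the row cap instead of having to remember the implicit default.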