ES|QL functions and operators

Returns true if the input expression yields no non-null values.

Returns the average of a numeric field.

Returns the total number of input values.

Returns the approximate number of distinct values.

Returns the earliest value of a field sorted by timestamp.

Returns the earliest occurrence of a field based on a sort field.

Returns the latest occurrence of a field based on a sort field.

Returns the latest value of a field sorted by timestamp.

Returns the maximum value of a field.

Returns the median value of a numeric field.

Returns the median absolute deviation, a robust measure of variability.

Returns the minimum value of a field.

Returns the value at which a certain percentage of observed values occur.

Returns true if the input expression yields any non-null values.

Collects sample values for a field.

Computes y-axis values of a sparkline graph for an aggregation over time.

Calculates the spatial centroid over a field with geometry type.

Calculates the spatial extent bounding box over a field with geometry type.

Returns the population standard deviation of a numeric field.

Returns the sum of a numeric expression.

Collects the top values for a field, including repeated values.

Returns unique deduplicated values as a multivalued field.

Returns the population variance of a numeric field.

Returns the weighted average of a numeric expression.

Calculates the absence of a field over a time range.

Calculates the average over time of a numeric field.

Calculates the count over time value of a field.

Calculates the count of distinct values over time for a field.

Calculates the absolute change of a gauge field in a time window.

Calculates the derivative over time of a numeric field using linear regression.

Calculates the earliest value of a field over a time window.

Calculates the absolute change between the last two data points of a gauge.

Calculates the absolute increase of a counter field in a time window.

Calculates the per-second rate of increase between the last two data points.

Calculates the latest value of a field over a time window.

Calculates the maximum value of a field over a time window.

Calculates the minimum value of a field over a time window.

Calculates the percentile over time of a field.

Calculates the presence of a field over a time range.

Calculates the per-second average rate of increase of a counter.

Calculates the population standard deviation over time of a numeric field.

Calculates the sum over time value of a field.

Calculates the population variance over time of a numeric field.

Creates groups of values (buckets) from a datetime or numeric input.

Groups text messages into categories of similarly formatted text values.

Creates timestamp-based buckets aligned to calendar boundaries.

Returns the value for the first condition that evaluates to true.

Returns the first of its arguments that is not null.

Returns the maximum value from multiple columns.

Returns the minimum value from multiple columns.

Clamps values to a specified minimum and maximum range.

Clamps input values to a lower bound, raising any value below min to min.

Clamps input values to an upper bound, reducing any value above max to max.

Returns the difference between two timestamps in the specified unit.

Extracts parts of a date, like year, month, day, hour.

Returns a string representation of a date, in the provided format.

Parses a string into a date using the specified format.

Rounds down a date to the closest interval.

Returns the name of the weekday for a date.

Returns the month name for a date.

Returns current date and time.

Filters data for a given time range using the @timestamp attribute.

Returns true if the provided IP is contained in one of the provided CIDR blocks.

Truncates an IP to a given prefix length.

Returns the absolute value of a number.

Returns the arccosine of a number.

Returns the inverse hyperbolic cosine of a number.

Returns the arcsine of a number.

Returns the inverse hyperbolic sine of a number.

Returns the arctangent of a number.

Returns the two-argument arctangent of y and x coordinates.

Returns the inverse hyperbolic tangent of a number.

Returns the cube root of a number.

Rounds a number up to the nearest integer.

Combines the magnitude of one number with the sign of another.

Returns the cosine of an angle.

Returns the hyperbolic cosine of a number.

Returns the mathematical constant e.

Returns the value of e raised to the power of the given number.

Rounds a number down to the nearest integer.

Returns the hypotenuse of two numbers.

Returns the logarithm of a value to a base.

Returns the base-10 logarithm of a number.

Returns the mathematical constant pi.

Returns a value raised to the power of an exponent.

Rounds a number to the specified number of decimal places.

Rounds down to one of a list of fixed points.

Returns the result of multiplying a number by 2 raised to a scale factor.

Returns the sign of the given number.

Returns the sine of an angle.

Returns the hyperbolic sine of a number.

Returns the square root of a number.

Returns the tangent of an angle.

Returns the hyperbolic tangent of a number.

Returns the mathematical constant tau.

Calculates a relevance score that decays with distance from a target origin.

Performs a KQL query and returns true if it matches the row.

Performs a match query on the specified field.

Performs a match_phrase query on the specified field.

Performs a query string query and returns true if it matches the row.

Returns relevance scores for full text function expressions.

Extracts the best snippets for a query string from a text field.

• ST_DISTANCE

  Computes the distance between two points.

• ST_INTERSECTS

  Returns true if two geometries intersect.

• ST_DISJOINT

  Returns whether two geometries are disjoint, sharing no points in common.

• ST_CONTAINS

  Returns whether the first geometry contains the second geometry.

• ST_WITHIN

  Returns whether the first geometry is within the second geometry.

• ST_X

  Extracts the x coordinate from the supplied point.

• ST_Y

  Extracts the y coordinate from the supplied point.

• ST_NPOINTS

  Counts the number of points in the supplied geometry.

• ST_BUFFER

  Computes a buffer area around the input geometry at the specified distance.

• ST_SIMPLIFY

  Simplifies the input geometry using the Douglas-Peucker algorithm with a specified tolerance.

• ST_SIMPLIFYPRESERVETOPOLOGY

  Simplifies the input geometry using a topology-preserving Douglas-Peucker algorithm.

• ST_GEOMETRYTYPE

  Returns the geometry type of the supplied geometry as a string.

• ST_DIMENSION

  Returns the topological dimension of the supplied geometry.

• ST_ISEMPTY

  Returns true if the supplied geometry is empty.

Determines the minimum bounding box of the supplied geometry.

• ST_XMAX

  Extracts the maximum x coordinate from the supplied geometry.

• ST_XMIN

  Extracts the minimum x coordinate from the supplied geometry.

• ST_YMAX

  Extracts the maximum y coordinate from the supplied geometry.

• ST_YMIN

  Extracts the minimum y coordinate from the supplied geometry.

• ST_GEOTILE

  Calculates the geotile of the supplied geo_point at the specified precision.

• ST_GEOHEX

  Calculates the geohex (H3 cell-id) of the supplied geo_point at the specified precision.

• ST_GEOHASH

  Calculates the geohash of the supplied geo_point at the specified precision.

Returns the bit length of a string.

Returns the byte length of a string.

Splits a text field into smaller chunks.

Concatenates two or more strings.

Checks whether a keyword substring is contained within another string.

Checks whether a keyword string ends with another string.

Decodes a base64 string.

Computes the hash of the input using a specified algorithm.

Extracts a value from a JSON string using JSONPath syntax.

Returns a substring of the specified length from the left side of a string.

Returns the character length of a string.

Returns the position of a keyword substring within another string.

Removes leading whitespaces from a string.

Computes the MD5 hash of the input.

Returns a string repeated a specified number of times.

Replaces regular expression matches in a string with a replacement string.

Returns the input string in reverse order.

Returns a substring of the specified length from the right side of a string.

Removes trailing whitespaces from a string.

Computes the SHA1 hash of the input.

Computes the SHA256 hash of the input.

Returns a string made of the specified number of spaces.

Splits a single valued string into multiple strings.

Checks whether a keyword string starts with another string.

Returns a substring of a string, specified by a start position and an optional length.

Encodes a string to a base64 string.

Returns a new string converted to lower case.

Returns a new string converted to upper case.

Removes leading and trailing whitespaces from a string.

Decodes a URL-encoded string.

URL-encodes a string with spaces encoded as plus signs.

URL-encodes a string with spaces encoded as percent codes.

Converts a numeric value to an aggregate_metric_double.

Converts a value to a boolean.

Converts a value to a cartesian_point.

Converts a value to a cartesian_shape.

Converts a numeric value to its counter type equivalent.

Converts a value to a date_period.

Converts a value to a date.

Converts a value to a nanosecond-resolution date.

Converts a number in radians to degrees.

Converts numbers or a hexadecimal string to a dense_vector.

Converts a value to a double.

Converts histogram-like values to an exponential histogram.

Converts a counter value to its gauge numeric equivalent.

Converts a value to a geohash.

Converts a value to a geohex.

Converts a value to a geo_point.

Converts a value to a geo_shape.

Converts a value to a geotile.

Converts a value to an integer.

Converts a string to an IP value.

Converts a value to a long.

Converts a number in degrees to radians.

Converts a value to a string.

Converts an untyped histogram to a TDigest.

Converts a value to a time_duration.

Converts a value to an unsigned long.

Converts a string to a version value.

• EMBEDDING

  Generates dense vector embeddings from multimodal input using an inference endpoint.

• KNN

  Finds the k nearest vectors to a query vector using a similarity metric.

• TEXT_EMBEDDING

  Generates dense vector embeddings from text input using an inference endpoint.

• V_COSINE

  Calculates the cosine similarity between two dense_vectors.

• V_DOT_PRODUCT

  Calculates the dot product between two dense_vectors.

• V_HAMMING

  Calculates the Hamming distance between two dense vectors.

• V_L1_NORM

  Calculates the L1 norm (Manhattan distance) between two dense_vectors.

• V_L2_NORM

  Calculates the L2 norm (Euclidean distance) between two dense_vectors.