diff --git a/docs/redirects.yml b/docs/redirects.yml
new file mode 100644
index 0000000000000..b5ec8193dbb36
--- /dev/null
+++ b/docs/redirects.yml
@@ -0,0 +1,3 @@
+redirects:
+ 'reference/query-languages/esql/esql-functions-operators.md': '!reference/query-languages/esql/functions-operators/aggregation-functions.md'
+ 'reference/query-languages/esql/esql-commands.md': '!reference/query-languages/esql/commands/processing-commands.md'
\ No newline at end of file
diff --git a/docs/reference/query-languages/esql/_snippets/aggregation-functions.md b/docs/reference/query-languages/esql/_snippets/aggregation-functions.md
deleted file mode 100644
index ecc039d67a4f3..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/aggregation-functions.md
+++ /dev/null
@@ -1,53 +0,0 @@
-## {{esql}} aggregate functions [esql-agg-functions]
-
-
-The [`STATS`](/reference/query-languages/esql/esql-commands.md#esql-stats-by) command supports these aggregate functions:
-
-:::{include} lists/aggregation-functions.md
-:::
-
-:::{include} functions/layout/avg.md
-:::
-
-:::{include} functions/layout/count.md
-:::
-
-:::{include} functions/layout/count_distinct.md
-:::
-
-:::{include} functions/layout/max.md
-:::
-
-:::{include} functions/layout/median.md
-:::
-
-:::{include} functions/layout/median_absolute_deviation.md
-:::
-
-:::{include} functions/layout/min.md
-:::
-
-:::{include} functions/layout/percentile.md
-:::
-
-:::{include} functions/layout/st_centroid_agg.md
-:::
-
-:::{include} functions/layout/st_extent_agg.md
-:::
-
-:::{include} functions/layout/std_dev.md
-:::
-
-:::{include} functions/layout/sum.md
-:::
-
-:::{include} functions/layout/top.md
-:::
-
-:::{include} functions/layout/values.md
-:::
-
-:::{include} functions/layout/weighted_avg.md
-:::
-
diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/date.csv-spec/docsNowWhere.md b/docs/reference/query-languages/esql/_snippets/commands/examples/date.csv-spec/docsNowWhere.md new file mode 100644 index 0000000000000..82cdb3e9a9d20 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/date.csv-spec/docsNowWhere.md @@ -0,0 +1,6 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM sample_data +| WHERE @timestamp > NOW() - 1 hour +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/basicDissect.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/basicDissect.md new file mode 100644 index 0000000000000..af273df1abeb9 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/basicDissect.md @@ -0,0 +1,11 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1" +| DISSECT a """%{date} - %{msg} - %{ip}""" +| KEEP date, msg, ip +``` + +| date:keyword | msg:keyword | ip:keyword | +| --- | --- | --- | +| 2023-01-23T12:15:00.000Z | some text | 127.0.0.1 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/basicGrok.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/basicGrok.md new file mode 100644 index 0000000000000..0c2ecc1dae376 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/basicGrok.md 
@@ -0,0 +1,11 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42" +| GROK a """%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num}""" +| KEEP date, ip, email, num +``` + +| date:keyword | ip:keyword | email:keyword | num:keyword | +| --- | --- | --- | --- | +| 2023-01-23T12:15:00.000Z | 127.0.0.1 | some.email@foo.com | 42 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/dissectWithToDatetime.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/dissectWithToDatetime.md new file mode 100644 index 0000000000000..b18f11d054584 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/dissectWithToDatetime.md @@ -0,0 +1,12 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1" +| DISSECT a """%{date} - %{msg} - %{ip}""" +| KEEP date, msg, ip +| EVAL date = TO_DATETIME(date) +``` + +| msg:keyword | ip:keyword | date:date | +| --- | --- | --- | +| some text | 127.0.0.1 | 2023-01-23T12:15:00.000Z | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/grokWithConversionSuffix.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/grokWithConversionSuffix.md new file mode 100644 index 0000000000000..b8843b04081d5 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/grokWithConversionSuffix.md 
@@ -0,0 +1,11 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42" +| GROK a """%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num:int}""" +| KEEP date, ip, email, num +``` + +| date:keyword | ip:keyword | email:keyword | num:integer | +| --- | --- | --- | --- | +| 2023-01-23T12:15:00.000Z | 127.0.0.1 | some.email@foo.com | 42 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/grokWithDuplicateFieldNames.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/grokWithDuplicateFieldNames.md new file mode 100644 index 0000000000000..a79a0d27a641f --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/grokWithDuplicateFieldNames.md @@ -0,0 +1,13 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM addresses +| KEEP city.name, zip_code +| GROK zip_code """%{WORD:zip_parts} %{WORD:zip_parts}""" +``` + +| city.name:keyword | zip_code:keyword | zip_parts:keyword | +| --- | --- | --- | +| Amsterdam | 1016 ED | ["1016", "ED"] | +| San Francisco | CA 94108 | ["CA", "94108"] | +| Tokyo | 100-7014 | null | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/grokWithToDatetime.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/grokWithToDatetime.md new file mode 100644 index 0000000000000..954771b67f877 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/grokWithToDatetime.md 
@@ -0,0 +1,12 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42" +| GROK a """%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num:int}""" +| KEEP date, ip, email, num +| EVAL date = TO_DATETIME(date) +``` + +| ip:keyword | email:keyword | num:integer | date:date | +| --- | --- | --- | --- | +| 127.0.0.1 | some.email@foo.com | 42 | 2023-01-23T12:15:00.000Z | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keep.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keep.md new file mode 100644 index 0000000000000..548256fe86128 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keep.md @@ -0,0 +1,14 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP emp_no, first_name, last_name, height +``` + +| emp_no:integer | first_name:keyword | last_name:keyword | height:double | +| --- | --- | --- | --- | +| 10001 | Georgi | Facello | 2.03 | +| 10002 | Bezalel | Simmel | 2.08 | +| 10003 | Parto | Bamford | 1.83 | +| 10004 | Chirstian | Koblick | 1.78 | +| 10005 | Kyoichi | Maliniak | 2.05 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepCompleteName.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepCompleteName.md new file mode 100644 index 0000000000000..d9b345dae6091 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepCompleteName.md 
@@ -0,0 +1,9 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name, first_name* +``` + +| first_name:keyword | last_name:keyword | +| --- | --- | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepDoubleWildcard.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepDoubleWildcard.md new file mode 100644 index 0000000000000..4fa9070e43528 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepDoubleWildcard.md @@ -0,0 +1,9 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP h*, * +``` + +| height:double | height.float:double | height.half_float:double | height.scaled_float:double | hire_date:date | avg_worked_seconds:long | birth_date:date | emp_no:integer | first_name:keyword | gender:keyword | is_rehired:boolean | job_positions:keyword | languages:integer | languages.byte:integer | languages.long:long | languages.short:integer | last_name:keyword | salary:integer | salary_change:double | salary_change.int:integer | salary_change.keyword:keyword | salary_change.long:long | still_hired:boolean | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepWildcard.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepWildcard.md new file mode 100644 index 0000000000000..f8d92bcf028ba --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepWildcard.md 
@@ -0,0 +1,9 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP h* +``` + +| height:double | height.float:double | height.half_float:double | height.scaled_float:double | hire_date:date | +| --- | --- | --- | --- | --- | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepWildcardLowest.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepWildcardLowest.md new file mode 100644 index 0000000000000..8bc195bd1b81a --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepWildcardLowest.md @@ -0,0 +1,9 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP *, first_name +``` + +| avg_worked_seconds:long | birth_date:date | emp_no:integer | gender:keyword | height:double | height.float:double | height.half_float:double | height.scaled_float:double | hire_date:date | is_rehired:boolean | job_positions:keyword | languages:integer | languages.byte:integer | languages.long:long | languages.short:integer | last_name:keyword | salary:integer | salary_change:double | salary_change.int:integer | salary_change.keyword:keyword | salary_change.long:long | still_hired:boolean | first_name:keyword | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepWildcardPrecedence.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepWildcardPrecedence.md new file mode 100644 index 0000000000000..bdc6b304f00f0 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/keepWildcardPrecedence.md 
@@ -0,0 +1,9 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name*, last_name, first_na* +``` + +| last_name:keyword | first_name:keyword | +| --- | --- | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/rename.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/rename.md new file mode 100644 index 0000000000000..8b3764a202f41 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/rename.md @@ -0,0 +1,7 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name, still_hired +| RENAME still_hired AS employed +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/renameMultipleColumns.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/renameMultipleColumns.md new file mode 100644 index 0000000000000..a8f6a02e1d26c --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/renameMultipleColumns.md @@ -0,0 +1,7 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name +| RENAME first_name AS fn, last_name AS ln +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/renameMultipleColumnsDifferentCommands.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/renameMultipleColumnsDifferentCommands.md new file mode 100644 index 0000000000000..183182fa965c5 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/renameMultipleColumnsDifferentCommands.md 
@@ -0,0 +1,8 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name +| RENAME first_name AS fn +| RENAME last_name AS ln +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sort.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sort.md new file mode 100644 index 0000000000000..926bd16d3e72a --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sort.md @@ -0,0 +1,7 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name, height +| SORT height +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sortDesc.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sortDesc.md new file mode 100644 index 0000000000000..5468703837a59 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sortDesc.md @@ -0,0 +1,7 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name, height +| SORT height DESC +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sortNullsFirst.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sortNullsFirst.md new file mode 100644 index 0000000000000..73c7788ee69ce --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sortNullsFirst.md 
@@ -0,0 +1,7 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name, height +| SORT first_name ASC NULLS FIRST +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sortTie.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sortTie.md new file mode 100644 index 0000000000000..cce714a41e71f --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/sortTie.md @@ -0,0 +1,7 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name, height +| SORT height DESC, first_name ASC +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/where.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/where.md new file mode 100644 index 0000000000000..6043a1b3ad2c1 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/where.md @@ -0,0 +1,7 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name, still_hired +| WHERE still_hired == true +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/whereBoolean.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/whereBoolean.md new file mode 100644 index 0000000000000..6ca2fcbc904e0 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/whereBoolean.md 
@@ -0,0 +1,7 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name, still_hired +| WHERE still_hired +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/whereFunction.md b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/whereFunction.md new file mode 100644 index 0000000000000..7a5835623a14d --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/docs.csv-spec/whereFunction.md @@ -0,0 +1,7 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| KEEP first_name, last_name, height +| WHERE LENGTH(first_name) < 4 +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/drop.csv-spec/height.md b/docs/reference/query-languages/esql/_snippets/commands/examples/drop.csv-spec/height.md new file mode 100644 index 0000000000000..14641b4c054fd --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/drop.csv-spec/height.md @@ -0,0 +1,6 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| DROP height +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/drop.csv-spec/heightWithWildcard.md b/docs/reference/query-languages/esql/_snippets/commands/examples/drop.csv-spec/heightWithWildcard.md new file mode 100644 index 0000000000000..db94532ba9305 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/drop.csv-spec/heightWithWildcard.md @@ -0,0 +1,6 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| DROP height* +``` 
diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich.md b/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich.md new file mode 100644 index 0000000000000..9af8cab8edb2c --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich.md @@ -0,0 +1,10 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW language_code = "1" +| ENRICH languages_policy +``` + +| language_code:keyword | language_name:keyword | +| --- | --- | +| 1 | English | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich_on.md b/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich_on.md new file mode 100644 index 0000000000000..5ae47a361f882 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich_on.md @@ -0,0 +1,10 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = "1" +| ENRICH languages_policy ON a +``` + +| a:keyword | language_name:keyword | +| --- | --- | +| 1 | English | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich_rename.md b/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich_rename.md new file mode 100644 index 0000000000000..1fb08cd6e24f4 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich_rename.md @@ -0,0 +1,10 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = "1" +| ENRICH languages_policy ON a WITH name = language_name +``` + +| a:keyword | name:keyword | +| --- | --- | +| 1 | English | 
diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich_with.md b/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich_with.md new file mode 100644 index 0000000000000..53828e210ee79 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/enrich.csv-spec/enrich_with.md @@ -0,0 +1,10 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = "1" +| ENRICH languages_policy ON a WITH language_name +``` + +| a:keyword | language_name:keyword | +| --- | --- | +| 1 | English | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/eval.md b/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/eval.md new file mode 100644 index 0000000000000..6423723d36683 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/eval.md @@ -0,0 +1,14 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| SORT emp_no +| KEEP first_name, last_name, height +| EVAL height_feet = height * 3.281, height_cm = height * 100 +``` + +| first_name:keyword | last_name:keyword | height:double | height_feet:double | height_cm:double | +| --- | --- | --- | --- | --- | +| Georgi | Facello | 2.03 | 6.66043 | 202.99999999999997 | +| Bezalel | Simmel | 2.08 | 6.82448 | 208.0 | +| Parto | Bamford | 1.83 | 6.004230000000001 | 183.0 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/evalReplace.md b/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/evalReplace.md new file mode 100644 index 0000000000000..f9488edad3d13 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/evalReplace.md 
@@ -0,0 +1,14 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| SORT emp_no +| KEEP first_name, last_name, height +| EVAL height = height * 3.281 +``` + +| first_name:keyword | last_name:keyword | height:double | +| --- | --- | --- | +| Georgi | Facello | 6.66043 | +| Bezalel | Simmel | 6.82448 | +| Parto | Bamford | 6.004230000000001 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/evalUnnamedColumn.md b/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/evalUnnamedColumn.md new file mode 100644 index 0000000000000..a35920b080ed1 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/evalUnnamedColumn.md @@ -0,0 +1,14 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| SORT emp_no +| KEEP first_name, last_name, height +| EVAL height * 3.281 +``` + +| first_name:keyword | last_name:keyword | height:double | height * 3.281:double | +| --- | --- | --- | --- | +| Georgi | Facello | 2.03 | 6.66043 | +| Bezalel | Simmel | 2.08 | 6.82448 | +| Parto | Bamford | 1.83 | 6.004230000000001 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/evalUnnamedColumnStats.md b/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/evalUnnamedColumnStats.md new file mode 100644 index 0000000000000..00f0cada4ec7a --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/eval.csv-spec/evalUnnamedColumnStats.md 
@@ -0,0 +1,11 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| EVAL height * 3.281 +| STATS avg_height_feet = AVG(`height * 3.281`) +``` + +| avg_height_feet:double | +| --- | +| 5.801464200000001 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/limit.csv-spec/basic.md b/docs/reference/query-languages/esql/_snippets/commands/examples/limit.csv-spec/basic.md new file mode 100644 index 0000000000000..ecb59d442b45d --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/limit.csv-spec/basic.md @@ -0,0 +1,7 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| SORT emp_no ASC +| LIMIT 5 +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/mv_expand.csv-spec/simple.md b/docs/reference/query-languages/esql/_snippets/commands/examples/mv_expand.csv-spec/simple.md new file mode 100644 index 0000000000000..a6378c1c772d8 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/mv_expand.csv-spec/simple.md @@ -0,0 +1,12 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a=[1,2,3], b="b", j=["a","b"] +| MV_EXPAND a +``` + +| a:integer | b:keyword | j:keyword | +| --- | --- | --- | +| 1 | b | ["a", "b"] | +| 2 | b | ["a", "b"] | +| 3 | b | ["a", "b"] | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/row.csv-spec/example.md b/docs/reference/query-languages/esql/_snippets/commands/examples/row.csv-spec/example.md new file mode 100644 index 0000000000000..6cd643b6f6991 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/row.csv-spec/example.md 
@@ -0,0 +1,9 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = 1, b = "two", c = null +``` + +| a:integer | b:keyword | c:null | +| --- | --- | --- | +| 1 | "two" | null | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/row.csv-spec/function.md b/docs/reference/query-languages/esql/_snippets/commands/examples/row.csv-spec/function.md new file mode 100644 index 0000000000000..5b80c6162fa3a --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/row.csv-spec/function.md @@ -0,0 +1,5 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = ROUND(1.23, 0) +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/row.csv-spec/multivalue.md b/docs/reference/query-languages/esql/_snippets/commands/examples/row.csv-spec/multivalue.md new file mode 100644 index 0000000000000..0a96b4be7c55d --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/row.csv-spec/multivalue.md @@ -0,0 +1,5 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW a = [2, 1] +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/aggFiltering.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/aggFiltering.md new file mode 100644 index 0000000000000..7cd23ad8edcb8 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/aggFiltering.md 
@@ -0,0 +1,14 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| STATS avg50s = AVG(salary)::LONG WHERE birth_date < "1960-01-01", + avg60s = AVG(salary)::LONG WHERE birth_date >= "1960-01-01" + BY gender +| SORT gender +``` + +| avg50s:long | avg60s:long | gender:keyword | +| --- | --- | --- | +| 55462 | 46637 | F | +| 48279 | 44879 | M | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/aggFilteringNoGroup.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/aggFilteringNoGroup.md new file mode 100644 index 0000000000000..5f88fdcda30ba --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/aggFilteringNoGroup.md @@ -0,0 +1,14 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| EVAL Ks = salary / 1000 // thousands +| STATS under_40K = COUNT(*) WHERE Ks < 40, + inbetween = COUNT(*) WHERE 40 <= Ks AND Ks < 60, + over_60K = COUNT(*) WHERE 60 <= Ks, + total = COUNT(*) +``` + +| under_40K:long | inbetween:long | over_60K:long | total:long | +| --- | --- | --- | --- | +| 36 | 39 | 25 | 100 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/docsStatsAvgNestedExpression.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/docsStatsAvgNestedExpression.md new file mode 100644 index 0000000000000..71a27d47c1ecc --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/docsStatsAvgNestedExpression.md 
@@ -0,0 +1,10 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| STATS avg_salary_change = ROUND(AVG(MV_AVG(salary_change)), 10) +``` + +| avg_salary_change:double | +| --- | +| 1.3904535865 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/docsStatsByExpression.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/docsStatsByExpression.md new file mode 100644 index 0000000000000..6009dc585e30e --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/docsStatsByExpression.md @@ -0,0 +1,30 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| STATS my_count = COUNT() BY LEFT(last_name, 1) +| SORT `LEFT(last_name, 1)` +``` + +| my_count:long | LEFT(last_name, 1):keyword | +| --- | --- | +| 2 | A | +| 11 | B | +| 5 | C | +| 5 | D | +| 2 | E | +| 4 | F | +| 4 | G | +| 6 | H | +| 2 | J | +| 3 | K | +| 5 | L | +| 12 | M | +| 4 | N | +| 1 | O | +| 7 | P | +| 5 | R | +| 13 | S | +| 4 | T | +| 2 | W | +| 3 | Z | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/multi-mv-group.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/multi-mv-group.md new file mode 100644 index 0000000000000..0fdb1445dd4f2 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/multi-mv-group.md @@ -0,0 +1,12 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW i=1, a=["a", "b"], b=[2, 3] | STATS MIN(i) BY a, b | SORT a ASC, b ASC +``` + +| MIN(i):integer | a:keyword | b:integer | +| --- | --- | --- | +| 1 | a | 2 | +| 1 | a | 3 | +| 1 | b | 2 | +| 1 | b | 3 | 
diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/mv-group.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/mv-group.md new file mode 100644 index 0000000000000..bd198da5845e3 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/mv-group.md @@ -0,0 +1,10 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +ROW i=1, a=["a", "b"] | STATS MIN(i) BY a | SORT a ASC +``` + +| MIN(i):integer | a:keyword | +| --- | --- | +| 1 | a | +| 1 | b | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/stats.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/stats.md new file mode 100644 index 0000000000000..499c3b411d748 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/stats.md @@ -0,0 +1,16 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| STATS count = COUNT(emp_no) BY languages +| SORT languages +``` + +| count:long | languages:integer | +| --- | --- | +| 15 | 1 | +| 19 | 2 | +| 17 | 3 | +| 18 | 4 | +| 21 | 5 | +| 10 | null | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsCalcMultipleValues.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsCalcMultipleValues.md new file mode 100644 index 0000000000000..5baa2d58fb8af --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsCalcMultipleValues.md 
@@ -0,0 +1,10 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| STATS avg_lang = AVG(languages), max_lang = MAX(languages) +``` + +| avg_lang:double | max_lang:integer | +| --- | --- | +| 3.1222222222222222 | 5 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsGroupByMultipleValues.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsGroupByMultipleValues.md new file mode 100644 index 0000000000000..da8ae402ff336 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsGroupByMultipleValues.md @@ -0,0 +1,9 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| EVAL hired = DATE_FORMAT("yyyy", hire_date) +| STATS avg_salary = AVG(salary) BY hired, languages.long +| EVAL avg_salary = ROUND(avg_salary) +| SORT hired, languages.long +``` diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsUnnamedColumn.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsUnnamedColumn.md new file mode 100644 index 0000000000000..f007196b2bcc5 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsUnnamedColumn.md @@ -0,0 +1,10 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| STATS AVG(salary) +``` + +| AVG(salary):double | +| --- | +| 48248.55 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsUnnamedColumnEval.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsUnnamedColumnEval.md new file mode 100644 index 0000000000000..70bfb6e84cc9c --- /dev/null 
+++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsUnnamedColumnEval.md @@ -0,0 +1,11 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| STATS AVG(salary) +| EVAL avg_salary_rounded = ROUND(`AVG(salary)`) +``` + +| AVG(salary):double | avg_salary_rounded:double | +| --- | --- | +| 48248.55 | 48249.0 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsWithoutBy.md b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsWithoutBy.md new file mode 100644 index 0000000000000..da970b1299a20 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/examples/stats.csv-spec/statsWithoutBy.md @@ -0,0 +1,10 @@ +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. + +```esql +FROM employees +| STATS avg_lang = AVG(languages) +``` + +| avg_lang:double | +| --- | +| 3.1222222222222222 | diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/dissect.md b/docs/reference/query-languages/esql/_snippets/commands/layout/dissect.md new file mode 100644 index 0000000000000..79dd91b9f1800 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/commands/layout/dissect.md 
@@ -0,0 +1,44 @@
+## `DISSECT` [esql-dissect]
+
+`DISSECT` enables you to [extract structured data out of a string](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md).
+
+**Syntax**
+
+```esql
+DISSECT input "pattern" [APPEND_SEPARATOR=""]
+```
+
+**Parameters**
+
+`input`
+: The column that contains the string you want to structure. If the column has
+multiple values, `DISSECT` will process each value.
+
+`pattern`
+: A [dissect pattern](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-dissect-patterns).
+ If a field name conflicts with an existing column, the existing column is dropped.
+ If a field name is used more than once, only the rightmost duplicate creates a column.
+
+``
+: A string used as the separator between appended values, when using the [append modifier](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-append-modifier).
+
+**Description**
+
+`DISSECT` enables you to [extract structured data out of a string](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md).
+`DISSECT` matches the string against a delimiter-based pattern, and extracts the specified keys as columns.
+
+Refer to [Process data with `DISSECT`](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-process-data-with-dissect) for the syntax of dissect patterns.
+
+**Examples**
+
+The following example parses a string that contains a timestamp, some text, and
+an IP address:
+
+:::{include} ../examples/docs.csv-spec/basicDissect.md
+:::
+
+By default, `DISSECT` outputs keyword string columns. To convert to another
+type, use [Type conversion functions](/reference/query-languages/esql/functions-operators/type-conversion-functions.md):
+
+:::{include} ../examples/docs.csv-spec/dissectWithToDatetime.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/drop.md b/docs/reference/query-languages/esql/_snippets/commands/layout/drop.md
new file mode 100644
index 0000000000000..4f383d4f0f237
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/drop.md
@@ -0,0 +1,24 @@
+## `DROP` [esql-drop]
+
+The `DROP` processing command removes one or more columns.
+
+**Syntax**
+
+```esql
+DROP columns
+```
+
+**Parameters**
+
+`columns`
+: A comma-separated list of columns to remove. Supports wildcards.
+
+**Examples**
+
+:::{include} ../examples/drop.csv-spec/height.md
+:::
+Rather than specify each column by name, you can use wildcards to drop all
+columns with a name that matches a pattern:
+
+:::{include} ../examples/drop.csv-spec/heightWithWildcard.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/enrich.md b/docs/reference/query-languages/esql/_snippets/commands/layout/enrich.md
new file mode 100644
index 0000000000000..f33491d447482
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/enrich.md
@@ -0,0 +1,91 @@
+## `ENRICH` [esql-enrich]
+
+`ENRICH` enables you to add data from existing indices as new columns using an
+enrich policy.
+
+**Syntax**
+
+```esql
+ENRICH policy [ON match_field] [WITH [new_name1 = ]field1, [new_name2 = ]field2, ...]
+```
+
+**Parameters**
+
+`policy`
+: The name of the enrich policy.
+ You need to [create](/reference/query-languages/esql/esql-enrich-data.md#esql-set-up-enrich-policy)
+ and [execute](/reference/query-languages/esql/esql-enrich-data.md#esql-execute-enrich-policy)
+ the enrich policy first.
+
+`mode`
+: The mode of the enrich command in cross cluster {{esql}}.
+ See [enrich across clusters](docs-content://explore-analyze/query-filter/languages/esql-cross-clusters.md#ccq-enrich).
+
+`match_field`
+: The match field. `ENRICH` uses its value to look for records in the enrich
+ index. If not specified, the match will be performed on the column with the same
+ name as the `match_field` defined in the [enrich policy](/reference/query-languages/esql/esql-enrich-data.md#esql-enrich-policy).
+
+`fieldX`
+: The enrich fields from the enrich index that are added to the result as new
+ columns. If a column with the same name as the enrich field already exists, the
+ existing column will be replaced by the new column. If not specified, each of
+ the enrich fields defined in the policy is added.
+ A column with the same name as the enrich field will be dropped unless the
+ enrich field is renamed.
+
+`new_nameX`
+: Enables you to change the name of the column that’s added for each of the enrich
+ fields. Defaults to the enrich field name.
+ If a column has the same name as the new name, it will be discarded.
+ If a name (new or original) occurs more than once, only the rightmost duplicate
+ creates a new column.
+
+**Description**
+
+`ENRICH` enables you to add data from existing indices as new columns using an
+enrich policy.
Refer to [Data enrichment](/reference/query-languages/esql/esql-enrich-data.md)
+for information about setting up a policy.
+
+:::{image} /reference/query-languages/images/esql-enrich.png
+:alt: esql enrich
+:::
+
+::::{tip}
+Before you can use `ENRICH`, you need to [create and execute an enrich policy](/reference/query-languages/esql/esql-enrich-data.md#esql-set-up-enrich-policy).
+::::
+
+
+**Examples**
+
+The following example uses the `languages_policy` enrich policy to add a new
+column for each enrich field defined in the policy. The match is performed using
+the `match_field` defined in the [enrich policy](/reference/query-languages/esql/esql-enrich-data.md#esql-enrich-policy) and
+requires that the input table has a column with the same name (`language_code`
+in this example). `ENRICH` will look for records in th
+[enrich index](/reference/query-languages/esql/esql-enrich-data.md#esql-enrich-index)
+based on the match field value.
+
+:::{include} ../examples/enrich.csv-spec/enrich.md
+:::
+
+To use a column with a different name than the `match_field` defined in the
+policy as the match field, use `ON `:
+
+:::{include} ../examples/enrich.csv-spec/enrich_on.md
+:::
+
+By default, each of the enrich fields defined in the policy is added as a
+column. To explicitly select the enrich fields that are added, use
+`WITH , , ...`:
+
+:::{include} ../examples/enrich.csv-spec/enrich_with.md
+:::
+
+You can rename the columns that are added using `WITH new_name=`:
+
+:::{include} ../examples/enrich.csv-spec/enrich_rename.md
+:::
+
+In case of name collisions, the newly created columns will override existing
+columns.
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/eval.md b/docs/reference/query-languages/esql/_snippets/commands/layout/eval.md
new file mode 100644
index 0000000000000..cd10448444ebd
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/eval.md
@@ -0,0 +1,53 @@
+## `EVAL` [esql-eval]
+
+The `EVAL` processing command enables you to append new columns with calculated
+values.
+
+**Syntax**
+
+```esql
+EVAL [column1 =] value1[, ..., [columnN =] valueN]
+```
+
+**Parameters**
+
+`columnX`
+: The column name.
+ If a column with the same name already exists, the existing column is dropped.
+ If a column name is used more than once, only the rightmost duplicate creates a column.
+
+`valueX`
+: The value for the column. Can be a literal, an expression, or a
+ [function](/reference/query-languages/esql/esql-functions-operators.md#esql-functions).
+ Can use columns defined left of this one.
+
+**Description**
+
+The `EVAL` processing command enables you to append new columns with calculated
+values. `EVAL` supports various functions for calculating values. Refer to
+[Functions](/reference/query-languages/esql/esql-functions-operators.md#esql-functions) for more information.
+
+**Examples**
+
+:::{include} ../examples/eval.csv-spec/eval.md
+:::
+
+If the specified column already exists, the existing column will be dropped, and
+the new column will be appended to the table:
+
+:::{include} ../examples/eval.csv-spec/evalReplace.md
+:::
+
+Specifying the output column name is optional. If not specified, the new column
+name is equal to the expression. The following query adds a column named
+`height*3.281`:
+
+:::{include} ../examples/eval.csv-spec/evalUnnamedColumn.md
+:::
+
+Because this name contains special characters,
+[it needs to be quoted](/reference/query-languages/esql/esql-syntax.md#esql-identifiers)
+with backticks (```) when using it in subsequent commands:
+
+:::{include} ../examples/eval.csv-spec/evalUnnamedColumnStats.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/from.md b/docs/reference/query-languages/esql/_snippets/commands/layout/from.md
new file mode 100644
index 0000000000000..45dce9136a029
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/from.md 
@@ -0,0 +1,84 @@
+## `FROM` [esql-from]
+
+The `FROM` source command returns a table with data from a data stream, index,
+or alias.
+
+**Syntax**
+
+```esql
+FROM index_pattern [METADATA fields]
+```
+
+**Parameters**
+
+`index_pattern`
+: A list of indices, data streams or aliases. Supports wildcards and date math.
+
+`fields`
+: A comma-separated list of [metadata fields](/reference/query-languages/esql/esql-metadata-fields.md) to retrieve.
+
+**Description**
+
+The `FROM` source command returns a table with data from a data stream, index,
+or alias. Each row in the resulting table represents a document. Each column
+corresponds to a field, and can be accessed by the name of that field.
+
+::::{note}
+By default, an {{esql}} query without an explicit [`LIMIT`](#esql-limit) uses an implicit
+limit of 1000. This applies to `FROM` too. A `FROM` command without `LIMIT`:
+
+```esql
+FROM employees
+```
+
+is executed as:
+
+```esql
+FROM employees
+| LIMIT 1000
+```
+
+::::
+
+
+**Examples**
+
+```esql
+FROM employees
+```
+
+You can use [date math](/reference/elasticsearch/rest-apis/api-conventions.md#api-date-math-index-names) to refer to indices, aliases
+and data streams.
This can be useful for time series data, for example to access
+today’s index:
+
+```esql
+FROM
+```
+
+Use comma-separated lists or wildcards to
+[query multiple data streams, indices, or aliases](docs-content://explore-analyze/query-filter/languages/esql-multi-index.md):
+
+```esql
+FROM employees-00001,other-employees-*
+```
+
+Use the format `:` to
+[query data streams and indices on remote clusters](docs-content://explore-analyze/query-filter/languages/esql-cross-clusters.md):
+
+```esql
+FROM cluster_one:employees-00001,cluster_two:other-employees-*
+```
+
+Use the optional `METADATA` directive to enable
+[metadata fields](/reference/query-languages/esql/esql-metadata-fields.md):
+
+```esql
+FROM employees METADATA _id
+```
+
+Use enclosing double quotes (`"`) or three enclosing double quotes (`"""`) to escape index names
+that contain special characters:
+
+```esql
+FROM "this=that", """this[that"""
+```
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/grok.md b/docs/reference/query-languages/esql/_snippets/commands/layout/grok.md
new file mode 100644
index 0000000000000..6397eea898469
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/grok.md
@@ -0,0 +1,53 @@
+## `GROK` [esql-grok]
+
+`GROK` enables you to [extract structured data out of a string](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md).
+
+**Syntax**
+
+```esql
+GROK input "pattern"
+```
+
+**Parameters**
+
+`input`
+: The column that contains the string you want to structure. If the column has
+ multiple values, `GROK` will process each value.
+
+`pattern`
+: A grok pattern. If a field name conflicts with an existing column, the existing column is discarded.
+ If a field name is used more than once, a multi-valued column will be created with one value
+ per each occurrence of the field name.
+
+**Description**
+
+`GROK` enables you to [extract structured data out of a string](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md).
+`GROK` matches the string against patterns, based on regular expressions,
+and extracts the specified patterns as columns.
+
+Refer to [Process data with `GROK`](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-process-data-with-grok) for the syntax of grok patterns.
+
+**Examples**
+
+The following example parses a string that contains a timestamp, an IP address,
+an email address, and a number:
+
+:::{include} ../examples/docs.csv-spec/basicGrok.md
+:::
+
+By default, `GROK` outputs keyword string columns. `int` and `float` types can
+be converted by appending `:type` to the semantics in the pattern. For example
+`{NUMBER:num:int}`:
+
+:::{include} ../examples/docs.csv-spec/grokWithConversionSuffix.md
+:::
+
+For other type conversions, use [Type conversion functions](/reference/query-languages/esql/functions-operators/type-conversion-functions.md):
+
+:::{include} ../examples/docs.csv-spec/grokWithToDatetime.md
+:::
+
+If a field name is used more than once, `GROK` creates a multi-valued column:
+
+:::{include} ../examples/docs.csv-spec/grokWithDuplicateFieldNames.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/keep.md b/docs/reference/query-languages/esql/_snippets/commands/layout/keep.md
new file mode 100644
index 0000000000000..3f2a357d037eb
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/keep.md
@@ -0,0 +1,73 @@
+## `KEEP` [esql-keep]
+
+The `KEEP` processing command enables you to specify what columns are returned
+and the order in which they are returned.
+
+**Syntax**
+
+```esql
+KEEP columns
+```
+
+**Parameters**
+
+`columns`
+: A comma-separated list of columns to keep. Supports wildcards.
+ See below for the behavior in case an existing column matches multiple
+ given wildcards or column names.
+
+**Description**
+
+The `KEEP` processing command enables you to specify what columns are returned
+and the order in which they are returned.
+
+Precedence rules are applied when a field name matches multiple expressions.
+Fields are added in the order they appear. If one field matches multiple expressions, the following precedence rules apply (from highest to lowest priority):
+
+1. Complete field name (no wildcards)
+2. Partial wildcard expressions (for example: `fieldNam*`)
+3. Wildcard only (`*`)
+
+If a field matches two expressions with the same precedence, the rightmost expression wins.
+
+Refer to the examples for illustrations of these precedence rules.
+
+**Examples**
+
+The columns are returned in the specified order:
+
+:::{include} ../examples/docs.csv-spec/keep.md
+:::
+
+Rather than specify each column by name, you can use wildcards to return all
+columns with a name that matches a pattern:
+
+:::{include} ../examples/docs.csv-spec/keepWildcard.md
+:::
+
+The asterisk wildcard (`*`) by itself translates to all columns that do not
+match the other arguments.
+
+This query will first return all columns with a name
+that starts with `h`, followed by all other columns:
+
+:::{include} ../examples/docs.csv-spec/keepDoubleWildcard.md
+:::
+
+The following examples show how precedence rules work when a field name matches multiple expressions.
+
+Complete field name has precedence over wildcard expressions:
+
+:::{include} ../examples/docs.csv-spec/keepCompleteName.md
+:::
+
+Wildcard expressions have the same priority, but last one wins (despite being less specific):
+
+:::{include} ../examples/docs.csv-spec/keepWildcardPrecedence.md
+:::
+
+A simple wildcard expression `*` has the lowest precedence.
+Output order is determined by the other arguments:
+
+:::{include} ../examples/docs.csv-spec/keepWildcardLowest.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/limit.md b/docs/reference/query-languages/esql/_snippets/commands/layout/limit.md
new file mode 100644
index 0000000000000..9bc8d0d86c096
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/limit.md
@@ -0,0 +1,27 @@
+## `LIMIT` [esql-limit]
+
+The `LIMIT` processing command enables you to limit the number of rows that are
+returned.
+
+**Syntax**
+
+```esql
+LIMIT max_number_of_rows
+```
+
+**Parameters**
+
+`max_number_of_rows`
+: The maximum number of rows to return.
+
+**Description**
+
+The `LIMIT` processing command enables you to limit the number of rows that are
+returned.
+:::{include} ../../common/result-set-size-limitation.md
+:::
+
+**Example**
+
+:::{include} ../examples/limit.csv-spec/basic.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/lookup-join.md b/docs/reference/query-languages/esql/_snippets/commands/layout/lookup-join.md
new file mode 100644
index 0000000000000..94d879770ba8f
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/lookup-join.md
@@ -0,0 +1,104 @@
+## `LOOKUP JOIN` [esql-lookup-join]
+
+::::{warning}
+This functionality is in technical preview and may be
+changed or removed in a future release. Elastic will work to fix any
+issues, but features in technical preview are not subject to the support
+SLA of official GA features.
+::::
+
+`LOOKUP JOIN` enables you to add data from another index, AKA a 'lookup'
+index, to your {{esql}} query results, simplifying data enrichment
+and analysis workflows.
+
+**Syntax**
+
+```esql
+FROM
+| LOOKUP JOIN ON
+```
+
+**Parameters**
+
+``
+: The name of the lookup index. This must be a specific index name - wildcards, aliases, and remote cluster
+ references are not supported.
+
+``
+: The field to join on. This field must exist
+ in both your current query results and in the lookup index. If the field
+ contains multi-valued entries, those entries will not match anything
+ (the added fields will contain `null` for those rows).
+
+**Description**
+
+The `LOOKUP JOIN` command adds new columns to your {esql} query
+results table by finding documents in a lookup index that share the same
+join field value as your result rows.
+
+For each row in your results table that matches a document in the lookup
+index based on the join field, all fields from the matching document are
+added as new columns to that row.
+
+If multiple documents in the lookup index match a single row in your
+results, the output will contain one row for each matching combination.
+
+**Examples**
+
+::::{tip}
+In case of name collisions, the newly created columns will override existing columns.
+::::
+
+**IP Threat correlation**: This query would allow you to see if any source
+IPs match known malicious addresses.
+
+```esql
+FROM firewall_logs
+| LOOKUP JOIN threat_list ON source.IP
+```
+
+To filter only for those rows that have a matching `threat_list` entry, use `WHERE ...
IS NOT NULL` with a field from the lookup index:
+
+```esql
+FROM firewall_logs
+| LOOKUP JOIN threat_list ON source.IP
+| WHERE threat_level IS NOT NULL
+```
+
+**Host metadata correlation**: This query pulls in environment or
+ownership details for each host to correlate with your metrics data.
+
+```esql
+FROM system_metrics
+| LOOKUP JOIN host_inventory ON host.name
+| LOOKUP JOIN employees ON host.name
+```
+
+**Service ownership mapping**: This query would show logs with the owning
+team or escalation information for faster triage and incident response.
+
+```esql
+FROM app_logs
+| LOOKUP JOIN service_owners ON service_id
+```
+
+`LOOKUP JOIN` is generally faster when there are fewer rows to join
+with. {{esql}} will try and perform any `WHERE` clause before the
+`LOOKUP JOIN` where possible.
+
+The two following examples will have the same results. The two examples
+have the `WHERE` clause before and after the `LOOKUP JOIN`. It does not
+matter how you write your query, our optimizer will move the filter
+before the lookup when possible.
+
+```esql
+FROM Left
+| WHERE Language IS NOT NULL
+| LOOKUP JOIN Right ON Key
+```
+
+```esql
+FROM Left
+| LOOKUP JOIN Right ON Key
+| WHERE Language IS NOT NULL
+```
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/mv_expand.md b/docs/reference/query-languages/esql/_snippets/commands/layout/mv_expand.md
new file mode 100644
index 0000000000000..9812a7d0c2335
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/mv_expand.md
@@ -0,0 +1,28 @@
+## `MV_EXPAND` [esql-mv_expand]
+
+::::{warning}
+This functionality is in technical preview and may be
+changed or removed in a future release. Elastic will work to fix any
+issues, but features in technical preview are not subject to the support
+SLA of official GA features.
+::::
+
+
+The `MV_EXPAND` processing command expands multivalued columns into one row per
+value, duplicating other columns.
+
+**Syntax**
+
+```esql
+MV_EXPAND column
+```
+
+**Parameters**
+
+`column`
+: The multivalued column to expand.
+
+**Example**
+
+:::{include} ../examples/mv_expand.csv-spec/simple.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/rename.md b/docs/reference/query-languages/esql/_snippets/commands/layout/rename.md
new file mode 100644
index 0000000000000..a6aaf3ca93b27
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/rename.md
@@ -0,0 +1,41 @@
+## `RENAME` [esql-rename]
+
+The `RENAME` processing command renames one or more columns.
+
+**Syntax**
+
+```esql
+RENAME old_name1 AS new_name1[, ..., old_nameN AS new_nameN]
+```
+
+**Parameters**
+
+`old_nameX`
+: The name of a column you want to rename.
+
+`new_nameX`
+: The new name of the column. If it conflicts with an existing column name,
+ the existing column is dropped. If multiple columns are renamed to the same
+ name, all but the rightmost column with the same new name are dropped.
+
+**Description**
+
+The `RENAME` processing command renames one or more columns. If a column with
+the new name already exists, it will be replaced by the new column.
+
+A `RENAME` with multiple column renames is equivalent to multiple sequential `RENAME` commands.
+
+**Examples**
+
+:::{include} ../examples/docs.csv-spec/rename.md
+:::
+
+Multiple columns can be renamed with a single `RENAME` command:
+
+:::{include} ../examples/docs.csv-spec/renameMultipleColumns.md
+:::
+
+With multiple `RENAME` commands:
+
+:::{include} ../examples/docs.csv-spec/renameMultipleColumnsDifferentCommands.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/row.md b/docs/reference/query-languages/esql/_snippets/commands/layout/row.md
new file mode 100644
index 0000000000000..ebbede74ab44d
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/row.md
@@ -0,0 +1,35 @@
+## `ROW` [esql-row]
+
+The `ROW` source command produces a row with one or more columns with values
+that you specify. This can be useful for testing.
+
+**Syntax**
+
+```esql
+ROW column1 = value1[, ..., columnN = valueN]
+```
+
+**Parameters**
+
+`columnX`
+: The column name.
+ In case of duplicate column names, only the rightmost duplicate creates a column.
+
+`valueX`
+: The value for the column. Can be a literal, an expression, or a
+ [function](/reference/query-languages/esql/esql-functions-operators.md#esql-functions).
+
+**Examples**
+
+:::{include} ../examples/row.csv-spec/example.md
+:::
+
+Use square brackets to create multi-value columns:
+
+:::{include} ../examples/row.csv-spec/multivalue.md
+:::
+
+`ROW` supports the use of [functions](/reference/query-languages/esql/esql-functions-operators.md#esql-functions):
+
+:::{include} ../examples/row.csv-spec/function.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/show.md b/docs/reference/query-languages/esql/_snippets/commands/layout/show.md
new file mode 100644
index 0000000000000..04782a8cc990b
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/show.md
@@ -0,0 +1,27 @@
+## `SHOW` [esql-show]
+
+The `SHOW` source command returns information about the deployment and
+its capabilities.
+
+**Syntax**
+
+```esql
+SHOW item
+```
+
+**Parameters**
+
+`item`
+: Can only be `INFO`.
+
+**Examples**
+
+Use `SHOW INFO` to return the deployment’s version, build date and hash.
+
+```esql
+SHOW INFO
+```
+
+| version | date | hash |
+| --- | --- | --- |
+| 8.13.0 | 2024-02-23T10:04:18.123117961Z | 04ba8c8db2507501c88f215e475de7b0798cb3b3 |
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/sort.md b/docs/reference/query-languages/esql/_snippets/commands/layout/sort.md
new file mode 100644
index 0000000000000..61ddd45fc1ff2
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/sort.md
@@ -0,0 +1,52 @@
+## `SORT` [esql-sort]
+
+The `SORT` processing command sorts a table on one or more columns.
+
+**Syntax**
+
+```esql
+SORT column1 [ASC/DESC][NULLS FIRST/NULLS LAST][, ..., columnN [ASC/DESC][NULLS FIRST/NULLS LAST]]
+```
+
+**Parameters**
+
+`columnX`
+: The column to sort on.
+
+**Description**
+
+The `SORT` processing command sorts a table on one or more columns.
+
+The default sort order is ascending. Use `ASC` or `DESC` to specify an explicit
+sort order.
+
+Two rows with the same sort key are considered equal. You can provide additional
+sort expressions to act as tie breakers.
+
+Sorting on multivalued columns uses the lowest value when sorting ascending and
+the highest value when sorting descending.
+
+By default, `null` values are treated as being larger than any other value. With
+an ascending sort order, `null` values are sorted last, and with a descending
+sort order, `null` values are sorted first. You can change that by providing
+`NULLS FIRST` or `NULLS LAST`.
+
+**Examples**
+
+:::{include} ../examples/docs.csv-spec/sort.md
+:::
+
+Explicitly sorting in ascending order with `ASC`:
+
+:::{include} ../examples/docs.csv-spec/sortDesc.md
+:::
+
+Providing additional sort expressions to act as tie breakers:
+
+:::{include} ../examples/docs.csv-spec/sortTie.md
+:::
+
+Sorting `null` values first using `NULLS FIRST`:
+
+:::{include} ../examples/docs.csv-spec/sortNullsFirst.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/stats-by.md b/docs/reference/query-languages/esql/_snippets/commands/layout/stats-by.md
new file mode 100644
index 0000000000000..c8a5899f6c5ef
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/stats-by.md
@@ -0,0 +1,142 @@
+## `STATS` [esql-stats-by]
+
+The `STATS` processing command groups rows according to a common value
+and calculates one or more aggregated values over the grouped rows.
+
+**Syntax**
+
+```esql
+STATS [column1 =] expression1 [WHERE boolean_expression1][,
+ ...,
+ [columnN =] expressionN [WHERE boolean_expressionN]]
+ [BY grouping_expression1[, ..., grouping_expressionN]]
+```
+
+**Parameters**
+
+`columnX`
+: The name by which the aggregated value is returned. If omitted, the name is
+ equal to the corresponding expression (`expressionX`).
+ If multiple columns have the same name, all but the rightmost column with this
+ name will be ignored.
+
+`expressionX`
+: An expression that computes an aggregated value.
+
+`grouping_expressionX`
+: An expression that outputs the values to group by.
+ If its name coincides with one of the computed columns, that column will be ignored.
+
+`boolean_expressionX`
+: The condition that must be met for a row to be included in the evaluation of `expressionX`.
+
+::::{note}
+Individual `null` values are skipped when computing aggregations.
+::::
+
+
+**Description**
+
+The `STATS` processing command groups rows according to a common value
+and calculates one or more aggregated values over the grouped rows. For the
+calculation of each aggregated value, the rows in a group can be filtered with
+`WHERE`. If `BY` is omitted, the output table contains exactly one row with
+the aggregations applied over the entire dataset.
+
+The following [aggregation functions](/reference/query-languages/esql/functions-operators/aggregation-functions.md) are supported:
+
+:::{include} ../../lists/aggregation-functions.md
+:::
+
+The following [grouping functions](/reference/query-languages/esql/functions-operators/grouping-functions.md) are supported:
+
+:::{include} ../../lists/grouping-functions.md
+:::
+
+::::{note}
+`STATS` without any groups is much much faster than adding a group.
+::::
+
+
+::::{note}
+Grouping on a single expression is currently much more optimized than grouping
+on many expressions. In some tests we have seen grouping on a single `keyword`
+column to be five times faster than grouping on two `keyword` columns. Do
+not try to work around this by combining the two columns together with
+something like [`CONCAT`](/reference/query-languages/esql/functions-operators/string-functions.md#esql-concat)
+and then grouping - that is not going to be faster.
+::::
+
+
+**Examples**
+
+Calculating a statistic and grouping by the values of another column:
+
+:::{include} ../examples/stats.csv-spec/stats.md
+:::
+
+Omitting `BY` returns one row with the aggregations applied over the entire
+dataset:
+
+:::{include} ../examples/stats.csv-spec/statsWithoutBy.md
+:::
+
+It’s possible to calculate multiple values:
+
+:::{include} ../examples/stats.csv-spec/statsCalcMultipleValues.md
+:::
+
+To filter the rows that go into an aggregation, use the `WHERE` clause:
+
+:::{include} ../examples/stats.csv-spec/aggFiltering.md
+:::
+
+The aggregations can be mixed, with and without a filter and grouping is
+optional as well:
+
+:::{include} ../examples/stats.csv-spec/aggFilteringNoGroup.md
+:::
+
+$$$esql-stats-mv-group$$$
+If the grouping key is multivalued then the input row is in all groups:
+
+:::{include} ../examples/stats.csv-spec/mv-group.md
+:::
+
+It’s also possible to group by multiple values:
+
+:::{include} ../examples/stats.csv-spec/statsGroupByMultipleValues.md
+:::
+If all the grouping keys are multivalued then the input row is in all groups:
+
+:::{include} ../examples/stats.csv-spec/multi-mv-group.md
+:::
+
+Both the aggregating functions and the grouping expressions accept other
+functions. This is useful for using `STATS` on multivalue columns.
+For example, to calculate the average salary change, you can use `MV_AVG` to
+first average the multiple values per employee, and use the result with the
+`AVG` function:
+
+:::{include} ../examples/stats.csv-spec/docsStatsAvgNestedExpression.md
+:::
+
+An example of grouping by an expression is grouping employees on the first
+letter of their last name:
+
+:::{include} ../examples/stats.csv-spec/docsStatsByExpression.md
+:::
+
+Specifying the output column name is optional. If not specified, the new column
+name is equal to the expression. The following query returns a column named
+`AVG(salary)`:
+
+:::{include} ../examples/stats.csv-spec/statsUnnamedColumn.md
+:::
+
+Because this name contains special characters,
+[it needs to be quoted](/reference/query-languages/esql/esql-syntax.md#esql-identifiers)
+with backticks (```) when using it in subsequent commands:
+
+:::{include} ../examples/stats.csv-spec/statsUnnamedColumnEval.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/commands/layout/where.md b/docs/reference/query-languages/esql/_snippets/commands/layout/where.md
new file mode 100644
index 0000000000000..5038ebd647ce1
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/commands/layout/where.md
@@ -0,0 +1,110 @@
+## `WHERE` [esql-where]
+
+The `WHERE` processing command produces a table that contains all the rows from
+the input table for which the provided condition evaluates to `true`.
+
+::::{tip}
+In case of value exclusions, fields with `null` values will be excluded from search results.
+In this context a `null` means either there is an explicit `null` value in the document or
+there is no value at all. For example: `WHERE field != "value"` will be interpreted as
+`WHERE field != "value" AND field IS NOT NULL`.
+::::
+
+
+**Syntax**
+
+```esql
+WHERE expression
+```
+
+**Parameters**
+
+`expression`
+: A boolean expression.
+
+**Examples**
+
+:::{include} ../examples/docs.csv-spec/where.md
+:::
+Which, if `still_hired` is a boolean field, can be simplified to:
+
+:::{include} ../examples/docs.csv-spec/whereBoolean.md
+:::
+Use date math to retrieve data from a specific time range. For example, to
+retrieve the last hour of logs:
+
+:::{include} ../examples/date.csv-spec/docsNowWhere.md
+:::
+`WHERE` supports various [functions](/reference/query-languages/esql/esql-functions-operators.md#esql-functions).
+For example the [`LENGTH`](/reference/query-languages/esql/functions-operators/string-functions.md#esql-length) function:
+
+:::{include} ../examples/docs.csv-spec/whereFunction.md
+:::
+
+For a complete list of all functions, refer to [Functions overview](/reference/query-languages/esql/esql-functions-operators.md#esql-functions).
+
+### NULL Predicates
+
+For NULL comparison, use the `IS NULL` and `IS NOT NULL` predicates.
+
+:::{include} ../../operators/examples/is_null.md
+:::
+
+:::{include} ../../operators/examples/is_not_null.md
+:::
+
+### Matching text
+
+For matching text, you can use [full text search functions](/reference/query-languages/esql/functions-operators/search-functions.md) like `MATCH`.
+
+Use [`MATCH`](/reference/query-languages/esql/functions-operators/search-functions.md#esql-match) to perform a
+[match query](/reference/query-languages/query-dsl/query-dsl-match-query.md) on a specified field.
+
+Match can be used on text fields, as well as other field types like boolean, dates, and numeric types.
+
+:::{include} ../../functions/examples/match.md
+:::
+
+::::{tip}
+You can also use the shorthand [match operator](/reference/query-languages/esql/functions-operators/operators.md#esql-match-operator) `:` instead of `MATCH`.
+
+::::
+
+### LIKE and RLIKE
+
+Use `LIKE` to filter data based on string patterns using wildcards. `LIKE` usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) expression. The right-hand side of the operator represents the pattern.
+
+The following wildcard characters are supported:
+
+* `*` matches zero or more characters.
+* `?` matches one character.
+
+:::{include} ../../operators/types/like.md
+:::
+
+:::{include} ../../operators/examples/like.md
+:::
+
+:::{include} ../../operators/detailedDescription/like.md
+:::
+
+Use `RLIKE` to filter data based on string patterns using using [regular expressions](/reference/query-languages/query-dsl/regexp-syntax.md). `RLIKE` usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) expression. The right-hand side of the operator represents the pattern.
+
+:::{include} ../../operators/types/rlike.md
+:::
+
+:::{include} ../../operators/examples/rlike.md
+:::
+
+:::{include} ../../operators/detailedDescription/rlike.md
+:::
+
+### IN
+
+The `IN` operator allows testing whether a field or expression equals an element
+in a list of literals, fields or expressions:
+
+:::{include} ../../operators/examples/in.md
+:::
+
+For a complete list of all operators, refer to [Operators](/reference/query-languages/esql/esql-functions-operators.md#esql-operators-overview).
diff --git a/docs/reference/query-languages/esql/_snippets/common/result-set-size-limitation.md b/docs/reference/query-languages/esql/_snippets/common/result-set-size-limitation.md
new file mode 100644
index 0000000000000..1a6b4dada3dd7
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/common/result-set-size-limitation.md
@@ -0,0 +1,46 @@
+For instance,
+```esql
+FROM index | WHERE field = "value"
+```
+is equivalent to:
+```esql
+FROM index | WHERE field = "value" | LIMIT 1000
+```
+
+Queries do not return more than 10,000 rows, regardless of the `LIMIT` command’s value. This is a configurable upper limit.
+
+To overcome this limitation:
+
+* Reduce the result set size by modifying the query to only return relevant data. Use [`WHERE`](/reference/query-languages/esql/commands/processing-commands.md#esql-where) to select a smaller subset of the data.
+* Shift any post-query processing to the query itself. You can use the {{esql}} [`STATS`](/reference/query-languages/esql/commands/processing-commands.md#esql-stats-by) command to aggregate data in the query.
+
+The upper limit only applies to the number of rows that are output by the query, not to the number of documents it processes: the query runs on the full data set.
+
+Consider the following two queries:
+```esql
+FROM index | WHERE field0 == "value" | LIMIT 20000
+```
+and
+```esql
+FROM index | STATS AVG(field1) BY field2 | LIMIT 20000
+```
+
+In both cases, the filtering by `field0` in the first query or the grouping by `field2` in the second is applied over all the documents present in the `index`, irrespective of their number or indexes size. However, both queries will return at most 10,000 rows, even if there were more rows available to return.
+
+The default and maximum limits can be changed using these dynamic cluster settings:
+
+* `esql.query.result_truncation_default_size`
+* `esql.query.result_truncation_max_size`
+
+However, doing so involves trade-offs. A larger result-set involves a higher memory pressure and increased processing times; the internode traffic within and across clusters can also increase.
+
+These limitations are similar to those enforced by the [search API for pagination](/reference/elasticsearch/rest-apis/paginate-search-results.md).
+
+| Functionality | Search | {{esql}} |
+|----------------------------------|-------------------------|-------------------------------------------|
+| Results returned by default | 10 | 1.000 |
+| Default upper limit | 10,000 | 10,000 |
+| Specify number of results | `size` | `LIMIT` |
+| Change default number of results | n/a | esql.query.result_truncation_default_size |
+| Change default upper limit | index-max-result-window | esql.query.result_truncation_max_size |
+
diff --git a/docs/reference/query-languages/esql/_snippets/conditional-functions-and-expressions.md b/docs/reference/query-languages/esql/_snippets/conditional-functions-and-expressions.md
deleted file mode 100644
index ce95f05ee6389..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/conditional-functions-and-expressions.md
+++ /dev/null
@@ -1,21 +0,0 @@
-## {{esql}} conditional functions and expressions [esql-conditional-functions-and-expressions]
-
-
-Conditional functions return one of their arguments by evaluating in an if-else manner. {{esql}} supports these conditional functions:
-
-:::{include} lists/conditional-functions-and-expressions.md
-:::
-
-
-:::{include} functions/layout/case.md
-:::
-
-:::{include} functions/layout/coalesce.md
-:::
-
-:::{include} functions/layout/greatest.md
-:::
-
-:::{include} functions/layout/least.md
-:::
-
diff --git a/docs/reference/query-languages/esql/_snippets/date-time-functions.md b/docs/reference/query-languages/esql/_snippets/date-time-functions.md
deleted file mode 100644
index c0e6372f30f00..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/date-time-functions.md
+++ /dev/null
@@ -1,27 +0,0 @@ -## {{esql}} date-time functions [esql-date-time-functions] - - -{{esql}} supports these date-time functions: - -:::{include} lists/date-time-functions.md -::: - - -:::{include} functions/layout/date_diff.md -::: - -:::{include} functions/layout/date_extract.md -::: - -:::{include} functions/layout/date_format.md -::: - -:::{include} functions/layout/date_parse.md -::: - -:::{include} functions/layout/date_trunc.md -::: - -:::{include} functions/layout/now.md -::: - diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/date_trunc.md b/docs/reference/query-languages/esql/_snippets/functions/description/date_trunc.md index c32140d50ecc9..e207cc6d94034 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/date_trunc.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/date_trunc.md @@ -2,6 +2,5 @@ **Description** -Rounds down a date to the closest interval since epoch, which starts -at `0001-01-01T00:00:00Z`. +Rounds down a date to the closest interval since epoch, which starts at `0001-01-01T00:00:00Z`. diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/greatest.md b/docs/reference/query-languages/esql/_snippets/functions/description/greatest.md index 11ae376911432..15f80d3f6254d 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/greatest.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/greatest.md 
@@ -2,7 +2,7 @@ **Description** -Returns the maximum value from multiple columns. This is similar to [`MV_MAX`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_max) except it is intended to run on multiple columns at once. +Returns the maximum value from multiple columns. This is similar to [`MV_MAX`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_max) except it is intended to run on multiple columns at once. ::::{note} When run on `keyword` or `text` fields, this returns the last string in alphabetical order. When run on `boolean` columns this will return `true` if any values are `true`. diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/least.md b/docs/reference/query-languages/esql/_snippets/functions/description/least.md index 6ca296474d39e..773c82c44625a 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/least.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/least.md @@ -2,5 +2,5 @@ **Description** -Returns the minimum value from multiple columns. This is similar to [`MV_MIN`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_min) except it is intended to run on multiple columns at once. +Returns the minimum value from multiple columns. This is similar to [`MV_MIN`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_min) except it is intended to run on multiple columns at once. diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/match.md b/docs/reference/query-languages/esql/_snippets/functions/description/match.md index f24f66197d739..8dd64d9671501 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/match.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/match.md 
@@ -2,5 +2,5 @@ **Description** -Use `MATCH` to perform a [match query](/reference/query-languages/query-dsl/query-dsl-match-query.md) on the specified field. Using `MATCH` is equivalent to using the `match` query in the Elasticsearch Query DSL. Match can be used on fields from the text family like [text](/reference/elasticsearch/mapping-reference/text.md) and [semantic_text](/reference/elasticsearch/mapping-reference/semantic-text.md), as well as other field types like keyword, boolean, dates, and numeric types. Match can use [function named parameters](/reference/query-languages/esql/esql-syntax.md#esql-function-named-params) to specify additional options for the match query. All [match query parameters](/reference/query-languages/query-dsl/query-dsl-match-query.md#match-field-params) are supported. For a simplified syntax, you can use the [match operator](/reference/query-languages/esql/esql-functions-operators.md#esql-search-operators) `:` operator instead of `MATCH`. `MATCH` returns true if the provided query matches the row. +Use `MATCH` to perform a [match query](/reference/query-languages/query-dsl/query-dsl-match-query.md) on the specified field. Using `MATCH` is equivalent to using the `match` query in the Elasticsearch Query DSL. Match can be used on fields from the text family like [text](/reference/elasticsearch/mapping-reference/text.md) and [semantic_text](/reference/elasticsearch/mapping-reference/semantic-text.md), as well as other field types like keyword, boolean, dates, and numeric types. Match can use [function named parameters](/reference/query-languages/esql/esql-syntax.md#esql-function-named-params) to specify additional options for the match query. All [match query parameters](/reference/query-languages/query-dsl/query-dsl-match-query.md#match-field-params) are supported. 
For a simplified syntax, you can use the [match operator](/reference/query-languages/esql/functions-operators/operators.md#esql-match-operator) `:` operator instead of `MATCH`. `MATCH` returns true if the provided query matches the row. diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/median.md b/docs/reference/query-languages/esql/_snippets/functions/description/median.md index 29560cc83688f..cadb73d7147d2 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/median.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/median.md @@ -2,10 +2,10 @@ **Description** -The value that is greater than half of all values and less than half of all values, also known as the 50% [`PERCENTILE`](/reference/query-languages/esql/esql-functions-operators.md#esql-percentile). +The value that is greater than half of all values and less than half of all values, also known as the 50% [`PERCENTILE`](/reference/query-languages/esql/functions-operators/aggregation-functions.md#esql-percentile). ::::{note} -Like [`PERCENTILE`](/reference/query-languages/esql/esql-functions-operators.md#esql-percentile), `MEDIAN` is [usually approximate](/reference/query-languages/esql/esql-functions-operators.md#esql-percentile-approximate). +Like [`PERCENTILE`](/reference/query-languages/esql/functions-operators/aggregation-functions.md#esql-percentile), `MEDIAN` is [usually approximate](/reference/query-languages/esql/functions-operators/aggregation-functions.md#esql-percentile-approximate). :::: diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/median_absolute_deviation.md b/docs/reference/query-languages/esql/_snippets/functions/description/median_absolute_deviation.md index df5bed3c82e71..ca670661e648f 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/median_absolute_deviation.md 
+++ b/docs/reference/query-languages/esql/_snippets/functions/description/median_absolute_deviation.md @@ -5,7 +5,7 @@ Returns the median absolute deviation, a measure of variability. It is a robust statistic, meaning that it is useful for describing data that may have outliers, or may not be normally distributed. For such data it can be more descriptive than standard deviation. It is calculated as the median of each data point’s deviation from the median of the entire sample. That is, for a random variable `X`, the median absolute deviation is `median(|median(X) - X|)`. ::::{note} -Like [`PERCENTILE`](/reference/query-languages/esql/esql-functions-operators.md#esql-percentile), `MEDIAN_ABSOLUTE_DEVIATION` is [usually approximate](/reference/query-languages/esql/esql-functions-operators.md#esql-percentile-approximate). +Like [`PERCENTILE`](/reference/query-languages/esql/functions-operators/aggregation-functions.md#esql-percentile), `MEDIAN_ABSOLUTE_DEVIATION` is [usually approximate](/reference/query-languages/esql/functions-operators/aggregation-functions.md#esql-percentile-approximate). :::: diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/mv_first.md b/docs/reference/query-languages/esql/_snippets/functions/description/mv_first.md index 2a943472f6c4f..ad3139e6f3c12 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/mv_first.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/mv_first.md 
@@ -2,11 +2,11 @@ **Description** -Converts a multivalued expression into a single valued column containing the first value. This is most useful when reading from a function that emits multivalued columns in a known order like [`SPLIT`](/reference/query-languages/esql/esql-functions-operators.md#esql-split). +Converts a multivalued expression into a single valued column containing the first value. This is most useful when reading from a function that emits multivalued columns in a known order like [`SPLIT`](/reference/query-languages/esql/functions-operators/string-functions.md#esql-split). The order that [multivalued fields](/reference/query-languages/esql/esql-multivalued-fields.md) are read from underlying storage is not guaranteed. It is **frequently** ascending, but don’t -rely on that. If you need the minimum value use [`MV_MIN`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_min) instead of +rely on that. If you need the minimum value use [`MV_MIN`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_min) instead of `MV_FIRST`. `MV_MIN` has optimizations for sorted values so there isn’t a performance benefit to `MV_FIRST`. diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/mv_last.md b/docs/reference/query-languages/esql/_snippets/functions/description/mv_last.md index 365a0d5f34cad..c94a5c9626b13 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/mv_last.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/mv_last.md 
@@ -2,11 +2,11 @@ **Description** -Converts a multivalue expression into a single valued column containing the last value. This is most useful when reading from a function that emits multivalued columns in a known order like [`SPLIT`](/reference/query-languages/esql/esql-functions-operators.md#esql-split). +Converts a multivalue expression into a single valued column containing the last value. This is most useful when reading from a function that emits multivalued columns in a known order like [`SPLIT`](/reference/query-languages/esql/functions-operators/string-functions.md#esql-split). The order that [multivalued fields](/reference/query-languages/esql/esql-multivalued-fields.md) are read from underlying storage is not guaranteed. It is **frequently** ascending, but don’t -rely on that. If you need the maximum value use [`MV_MAX`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_max) instead of +rely on that. If you need the maximum value use [`MV_MAX`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_max) instead of `MV_LAST`. `MV_MAX` has optimizations for sorted values so there isn’t a performance benefit to `MV_LAST`. diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/mv_slice.md b/docs/reference/query-languages/esql/_snippets/functions/description/mv_slice.md index b70d4ed70c1be..92772172ac4f6 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/mv_slice.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/mv_slice.md 
@@ -2,7 +2,7 @@ **Description** -Returns a subset of the multivalued field using the start and end index values. This is most useful when reading from a function that emits multivalued columns in a known order like [`SPLIT`](/reference/query-languages/esql/esql-functions-operators.md#esql-split) or [`MV_SORT`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_sort). +Returns a subset of the multivalued field using the start and end index values. This is most useful when reading from a function that emits multivalued columns in a known order like [`SPLIT`](/reference/query-languages/esql/functions-operators/string-functions.md#esql-split) or [`MV_SORT`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_sort). The order that [multivalued fields](/reference/query-languages/esql/esql-multivalued-fields.md) are read from underlying storage is not guaranteed. It is **frequently** ascending, but don’t diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/st_contains.md b/docs/reference/query-languages/esql/_snippets/functions/description/st_contains.md index ffda3085adfe9..1067ea10b99f1 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/st_contains.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/st_contains.md @@ -2,5 +2,5 @@ **Description** -Returns whether the first geometry contains the second geometry. This is the inverse of the [ST_WITHIN](/reference/query-languages/esql/esql-functions-operators.md#esql-st_within) function. +Returns whether the first geometry contains the second geometry. This is the inverse of the [ST_WITHIN](/reference/query-languages/esql/functions-operators/spatial-functions.md#esql-st_within) function. 
diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/st_disjoint.md b/docs/reference/query-languages/esql/_snippets/functions/description/st_disjoint.md index 7741a25e2e44a..031a3a9ab2efb 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/st_disjoint.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/st_disjoint.md @@ -2,5 +2,5 @@ **Description** -Returns whether the two geometries or geometry columns are disjoint. This is the inverse of the [ST_INTERSECTS](/reference/query-languages/esql/esql-functions-operators.md#esql-st_intersects) function. In mathematical terms: ST_Disjoint(A, B) ⇔ A ⋂ B = ∅ +Returns whether the two geometries or geometry columns are disjoint. This is the inverse of the [ST_INTERSECTS](/reference/query-languages/esql/functions-operators/spatial-functions.md#esql-st_intersects) function. In mathematical terms: ST_Disjoint(A, B) ⇔ A ⋂ B = ∅ diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/st_intersects.md b/docs/reference/query-languages/esql/_snippets/functions/description/st_intersects.md index 9a7ed9ad6b418..874c2eacfcdd5 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/st_intersects.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/st_intersects.md 
@@ -2,5 +2,5 @@ **Description** -Returns true if two geometries intersect. They intersect if they have any point in common, including their interior points (points along lines or within polygons). This is the inverse of the [ST_DISJOINT](/reference/query-languages/esql/esql-functions-operators.md#esql-st_disjoint) function. In mathematical terms: ST_Intersects(A, B) ⇔ A ⋂ B ≠ ∅ +Returns true if two geometries intersect. They intersect if they have any point in common, including their interior points (points along lines or within polygons). This is the inverse of the [ST_DISJOINT](/reference/query-languages/esql/functions-operators/spatial-functions.md#esql-st_disjoint) function. In mathematical terms: ST_Intersects(A, B) ⇔ A ⋂ B ≠ ∅ diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/st_within.md b/docs/reference/query-languages/esql/_snippets/functions/description/st_within.md index 3e6b0f2a615f1..625b740e44cf2 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/st_within.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/st_within.md @@ -2,5 +2,5 @@ **Description** -Returns whether the first geometry is within the second geometry. This is the inverse of the [ST_CONTAINS](/reference/query-languages/esql/esql-functions-operators.md#esql-st_contains) function. +Returns whether the first geometry is within the second geometry. This is the inverse of the [ST_CONTAINS](/reference/query-languages/esql/functions-operators/spatial-functions.md#esql-st_contains) function. diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/to_datetime.md b/docs/reference/query-languages/esql/_snippets/functions/description/to_datetime.md index 3737d7899b427..6bc18bc53ad35 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/to_datetime.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/to_datetime.md 
@@ -2,7 +2,7 @@ **Description** -Converts an input value to a date value. A string will only be successfully converted if it’s respecting the format `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'`. To convert dates in other formats, use [`DATE_PARSE`](/reference/query-languages/esql/esql-functions-operators.md#esql-date_parse). +Converts an input value to a date value. A string will only be successfully converted if it’s respecting the format `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'`. To convert dates in other formats, use [`DATE_PARSE`](/reference/query-languages/esql/functions-operators/date-time-functions.md#esql-date_parse). ::::{note} Note that when converting from nanosecond resolution to millisecond resolution with this function, the nanosecond date is truncated, not rounded. diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/values.md b/docs/reference/query-languages/esql/_snippets/functions/description/values.md index 246b3d79b0488..ecfd420f7c9da 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/description/values.md +++ b/docs/reference/query-languages/esql/_snippets/functions/description/values.md @@ -2,5 +2,5 @@ **Description** -Returns all values in a group as a multivalued field. The order of the returned values isn’t guaranteed. If you need the values returned in order use [`MV_SORT`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_sort). +Returns all values in a group as a multivalued field. The order of the returned values isn’t guaranteed. If you need the values returned in order use [`MV_SORT`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_sort). diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/bucket.md b/docs/reference/query-languages/esql/_snippets/functions/examples/bucket.md index 2a598a4acf486..1ef970506fd5d 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/examples/bucket.md 
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/bucket.md @@ -29,7 +29,7 @@ FROM employees The goal isn’t to provide **exactly** the target number of buckets, it’s to pick a range that people are comfortable with that provides at most the target number of buckets. -Combine `BUCKET` with an [aggregation](/reference/query-languages/esql/esql-functions-operators.md#esql-agg-functions) to create a histogram: +Combine `BUCKET` with an [aggregation](/reference/query-languages/esql/functions-operators/aggregation-functions.md) to create a histogram: ```esql FROM employees @@ -75,7 +75,7 @@ FROM employees ::::{note} `BUCKET` does not filter any rows. It only uses the provided range to pick a good bucket size. For rows with a value outside of the range, it returns a bucket value that corresponds to a bucket outside the range. -Combine `BUCKET` with [`WHERE`](/reference/query-languages/esql/esql-commands.md#esql-where) to filter rows. +Combine `BUCKET` with [`WHERE`](/reference/query-languages/esql/commands/processing-commands.md#esql-where) to filter rows. :::: If the desired bucket size is known in advance, simply provide it as the second @@ -100,8 +100,7 @@ FROM employees ::::{note} When providing the bucket size as the second parameter, it must be a time -duration or date period. Also the reference is epoch, which starts -at `0001-01-01T00:00:00Z`. +duration or date period. Also the reference is epoch, which starts at `0001-01-01T00:00:00Z`. :::: `BUCKET` can also operate on numeric fields. For example, to create a salary histogram: 
@@ -180,7 +179,7 @@ FROM employees | 54539.75 | 1985-11-01T00:00:00.000Z | `BUCKET` may be used in both the aggregating and grouping part of the -[STATS ... BY ...](/reference/query-languages/esql/esql-commands.md#esql-stats-by) command provided that in the aggregating +[STATS ... BY ...](/reference/query-languages/esql/commands/processing-commands.md#esql-stats-by) command provided that in the aggregating part the function is referenced by an alias defined in the grouping part, or that it is invoked with the exact same expression: diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/count.md b/docs/reference/query-languages/esql/_snippets/functions/examples/count.md index 9ad53de6570ed..48b4d916afdb9 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/examples/count.md +++ b/docs/reference/query-languages/esql/_snippets/functions/examples/count.md @@ -39,7 +39,7 @@ ROW words="foo;bar;baz;qux;quux;foo" | --- | | 6 | -To count the number of times an expression returns `TRUE` use a [`WHERE`](/reference/query-languages/esql/esql-commands.md#esql-where) command to remove rows that shouldn’t be included +To count the number of times an expression returns `TRUE` use a [`WHERE`](/reference/query-languages/esql/commands/processing-commands.md#esql-where) command to remove rows that shouldn’t be included ```esql ROW n=1 diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/date_trunc.md b/docs/reference/query-languages/esql/_snippets/functions/examples/date_trunc.md index 040deec020edc..2d0fd53129412 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/examples/date_trunc.md +++ b/docs/reference/query-languages/esql/_snippets/functions/examples/date_trunc.md 
@@ -14,7 +14,7 @@ FROM employees | Amabile | Gomatam | 1992-11-18T00:00:00.000Z | 1992-01-01T00:00:00.000Z | | Anneke | Preusig | 1989-06-02T00:00:00.000Z | 1989-01-01T00:00:00.000Z | -Combine `DATE_TRUNC` with [`STATS`](/reference/query-languages/esql/esql-commands.md#esql-stats-by) to create date histograms. For +Combine `DATE_TRUNC` with [`STATS`](/reference/query-languages/esql/commands/processing-commands.md#esql-stats-by) to create date histograms. For example, the number of hires per year: ```esql diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/mv_concat.md b/docs/reference/query-languages/esql/_snippets/functions/examples/mv_concat.md index 4eb02ca402f5f..5b11bb4d1b677 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/examples/mv_concat.md +++ b/docs/reference/query-languages/esql/_snippets/functions/examples/mv_concat.md @@ -11,7 +11,7 @@ ROW a=["foo", "zoo", "bar"] | --- | --- | | ["foo", "zoo", "bar"] | "foo, zoo, bar" | -To concat non-string columns, call [`TO_STRING`](/reference/query-languages/esql/esql-functions-operators.md#esql-to_string) first: +To concat non-string columns, call [`TO_STRING`](/reference/query-languages/esql/functions-operators/type-conversion-functions.md#esql-to_string) first: ```esql ROW a=[10, 9, 8] diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/now.md b/docs/reference/query-languages/esql/_snippets/functions/examples/now.md index aabe6474beff2..ffb4b67e1960b 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/examples/now.md +++ b/docs/reference/query-languages/esql/_snippets/functions/examples/now.md @@ -17,7 +17,4 @@ FROM sample_data | WHERE @timestamp > NOW() - 1 hour ``` -| @timestamp:date | client_ip:ip | event_duration:long | message:keyword | -| --- | --- | --- | --- | - 
diff --git a/docs/reference/query-languages/esql/_snippets/functions/parameters/count_distinct.md b/docs/reference/query-languages/esql/_snippets/functions/parameters/count_distinct.md index bd4cc3a7c256d..77cd7a84c5fd5 100644 --- a/docs/reference/query-languages/esql/_snippets/functions/parameters/count_distinct.md +++ b/docs/reference/query-languages/esql/_snippets/functions/parameters/count_distinct.md @@ -6,5 +6,5 @@ : Column or literal for which to count the number of distinct values. `precision` -: Precision threshold. Refer to [`AGG-COUNT-DISTINCT-APPROXIMATE`](/reference/query-languages/esql/esql-functions-operators.md#esql-agg-count-distinct-approximate). The maximum supported value is 40000. Thresholds above this number will have the same effect as a threshold of 40000. The default value is 3000. +: Precision threshold. Refer to [`AGG-COUNT-DISTINCT-APPROXIMATE`](/reference/query-languages/esql/functions-operators/aggregation-functions.md#esql-agg-count-distinct-approximate). The maximum supported value is 40000. Thresholds above this number will have the same effect as a threshold of 40000. The default value is 3000. diff --git a/docs/reference/query-languages/esql/_snippets/grouping-functions.md b/docs/reference/query-languages/esql/_snippets/grouping-functions.md deleted file mode 100644 index 5166f11e40ec7..0000000000000 --- a/docs/reference/query-languages/esql/_snippets/grouping-functions.md +++ /dev/null @@ -1,15 +0,0 @@ -## {{esql}} grouping functions [esql-group-functions] - - -The [`STATS`](/reference/query-languages/esql/esql-commands.md#esql-stats-by) command supports these grouping functions: - -:::{include} lists/grouping-functions.md -::: - - -:::{include} functions/layout/bucket.md -::: - -:::{include} functions/layout/categorize.md -::: - diff --git a/docs/reference/query-languages/esql/_snippets/ip-functions.md b/docs/reference/query-languages/esql/_snippets/ip-functions.md deleted file mode 100644 index 2018f913ea733..0000000000000 
--- a/docs/reference/query-languages/esql/_snippets/ip-functions.md
+++ /dev/null
@@ -1,15 +0,0 @@
-## {{esql}} IP functions [esql-ip-functions]
-
-
-{{esql}} supports these IP functions:
-
-:::{include} lists/ip-functions.md
-:::
-
-
-:::{include} functions/layout/cidr_match.md
-:::
-
-:::{include} functions/layout/ip_prefix.md
-:::
-
diff --git a/docs/reference/query-languages/esql/_snippets/lists/aggregation-functions.md b/docs/reference/query-languages/esql/_snippets/lists/aggregation-functions.md
index a2698e9aad583..85a8a70e94341 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/aggregation-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/aggregation-functions.md
@@ -1,15 +1,15 @@
-* [`AVG`](../../esql-functions-operators.md#esql-avg)
-* [`COUNT`](../../esql-functions-operators.md#esql-count)
-* [`COUNT_DISTINCT`](../../esql-functions-operators.md#esql-count_distinct)
-* [`MAX`](../../esql-functions-operators.md#esql-max)
-* [`MEDIAN`](../../esql-functions-operators.md#esql-median)
-* [`MEDIAN_ABSOLUTE_DEVIATION`](../../esql-functions-operators.md#esql-median_absolute_deviation)
-* [`MIN`](../../esql-functions-operators.md#esql-min)
-* [`PERCENTILE`](../../esql-functions-operators.md#esql-percentile)
-* [preview] [`ST_CENTROID_AGG`](../../esql-functions-operators.md#esql-st_centroid_agg)
-* [preview] [`ST_EXTENT_AGG`](../../esql-functions-operators.md#esql-st_extent_agg)
-* [`STD_DEV`](../../esql-functions-operators.md#esql-std_dev)
-* [`SUM`](../../esql-functions-operators.md#esql-sum)
-* [`TOP`](../../esql-functions-operators.md#esql-top)
-* [preview] [`VALUES`](../../esql-functions-operators.md#esql-values)
-* [`WEIGHTED_AVG`](../../esql-functions-operators.md#esql-weighted_avg)
+* [`AVG`](../../functions-operators/aggregation-functions.md#esql-avg)
+* [`COUNT`](../../functions-operators/aggregation-functions.md#esql-count)
+* [`COUNT_DISTINCT`](../../functions-operators/aggregation-functions.md#esql-count_distinct)
+* [`MAX`](../../functions-operators/aggregation-functions.md#esql-max)
+* [`MEDIAN`](../../functions-operators/aggregation-functions.md#esql-median)
+* [`MEDIAN_ABSOLUTE_DEVIATION`](../../functions-operators/aggregation-functions.md#esql-median_absolute_deviation)
+* [`MIN`](../../functions-operators/aggregation-functions.md#esql-min)
+* [`PERCENTILE`](../../functions-operators/aggregation-functions.md#esql-percentile)
+* [preview] [`ST_CENTROID_AGG`](../../functions-operators/aggregation-functions.md#esql-st_centroid_agg)
+* [preview] [`ST_EXTENT_AGG`](../../functions-operators/aggregation-functions.md#esql-st_extent_agg)
+* [`STD_DEV`](../../functions-operators/aggregation-functions.md#esql-std_dev)
+* [`SUM`](../../functions-operators/aggregation-functions.md#esql-sum)
+* [`TOP`](../../functions-operators/aggregation-functions.md#esql-top)
+* [preview] [`VALUES`](../../functions-operators/aggregation-functions.md#esql-values)
+* [`WEIGHTED_AVG`](../../functions-operators/aggregation-functions.md#esql-weighted_avg)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/binary-operators.md b/docs/reference/query-languages/esql/_snippets/lists/binary-operators.md
index 420c81e0764f4..306ebf4683f5f 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/binary-operators.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/binary-operators.md
@@ -1,11 +1,11 @@
-* [Equality](../../esql-functions-operators.md#esql-equals)
-* [Inequality `!=`](../../esql-functions-operators.md#esql-not_equals)
-* [Less than `<`](../../esql-functions-operators.md#esql-less_than)
-* [Less than or equal to `<=`](../../esql-functions-operators.md#esql-less_than_or_equal)
-* [Greater than `>`](../../esql-functions-operators.md#esql-greater_than)
-* [Greater than or equal to `>=`](../../esql-functions-operators.md#esql-greater_than_or_equal)
-* [Add `+`](../../esql-functions-operators.md#esql-add)
-* [Subtract `-`](../../esql-functions-operators.md#esql-sub)
-* [Multiply `*`](../../esql-functions-operators.md#esql-mul)
-* [Divide `/`](../../esql-functions-operators.md#esql-div)
-* [Modulus `%`](../../esql-functions-operators.md#esql-mod)
+* [Equality](../../functions-operators/operators.md#esql-equals)
+* [Inequality `!=`](../../functions-operators/operators.md#esql-not_equals)
+* [Less than `<`](../../functions-operators/operators.md#esql-less_than)
+* [Less than or equal to `<=`](../../functions-operators/operators.md#esql-less_than_or_equal)
+* [Greater than `>`](../../functions-operators/operators.md#esql-greater_than)
+* [Greater than or equal to `>=`](../../functions-operators/operators.md#esql-greater_than_or_equal)
+* [Add `+`](../../functions-operators/operators.md#esql-add)
+* [Subtract `-`](../../functions-operators/operators.md#esql-sub)
+* [Multiply `*`](../../functions-operators/operators.md#esql-mul)
+* [Divide `/`](../../functions-operators/operators.md#esql-div)
+* [Modulus `%`](../../functions-operators/operators.md#esql-mod)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/conditional-functions-and-expressions.md b/docs/reference/query-languages/esql/_snippets/lists/conditional-functions-and-expressions.md
index 68f11e51f7191..02f6dfdd2f0c6 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/conditional-functions-and-expressions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/conditional-functions-and-expressions.md
@@ -1,4 +1,4 @@
-* [`CASE`](../../esql-functions-operators.md#esql-case)
-* [`COALESCE`](../../esql-functions-operators.md#esql-coalesce)
-* [`GREATEST`](../../esql-functions-operators.md#esql-greatest)
-* [`LEAST`](../../esql-functions-operators.md#esql-least)
+* [`CASE`](../../functions-operators/conditional-functions-and-expressions.md#esql-case)
+* [`COALESCE`](../../functions-operators/conditional-functions-and-expressions.md#esql-coalesce)
+* [`GREATEST`](../../functions-operators/conditional-functions-and-expressions.md#esql-greatest)
+* [`LEAST`](../../functions-operators/conditional-functions-and-expressions.md#esql-least)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/date-time-functions.md b/docs/reference/query-languages/esql/_snippets/lists/date-time-functions.md
index 3cbb133b251f2..a9b6b090e0472 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/date-time-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/date-time-functions.md
@@ -1,6 +1,6 @@
-* [`DATE_DIFF`](../../esql-functions-operators.md#esql-date_diff)
-* [`DATE_EXTRACT`](../../esql-functions-operators.md#esql-date_extract)
-* [`DATE_FORMAT`](../../esql-functions-operators.md#esql-date_format)
-* [`DATE_PARSE`](../../esql-functions-operators.md#esql-date_parse)
-* [`DATE_TRUNC`](../../esql-functions-operators.md#esql-date_trunc)
-* [`NOW`](../../esql-functions-operators.md#esql-now)
+* [`DATE_DIFF`](../../functions-operators/date-time-functions.md#esql-date_diff)
+* [`DATE_EXTRACT`](../../functions-operators/date-time-functions.md#esql-date_extract)
+* [`DATE_FORMAT`](../../functions-operators/date-time-functions.md#esql-date_format)
+* [`DATE_PARSE`](../../functions-operators/date-time-functions.md#esql-date_parse)
+* [`DATE_TRUNC`](../../functions-operators/date-time-functions.md#esql-date_trunc)
+* [`NOW`](../../functions-operators/date-time-functions.md#esql-now)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/grouping-functions.md b/docs/reference/query-languages/esql/_snippets/lists/grouping-functions.md
index 8d744b93ec20c..2cb88f927abd4 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/grouping-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/grouping-functions.md
@@ -1,2 +1,2 @@
-* [`BUCKET`](../../esql-functions-operators.md#esql-bucket)
-* [preview] [`CATEGORIZE`](../../esql-functions-operators.md#esql-categorize)
+* [`BUCKET`](../../functions-operators/grouping-functions.md#esql-bucket)
+* [preview] [`CATEGORIZE`](../../functions-operators/grouping-functions.md#esql-categorize)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/infix-operators.md b/docs/reference/query-languages/esql/_snippets/lists/infix-operators.md
new file mode 100644
index 0000000000000..48eac234ac302
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/lists/infix-operators.md
@@ -0,0 +1,5 @@
+* [Cast `::`](../../functions-operators/operators.md#esql-cast-operator)
+* [`IN`](../../functions-operators/operators.md#esql-in-operator)
+* [`LIKE`](../../functions-operators/operators.md#esql-like)
+* [`RLIKE`](../../functions-operators/operators.md#esql-rlike)
+* [preview] [Match `:`](../../functions-operators/operators.md#esql-match-operator)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/ip-functions.md b/docs/reference/query-languages/esql/_snippets/lists/ip-functions.md
index 3b5084e7339c2..9e111be5642fc 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/ip-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/ip-functions.md
@@ -1,2 +1,2 @@
-* [`CIDR_MATCH`](../../esql-functions-operators.md#esql-cidr_match)
-* [`IP_PREFIX`](../../esql-functions-operators.md#esql-ip_prefix)
+* [`CIDR_MATCH`](../../functions-operators/ip-functions.md#esql-cidr_match)
+* [`IP_PREFIX`](../../functions-operators/ip-functions.md#esql-ip_prefix)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/like-and-rlike-operators.md b/docs/reference/query-languages/esql/_snippets/lists/like-and-rlike-operators.md
deleted file mode 100644
index 5a21c70936627..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/lists/like-and-rlike-operators.md
+++ /dev/null
@@ -1,2 +0,0 @@
-* [`LIKE`](../../esql-functions-operators.md#esql-like)
-* [`RLIKE`](../../esql-functions-operators.md#esql-rlike)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/math-functions.md b/docs/reference/query-languages/esql/_snippets/lists/math-functions.md
index 3cac8b9b4bf6f..0c3d0373ad243 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/math-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/math-functions.md
@@ -1,25 +1,25 @@
-* [`ABS`](../../esql-functions-operators.md#esql-abs)
-* [`ACOS`](../../esql-functions-operators.md#esql-acos)
-* [`ASIN`](../../esql-functions-operators.md#esql-asin)
-* [`ATAN`](../../esql-functions-operators.md#esql-atan)
-* [`ATAN2`](../../esql-functions-operators.md#esql-atan2)
-* [`CBRT`](../../esql-functions-operators.md#esql-cbrt)
-* [`CEIL`](../../esql-functions-operators.md#esql-ceil)
-* [`COS`](../../esql-functions-operators.md#esql-cos)
-* [`COSH`](../../esql-functions-operators.md#esql-cosh)
-* [`E`](../../esql-functions-operators.md#esql-e)
-* [`EXP`](../../esql-functions-operators.md#esql-exp)
-* [`FLOOR`](../../esql-functions-operators.md#esql-floor)
-* [`HYPOT`](../../esql-functions-operators.md#esql-hypot)
-* [`LOG`](../../esql-functions-operators.md#esql-log)
-* [`LOG10`](../../esql-functions-operators.md#esql-log10)
-* [`PI`](../../esql-functions-operators.md#esql-pi)
-* [`POW`](../../esql-functions-operators.md#esql-pow)
-* [`ROUND`](../../esql-functions-operators.md#esql-round)
-* [`SIGNUM`](../../esql-functions-operators.md#esql-signum)
-* [`SIN`](../../esql-functions-operators.md#esql-sin)
-* [`SINH`](../../esql-functions-operators.md#esql-sinh)
-* [`SQRT`](../../esql-functions-operators.md#esql-sqrt)
-* [`TAN`](../../esql-functions-operators.md#esql-tan)
-* [`TANH`](../../esql-functions-operators.md#esql-tanh)
-* [`TAU`](../../esql-functions-operators.md#esql-tau)
+* [`ABS`](../../functions-operators/math-functions.md#esql-abs)
+* [`ACOS`](../../functions-operators/math-functions.md#esql-acos)
+* [`ASIN`](../../functions-operators/math-functions.md#esql-asin)
+* [`ATAN`](../../functions-operators/math-functions.md#esql-atan)
+* [`ATAN2`](../../functions-operators/math-functions.md#esql-atan2)
+* [`CBRT`](../../functions-operators/math-functions.md#esql-cbrt)
+* [`CEIL`](../../functions-operators/math-functions.md#esql-ceil)
+* [`COS`](../../functions-operators/math-functions.md#esql-cos)
+* [`COSH`](../../functions-operators/math-functions.md#esql-cosh)
+* [`E`](../../functions-operators/math-functions.md#esql-e)
+* [`EXP`](../../functions-operators/math-functions.md#esql-exp)
+* [`FLOOR`](../../functions-operators/math-functions.md#esql-floor)
+* [`HYPOT`](../../functions-operators/math-functions.md#esql-hypot)
+* [`LOG`](../../functions-operators/math-functions.md#esql-log)
+* [`LOG10`](../../functions-operators/math-functions.md#esql-log10)
+* [`PI`](../../functions-operators/math-functions.md#esql-pi)
+* [`POW`](../../functions-operators/math-functions.md#esql-pow)
+* [`ROUND`](../../functions-operators/math-functions.md#esql-round)
+* [`SIGNUM`](../../functions-operators/math-functions.md#esql-signum)
+* [`SIN`](../../functions-operators/math-functions.md#esql-sin)
+* [`SINH`](../../functions-operators/math-functions.md#esql-sinh)
+* [`SQRT`](../../functions-operators/math-functions.md#esql-sqrt)
+* [`TAN`](../../functions-operators/math-functions.md#esql-tan)
+* [`TANH`](../../functions-operators/math-functions.md#esql-tanh)
+* [`TAU`](../../functions-operators/math-functions.md#esql-tau)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/mv-functions.md b/docs/reference/query-languages/esql/_snippets/lists/mv-functions.md
index 70ae63ef5c584..a7b32dfb3835e 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/mv-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/mv-functions.md
@@ -1,17 +1,17 @@
-* [`MV_APPEND`](../../esql-functions-operators.md#esql-mv_append)
-* [`MV_AVG`](../../esql-functions-operators.md#esql-mv_avg)
-* [`MV_CONCAT`](../../esql-functions-operators.md#esql-mv_concat)
-* [`MV_COUNT`](../../esql-functions-operators.md#esql-mv_count)
-* [`MV_DEDUPE`](../../esql-functions-operators.md#esql-mv_dedupe)
-* [`MV_FIRST`](../../esql-functions-operators.md#esql-mv_first)
-* [`MV_LAST`](../../esql-functions-operators.md#esql-mv_last)
-* [`MV_MAX`](../../esql-functions-operators.md#esql-mv_max)
-* [`MV_MEDIAN`](../../esql-functions-operators.md#esql-mv_median)
-* [`MV_MEDIAN_ABSOLUTE_DEVIATION`](../../esql-functions-operators.md#esql-mv_median_absolute_deviation)
-* [`MV_MIN`](../../esql-functions-operators.md#esql-mv_min)
-* [`MV_PERCENTILE`](../../esql-functions-operators.md#esql-mv_percentile)
-* [`MV_PSERIES_WEIGHTED_SUM`](../../esql-functions-operators.md#esql-mv_pseries_weighted_sum)
-* [`MV_SORT`](../../esql-functions-operators.md#esql-mv_sort)
-* [`MV_SLICE`](../../esql-functions-operators.md#esql-mv_slice)
-* [`MV_SUM`](../../esql-functions-operators.md#esql-mv_sum)
-* [`MV_ZIP`](../../esql-functions-operators.md#esql-mv_zip)
+* [`MV_APPEND`](../../functions-operators/mv-functions.md#esql-mv_append)
+* [`MV_AVG`](../../functions-operators/mv-functions.md#esql-mv_avg)
+* [`MV_CONCAT`](../../functions-operators/mv-functions.md#esql-mv_concat)
+* [`MV_COUNT`](../../functions-operators/mv-functions.md#esql-mv_count)
+* [`MV_DEDUPE`](../../functions-operators/mv-functions.md#esql-mv_dedupe)
+* [`MV_FIRST`](../../functions-operators/mv-functions.md#esql-mv_first)
+* [`MV_LAST`](../../functions-operators/mv-functions.md#esql-mv_last)
+* [`MV_MAX`](../../functions-operators/mv-functions.md#esql-mv_max)
+* [`MV_MEDIAN`](../../functions-operators/mv-functions.md#esql-mv_median)
+* [`MV_MEDIAN_ABSOLUTE_DEVIATION`](../../functions-operators/mv-functions.md#esql-mv_median_absolute_deviation)
+* [`MV_MIN`](../../functions-operators/mv-functions.md#esql-mv_min)
+* [`MV_PERCENTILE`](../../functions-operators/mv-functions.md#esql-mv_percentile)
+* [`MV_PSERIES_WEIGHTED_SUM`](../../functions-operators/mv-functions.md#esql-mv_pseries_weighted_sum)
+* [`MV_SORT`](../../functions-operators/mv-functions.md#esql-mv_sort)
+* [`MV_SLICE`](../../functions-operators/mv-functions.md#esql-mv_slice)
+* [`MV_SUM`](../../functions-operators/mv-functions.md#esql-mv_sum)
+* [`MV_ZIP`](../../functions-operators/mv-functions.md#esql-mv_zip)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/operators.md b/docs/reference/query-languages/esql/_snippets/lists/operators.md
index fc9e2af9f0e85..199219eee154b 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/operators.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/operators.md
@@ -1,8 +1,5 @@
-* [Binary operators](../../esql-functions-operators.md#esql-binary-operators)
-* [Unary operators](../../esql-functions-operators.md#esql-unary-operators)
-* [Logical operators](../../esql-functions-operators.md#esql-logical-operators)
-* [`IS NULL` and `IS NOT NULL` predicates](../../esql-functions-operators.md#esql-predicates)
-* [`Cast (::)`](../../esql-functions-operators.md#esql-cast-operator)
-* [`IN`](../../esql-functions-operators.md#esql-in-operator)
-* [`LIKE` and `RLIKE`](../../esql-functions-operators.md#esql-like-operators)
-* [preview] [Search operators](../../esql-functions-operators.md#esql-search-operators)
+* [Binary operators](../../functions-operators/operators.md#esql-binary-operators)
+* [Unary operators](../../functions-operators/operators.md#esql-unary-operators)
+* [Logical operators](../../functions-operators/operators.md#esql-logical-operators)
+* [suffix operators](../../functions-operators/operators.md#esql-suffix-operators)
+* [infix operators](../../functions-operators/operators.md#esql-infix-operators)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/processing-commands.md b/docs/reference/query-languages/esql/_snippets/lists/processing-commands.md
new file mode 100644
index 0000000000000..ffa17b15e73cd
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/lists/processing-commands.md
@@ -0,0 +1,13 @@
+* [`DISSECT`](../../commands/processing-commands.md#esql-dissect)
+* [`DROP`](../../commands/processing-commands.md#esql-drop)
+* [`ENRICH`](../../commands/processing-commands.md#esql-enrich)
+* [`EVAL`](../../commands/processing-commands.md#esql-eval)
+* [`GROK`](../../commands/processing-commands.md#esql-grok)
+* [`KEEP`](../../commands/processing-commands.md#esql-keep)
+* [`LIMIT`](../../commands/processing-commands.md#esql-limit)
+* [preview] [`LOOKUP JOIN`](../../commands/processing-commands.md#esql-lookup-join)
+* [preview] [`MV_EXPAND`](../../commands/processing-commands.md#esql-mv_expand)
+* [`RENAME`](../../commands/processing-commands.md#esql-rename)
+* [`SORT`](../../commands/processing-commands.md#esql-sort)
+* [`STATS`](../../commands/processing-commands.md#esql-stats-by)
+* [`WHERE`](../../commands/processing-commands.md#esql-where)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/search-functions.md b/docs/reference/query-languages/esql/_snippets/lists/search-functions.md
index 1bb1da2772c86..f8deaf752414f 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/search-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/search-functions.md
@@ -1,4 +1,4 @@
-* [preview] [`KQL`](../../esql-functions-operators.md#esql-kql)
-* [preview] [`MATCH`](../../esql-functions-operators.md#esql-match)
-* [preview] [`QSTR`](../../esql-functions-operators.md#esql-qstr)
-% * [preview] [`TERM`](../../esql-functions-operators.md#esql-term)
+* [preview] [`KQL`](../../functions-operators/search-functions.md#esql-kql)
+* [preview] [`MATCH`](../../functions-operators/search-functions.md#esql-match)
+* [preview] [`QSTR`](../../functions-operators/search-functions.md#esql-qstr)
+% * [preview] [`TERM`](../../functions-operators/search-functions.md#esql-term)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/source-commands.md b/docs/reference/query-languages/esql/_snippets/lists/source-commands.md
new file mode 100644
index 0000000000000..21194abdec2f7
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/lists/source-commands.md
@@ -0,0 +1,3 @@
+* [`FROM`](../../commands/source-commands.md#esql-from)
+* [`ROW`](../../commands/source-commands.md#esql-row)
+* [`SHOW`](../../commands/source-commands.md#esql-show)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/spatial-functions.md b/docs/reference/query-languages/esql/_snippets/lists/spatial-functions.md
index c234d341fd979..78ac6495441b6 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/spatial-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/spatial-functions.md
@@ -1,12 +1,12 @@
-* [`ST_DISTANCE`](../../esql-functions-operators.md#esql-st_distance)
-* [`ST_INTERSECTS`](../../esql-functions-operators.md#esql-st_intersects)
-* [`ST_DISJOINT`](../../esql-functions-operators.md#esql-st_disjoint)
-* [`ST_CONTAINS`](../../esql-functions-operators.md#esql-st_contains)
-* [`ST_WITHIN`](../../esql-functions-operators.md#esql-st_within)
-* [`ST_X`](../../esql-functions-operators.md#esql-st_x)
-* [`ST_Y`](../../esql-functions-operators.md#esql-st_y)
-* [preview] [`ST_ENVELOPE`](../../esql-functions-operators.md#esql-st_envelope)
-* [preview] [`ST_XMAX`](../../esql-functions-operators.md#esql-st_xmax)
-* [preview] [`ST_XMIN`](../../esql-functions-operators.md#esql-st_xmin)
-* [preview] [`ST_YMAX`](../../esql-functions-operators.md#esql-st_ymax)
-* [preview] [`ST_YMIN`](../../esql-functions-operators.md#esql-st_ymin)
+* [`ST_DISTANCE`](../../functions-operators/spatial-functions.md#esql-st_distance)
+* [`ST_INTERSECTS`](../../functions-operators/spatial-functions.md#esql-st_intersects)
+* [`ST_DISJOINT`](../../functions-operators/spatial-functions.md#esql-st_disjoint)
+* [`ST_CONTAINS`](../../functions-operators/spatial-functions.md#esql-st_contains)
+* [`ST_WITHIN`](../../functions-operators/spatial-functions.md#esql-st_within)
+* [`ST_X`](../../functions-operators/spatial-functions.md#esql-st_x)
+* [`ST_Y`](../../functions-operators/spatial-functions.md#esql-st_y)
+* [preview] [`ST_ENVELOPE`](../../functions-operators/spatial-functions.md#esql-st_envelope)
+* [preview] [`ST_XMAX`](../../functions-operators/spatial-functions.md#esql-st_xmax)
+* [preview] [`ST_XMIN`](../../functions-operators/spatial-functions.md#esql-st_xmin)
+* [preview] [`ST_YMAX`](../../functions-operators/spatial-functions.md#esql-st_ymax)
+* [preview] [`ST_YMIN`](../../functions-operators/spatial-functions.md#esql-st_ymin)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/string-functions.md b/docs/reference/query-languages/esql/_snippets/lists/string-functions.md
index 7e1e5f38cf8c3..612f59d7056a6 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/string-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/string-functions.md
@@ -1,26 +1,26 @@
-* [`BIT_LENGTH`](../../esql-functions-operators.md#esql-bit_length)
-* [`BYTE_LENGTH`](../../esql-functions-operators.md#esql-byte_length)
-* [`CONCAT`](../../esql-functions-operators.md#esql-concat)
-* [`ENDS_WITH`](../../esql-functions-operators.md#esql-ends_with)
-* [`FROM_BASE64`](../../esql-functions-operators.md#esql-from_base64)
-* [`HASH`](../../esql-functions-operators.md#esql-hash)
-* [`LEFT`](../../esql-functions-operators.md#esql-left)
-* [`LENGTH`](../../esql-functions-operators.md#esql-length)
-* [`LOCATE`](../../esql-functions-operators.md#esql-locate)
-* [`LTRIM`](../../esql-functions-operators.md#esql-ltrim)
-* [`MD5`](../../esql-functions-operators.md#esql-md5)
-* [`REPEAT`](../../esql-functions-operators.md#esql-repeat)
-* [`REPLACE`](../../esql-functions-operators.md#esql-replace)
-* [`REVERSE`](../../esql-functions-operators.md#esql-reverse)
-* [`RIGHT`](../../esql-functions-operators.md#esql-right)
-* [`RTRIM`](../../esql-functions-operators.md#esql-rtrim)
-* [`SHA1`](../../esql-functions-operators.md#esql-sha1)
-* [`SHA256`](../../esql-functions-operators.md#esql-sha256)
-* [`SPACE`](../../esql-functions-operators.md#esql-space)
-* [`SPLIT`](../../esql-functions-operators.md#esql-split)
-* [`STARTS_WITH`](../../esql-functions-operators.md#esql-starts_with)
-* [`SUBSTRING`](../../esql-functions-operators.md#esql-substring)
-* [`TO_BASE64`](../../esql-functions-operators.md#esql-to_base64)
-* [`TO_LOWER`](../../esql-functions-operators.md#esql-to_lower)
-* [`TO_UPPER`](../../esql-functions-operators.md#esql-to_upper)
-* [`TRIM`](../../esql-functions-operators.md#esql-trim)
+* [`BIT_LENGTH`](../../functions-operators/string-functions.md#esql-bit_length)
+* [`BYTE_LENGTH`](../../functions-operators/string-functions.md#esql-byte_length)
+* [`CONCAT`](../../functions-operators/string-functions.md#esql-concat)
+* [`ENDS_WITH`](../../functions-operators/string-functions.md#esql-ends_with)
+* [`FROM_BASE64`](../../functions-operators/string-functions.md#esql-from_base64)
+* [`HASH`](../../functions-operators/string-functions.md#esql-hash)
+* [`LEFT`](../../functions-operators/string-functions.md#esql-left)
+* [`LENGTH`](../../functions-operators/string-functions.md#esql-length)
+* [`LOCATE`](../../functions-operators/string-functions.md#esql-locate)
+* [`LTRIM`](../../functions-operators/string-functions.md#esql-ltrim)
+* [`MD5`](../../functions-operators/string-functions.md#esql-md5)
+* [`REPEAT`](../../functions-operators/string-functions.md#esql-repeat)
+* [`REPLACE`](../../functions-operators/string-functions.md#esql-replace)
+* [`REVERSE`](../../functions-operators/string-functions.md#esql-reverse)
+* [`RIGHT`](../../functions-operators/string-functions.md#esql-right)
+* [`RTRIM`](../../functions-operators/string-functions.md#esql-rtrim)
+* [`SHA1`](../../functions-operators/string-functions.md#esql-sha1)
+* [`SHA256`](../../functions-operators/string-functions.md#esql-sha256)
+* [`SPACE`](../../functions-operators/string-functions.md#esql-space)
+* [`SPLIT`](../../functions-operators/string-functions.md#esql-split)
+* [`STARTS_WITH`](../../functions-operators/string-functions.md#esql-starts_with)
+* [`SUBSTRING`](../../functions-operators/string-functions.md#esql-substring)
+* [`TO_BASE64`](../../functions-operators/string-functions.md#esql-to_base64)
+* [`TO_LOWER`](../../functions-operators/string-functions.md#esql-to_lower)
+* [`TO_UPPER`](../../functions-operators/string-functions.md#esql-to_upper)
+* [`TRIM`](../../functions-operators/string-functions.md#esql-trim)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/suffix-operators.md b/docs/reference/query-languages/esql/_snippets/lists/suffix-operators.md
new file mode 100644
index 0000000000000..55225e6084bf9
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/lists/suffix-operators.md
@@ -0,0 +1,2 @@
+* [`IS NULL`](../../functions-operators/operators.md#esql-is_null)
+* [`IS NOT NULL`](../../functions-operators/operators.md#esql-is_not_null)
diff --git a/docs/reference/query-languages/esql/_snippets/lists/type-conversion-functions.md b/docs/reference/query-languages/esql/_snippets/lists/type-conversion-functions.md
index a3221f621f2ac..59da01b8578db 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/type-conversion-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/type-conversion-functions.md
@@ -1,18 +1,18 @@
-* [`TO_BOOLEAN`](../../esql-functions-operators.md#esql-to_boolean)
-* [`TO_CARTESIANPOINT`](../../esql-functions-operators.md#esql-to_cartesianpoint)
-* [`TO_CARTESIANSHAPE`](../../esql-functions-operators.md#esql-to_cartesianshape)
-* [preview] [`TO_DATEPERIOD`](../../esql-functions-operators.md#esql-to_dateperiod)
-* [`TO_DATETIME`](../../esql-functions-operators.md#esql-to_datetime)
-* [`TO_DATE_NANOS`](../../esql-functions-operators.md#esql-to_date_nanos)
-* [`TO_DEGREES`](../../esql-functions-operators.md#esql-to_degrees)
-* [`TO_DOUBLE`](../../esql-functions-operators.md#esql-to_double)
-* [`TO_GEOPOINT`](../../esql-functions-operators.md#esql-to_geopoint)
-* [`TO_GEOSHAPE`](../../esql-functions-operators.md#esql-to_geoshape)
-* [`TO_INTEGER`](../../esql-functions-operators.md#esql-to_integer)
-* [`TO_IP`](../../esql-functions-operators.md#esql-to_ip)
-* [`TO_LONG`](../../esql-functions-operators.md#esql-to_long)
-* [`TO_RADIANS`](../../esql-functions-operators.md#esql-to_radians)
-* [`TO_STRING`](../../esql-functions-operators.md#esql-to_string)
-* [preview] [`TO_TIMEDURATION`](../../esql-functions-operators.md#esql-to_timeduration)
-* [preview] [`TO_UNSIGNED_LONG`](../../esql-functions-operators.md#esql-to_unsigned_long)
-* [`TO_VERSION`](../../esql-functions-operators.md#esql-to_version)
+* [`TO_BOOLEAN`](../../functions-operators/type-conversion-functions.md#esql-to_boolean)
+* [`TO_CARTESIANPOINT`](../../functions-operators/type-conversion-functions.md#esql-to_cartesianpoint)
+* [`TO_CARTESIANSHAPE`](../../functions-operators/type-conversion-functions.md#esql-to_cartesianshape)
+* [preview] [`TO_DATEPERIOD`](../../functions-operators/type-conversion-functions.md#esql-to_dateperiod)
+* [`TO_DATETIME`](../../functions-operators/type-conversion-functions.md#esql-to_datetime)
+* [`TO_DATE_NANOS`](../../functions-operators/type-conversion-functions.md#esql-to_date_nanos)
+* [`TO_DEGREES`](../../functions-operators/type-conversion-functions.md#esql-to_degrees)
+* [`TO_DOUBLE`](../../functions-operators/type-conversion-functions.md#esql-to_double)
+* [`TO_GEOPOINT`](../../functions-operators/type-conversion-functions.md#esql-to_geopoint)
+* [`TO_GEOSHAPE`](../../functions-operators/type-conversion-functions.md#esql-to_geoshape)
+* [`TO_INTEGER`](../../functions-operators/type-conversion-functions.md#esql-to_integer)
+* [`TO_IP`](../../functions-operators/type-conversion-functions.md#esql-to_ip)
+* [`TO_LONG`](../../functions-operators/type-conversion-functions.md#esql-to_long)
+* [`TO_RADIANS`](../../functions-operators/type-conversion-functions.md#esql-to_radians)
+* [`TO_STRING`](../../functions-operators/type-conversion-functions.md#esql-to_string)
+* [preview] [`TO_TIMEDURATION`](../../functions-operators/type-conversion-functions.md#esql-to_timeduration)
+* [preview] [`TO_UNSIGNED_LONG`](../../functions-operators/type-conversion-functions.md#esql-to_unsigned_long)
+* [`TO_VERSION`](../../functions-operators/type-conversion-functions.md#esql-to_version)
diff --git a/docs/reference/query-languages/esql/_snippets/math-functions.md b/docs/reference/query-languages/esql/_snippets/math-functions.md
deleted file mode 100644
index 9b0123ad4a776..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/math-functions.md
+++ /dev/null
@@ -1,83 +0,0 @@
-## {{esql}} mathematical functions [esql-math-functions]
-
-
-{{esql}} supports these mathematical functions:
-
-:::{include} lists/math-functions.md
-:::
-
-:::{include} functions/layout/abs.md
-:::
-
-:::{include} functions/layout/acos.md
-:::
-
-:::{include} functions/layout/asin.md
-:::
-
-:::{include} functions/layout/atan.md
-:::
-
-:::{include} functions/layout/atan2.md
-:::
-
-:::{include} functions/layout/cbrt.md
-:::
-
-:::{include} functions/layout/ceil.md
-:::
-
-:::{include} functions/layout/cos.md
-:::
-
-:::{include} functions/layout/cosh.md
-:::
-
-:::{include} functions/layout/e.md
-:::
-
-:::{include} functions/layout/exp.md
-:::
-
-:::{include} functions/layout/floor.md
-:::
-
-:::{include} functions/layout/hypot.md
-:::
-
-:::{include} functions/layout/log.md
-:::
-
-:::{include} functions/layout/log10.md
-:::
-
-:::{include} functions/layout/pi.md
-:::
-
-:::{include} functions/layout/pow.md
-:::
-
-:::{include} functions/layout/round.md
-:::
-
-:::{include} functions/layout/signum.md
-:::
-
-:::{include} functions/layout/sin.md
-:::
-
-:::{include} functions/layout/sinh.md
-:::
-
-:::{include} functions/layout/sqrt.md
-:::
-
-:::{include} functions/layout/tan.md
-:::
-
-:::{include} functions/layout/tanh.md
-:::
-
-:::{include} functions/layout/tau.md
-:::
-
diff --git a/docs/reference/query-languages/esql/_snippets/mv-functions.md b/docs/reference/query-languages/esql/_snippets/mv-functions.md
deleted file mode 100644
index 330803afafefd..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/mv-functions.md
+++ /dev/null
@@ -1,59 +0,0 @@
-## {{esql}} multivalue functions [esql-mv-functions]
-
-{{esql}} supports these multivalue functions:
-
-:::{include} lists/mv-functions.md
-:::
-
-
-:::{include} functions/layout/mv_append.md
-:::
-
-:::{include} functions/layout/mv_avg.md
-:::
-
-:::{include} functions/layout/mv_concat.md
-:::
-
-:::{include} functions/layout/mv_count.md
-:::
-
-:::{include} functions/layout/mv_dedupe.md
-:::
-
-:::{include} functions/layout/mv_first.md
-:::
-
-:::{include} functions/layout/mv_last.md
-:::
-
-:::{include} functions/layout/mv_max.md
-:::
-
-:::{include} functions/layout/mv_median.md
-:::
-
-:::{include} functions/layout/mv_median_absolute_deviation.md
-:::
-
-:::{include} functions/layout/mv_min.md
-:::
-
-:::{include} functions/layout/mv_percentile.md
-:::
-
-:::{include} functions/layout/mv_pseries_weighted_sum.md
-:::
-
-:::{include} functions/layout/mv_slice.md
-:::
-
-:::{include} functions/layout/mv_sort.md
-:::
-
-:::{include} functions/layout/mv_sum.md
-:::
-
-:::{include} functions/layout/mv_zip.md
-:::
-
diff --git a/docs/reference/query-languages/esql/_snippets/operators.md b/docs/reference/query-languages/esql/_snippets/operators.md
deleted file mode 100644
index 8569f70213d3a..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/operators.md
+++ /dev/null
@@ -1,32 +0,0 @@
-## {{esql}} operators [esql-operators]
-
-Boolean operators for comparing against one or multiple expressions.
-
-:::{include} lists/operators.md
-:::
-
-% And now the actual content
-
-:::{include} operators/binary.md
-:::
-
-:::{include} operators/unary.md
-:::
-
-:::{include} operators/logical.md
-:::
-
-:::{include} operators/predicates.md
-:::
-
-:::{include} operators/cast.md
-:::
-
-:::{include} operators/in.md
-:::
-
-:::{include} operators/like-and-rlike.md
-:::
-
-:::{include} operators/search.md
-:::
diff --git a/docs/reference/query-languages/esql/_snippets/operators/detailedDescription/div.md b/docs/reference/query-languages/esql/_snippets/operators/detailedDescription/div.md index 075b3232b6583..421bddcda0c4e 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/detailedDescription/div.md +++ b/docs/reference/query-languages/esql/_snippets/operators/detailedDescription/div.md @@ -1,6 +1,6 @@ ::::{note} -Division of two integer types will yield an integer result, rounding towards 0. If you need floating point division, [`Cast (::)`](/reference/query-languages/esql/esql-functions-operators.md#esql-cast-operator) one of the arguments to a `DOUBLE`. +Division of two integer types will yield an integer result, rounding towards 0. If you need floating point division, [`Cast (::)`](/reference/query-languages/esql/functions-operators/operators.md#esql-cast-operator) one of the arguments to a `DOUBLE`. :::: diff --git a/docs/reference/query-languages/esql/_snippets/operators/examples/match_operator.md b/docs/reference/query-languages/esql/_snippets/operators/examples/match_operator.md index 9fd7c5aab2a3d..858765557f8c7 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/examples/match_operator.md +++ b/docs/reference/query-languages/esql/_snippets/operators/examples/match_operator.md @@ -4,7 +4,7 @@ ```esql FROM books -| WHERE MATCH(author, "Faulkner") +| WHERE author:"Faulkner" ``` | book_no:keyword | author:text | diff --git a/docs/reference/query-languages/esql/_snippets/operators/infix.md b/docs/reference/query-languages/esql/_snippets/operators/infix.md new file mode 100644 index 0000000000000..729f23b71561e --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/operators/infix.md 
@@ -0,0 +1,20 @@ +## Infix operators [esql-infix-operators] + +:::{include} ../lists/infix-operators.md +::: + + +:::{include} layout/cast.md +::: + +:::{include} layout/in.md +::: + +:::{include} layout/like.md +::: + +:::{include} layout/rlike.md +::: + +:::{include} layout/match_operator.md +::: diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/add.md b/docs/reference/query-languages/esql/_snippets/operators/layout/add.md index 81d9e234dedf5..cd67b7e822f33 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/add.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/add.md @@ -1,4 +1,4 @@ -## Add `+` [esql-add] +### Add `+` [esql-add] :::{image} ../../../images/operators/add.svg :alt: Embedded diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/cast.md b/docs/reference/query-languages/esql/_snippets/operators/layout/cast.md index d0fcda92b6f9e..fa7e404b57bea 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/cast.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/cast.md @@ -1,11 +1,11 @@ -## `Cast (::)` [esql-cast-operator] +### Cast (`::`) [esql-cast-operator] :::{image} ../../../images/operators/cast.svg :alt: Embedded :class: text-center ::: -The `::` operator provides a convenient alternative syntax to the TO_ [conversion functions](../../../esql-functions-operators.md#esql-type-conversion-functions). +The `::` operator provides a convenient alternative syntax to the TO_ [conversion functions](../../../functions-operators/type-conversion-functions.md). :::{include} ../examples/cast.md diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/div.md b/docs/reference/query-languages/esql/_snippets/operators/layout/div.md index 85b6e49dafcff..2e54ce2cc3c7e 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/div.md 
+++ b/docs/reference/query-languages/esql/_snippets/operators/layout/div.md @@ -1,4 +1,4 @@ -## Divide `/` [esql-div] +### Divide `/` [esql-div] :::{image} ../../../images/operators/div.svg :alt: Embedded diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/equals.md b/docs/reference/query-languages/esql/_snippets/operators/layout/equals.md index 8829bff8b3a04..3d391e34401bd 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/equals.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/equals.md @@ -1,4 +1,4 @@ -## Equality [esql-equals] +### Equality [esql-equals] **Syntax** diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/greater_than.md b/docs/reference/query-languages/esql/_snippets/operators/layout/greater_than.md index 2fa5d8b5127b8..702ca400fdceb 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/greater_than.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/greater_than.md @@ -1,4 +1,4 @@ -## Greater than `>` [esql-greater_than] +### Greater than `>` [esql-greater_than] :::{image} ../../../images/operators/greater_than.svg :alt: Embedded diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/greater_than_or_equal.md b/docs/reference/query-languages/esql/_snippets/operators/layout/greater_than_or_equal.md index 9fd703b0c9f2b..61d8bf1f3f07f 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/greater_than_or_equal.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/greater_than_or_equal.md @@ -1,4 +1,4 @@ -## Greater than or equal to `>=` [esql-greater_than_or_equal] +### Greater than or equal to `>=` [esql-greater_than_or_equal] :::{image} ../../../images/operators/greater_than_or_equal.svg :alt: Embedded 
diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/in.md b/docs/reference/query-languages/esql/_snippets/operators/layout/in.md index b7637c4ad8f74..e02de940c4fb4 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/in.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/in.md @@ -1,4 +1,9 @@ -## `IN` [esql-in-operator] +### `IN` [esql-in-operator] + +:::{image} ../../../images/operators/in.svg +:alt: Embedded +:class: text-center +::: The `IN` operator allows testing whether a field or expression equals an element in a list of literals, fields or expressions. diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/is_not_null.md b/docs/reference/query-languages/esql/_snippets/operators/layout/is_not_null.md new file mode 100644 index 0000000000000..c158363a27262 --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/is_not_null.md @@ -0,0 +1,11 @@ +### `IS NOT NULL` [esql-is_not_null] + +For NULL comparison, use the `IS NULL` and `IS NOT NULL` predicates. + +:::{image} ../../../images/operators/is_not_null.svg +:alt: Embedded +:class: text-center +::: + +:::{include} ../examples/is_not_null.md +::: diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/is_null.md b/docs/reference/query-languages/esql/_snippets/operators/layout/is_null.md new file mode 100644 index 0000000000000..7abaf8c5bf34b --- /dev/null +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/is_null.md @@ -0,0 +1,11 @@ +### `IS NULL` [esql-is_null] + +For NULL comparison, use the `IS NULL` and `IS NOT NULL` predicates. + +:::{image} ../../../images/operators/is_null.svg +:alt: Embedded +:class: text-center +::: + +:::{include} ../examples/is_null.md +::: 
diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/less_than.md b/docs/reference/query-languages/esql/_snippets/operators/layout/less_than.md index 4bf76103e0d98..98511df7812be 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/less_than.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/less_than.md @@ -1,4 +1,4 @@ -## Less than `<` [esql-less_than] +### Less than `<` [esql-less_than] :::{image} ../../../images/operators/less_than.svg :alt: Embedded diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/less_than_or_equal.md b/docs/reference/query-languages/esql/_snippets/operators/layout/less_than_or_equal.md index 9bf566daac338..6c5f023a37e6f 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/less_than_or_equal.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/less_than_or_equal.md @@ -1,4 +1,4 @@ -## Less than or equal to `<=` [esql-less_than_or_equal] +### Less than or equal to `<=` [esql-less_than_or_equal] :::{image} ../../../images/operators/less_than_or_equal.svg :alt: Embedded diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/like.md b/docs/reference/query-languages/esql/_snippets/operators/layout/like.md index e9634022f0f4b..0f2f596ccb0a2 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/like.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/like.md @@ -1,4 +1,9 @@ -## `LIKE` [esql-like] +### `LIKE` [esql-like] + +:::{image} ../../../images/operators/like.svg +:alt: Embedded +:class: text-center +::: Use `LIKE` to filter data based on string patterns using wildcards. `LIKE` usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) expression. The right-hand side of the operator represents the pattern. 
diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/match_operator.md b/docs/reference/query-languages/esql/_snippets/operators/layout/match_operator.md index bec6a313e2b76..3f9acb7d89738 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/match_operator.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/match_operator.md @@ -1,3 +1,5 @@ +### Match operator (`:`) [esql-match-operator] + The only search operator is match (`:`). **Syntax** @@ -15,9 +17,9 @@ Do not use on production environments. This functionality is in technical previe The match operator performs a [match query](/reference/query-languages/query-dsl/query-dsl-match-query.md) on the specified field. Returns true if the provided query matches the row. -The match operator is equivalent to the [match function](../../../esql-functions-operators.md#esql-match). +The match operator is equivalent to the [match function](../../../functions-operators/search-functions.md#esql-match). -For using the function syntax, or adding [match query parameters](/reference/query-languages/query-dsl/query-dsl-match-query.md#match-field-params), you can use the [match function](../../../esql-functions-operators.md#esql-match). +For using the function syntax, or adding [match query parameters](/reference/query-languages/query-dsl/query-dsl-match-query.md#match-field-params), you can use the [match function](../../../functions-operators/search-functions.md#esql-match). :::{include} ../types/match_operator.md diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/mod.md b/docs/reference/query-languages/esql/_snippets/operators/layout/mod.md index d3fd36fd544b3..e17edff78fa00 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/mod.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/mod.md 
@@ -1,4 +1,4 @@ -## Modulus `%` [esql-mod] +### Modulus `%` [esql-mod] :::{image} ../../../images/operators/mod.svg :alt: Embedded diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/mul.md b/docs/reference/query-languages/esql/_snippets/operators/layout/mul.md index 5a5f31cb772ee..05f1062a6f9c2 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/mul.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/mul.md @@ -1,4 +1,4 @@ -## Multiply `*` [esql-mul] +### Multiply `*` [esql-mul] :::{image} ../../../images/operators/mul.svg :alt: Embedded diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/not_equals.md b/docs/reference/query-languages/esql/_snippets/operators/layout/not_equals.md index c1bf571246bd3..6fff6b080e74c 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/not_equals.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/not_equals.md @@ -1,4 +1,4 @@ -## Inequality `!=` [esql-not_equals] +### Inequality `!=` [esql-not_equals] :::{image} ../../../images/operators/not_equals.svg :alt: Embedded diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/predicates.md b/docs/reference/query-languages/esql/_snippets/operators/layout/predicates.md deleted file mode 100644 index 3b144f9fd2e8b..0000000000000 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/predicates.md +++ /dev/null @@ -1,7 +0,0 @@ -## `IS NULL` and `IS NOT NULL` predicates [esql-predicates] - -For NULL comparison, use the `IS NULL` and `IS NOT NULL` predicates. - - -:::{include} ../examples/predicates.md -::: diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/rlike.md b/docs/reference/query-languages/esql/_snippets/operators/layout/rlike.md index cd928a01aaf34..1a6cfb6c37713 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/rlike.md 
+++ b/docs/reference/query-languages/esql/_snippets/operators/layout/rlike.md @@ -1,7 +1,11 @@ -## `RLIKE` [esql-rlike] +### `RLIKE` [esql-rlike] -Use `RLIKE` to filter data based on string patterns using using [regular expressions](/reference/query-languages/query-dsl/regexp-syntax.md). `RLIKE` usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) expression. The right-hand side of the operator represents the pattern. +:::{image} ../../../images/operators/rlike.svg +:alt: Embedded +:class: text-center +::: +Use `RLIKE` to filter data based on string patterns using using [regular expressions](/reference/query-languages/query-dsl/regexp-syntax.md). `RLIKE` usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) expression. The right-hand side of the operator represents the pattern. :::{include} ../types/rlike.md ::: diff --git a/docs/reference/query-languages/esql/_snippets/operators/layout/sub.md b/docs/reference/query-languages/esql/_snippets/operators/layout/sub.md index 2564393780ff3..40b5ae090ad75 100644 --- a/docs/reference/query-languages/esql/_snippets/operators/layout/sub.md +++ b/docs/reference/query-languages/esql/_snippets/operators/layout/sub.md @@ -1,4 +1,4 @@ -## Subtract `-` [esql-sub] +### Subtract `-` [esql-sub] :::{image} ../../../images/operators/sub.svg :alt: Embedded diff --git a/docs/reference/query-languages/esql/_snippets/operators/predicates.md b/docs/reference/query-languages/esql/_snippets/operators/predicates.md deleted file mode 100644 index 89e682f541b37..0000000000000 --- a/docs/reference/query-languages/esql/_snippets/operators/predicates.md +++ /dev/null @@ -1,3 +0,0 @@ -:::{include} layout/predicates.md -::: - diff --git a/docs/reference/query-languages/esql/_snippets/operators/search.md b/docs/reference/query-languages/esql/_snippets/operators/search.md deleted file mode 100644 index 6c629e8335bdd..0000000000000 
--- a/docs/reference/query-languages/esql/_snippets/operators/search.md
+++ /dev/null
@@ -1,5 +0,0 @@
-## Search operators [esql-search-operators]
-
-:::{include} layout/match_operator.md
-:::
-
diff --git a/docs/reference/query-languages/esql/_snippets/operators/suffix.md b/docs/reference/query-languages/esql/_snippets/operators/suffix.md
new file mode 100644
index 0000000000000..b55bf8d3142fd
--- /dev/null
+++ b/docs/reference/query-languages/esql/_snippets/operators/suffix.md
@@ -0,0 +1,11 @@
+## Suffix operators [esql-suffix-operators]
+
+:::{include} ../lists/suffix-operators.md
+:::
+
+
+:::{include} layout/is_null.md
+:::
+
+:::{include} layout/is_not_null.md
+:::
diff --git a/docs/reference/query-languages/esql/_snippets/search-functions.md b/docs/reference/query-languages/esql/_snippets/search-functions.md
deleted file mode 100644
index 0c48adf063f6d..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/search-functions.md
+++ /dev/null
@@ -1,31 +0,0 @@
-## {{esql}} Full-text search functions [esql-search-functions]
-
-
-Full text functions are used to search for text in fields. [Text analysis](docs-content://manage-data/data-store/text-analysis.md) is used to analyze the query before it is searched.
-
-Full text functions can be used to match [multivalued fields](/reference/query-languages/esql/esql-multivalued-fields.md). A multivalued field that contains a value that matches a full text query is considered to match the query.
-
-Full text functions are significantly more performant for text search use cases on large data sets than using pattern matching or regular expressions with `LIKE` or `RLIKE`
-
-See [full text search limitations](/reference/query-languages/esql/limitations.md#esql-limitations-full-text-search) for information on the limitations of full text search.
-
-{{esql}} supports these full-text search functions:
-
-:::{include} lists/search-functions.md
-:::
-
-
-:::{include} functions/layout/kql.md
-:::
-
-:::{include} functions/layout/match.md
-:::
-
-:::{include} functions/layout/qstr.md
-:::
-
-% TERM is currently a hidden feature
-% To make it visible again, uncomment this and the line in lists/search-functions.md
-% :::{include} functions/layout/term.md
-% :::
-
diff --git a/docs/reference/query-languages/esql/_snippets/spatial-functions.md b/docs/reference/query-languages/esql/_snippets/spatial-functions.md
deleted file mode 100644
index d3a32ec57ad2f..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/spatial-functions.md
+++ /dev/null
@@ -1,44 +0,0 @@
-## {{esql}} spatial functions [esql-spatial-functions]
-
-{{esql}} supports these spatial functions:
-
-:::{include} lists/spatial-functions.md
-:::
-
-
-:::{include} functions/layout/st_distance.md
-:::
-
-:::{include} functions/layout/st_intersects.md
-:::
-
-:::{include} functions/layout/st_disjoint.md
-:::
-
-:::{include} functions/layout/st_contains.md
-:::
-
-:::{include} functions/layout/st_within.md
-:::
-
-:::{include} functions/layout/st_x.md
-:::
-
-:::{include} functions/layout/st_y.md
-:::
-
-:::{include} functions/layout/st_envelope.md
-:::
-
-:::{include} functions/layout/st_xmax.md
-:::
-
-:::{include} functions/layout/st_xmin.md
-:::
-
-:::{include} functions/layout/st_ymax.md
-:::
-
-:::{include} functions/layout/st_ymin.md
-:::
-
diff --git a/docs/reference/query-languages/esql/_snippets/string-functions.md b/docs/reference/query-languages/esql/_snippets/string-functions.md
deleted file mode 100644
index 1f43d0e22ad7f..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/string-functions.md
+++ /dev/null
@@ -1,86 +0,0 @@
-## {{esql}} string functions [esql-string-functions]
-
-{{esql}} supports these string functions:
-
-:::{include} lists/string-functions.md
-:::
-
-
-:::{include} functions/layout/bit_length.md
-:::
-
-:::{include} functions/layout/byte_length.md
-:::
-
-:::{include} functions/layout/concat.md
-:::
-
-:::{include} functions/layout/ends_with.md
-:::
-
-:::{include} functions/layout/from_base64.md
-:::
-
-:::{include} functions/layout/hash.md
-:::
-
-:::{include} functions/layout/left.md
-:::
-
-:::{include} functions/layout/length.md
-:::
-
-:::{include} functions/layout/locate.md
-:::
-
-:::{include} functions/layout/ltrim.md
-:::
-
-:::{include} functions/layout/md5.md
-:::
-
-:::{include} functions/layout/repeat.md
-:::
-
-:::{include} functions/layout/replace.md
-:::
-
-:::{include} functions/layout/reverse.md
-:::
-
-:::{include} functions/layout/right.md
-:::
-
-:::{include} functions/layout/rtrim.md
-:::
-
-:::{include} functions/layout/sha1.md
-:::
-
-:::{include} functions/layout/sha256.md
-:::
-
-:::{include} functions/layout/space.md
-:::
-
-:::{include} functions/layout/split.md
-:::
-
-:::{include} functions/layout/starts_with.md
-:::
-
-:::{include} functions/layout/substring.md
-:::
-
-:::{include} functions/layout/to_base64.md
-:::
-
-:::{include} functions/layout/to_lower.md
-:::
-
-:::{include} functions/layout/to_upper.md
-:::
-
-:::{include} functions/layout/trim.md
-:::
-
diff --git a/docs/reference/query-languages/esql/_snippets/type-conversion-functions.md b/docs/reference/query-languages/esql/_snippets/type-conversion-functions.md
deleted file mode 100644
index b58b851189479..0000000000000
--- a/docs/reference/query-languages/esql/_snippets/type-conversion-functions.md
+++ /dev/null
@@ -1,69 +0,0 @@
-## {{esql}} type conversion functions [esql-type-conversion-functions]
-
-
-::::{tip}
-{{esql}} supports implicit casting from string literals to certain data types. Refer to [implicit casting](/reference/query-languages/esql/esql-implicit-casting.md) for details.
-
-::::
-
-
-{{esql}} supports these type conversion functions:
-
-:::{include} lists/type-conversion-functions.md
-:::
-
-
-:::{include} functions/layout/to_boolean.md
-:::
-
-:::{include} functions/layout/to_cartesianpoint.md
-:::
-
-:::{include} functions/layout/to_cartesianshape.md
-:::
-
-:::{include} functions/layout/to_dateperiod.md
-:::
-
-:::{include} functions/layout/to_datetime.md
-:::
-
-:::{include} functions/layout/to_date_nanos.md
-:::
-
-:::{include} functions/layout/to_degrees.md
-:::
-
-:::{include} functions/layout/to_double.md
-:::
-
-:::{include} functions/layout/to_geopoint.md
-:::
-
-:::{include} functions/layout/to_geoshape.md
-:::
-
-:::{include} functions/layout/to_integer.md
-:::
-
-:::{include} functions/layout/to_ip.md
-:::
-
-:::{include} functions/layout/to_long.md
-:::
-
-:::{include} functions/layout/to_radians.md
-:::
-
-:::{include} functions/layout/to_string.md
-:::
-
-:::{include} functions/layout/to_timeduration.md
-:::
-
-:::{include} functions/layout/to_unsigned_long.md
-:::
-
-:::{include} functions/layout/to_version.md
-:::
-
diff --git a/docs/reference/query-languages/esql/processing-commands/inlinestats.disabled b/docs/reference/query-languages/esql/commands/inlinestats.disabled
similarity index 100%
rename from docs/reference/query-languages/esql/processing-commands/inlinestats.disabled
rename to docs/reference/query-languages/esql/commands/inlinestats.disabled
diff --git a/docs/reference/query-languages/esql/processing-commands/lookup.disabled b/docs/reference/query-languages/esql/commands/lookup.disabled
similarity index 100%
rename from docs/reference/query-languages/esql/processing-commands/lookup.disabled
rename to docs/reference/query-languages/esql/commands/lookup.disabled
diff --git a/docs/reference/query-languages/esql/commands/processing-commands.md b/docs/reference/query-languages/esql/commands/processing-commands.md
new file mode 100644
index 0000000000000..c2a295e2f229b
--- /dev/null
+++ b/docs/reference/query-languages/esql/commands/processing-commands.md
@@ -0,0 +1,57 @@
+---
+navigation_title: "Processing commands"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/commands/processing-commands.html
+---
+
+# {{esql}} processing commands [esql-processing-commands]
+
+{{esql}} processing commands change an input table by adding, removing, or changing rows and columns.
+
+:::{image} ../../images/processing-command.svg
+:alt: A processing command changing an input table
+:::
+
+{{esql}} supports these processing commands:
+
+:::{include} ../_snippets/lists/processing-commands.md
+:::
+
+:::{include} ../_snippets/commands/layout/dissect.md
+:::
+
+:::{include} ../_snippets/commands/layout/drop.md
+:::
+
+:::{include} ../_snippets/commands/layout/enrich.md
+:::
+
+:::{include} ../_snippets/commands/layout/eval.md
+:::
+
+:::{include} ../_snippets/commands/layout/grok.md
+:::
+
+:::{include} ../_snippets/commands/layout/keep.md
+:::
+
+:::{include} ../_snippets/commands/layout/limit.md
+:::
+
+:::{include} ../_snippets/commands/layout/lookup-join.md
+:::
+
+:::{include} ../_snippets/commands/layout/mv_expand.md
+:::
+
+:::{include} ../_snippets/commands/layout/rename.md
+:::
+
+:::{include} ../_snippets/commands/layout/sort.md
+:::
+
+:::{include} ../_snippets/commands/layout/stats-by.md
+:::
+
+:::{include} ../_snippets/commands/layout/where.md
+:::
diff --git a/docs/reference/query-languages/esql/commands/source-commands.md b/docs/reference/query-languages/esql/commands/source-commands.md new file mode 100644 index 0000000000000..e253d898874f2 --- /dev/null +++ b/docs/reference/query-languages/esql/commands/source-commands.md @@ -0,0 +1,28 @@ +--- +navigation_title: "Source commands" +mapped_pages: + - https://www.elastic.co/guide/en/elasticsearch/reference/current/commands/source-commands.html +--- + +# {{esql}} source commands [esql-source-commands] + +An {{esql}} source command produces a table, typically with data from {{es}}. An {{esql}} query must start with a source command. + +:::{image} ../../images/source-command.svg +:alt: A source command producing a table from {{es}} +::: + +{{esql}} supports these source commands: + +:::{include} ../_snippets/lists/source-commands.md +::: + +:::{include} ../_snippets/commands/layout/from.md +::: + +:::{include} ../_snippets/commands/layout/row.md +::: + +:::{include} ../_snippets/commands/layout/show.md +::: + diff --git a/docs/reference/query-languages/esql/esql-commands.md b/docs/reference/query-languages/esql/esql-commands.md index 0e2b679d0f101..9c5ec270ecd2a 100644 --- a/docs/reference/query-languages/esql/esql-commands.md +++ b/docs/reference/query-languages/esql/esql-commands.md @@ -16,10 +16,8 @@ An {{esql}} source command produces a table, typically with data from {{es}}. An {{esql}} supports these source commands: -* [`FROM`](#esql-from) -* [`ROW`](#esql-row) -* [`SHOW`](#esql-show) - +:::{include} _snippets/lists/source-commands.md +::: ## Processing commands [esql-processing-commands] 
@@ -31,1295 +29,5 @@ An {{esql}} source command produces a table, typically with data from {{es}}. An {{esql}} supports these processing commands: -* [`DISSECT`](#esql-dissect) -* [`DROP`](#esql-drop) -* [`ENRICH`](#esql-enrich) -* [`EVAL`](#esql-eval) -* [`GROK`](#esql-grok) -* [`KEEP`](#esql-keep) -* [`LIMIT`](#esql-limit) -* [preview] [`LOOKUP JOIN`](#esql-lookup-join) -* [preview] [`MV_EXPAND`](#esql-mv_expand) -* [`RENAME`](#esql-rename) -* [`SORT`](#esql-sort) -* [`STATS`](#esql-stats-by) -* [`WHERE`](#esql-where) - - -## `FROM` [esql-from] - -The `FROM` source command returns a table with data from a data stream, index, or alias. - -**Syntax** - -```esql -FROM index_pattern [METADATA fields] -``` - -**Parameters** - -`index_pattern` -: A list of indices, data streams or aliases. Supports wildcards and date math. - -`fields` -: A comma-separated list of [metadata fields](/reference/query-languages/esql/esql-metadata-fields.md) to retrieve. - -**Description** - -The `FROM` source command returns a table with data from a data stream, index, or alias. Each row in the resulting table represents a document. Each column corresponds to a field, and can be accessed by the name of that field. - -::::{note} -By default, an {{esql}} query without an explicit [`LIMIT`](#esql-limit) uses an implicit limit of 1000. This applies to `FROM` too. A `FROM` command without `LIMIT`: - -```esql -FROM employees -``` - -is executed as: - -```esql -FROM employees -| LIMIT 1000 -``` - -:::: - - -**Examples** - -```esql -FROM employees -``` - -You can use [date math](/reference/elasticsearch/rest-apis/api-conventions.md#api-date-math-index-names) to refer to indices, aliases and data streams. 
This can be useful for time series data, for example to access today’s index: - -```esql -FROM -``` - -Use comma-separated lists or wildcards to [query multiple data streams, indices, or aliases](docs-content://explore-analyze/query-filter/languages/esql-multi-index.md): - -```esql -FROM employees-00001,other-employees-* -``` - -Use the format `:` to [query data streams and indices on remote clusters](docs-content://explore-analyze/query-filter/languages/esql-cross-clusters.md): - -```esql -FROM cluster_one:employees-00001,cluster_two:other-employees-* -``` - -Use the optional `METADATA` directive to enable [metadata fields](/reference/query-languages/esql/esql-metadata-fields.md): - -```esql -FROM employees METADATA _id -``` - -Use enclosing double quotes (`"`) or three enclosing double quotes (`"""`) to escape index names that contain special characters: - -```esql -FROM "this=that", """this[that""" -``` - - -## `ROW` [esql-row] - -The `ROW` source command produces a row with one or more columns with values that you specify. This can be useful for testing. - -**Syntax** - -```esql -ROW column1 = value1[, ..., columnN = valueN] -``` - -**Parameters** - -`columnX` -: The column name. In case of duplicate column names, only the rightmost duplicate creates a column. - -`valueX` -: The value for the column. Can be a literal, an expression, or a [function](/reference/query-languages/esql/esql-functions-operators.md#esql-functions). - -**Examples** - -```esql -ROW a = 1, b = "two", c = null -``` - -| a:integer | b:keyword | c:null | -| --- | --- | --- | -| 1 | "two" | null | - -Use square brackets to create multi-value columns: - -```esql -ROW a = [2, 1] -``` - -`ROW` supports the use of [functions](/reference/query-languages/esql/esql-functions-operators.md#esql-functions): - -```esql -ROW a = ROUND(1.23, 0) -``` - - -## `SHOW` [esql-show] - -The `SHOW` source command returns information about the deployment and its capabilities. 
- -**Syntax** - -```esql -SHOW item -``` - -**Parameters** - -`item` -: Can only be `INFO`. - -**Examples** - -Use `SHOW INFO` to return the deployment’s version, build date and hash. - -```esql -SHOW INFO -``` - -| version | date | hash | -| --- | --- | --- | -| 8.13.0 | 2024-02-23T10:04:18.123117961Z | 04ba8c8db2507501c88f215e475de7b0798cb3b3 | - - -## `DISSECT` [esql-dissect] - -`DISSECT` enables you to [extract structured data out of a string](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md). - -**Syntax** - -```esql -DISSECT input "pattern" [APPEND_SEPARATOR=""] -``` - -**Parameters** - -`input` -: The column that contains the string you want to structure. If the column has multiple values, `DISSECT` will process each value. - -`pattern` -: A [dissect pattern](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-dissect-patterns). If a field name conflicts with an existing column, the existing column is dropped. If a field name is used more than once, only the rightmost duplicate creates a column. - -`` -: A string used as the separator between appended values, when using the [append modifier](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-append-modifier). - -**Description** - -`DISSECT` enables you to [extract structured data out of a string](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md). `DISSECT` matches the string against a delimiter-based pattern, and extracts the specified keys as columns. - -Refer to [Process data with `DISSECT`](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-process-data-with-dissect) for the syntax of dissect patterns. 
- -**Examples** - -The following example parses a string that contains a timestamp, some text, and an IP address: - -```esql -ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1" -| DISSECT a """%{date} - %{msg} - %{ip}""" -| KEEP date, msg, ip -``` - -| date:keyword | msg:keyword | ip:keyword | -| --- | --- | --- | -| 2023-01-23T12:15:00.000Z | some text | 127.0.0.1 | - -By default, `DISSECT` outputs keyword string columns. To convert to another type, use [Type conversion functions](/reference/query-languages/esql/esql-functions-operators.md#esql-type-conversion-functions): - -```esql -ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1" -| DISSECT a """%{date} - %{msg} - %{ip}""" -| KEEP date, msg, ip -| EVAL date = TO_DATETIME(date) -``` - -| msg:keyword | ip:keyword | date:date | -| --- | --- | --- | -| some text | 127.0.0.1 | 2023-01-23T12:15:00.000Z | - - -## `DROP` [esql-drop] - -The `DROP` processing command removes one or more columns. - -**Syntax** - -```esql -DROP columns -``` - -**Parameters** - -`columns` -: A comma-separated list of columns to remove. Supports wildcards. - -**Examples** - -```esql -FROM employees -| DROP height -``` - -Rather than specify each column by name, you can use wildcards to drop all columns with a name that matches a pattern: - -```esql -FROM employees -| DROP height* -``` - - -## `ENRICH` [esql-enrich] - -`ENRICH` enables you to add data from existing indices as new columns using an enrich policy. - -**Syntax** - -```esql -ENRICH policy [ON match_field] [WITH [new_name1 = ]field1, [new_name2 = ]field2, ...] -``` - -**Parameters** - -`policy` -: The name of the enrich policy. You need to [create](/reference/query-languages/esql/esql-enrich-data.md#esql-set-up-enrich-policy) and [execute](/reference/query-languages/esql/esql-enrich-data.md#esql-execute-enrich-policy) the enrich policy first. - -`mode` -: The mode of the enrich command in cross cluster {{esql}}. 
See [enrich across clusters](docs-content://explore-analyze/query-filter/languages/esql-cross-clusters.md#ccq-enrich). - -`match_field` -: The match field. `ENRICH` uses its value to look for records in the enrich index. If not specified, the match will be performed on the column with the same name as the `match_field` defined in the [enrich policy](/reference/query-languages/esql/esql-enrich-data.md#esql-enrich-policy). - -`fieldX` -: The enrich fields from the enrich index that are added to the result as new columns. If a column with the same name as the enrich field already exists, the existing column will be replaced by the new column. If not specified, each of the enrich fields defined in the policy is added. A column with the same name as the enrich field will be dropped unless the enrich field is renamed. - -`new_nameX` -: Enables you to change the name of the column that’s added for each of the enrich fields. Defaults to the enrich field name. If a column has the same name as the new name, it will be discarded. If a name (new or original) occurs more than once, only the rightmost duplicate creates a new column. - -**Description** - -`ENRICH` enables you to add data from existing indices as new columns using an enrich policy. Refer to [Data enrichment](/reference/query-languages/esql/esql-enrich-data.md) for information about setting up a policy. - -:::{image} ../images/esql-enrich.png -:alt: esql enrich +:::{include} _snippets/lists/processing-commands.md ::: - -::::{tip} -Before you can use `ENRICH`, you need to [create and execute an enrich policy](/reference/query-languages/esql/esql-enrich-data.md#esql-set-up-enrich-policy). -:::: - - -**Examples** - -The following example uses the `languages_policy` enrich policy to add a new column for each enrich field defined in the policy. 
The match is performed using the `match_field` defined in the [enrich policy](/reference/query-languages/esql/esql-enrich-data.md#esql-enrich-policy) and requires that the input table has a column with the same name (`language_code` in this example). `ENRICH` will look for records in the [enrich index](/reference/query-languages/esql/esql-enrich-data.md#esql-enrich-index) based on the match field value. - -```esql -ROW language_code = "1" -| ENRICH languages_policy -``` - -| language_code:keyword | language_name:keyword | -| --- | --- | -| 1 | English | - -To use a column with a different name than the `match_field` defined in the policy as the match field, use `ON `: - -```esql -ROW a = "1" -| ENRICH languages_policy ON a -``` - -| a:keyword | language_name:keyword | -| --- | --- | -| 1 | English | - -By default, each of the enrich fields defined in the policy is added as a column. To explicitly select the enrich fields that are added, use `WITH , , ...`: - -```esql -ROW a = "1" -| ENRICH languages_policy ON a WITH language_name -``` - -| a:keyword | language_name:keyword | -| --- | --- | -| 1 | English | - -You can rename the columns that are added using `WITH new_name=`: - -```esql -ROW a = "1" -| ENRICH languages_policy ON a WITH name = language_name -``` - -| a:keyword | name:keyword | -| --- | --- | -| 1 | English | - -In case of name collisions, the newly created columns will override existing columns. - - -## `EVAL` [esql-eval] - -The `EVAL` processing command enables you to append new columns with calculated values. - -**Syntax** - -```esql -EVAL [column1 =] value1[, ..., [columnN =] valueN] -``` - -**Parameters** - -`columnX` -: The column name. If a column with the same name already exists, the existing column is dropped. If a column name is used more than once, only the rightmost duplicate creates a column. - -`valueX` -: The value for the column. 
Can be a literal, an expression, or a [function](/reference/query-languages/esql/esql-functions-operators.md#esql-functions). Can use columns defined left of this one. - -**Description** - -The `EVAL` processing command enables you to append new columns with calculated values. `EVAL` supports various functions for calculating values. Refer to [Functions](/reference/query-languages/esql/esql-functions-operators.md#esql-functions) for more information. - -**Examples** - -```esql -FROM employees -| SORT emp_no -| KEEP first_name, last_name, height -| EVAL height_feet = height * 3.281, height_cm = height * 100 -``` - -| first_name:keyword | last_name:keyword | height:double | height_feet:double | height_cm:double | -| --- | --- | --- | --- | --- | -| Georgi | Facello | 2.03 | 6.66043 | 202.99999999999997 | -| Bezalel | Simmel | 2.08 | 6.82448 | 208.0 | -| Parto | Bamford | 1.83 | 6.004230000000001 | 183.0 | - -If the specified column already exists, the existing column will be dropped, and the new column will be appended to the table: - -```esql -FROM employees -| SORT emp_no -| KEEP first_name, last_name, height -| EVAL height = height * 3.281 -``` - -| first_name:keyword | last_name:keyword | height:double | -| --- | --- | --- | -| Georgi | Facello | 6.66043 | -| Bezalel | Simmel | 6.82448 | -| Parto | Bamford | 6.004230000000001 | - -Specifying the output column name is optional. If not specified, the new column name is equal to the expression. 
The following query adds a column named `height*3.281`: - -```esql -FROM employees -| SORT emp_no -| KEEP first_name, last_name, height -| EVAL height * 3.281 -``` - -| first_name:keyword | last_name:keyword | height:double | height * 3.281:double | -| --- | --- | --- | --- | -| Georgi | Facello | 2.03 | 6.66043 | -| Bezalel | Simmel | 2.08 | 6.82448 | -| Parto | Bamford | 1.83 | 6.004230000000001 | - -Because this name contains special characters, [it needs to be quoted](/reference/query-languages/esql/esql-syntax.md#esql-identifiers) with backticks (```) when using it in subsequent commands: - -```esql -FROM employees -| EVAL height * 3.281 -| STATS avg_height_feet = AVG(`height * 3.281`) -``` - -| avg_height_feet:double | -| --- | -| 5.801464200000001 | - - -## `GROK` [esql-grok] - -`GROK` enables you to [extract structured data out of a string](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md). - -**Syntax** - -```esql -GROK input "pattern" -``` - -**Parameters** - -`input` -: The column that contains the string you want to structure. If the column has multiple values, `GROK` will process each value. - -`pattern` -: A grok pattern. If a field name conflicts with an existing column, the existing column is discarded. If a field name is used more than once, a multi-valued column will be created with one value per each occurrence of the field name. - -**Description** - -`GROK` enables you to [extract structured data out of a string](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md). `GROK` matches the string against patterns, based on regular expressions, and extracts the specified patterns as columns. - -Refer to [Process data with `GROK`](/reference/query-languages/esql/esql-process-data-with-dissect-grok.md#esql-process-data-with-grok) for the syntax of grok patterns. 
- -**Examples** - -The following example parses a string that contains a timestamp, an IP address, an email address, and a number: - -```esql -ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42" -| GROK a """%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num}""" -| KEEP date, ip, email, num -``` - -| date:keyword | ip:keyword | email:keyword | num:keyword | -| --- | --- | --- | --- | -| 2023-01-23T12:15:00.000Z | 127.0.0.1 | `some.email@foo.com` | 42 | - -By default, `GROK` outputs keyword string columns. `int` and `float` types can be converted by appending `:type` to the semantics in the pattern. For example `{NUMBER:num:int}`: - -```esql -ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42" -| GROK a """%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num:int}""" -| KEEP date, ip, email, num -``` - -| date:keyword | ip:keyword | email:keyword | num:integer | -| --- | --- | --- | --- | -| 2023-01-23T12:15:00.000Z | 127.0.0.1 | `some.email@foo.com` | 42 | - -For other type conversions, use [Type conversion functions](/reference/query-languages/esql/esql-functions-operators.md#esql-type-conversion-functions): - -```esql -ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42" -| GROK a """%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num:int}""" -| KEEP date, ip, email, num -| EVAL date = TO_DATETIME(date) -``` - -| ip:keyword | email:keyword | num:integer | date:date | -| --- | --- | --- | --- | -| 127.0.0.1 | `some.email@foo.com` | 42 | 2023-01-23T12:15:00.000Z | - -If a field name is used more than once, `GROK` creates a multi-valued column: - -```esql -FROM addresses -| KEEP city.name, zip_code -| GROK zip_code """%{WORD:zip_parts} %{WORD:zip_parts}""" -``` - -| city.name:keyword | zip_code:keyword | zip_parts:keyword | -| --- | --- | --- | -| Amsterdam | 1016 ED | ["1016", "ED"] | -| San Francisco | CA 94108 | ["CA", "94108"] | -| Tokyo | 100-7014 | null | - - -## 
`KEEP` [esql-keep] - -The `KEEP` processing command enables you to specify what columns are returned and the order in which they are returned. - -**Syntax** - -```esql -KEEP columns -``` - -**Parameters** - -`columns` -: A comma-separated list of columns to keep. Supports wildcards. See below for the behavior in case an existing column matches multiple given wildcards or column names. - -**Description** - -The `KEEP` processing command enables you to specify what columns are returned and the order in which they are returned. - -Precedence rules are applied when a field name matches multiple expressions. Fields are added in the order they appear. If one field matches multiple expressions, the following precedence rules apply (from highest to lowest priority): - -1. Complete field name (no wildcards) -2. Partial wildcard expressions (for example: `fieldNam*`) -3. Wildcard only (`*`) - -If a field matches two expressions with the same precedence, the rightmost expression wins. - -Refer to the examples for illustrations of these precedence rules. - -**Examples** - -The columns are returned in the specified order: - -```esql -FROM employees -| KEEP emp_no, first_name, last_name, height -``` - -| emp_no:integer | first_name:keyword | last_name:keyword | height:double | -| --- | --- | --- | --- | -| 10001 | Georgi | Facello | 2.03 | -| 10002 | Bezalel | Simmel | 2.08 | -| 10003 | Parto | Bamford | 1.83 | -| 10004 | Chirstian | Koblick | 1.78 | -| 10005 | Kyoichi | Maliniak | 2.05 | - -Rather than specify each column by name, you can use wildcards to return all columns with a name that matches a pattern: - -```esql -FROM employees -| KEEP h* -``` - -| height:double | height.float:double | height.half_float:double | height.scaled_float:double | hire_date:date | -| --- | --- | --- | --- | --- | - -The asterisk wildcard (`*`) by itself translates to all columns that do not match the other arguments. 
- -This query will first return all columns with a name that starts with `h`, followed by all other columns: - -```esql -FROM employees -| KEEP h*, * -``` - -| height:double | height.float:double | height.half_float:double | height.scaled_float:double | hire_date:date | avg_worked_seconds:long | birth_date:date | emp_no:integer | first_name:keyword | gender:keyword | is_rehired:boolean | job_positions:keyword | languages:integer | languages.byte:integer | languages.long:long | languages.short:integer | last_name:keyword | salary:integer | salary_change:double | salary_change.int:integer | salary_change.keyword:keyword | salary_change.long:long | still_hired:boolean | -| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | - -The following examples show how precedence rules work when a field name matches multiple expressions. - -Complete field name has precedence over wildcard expressions: - -```esql -FROM employees -| KEEP first_name, last_name, first_name* -``` - -| first_name:keyword | last_name:keyword | -| --- | --- | - -Wildcard expressions have the same priority, but last one wins (despite being less specific): - -```esql -FROM employees -| KEEP first_name*, last_name, first_na* -``` - -| last_name:keyword | first_name:keyword | -| --- | --- | - -A simple wildcard expression `*` has the lowest precedence. 
Output order is determined by the other arguments: - -```esql -FROM employees -| KEEP *, first_name -``` - -| avg_worked_seconds:long | birth_date:date | emp_no:integer | gender:keyword | height:double | height.float:double | height.half_float:double | height.scaled_float:double | hire_date:date | is_rehired:boolean | job_positions:keyword | languages:integer | languages.byte:integer | languages.long:long | languages.short:integer | last_name:keyword | salary:integer | salary_change:double | salary_change.int:integer | salary_change.keyword:keyword | salary_change.long:long | still_hired:boolean | first_name:keyword | -| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | - - -## `LIMIT` [esql-limit] - -The `LIMIT` processing command enables you to limit the number of rows that are returned. - -**Syntax** - -```esql -LIMIT max_number_of_rows -``` - -**Parameters** - -`max_number_of_rows` -: The maximum number of rows to return. - -**Description** - -The `LIMIT` processing command enables you to limit the number of rows that are returned. Queries do not return more than 10,000 rows, regardless of the `LIMIT` command’s value. - -This limit only applies to the number of rows that are retrieved by the query. Queries and aggregations run on the full data set. - -To overcome this limitation: - -* Reduce the result set size by modifying the query to only return relevant data. Use [`WHERE`](#esql-where) to select a smaller subset of the data. -* Shift any post-query processing to the query itself. You can use the {{esql}} [`STATS`](#esql-stats-by) command to aggregate data in the query. 
- -The default and maximum limits can be changed using these dynamic cluster settings: - -* `esql.query.result_truncation_default_size` -* `esql.query.result_truncation_max_size` - -**Example** - -```esql -FROM employees -| SORT emp_no ASC -| LIMIT 5 -``` - -## `LOOKUP JOIN` [esql-lookup-join] - -::::{warning} -This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. -:::: - -`LOOKUP JOIN` enables you to add data from another index, AKA a 'lookup' index, to your {{esql}} query results, simplifying data enrichment and analysis workflows. - -**Syntax** - -```esql -FROM -| LOOKUP JOIN ON -``` - -**Parameters** - -`` -: The name of the lookup index. This must be a specific index name - wildcards, aliases, and remote cluster references are not supported. - -`` -: The field to join on. This field must exist in both your current query results and in the lookup index. If the field contains multi-valued entries, those entries will not match anything (the added fields will contain `null` for those rows). - -**Description** - -The `LOOKUP JOIN` command adds new columns to your {esql} query results table by finding documents in a lookup index that share the same join field value as your result rows. - -For each row in your results table that matches a document in the lookup index based on the join field, all fields from the matching document are added as new columns to that row. - -If multiple documents in the lookup index match a single row in your results, the output will contain one row for each matching combination. - -**Examples** - -::::{tip} -In case of name collisions, the newly created columns will override existing columns. -:::: - -**IP Threat correlation**: This query would allow you to see if any source IPs match known malicious addresses. 
- -```esql -FROM firewall_logs -| LOOKUP JOIN threat_list ON source.IP -``` - -To filter only for those rows that have a matching `threat_list` entry, use `WHERE ... IS NOT NULL` with a field from the lookup index: - -```esql -FROM firewall_logs -| LOOKUP JOIN threat_list ON source.IP -| WHERE threat_level IS NOT NULL -``` - -**Host metadata correlation**: This query pulls in environment or ownership details for each host to correlate with your metrics data. - -```esql -FROM system_metrics -| LOOKUP JOIN host_inventory ON host.name -| LOOKUP JOIN employees ON host.name -``` - -**Service ownership mapping**: This query would show logs with the owning team or escalation information for faster triage and incident response. - -```esql -FROM app_logs -| LOOKUP JOIN service_owners ON service_id -``` - -`LOOKUP JOIN` is generally faster when there are fewer rows to join with. {{esql}} will try and perform any `WHERE` clause before the `LOOKUP JOIN` where possible. - -The two following examples will have the same results. The two examples have the `WHERE` clause before and after the `LOOKUP JOIN`. It does not matter how you write your query, our optimizer will move the filter before the lookup when possible. - -```esql -FROM Left -| WHERE Language IS NOT NULL -| LOOKUP JOIN Right ON Key -``` - -```esql -FROM Left -| LOOKUP JOIN Right ON Key -| WHERE Language IS NOT NULL -``` - -## `MV_EXPAND` [esql-mv_expand] - -::::{warning} -This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. -:::: - - -The `MV_EXPAND` processing command expands multivalued columns into one row per value, duplicating other columns. - -**Syntax** - -```esql -MV_EXPAND column -``` - -**Parameters** - -`column` -: The multivalued column to expand. 
- -**Example** - -```esql -ROW a=[1,2,3], b="b", j=["a","b"] -| MV_EXPAND a -``` - -| a:integer | b:keyword | j:keyword | -| --- | --- | --- | -| 1 | b | ["a", "b"] | -| 2 | b | ["a", "b"] | -| 3 | b | ["a", "b"] | - - -## `RENAME` [esql-rename] - -The `RENAME` processing command renames one or more columns. - -**Syntax** - -```esql -RENAME old_name1 AS new_name1[, ..., old_nameN AS new_nameN] -``` - -**Parameters** - -`old_nameX` -: The name of a column you want to rename. - -`new_nameX` -: The new name of the column. If it conflicts with an existing column name, the existing column is dropped. If multiple columns are renamed to the same name, all but the rightmost column with the same new name are dropped. - -**Description** - -The `RENAME` processing command renames one or more columns. If a column with the new name already exists, it will be replaced by the new column. - -A `RENAME` with multiple column renames is equivalent to multiple sequential `RENAME` commands. - -**Examples** - -```esql -FROM employees -| KEEP first_name, last_name, still_hired -| RENAME still_hired AS employed -``` - -Multiple columns can be renamed with a single `RENAME` command: - -```esql -FROM employees -| KEEP first_name, last_name -| RENAME first_name AS fn, last_name AS ln -``` - -With multiple `RENAME` commands: - -```esql -FROM employees -| KEEP first_name, last_name -| RENAME first_name AS fn -| RENAME last_name AS ln -``` - - -## `SORT` [esql-sort] - -The `SORT` processing command sorts a table on one or more columns. - -**Syntax** - -```esql -SORT column1 [ASC/DESC][NULLS FIRST/NULLS LAST][, ..., columnN [ASC/DESC][NULLS FIRST/NULLS LAST]] -``` - -**Parameters** - -`columnX` -: The column to sort on. - -**Description** - -The `SORT` processing command sorts a table on one or more columns. - -The default sort order is ascending. Use `ASC` or `DESC` to specify an explicit sort order. - -Two rows with the same sort key are considered equal. 
You can provide additional sort expressions to act as tie breakers. - -Sorting on multivalued columns uses the lowest value when sorting ascending and the highest value when sorting descending. - -By default, `null` values are treated as being larger than any other value. With an ascending sort order, `null` values are sorted last, and with a descending sort order, `null` values are sorted first. You can change that by providing `NULLS FIRST` or `NULLS LAST`. - -**Examples** - -```esql -FROM employees -| KEEP first_name, last_name, height -| SORT height -``` - -Explicitly sorting in ascending order with `ASC`: - -```esql -FROM employees -| KEEP first_name, last_name, height -| SORT height DESC -``` - -Providing additional sort expressions to act as tie breakers: - -```esql -FROM employees -| KEEP first_name, last_name, height -| SORT height DESC, first_name ASC -``` - -Sorting `null` values first using `NULLS FIRST`: - -```esql -FROM employees -| KEEP first_name, last_name, height -| SORT first_name ASC NULLS FIRST -``` - - -## `STATS` [esql-stats-by] - -The `STATS` processing command groups rows according to a common value and calculates one or more aggregated values over the grouped rows. - -**Syntax** - -```esql -STATS [column1 =] expression1 [WHERE boolean_expression1][, - ..., - [columnN =] expressionN [WHERE boolean_expressionN]] - [BY grouping_expression1[, ..., grouping_expressionN]] -``` - -**Parameters** - -`columnX` -: The name by which the aggregated value is returned. If omitted, the name is equal to the corresponding expression (`expressionX`). If multiple columns have the same name, all but the rightmost column with this name will be ignored. - -`expressionX` -: An expression that computes an aggregated value. - -`grouping_expressionX` -: An expression that outputs the values to group by. If its name coincides with one of the computed columns, that column will be ignored. 
- -`boolean_expressionX` -: The condition that must be met for a row to be included in the evaluation of `expressionX`. - -::::{note} -Individual `null` values are skipped when computing aggregations. -:::: - - -**Description** - -The `STATS` processing command groups rows according to a common value and calculates one or more aggregated values over the grouped rows. For the calculation of each aggregated value, the rows in a group can be filtered with `WHERE`. If `BY` is omitted, the output table contains exactly one row with the aggregations applied over the entire dataset. - -The following [aggregation functions](/reference/query-languages/esql/esql-functions-operators.md#esql-agg-functions) are supported: - -* [`AVG`](/reference/query-languages/esql/esql-functions-operators.md#esql-avg) -* [`COUNT`](/reference/query-languages/esql/esql-functions-operators.md#esql-count) -* [`COUNT_DISTINCT`](/reference/query-languages/esql/esql-functions-operators.md#esql-count_distinct) -* [`MAX`](/reference/query-languages/esql/esql-functions-operators.md#esql-max) -* [`MEDIAN`](/reference/query-languages/esql/esql-functions-operators.md#esql-median) -* [`MEDIAN_ABSOLUTE_DEVIATION`](/reference/query-languages/esql/esql-functions-operators.md#esql-median_absolute_deviation) -* [`MIN`](/reference/query-languages/esql/esql-functions-operators.md#esql-min) -* [`PERCENTILE`](/reference/query-languages/esql/esql-functions-operators.md#esql-percentile) -* [preview] [`ST_CENTROID_AGG`](/reference/query-languages/esql/esql-functions-operators.md#esql-st_centroid_agg) -* [preview] [`ST_EXTENT_AGG`](/reference/query-languages/esql/esql-functions-operators.md#esql-st_extent_agg) -* [`STD_DEV`](/reference/query-languages/esql/esql-functions-operators.md#esql-std_dev) -* [`SUM`](/reference/query-languages/esql/esql-functions-operators.md#esql-sum) -* [`TOP`](/reference/query-languages/esql/esql-functions-operators.md#esql-top) -* 
[`VALUES`](/reference/query-languages/esql/esql-functions-operators.md#esql-values) -* [`WEIGHTED_AVG`](/reference/query-languages/esql/esql-functions-operators.md#esql-weighted_avg) - -The following [grouping functions](/reference/query-languages/esql/esql-functions-operators.md#esql-group-functions) are supported: - -* [`BUCKET`](/reference/query-languages/esql/esql-functions-operators.md#esql-bucket) -* [preview] [`CATEGORIZE`](/reference/query-languages/esql/esql-functions-operators.md#esql-categorize) - -::::{note} -`STATS` without any groups is much much faster than adding a group. -:::: - - -::::{note} -Grouping on a single expression is currently much more optimized than grouping on many expressions. In some tests we have seen grouping on a single `keyword` column to be five times faster than grouping on two `keyword` columns. Do not try to work around this by combining the two columns together with something like [`CONCAT`](/reference/query-languages/esql/esql-functions-operators.md#esql-concat) and then grouping - that is not going to be faster. 
-:::: - - -**Examples** - -Calculating a statistic and grouping by the values of another column: - -```esql -FROM employees -| STATS count = COUNT(emp_no) BY languages -| SORT languages -``` - -| count:long | languages:integer | -| --- | --- | -| 15 | 1 | -| 19 | 2 | -| 17 | 3 | -| 18 | 4 | -| 21 | 5 | -| 10 | null | - -Omitting `BY` returns one row with the aggregations applied over the entire dataset: - -```esql -FROM employees -| STATS avg_lang = AVG(languages) -``` - -| avg_lang:double | -| --- | -| 3.1222222222222222 | - -It’s possible to calculate multiple values: - -```esql -FROM employees -| STATS avg_lang = AVG(languages), max_lang = MAX(languages) -``` - -| avg_lang:double | max_lang:integer | -| --- | --- | -| 3.1222222222222222 | 5 | - -To filter the rows that go into an aggregation, use the `WHERE` clause: - -```esql -FROM employees -| STATS avg50s = AVG(salary)::LONG WHERE birth_date < "1960-01-01", - avg60s = AVG(salary)::LONG WHERE birth_date >= "1960-01-01" - BY gender -| SORT gender -``` - -| avg50s:long | avg60s:long | gender:keyword | -| --- | --- | --- | -| 55462 | 46637 | F | -| 48279 | 44879 | M | - -The aggregations can be mixed, with and without a filter and grouping is optional as well: - -```esql -FROM employees -| EVAL Ks = salary / 1000 // thousands -| STATS under_40K = COUNT(*) WHERE Ks < 40, - inbetween = COUNT(*) WHERE 40 <= Ks AND Ks < 60, - over_60K = COUNT(*) WHERE 60 <= Ks, - total = COUNT(*) -``` - -| under_40K:long | inbetween:long | over_60K:long | total:long | -| --- | --- | --- | --- | -| 36 | 39 | 25 | 100 | - -$$$esql-stats-mv-group$$$ -If the grouping key is multivalued then the input row is in all groups: - -```esql -ROW i=1, a=["a", "b"] | STATS MIN(i) BY a | SORT a ASC -``` - -| MIN(i):integer | a:keyword | -| --- | --- | -| 1 | a | -| 1 | b | - -It’s also possible to group by multiple values: - -```esql -FROM employees -| EVAL hired = DATE_FORMAT("yyyy", hire_date) -| STATS avg_salary = AVG(salary) BY hired, 
languages.long -| EVAL avg_salary = ROUND(avg_salary) -| SORT hired, languages.long -``` - -If all the grouping keys are multivalued then the input row is in all groups: - -```esql -ROW i=1, a=["a", "b"], b=[2, 3] | STATS MIN(i) BY a, b | SORT a ASC, b ASC -``` - -| MIN(i):integer | a:keyword | b:integer | -| --- | --- | --- | -| 1 | a | 2 | -| 1 | a | 3 | -| 1 | b | 2 | -| 1 | b | 3 | - -Both the aggregating functions and the grouping expressions accept other functions. This is useful for using `STATS` on multivalue columns. For example, to calculate the average salary change, you can use `MV_AVG` to first average the multiple values per employee, and use the result with the `AVG` function: - -```esql -FROM employees -| STATS avg_salary_change = ROUND(AVG(MV_AVG(salary_change)), 10) -``` - -| avg_salary_change:double | -| --- | -| 1.3904535865 | - -An example of grouping by an expression is grouping employees on the first letter of their last name: - -```esql -FROM employees -| STATS my_count = COUNT() BY LEFT(last_name, 1) -| SORT `LEFT(last_name, 1)` -``` - -| my_count:long | LEFT(last_name, 1):keyword | -| --- | --- | -| 2 | A | -| 11 | B | -| 5 | C | -| 5 | D | -| 2 | E | -| 4 | F | -| 4 | G | -| 6 | H | -| 2 | J | -| 3 | K | -| 5 | L | -| 12 | M | -| 4 | N | -| 1 | O | -| 7 | P | -| 5 | R | -| 13 | S | -| 4 | T | -| 2 | W | -| 3 | Z | - -Specifying the output column name is optional. If not specified, the new column name is equal to the expression. 
The following query returns a column named `AVG(salary)`: - -```esql -FROM employees -| STATS AVG(salary) -``` - -| AVG(salary):double | -| --- | -| 48248.55 | - -Because this name contains special characters, [it needs to be quoted](/reference/query-languages/esql/esql-syntax.md#esql-identifiers) with backticks (```) when using it in subsequent commands: - -```esql -FROM employees -| STATS AVG(salary) -| EVAL avg_salary_rounded = ROUND(`AVG(salary)`) -``` - -| AVG(salary):double | avg_salary_rounded:double | -| --- | --- | -| 48248.55 | 48249.0 | - - -## `WHERE` [esql-where] - -The `WHERE` processing command produces a table that contains all the rows from the input table for which the provided condition evaluates to `true`. - -::::{tip} -In case of value exclusions, fields with `null` values will be excluded from search results. In this context a `null` means either there is an explicit `null` value in the document or there is no value at all. For example: `WHERE field != "value"` will be interpreted as `WHERE field != "value" AND field IS NOT NULL`. - -:::: - - -**Syntax** - -```esql -WHERE expression -``` - -**Parameters** - -`expression` -: A boolean expression. - -**Examples** - -```esql -FROM employees -| KEEP first_name, last_name, still_hired -| WHERE still_hired == true -``` - -Which, if `still_hired` is a boolean field, can be simplified to: - -```esql -FROM employees -| KEEP first_name, last_name, still_hired -| WHERE still_hired -``` - -Use date math to retrieve data from a specific time range. For example, to retrieve the last hour of logs: - -```esql -FROM sample_data -| WHERE @timestamp > NOW() - 1 hour -``` - -`WHERE` supports various [functions](/reference/query-languages/esql/esql-functions-operators.md#esql-functions). 
For example the [`LENGTH`](/reference/query-languages/esql/esql-functions-operators.md#esql-length) function: - -```esql -FROM employees -| KEEP first_name, last_name, height -| WHERE LENGTH(first_name) < 4 -``` - -For a complete list of all functions, refer to [Functions overview](/reference/query-languages/esql/esql-functions-operators.md#esql-functions). - -For NULL comparison, use the `IS NULL` and `IS NOT NULL` predicates: - -```esql -FROM employees -| WHERE birth_date IS NULL -| KEEP first_name, last_name -| SORT first_name -| LIMIT 3 -``` - -| first_name:keyword | last_name:keyword | -| --- | --- | -| Basil | Tramer | -| Florian | Syrotiuk | -| Lucien | Rosenbaum | - -```esql -FROM employees -| WHERE is_rehired IS NOT NULL -| STATS COUNT(emp_no) -``` - -| COUNT(emp_no):long | -| --- | -| 84 | - -For matching text, you can use [full text search functions](/reference/query-languages/esql/esql-functions-operators.md#esql-search-functions) like `MATCH`. - -Use [`MATCH`](/reference/query-languages/esql/esql-functions-operators.md#esql-match) to perform a [match query](/reference/query-languages/query-dsl/query-dsl-match-query.md) on a specified field. - -Match can be used on text fields, as well as other field types like boolean, dates, and numeric types. - -```esql -FROM books -| WHERE MATCH(author, "Faulkner") -| KEEP book_no, author -| SORT book_no -| LIMIT 5 -``` - -| book_no:keyword | author:text | -| --- | --- | -| 2378 | [Carol Faulkner, Holly Byers Ochoa, Lucretia Mott] | -| 2713 | William Faulkner | -| 2847 | Colleen Faulkner | -| 2883 | William Faulkner | -| 3293 | Danny Faulkner | - -::::{tip} -You can also use the shorthand [match operator](/reference/query-languages/esql/esql-functions-operators.md#esql-search-operators) `:` instead of `MATCH`. - -:::: - - -Use `LIKE` to filter data based on string patterns using wildcards. 
`LIKE` usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) expression. The right-hand side of the operator represents the pattern. - -The following wildcard characters are supported: - -* `*` matches zero or more characters. -* `?` matches one character. - -**Supported types** - -| str | pattern | result | -| --- | --- | --- | -| keyword | keyword | boolean | -| text | keyword | boolean | - -```esql -FROM employees -| WHERE first_name LIKE """?b*""" -| KEEP first_name, last_name -``` - -| first_name:keyword | last_name:keyword | -| --- | --- | -| Ebbe | Callaway | -| Eberhardt | Terkki | - -Matching the exact characters `*` and `.` will require escaping. The escape character is backslash `\`. Since also backslash is a special character in string literals, it will require further escaping. - -```esql -ROW message = "foo * bar" -| WHERE message LIKE "foo \\* bar" -``` - -To reduce the overhead of escaping, we suggest using triple quotes strings `"""` - -```esql -ROW message = "foo * bar" -| WHERE message LIKE """foo \* bar""" -``` - -Use `RLIKE` to filter data based on string patterns using using [regular expressions](/reference/query-languages/query-dsl/regexp-syntax.md). `RLIKE` usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) expression. The right-hand side of the operator represents the pattern. - -**Supported types** - -| str | pattern | result | -| --- | --- | --- | -| keyword | keyword | boolean | -| text | keyword | boolean | - -```esql -FROM employees -| WHERE first_name RLIKE """.leja.*""" -| KEEP first_name, last_name -``` - -| first_name:keyword | last_name:keyword | -| --- | --- | -| Alejandro | McAlpine | - -Matching special characters (eg. `.`, `*`, `(`…​) will require escaping. The escape character is backslash `\`. Since also backslash is a special character in string literals, it will require further escaping. 
- -```esql -ROW message = "foo ( bar" -| WHERE message RLIKE "foo \\( bar" -``` - -To reduce the overhead of escaping, we suggest using triple quotes strings `"""` - -```esql -ROW message = "foo ( bar" -| WHERE message RLIKE """foo \( bar""" -``` - -The `IN` operator allows testing whether a field or expression equals an element in a list of literals, fields or expressions: - -```esql -ROW a = 1, b = 4, c = 3 -| WHERE c-a IN (3, b / 2, a) -``` - -| a:integer | b:integer | c:integer | -| --- | --- | --- | -| 1 | 4 | 3 | - -For a complete list of all operators, refer to [Operators](/reference/query-languages/esql/esql-functions-operators.md#esql-operators). diff --git a/docs/reference/query-languages/esql/esql-enrich-data.md b/docs/reference/query-languages/esql/esql-enrich-data.md index 750d75af3de19..2871120459f40 100644 --- a/docs/reference/query-languages/esql/esql-enrich-data.md +++ b/docs/reference/query-languages/esql/esql-enrich-data.md @@ -7,7 +7,7 @@ mapped_pages: # Data enrichment [esql-enrich-data] -The {{esql}} [`ENRICH`](/reference/query-languages/esql/esql-commands.md#esql-enrich) processing command combines, at query-time, data from one or more source indexes with field-value combinations found in {{es}} enrich indexes. +The {{esql}} [`ENRICH`](/reference/query-languages/esql/commands/processing-commands.md#esql-enrich) processing command combines, at query-time, data from one or more source indexes with field-value combinations found in {{es}} enrich indexes. For example, you can use `ENRICH` to: 
@@ -15,7 +15,7 @@ For example, you can use `ENRICH` to:
 * Add product information to retail orders based on product IDs
 * Supplement contact information based on an email address
-[`ENRICH`](/reference/query-languages/esql/esql-commands.md#esql-enrich) is similar to [`LOOKUP join`](/reference/query-languages/esql/esql-commands.md#esql-lookup-join) in the fact that they both help you join data together. You should use `ENRICH` when:
+[`ENRICH`](/reference/query-languages/esql/commands/processing-commands.md#esql-enrich) is similar to [`LOOKUP join`](/reference/query-languages/esql/commands/processing-commands.md#esql-lookup-join) in the fact that they both help you join data together. You should use `ENRICH` when:
 * Enrichment data doesn't change frequently
 * You can accept index-time overhead
@@ -126,7 +126,7 @@ Once the enrich policy is created, you need to execute it using the [execute enr
 The *enrich index* contains documents from the policy’s source indices. Enrich indices always begin with `.enrich-*`, are read-only, and are [force merged](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-forcemerge).
 ::::{warning}
-Enrich indices should only be used by the [enrich processor](/reference/enrich-processor/enrich-processor.md) or the [{{esql}} `ENRICH` command](/reference/query-languages/esql/esql-commands.md#esql-enrich). Avoid using enrich indices for other purposes.
+Enrich indices should only be used by the [enrich processor](/reference/enrich-processor/enrich-processor.md) or the [{{esql}} `ENRICH` command](/reference/query-languages/esql/commands/processing-commands.md#esql-enrich). Avoid using enrich indices for other purposes.
 ::::
@@ -134,7 +134,7 @@ Enrich indices should only be used by the [enrich processor](/reference/enrich-p
 ### Use the enrich policy [esql-use-enrich]
-After the policy has been executed, you can use the [`ENRICH` command](/reference/query-languages/esql/esql-commands.md#esql-enrich) to enrich your data.
+After the policy has been executed, you can use the [`ENRICH` command](/reference/query-languages/esql/commands/processing-commands.md#esql-enrich) to enrich your data.
 :::{image} ../images/esql-enrich-command.png
 :alt: esql enrich command
diff --git a/docs/reference/query-languages/esql/esql-functions-operators.md b/docs/reference/query-languages/esql/esql-functions-operators.md
index 1bd2199bf7c27..2c2aa99b038a7 100644
--- a/docs/reference/query-languages/esql/esql-functions-operators.md
+++ b/docs/reference/query-languages/esql/esql-functions-operators.md
@@ -73,41 +73,3 @@ mapped_pages:
 :::{include} _snippets/lists/operators.md
 :::
 ::::
-
-% Below this is the bulk of the real content
-
-:::{include} _snippets/aggregation-functions.md
-:::
-
-:::{include} _snippets/grouping-functions.md
-:::
-
-:::{include} _snippets/conditional-functions-and-expressions.md
-:::
-
-:::{include} _snippets/date-time-functions.md
-:::
-
-:::{include} _snippets/ip-functions.md
-:::
-
-:::{include} _snippets/math-functions.md
-:::
-
-:::{include} _snippets/search-functions.md
-:::
-
-:::{include} _snippets/spatial-functions.md
-:::
-
-:::{include} _snippets/string-functions.md
-:::
-
-:::{include} _snippets/type-conversion-functions.md
-:::
-
-:::{include} _snippets/mv-functions.md
-:::
-
-:::{include} _snippets/operators.md
-:::
diff --git a/docs/reference/query-languages/esql/esql-implicit-casting.md b/docs/reference/query-languages/esql/esql-implicit-casting.md
index 03d34c0e61efe..583ad436a10fa 100644
--- a/docs/reference/query-languages/esql/esql-implicit-casting.md
+++ b/docs/reference/query-languages/esql/esql-implicit-casting.md
@@ -7,7 +7,7 @@ mapped_pages:
 # {{esql}} implicit casting [esql-implicit-casting]
-Often users will input `date`, `date_period`, `time_duration`, `ip` or `version` as simple strings in their queries for use in predicates, functions, or expressions. {{esql}} provides [type conversion functions](/reference/query-languages/esql/esql-functions-operators.md#esql-type-conversion-functions) to explicitly convert these strings into the desired data types.
+Often users will input `date`, `date_period`, `time_duration`, `ip` or `version` as simple strings in their queries for use in predicates, functions, or expressions. {{esql}} provides [type conversion functions](/reference/query-languages/esql/functions-operators/type-conversion-functions.md) to explicitly convert these strings into the desired data types.
 Without implicit casting users must explicitly code these `to_X` functions in their queries, when string literals don’t match the target data types they are assigned or compared to. Here is an example of using `to_datetime` to explicitly perform a data type conversion.
@@ -39,7 +39,7 @@ FROM employees
 The following table details which {{esql}} operations support implicit casting for different data types.
-| | ScalarFunctions | Operators | [GroupingFunctions](/reference/query-languages/esql/esql-functions-operators.md#esql-group-functions) | [AggregateFunctions](/reference/query-languages/esql/esql-functions-operators.md#esql-agg-functions) |
+| | ScalarFunctions | Operators | [GroupingFunctions](/reference/query-languages/esql/functions-operators/grouping-functions.md) | [AggregateFunctions](/reference/query-languages/esql/functions-operators/aggregation-functions.md) |
 | --- | --- | --- | --- | --- |
 | DATE | Y | Y | Y | N |
 | DATE_PERIOD/TIME_DURATION | Y | N | Y | N |
@@ -49,13 +49,13 @@ The following table details which {{esql}} operations support implicit casting f
 ScalarFunctions includes:
-* [Conditional Functions and Expressions](/reference/query-languages/esql/esql-functions-operators.md#esql-conditional-functions-and-expressions)
-* [Date and Time Functions](/reference/query-languages/esql/esql-functions-operators.md#esql-date-time-functions)
-* [IP Functions](/reference/query-languages/esql/esql-functions-operators.md#esql-ip-functions)
+* [Conditional Functions and Expressions](/reference/query-languages/esql/functions-operators/conditional-functions-and-expressions.md)
+* [Date and Time Functions](/reference/query-languages/esql/functions-operators/date-time-functions.md)
+* [IP Functions](/reference/query-languages/esql/functions-operators/ip-functions.md)
 Operators includes:
-* [Binary Operators](/reference/query-languages/esql/esql-functions-operators.md#esql-binary-operators)
-* [Unary Operator](/reference/query-languages/esql/esql-functions-operators.md#esql-unary-operators)
-* [IN](/reference/query-languages/esql/esql-functions-operators.md#esql-in-operator)
+* [Binary Operators](/reference/query-languages/esql/functions-operators/operators.md#esql-binary-operators)
+* [Unary Operator](/reference/query-languages/esql/functions-operators/operators.md#esql-unary-operators)
+* [IN](/reference/query-languages/esql/functions-operators/operators.md#esql-in-operator)
diff --git a/docs/reference/query-languages/esql/esql-lookup-join.md b/docs/reference/query-languages/esql/esql-lookup-join.md
index d1e33773fc8f4..6f358161b02ae 100644
--- a/docs/reference/query-languages/esql/esql-lookup-join.md
+++ b/docs/reference/query-languages/esql/esql-lookup-join.md
@@ -6,7 +6,7 @@ mapped_pages:
 # LOOKUP JOIN [esql-lookup-join-reference]
-The {{esql}} [`LOOKUP JOIN`](/reference/query-languages/esql/esql-commands.md#esql-lookup-join) processing command combines data from your {{esql}} query results table with matching records from a specified lookup index. It adds fields from the lookup index as new columns to your results table based on matching values in the join field.
+The {{esql}} [`LOOKUP JOIN`](/reference/query-languages/esql/commands/processing-commands.md#esql-lookup-join) processing command combines data from your {{esql}} query results table with matching records from a specified lookup index. It adds fields from the lookup index as new columns to your results table based on matching values in the join field.
 Teams often have data scattered across multiple indices – like logs, IPs, user IDs, hosts, employees etc. Without a direct way to enrich or correlate each event with reference data, root-cause analysis, security checks, and operational insights become time-consuming.
@@ -16,7 +16,7 @@ For example, you can use `LOOKUP JOIN` to:
 * Quickly see if any source IPs match known malicious addresses.
 * Tag logs with the owning team or escalation info for faster triage and incident response.
-[`LOOKUP join`](/reference/query-languages/esql/esql-commands.md#esql-lookup-join) is similar to [`ENRICH`](/reference/query-languages/esql/esql-commands.md#esql-enrich) in the fact that they both help you join data together. You should use `LOOKUP JOIN` when:
+[`LOOKUP join`](/reference/query-languages/esql/commands/processing-commands.md#esql-lookup-join) is similar to [`ENRICH`](/reference/query-languages/esql/commands/processing-commands.md#esql-enrich) in the fact that they both help you join data together. You should use `LOOKUP JOIN` when:
 * Your enrichment data changes frequently
 * You want to avoid index-time processing
@@ -99,7 +99,7 @@ FROM employees
 | 10095 | 5 | null | France|
 ::::{important}
-`LOOKUP JOIN` does not guarantee the output to be in any particular order. If a certain order is required, users should use a [`SORT`](/reference/query-languages/esql/esql-commands.md#esql-sort) somewhere after the `LOOKUP JOIN`.
+`LOOKUP JOIN` does not guarantee the output to be in any particular order. If a certain order is required, users should use a [`SORT`](/reference/query-languages/esql/commands/processing-commands.md#esql-sort) somewhere after the `LOOKUP JOIN`.
 ::::
@@ -114,7 +114,7 @@ To use `LOOKUP JOIN`, the following requirements must be met:
 * `float`, `half_float`, and `scaled_float` are compatible with `double` (all represented as `double`)
 * For text fields: You can only use text fields as the join key on the left-hand side of the join and only if they have a `.keyword` subfield
-To obtain a join key with a compatible type, use a [conversion function](/reference/query-languages/esql/esql-functions-operators.md#esql-type-conversion-functions) if needed.
+To obtain a join key with a compatible type, use a [conversion function](/reference/query-languages/esql/functions-operators/type-conversion-functions.md) if needed.
 For a complete list of supported data types and their internal representations, see the [Supported Field Types documentation](/reference/query-languages/esql/limitations.md#_supported_types).
diff --git a/docs/reference/query-languages/esql/esql-metadata-fields.md b/docs/reference/query-languages/esql/esql-metadata-fields.md
index b74ab3daa5b48..d58a927ae4bc7 100644
--- a/docs/reference/query-languages/esql/esql-metadata-fields.md
+++ b/docs/reference/query-languages/esql/esql-metadata-fields.md
@@ -13,9 +13,9 @@ mapped_pages:
 * [`_id`](/reference/elasticsearch/mapping-reference/mapping-id-field.md): the source document’s ID. The field is of the type [keyword](/reference/elasticsearch/mapping-reference/keyword.md).
 * `_version`: the source document’s version. The field is of the type [long](/reference/elasticsearch/mapping-reference/number.md).
 * [`_ignored`](/reference/elasticsearch/mapping-reference/mapping-ignored-field.md): the ignored source document fields. The field is of the type [keyword](/reference/elasticsearch/mapping-reference/keyword.md).
-* `_score`: when enabled, the final score assigned to each row matching an ES|QL query. Scoring will be updated when using [full text search functions](/reference/query-languages/esql/esql-functions-operators.md#esql-search-functions).
+* `_score`: when enabled, the final score assigned to each row matching an ES|QL query. Scoring will be updated when using [full text search functions](/reference/query-languages/esql/functions-operators/search-functions.md).
-To enable the access to these fields, the [`FROM`](/reference/query-languages/esql/esql-commands.md#esql-from) source command needs to be provided with a dedicated directive:
+To enable the access to these fields, the [`FROM`](/reference/query-languages/esql/commands/source-commands.md#esql-from) source command needs to be provided with a dedicated directive:
 ```esql
 FROM index METADATA _index, _id
diff --git a/docs/reference/query-languages/esql/esql-multivalued-fields.md b/docs/reference/query-languages/esql/esql-multivalued-fields.md
index b5807b466c417..cf6826e853427 100644
--- a/docs/reference/query-languages/esql/esql-multivalued-fields.md
+++ b/docs/reference/query-languages/esql/esql-multivalued-fields.md
@@ -244,13 +244,13 @@ POST /_query
 Work around this limitation by converting the field to single value with one of:
-* [`MV_AVG`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_avg)
-* [`MV_CONCAT`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_concat)
-* [`MV_COUNT`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_count)
-* [`MV_MAX`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_max)
-* [`MV_MEDIAN`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_median)
-* [`MV_MIN`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_min)
-* [`MV_SUM`](/reference/query-languages/esql/esql-functions-operators.md#esql-mv_sum)
+* [`MV_AVG`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_avg)
+* [`MV_CONCAT`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_concat)
+* [`MV_COUNT`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_count)
+* [`MV_MAX`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_max)
+* [`MV_MEDIAN`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_median)
+* [`MV_MIN`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_min)
+* [`MV_SUM`](/reference/query-languages/esql/functions-operators/mv-functions.md#esql-mv_sum)
 ```console
 POST /_query
diff --git a/docs/reference/query-languages/esql/esql-process-data-with-dissect-grok.md b/docs/reference/query-languages/esql/esql-process-data-with-dissect-grok.md
index 7da563b6b7ab8..40e5d8ad095f0 100644
--- a/docs/reference/query-languages/esql/esql-process-data-with-dissect-grok.md
+++ b/docs/reference/query-languages/esql/esql-process-data-with-dissect-grok.md
@@ -13,7 +13,7 @@ Your data may contain unstructured strings that you want to structure. This make
 :alt: unstructured data
 :::
-{{es}} can structure your data at index time or query time. At index time, you can use the [Dissect](/reference/enrich-processor/dissect-processor.md) and [Grok](/reference/enrich-processor/grok-processor.md) ingest processors, or the {{ls}} [Dissect](logstash-docs-md://lsr//plugins-filters-dissect.md) and [Grok](logstash-docs-md://lsr//plugins-filters-grok.md) filters. At query time, you can use the {{esql}} [`DISSECT`](/reference/query-languages/esql/esql-commands.md#esql-dissect) and [`GROK`](/reference/query-languages/esql/esql-commands.md#esql-grok) commands.
+{{es}} can structure your data at index time or query time. At index time, you can use the [Dissect](/reference/enrich-processor/dissect-processor.md) and [Grok](/reference/enrich-processor/grok-processor.md) ingest processors, or the {{ls}} [Dissect](logstash-docs-md://lsr//plugins-filters-dissect.md) and [Grok](logstash-docs-md://lsr//plugins-filters-grok.md) filters. At query time, you can use the {{esql}} [`DISSECT`](/reference/query-languages/esql/commands/processing-commands.md#esql-dissect) and [`GROK`](/reference/query-languages/esql/commands/processing-commands.md#esql-grok) commands.
 ## `DISSECT` or `GROK`? Or both? [esql-grok-or-dissect]
@@ -24,7 +24,7 @@ You can use both `DISSECT` and `GROK` for hybrid use cases. For example when a s
 ## Process data with `DISSECT` [esql-process-data-with-dissect]
-The [`DISSECT`](/reference/query-languages/esql/esql-commands.md#esql-dissect) processing command matches a string against a delimiter-based pattern, and extracts the specified keys as columns.
+The [`DISSECT`](/reference/query-languages/esql/commands/processing-commands.md#esql-dissect) processing command matches a string against a delimiter-based pattern, and extracts the specified keys as columns.
 For example, the following pattern:
@@ -50,7 +50,7 @@ A dissect pattern is defined by the parts of the string that will be discarded.
 An empty key (`%{}`) or [named skip key](#esql-named-skip-key) can be used to match values, but exclude the value from the output.
-All matched values are output as keyword string data types. Use the [Type conversion functions](/reference/query-languages/esql/esql-functions-operators.md#esql-type-conversion-functions) to convert to another data type.
+All matched values are output as keyword string data types. Use the [Type conversion functions](/reference/query-languages/esql/functions-operators/type-conversion-functions.md) to convert to another data type.
 Dissect also supports [key modifiers](#esql-dissect-key-modifiers) that can change dissect’s default behavior. For example, you can instruct dissect to ignore certain fields, append fields, skip over padding, etc.
@@ -91,7 +91,7 @@ ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
 | --- | --- | --- |
 | 2023-01-23T12:15:00.000Z | some text | 127.0.0.1 |
-By default, `DISSECT` outputs keyword string columns. To convert to another type, use [Type conversion functions](/reference/query-languages/esql/esql-functions-operators.md#esql-type-conversion-functions):
+By default, `DISSECT` outputs keyword string columns. To convert to another type, use [Type conversion functions](/reference/query-languages/esql/functions-operators/type-conversion-functions.md):
 ```esql
 ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
@@ -206,7 +206,7 @@ The `DISSECT` command does not support reference keys.
 ## Process data with `GROK` [esql-process-data-with-grok]
-The [`GROK`](/reference/query-languages/esql/esql-commands.md#esql-grok) processing command matches a string against a pattern based on regular expressions, and extracts the specified keys as columns.
+The [`GROK`](/reference/query-languages/esql/commands/processing-commands.md#esql-grok) processing command matches a string against a pattern based on regular expressions, and extracts the specified keys as columns.
 For example, the following pattern:
@@ -265,7 +265,7 @@ The `SYNTAX` is the name of the pattern that matches your text. For example, `3.
 The `SEMANTIC` is the identifier you give to the piece of text being matched. For example, `3.44` could be the duration of an event, so you could call it simply `duration`. Further, a string `55.3.244.1` might identify the `client` making a request.
-By default, matched values are output as keyword string data types. To convert a semantic’s data type, suffix it with the target data type. For example `%{NUMBER:num:int}`, which converts the `num` semantic from a string to an integer. Currently the only supported conversions are `int` and `float`. For other types, use the [Type conversion functions](/reference/query-languages/esql/esql-functions-operators.md#esql-type-conversion-functions).
+By default, matched values are output as keyword string data types. To convert a semantic’s data type, suffix it with the target data type. For example `%{NUMBER:num:int}`, which converts the `num` semantic from a string to an integer. Currently the only supported conversions are `int` and `float`. For other types, use the [Type conversion functions](/reference/query-languages/esql/functions-operators/type-conversion-functions.md).
 For an overview of the available patterns, refer to [GitHub](https://github.com/elastic/elasticsearch//blob/master/libs/grok/src/main/resources/patterns). You can also retrieve a list of all patterns using a [REST API](/reference/enrich-processor/grok-processor.md#grok-processor-rest-get).
@@ -316,7 +316,7 @@ ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42"
 | --- | --- | --- | --- |
 | 2023-01-23T12:15:00.000Z | 127.0.0.1 | `some.email@foo.com` | 42 |
-For other type conversions, use [Type conversion functions](/reference/query-languages/esql/esql-functions-operators.md#esql-type-conversion-functions):
+For other type conversions, use [Type conversion functions](/reference/query-languages/esql/functions-operators/type-conversion-functions.md):
 ```esql
 ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42"
diff --git a/docs/reference/query-languages/esql/esql-syntax.md b/docs/reference/query-languages/esql/esql-syntax.md
index e7d6427392703..42cf166d64ceb 100644
--- a/docs/reference/query-languages/esql/esql-syntax.md
+++ b/docs/reference/query-languages/esql/esql-syntax.md
@@ -97,7 +97,7 @@ The integer numeric literals are implicitly converted to the `integer`, `long` o
 The floating point literals are implicitly converted the `double` type.
-To obtain constant values of different types, use one of the numeric [conversion functions](/reference/query-languages/esql/esql-functions-operators.md#esql-type-conversion-functions).
+To obtain constant values of different types, use one of the numeric [conversion functions](/reference/query-languages/esql/functions-operators/type-conversion-functions.md).
 ### Comments [esql-comments]
@@ -140,7 +140,7 @@ Timespan literals are not whitespace sensitive. These expressions are all valid:
 ### Function named parameters [esql-function-named-params]
-Some functions like [match](/reference/query-languages/esql/esql-functions-operators.md#esql-match) use named parameters to provide additional options.
+Some functions like [match](/reference/query-languages/esql/functions-operators/search-functions.md#esql-match) use named parameters to provide additional options.
 Named parameters allow specifying name value pairs, using the following syntax:
@@ -148,7 +148,7 @@ Named parameters allow specifying name value pairs, using the following syntax: Valid value types are strings, numbers and booleans. -An example using [match](/reference/query-languages/esql/esql-functions-operators.md#esql-match): +An example using [match](/reference/query-languages/esql/functions-operators/search-functions.md#esql-match): ```console POST /_query diff --git a/docs/reference/query-languages/esql/esql-time-spans.md b/docs/reference/query-languages/esql/esql-time-spans.md index df33676174dca..25d5b65c2603b 100644 --- a/docs/reference/query-languages/esql/esql-time-spans.md +++ b/docs/reference/query-languages/esql/esql-time-spans.md 
@@ -14,7 +14,13 @@ Time spans represent intervals between two datetime values. There are currently A time span requires two elements: an integer value and a temporal unit. -Time spans work with grouping functions such as [BUCKET](/reference/query-languages/esql/esql-functions-operators.md#esql-bucket), scalar functions such as [DATE_TRUNC](/reference/query-languages/esql/esql-functions-operators.md#esql-date_trunc) and arithmetic operators such as [`+`](/reference/query-languages/esql/esql-functions-operators.md#esql-add) and [`-`](/reference/query-languages/esql/esql-functions-operators.md#esql-sub). Convert strings to time spans using [TO_DATEPERIOD](/reference/query-languages/esql/esql-functions-operators.md#esql-to_dateperiod), [TO_TIMEDURATION](/reference/query-languages/esql/esql-functions-operators.md#esql-to_timeduration), or the cast operators `::DATE_PERIOD`, `::TIME_DURATION`. +Time spans work with grouping functions such as [BUCKET](/reference/query-languages/esql/functions-operators/grouping-functions.md#esql-bucket), +scalar functions such as [DATE_TRUNC](/reference/query-languages/esql/functions-operators/date-time-functions.md#esql-date_trunc) +and arithmetic operators such as [`+`](/reference/query-languages/esql/functions-operators/operators.md#esql-add) +and [`-`](/reference/query-languages/esql/functions-operators/operators.md#esql-sub). +Convert strings to time spans using [TO_DATEPERIOD](/reference/query-languages/esql/functions-operators/type-conversion-functions.md#esql-to_dateperiod), +[TO_TIMEDURATION](/reference/query-languages/esql/functions-operators/type-conversion-functions.md#esql-to_timeduration), +or the [cast operators](/reference/query-languages/esql/functions-operators/operators.md#esql-cast-operator) `::DATE_PERIOD`, `::TIME_DURATION`. ## Examples of using time spans in {{esql}} [esql-time-spans-examples] 
diff --git a/docs/reference/query-languages/esql/functions-operators/aggregation-functions.md b/docs/reference/query-languages/esql/functions-operators/aggregation-functions.md
new file mode 100644
index 0000000000000..d954260eb8f44
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/aggregation-functions.md
@@ -0,0 +1,59 @@
+---
+navigation_title: "Aggregation functions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-agg-functions
+---
+
+# {{esql}} aggregation functions [esql-aggregation-functions]
+
+
+The [`STATS`](/reference/query-languages/esql/commands/processing-commands.md#esql-stats-by) command supports these aggregate functions:
+
+:::{include} ../_snippets/lists/aggregation-functions.md
+:::
+
+:::{include} ../_snippets/functions/layout/avg.md
+:::
+
+:::{include} ../_snippets/functions/layout/count.md
+:::
+
+:::{include} ../_snippets/functions/layout/count_distinct.md
+:::
+
+:::{include} ../_snippets/functions/layout/max.md
+:::
+
+:::{include} ../_snippets/functions/layout/median.md
+:::
+
+:::{include} ../_snippets/functions/layout/median_absolute_deviation.md
+:::
+
+:::{include} ../_snippets/functions/layout/min.md
+:::
+
+:::{include} ../_snippets/functions/layout/percentile.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_centroid_agg.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_extent_agg.md
+:::
+
+:::{include} ../_snippets/functions/layout/std_dev.md
+:::
+
+:::{include} ../_snippets/functions/layout/sum.md
+:::
+
+:::{include} ../_snippets/functions/layout/top.md
+:::
+
+:::{include} ../_snippets/functions/layout/values.md
+:::
+
+:::{include} ../_snippets/functions/layout/weighted_avg.md
+:::
+
diff --git a/docs/reference/query-languages/esql/functions-operators/conditional-functions-and-expressions.md b/docs/reference/query-languages/esql/functions-operators/conditional-functions-and-expressions.md
new file mode 100644
index 0000000000000..47ac5c87a9740
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/conditional-functions-and-expressions.md
@@ -0,0 +1,27 @@
+---
+navigation_title: "Conditional functions and expressions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-conditional-functions-and-expressions
+---
+
+# {{esql}} conditional functions and expressions [esql-conditional-functions-and-expressions]
+
+
+Conditional functions return one of their arguments by evaluating in an if-else manner. {{esql}} supports these conditional functions:
+
+:::{include} ../_snippets/lists/conditional-functions-and-expressions.md
+:::
+
+
+:::{include} ../_snippets/functions/layout/case.md
+:::
+
+:::{include} ../_snippets/functions/layout/coalesce.md
+:::
+
+:::{include} ../_snippets/functions/layout/greatest.md
+:::
+
+:::{include} ../_snippets/functions/layout/least.md
+:::
+
diff --git a/docs/reference/query-languages/esql/functions-operators/date-time-functions.md b/docs/reference/query-languages/esql/functions-operators/date-time-functions.md
new file mode 100644
index 0000000000000..f11a3a76e0f75
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/date-time-functions.md
@@ -0,0 +1,33 @@
+---
+navigation_title: "Date-time functions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-date-time-functions
+---
+
+# {{esql}} date-time functions [esql-date-time-functions]
+
+
+{{esql}} supports these date-time functions:
+
+:::{include} ../_snippets/lists/date-time-functions.md
+:::
+
+
+:::{include} ../_snippets/functions/layout/date_diff.md
+:::
+
+:::{include} ../_snippets/functions/layout/date_extract.md
+:::
+
+:::{include} ../_snippets/functions/layout/date_format.md
+:::
+
+:::{include} ../_snippets/functions/layout/date_parse.md
+:::
+
+:::{include} ../_snippets/functions/layout/date_trunc.md
+:::
+
+:::{include} ../_snippets/functions/layout/now.md
+:::
+
diff --git a/docs/reference/query-languages/esql/functions-operators/grouping-functions.md b/docs/reference/query-languages/esql/functions-operators/grouping-functions.md
new file mode 100644
index 0000000000000..e2c8857b573bf
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/grouping-functions.md
@@ -0,0 +1,21 @@
+---
+navigation_title: "Grouping functions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-group-functions
+---
+
+# {{esql}} grouping functions [esql-group-functions]
+
+
+The [`STATS`](/reference/query-languages/esql/commands/processing-commands.md#esql-stats-by) command supports these grouping functions:
+
+:::{include} ../_snippets/lists/grouping-functions.md
+:::
+
+
+:::{include} ../_snippets/functions/layout/bucket.md
+:::
+
+:::{include} ../_snippets/functions/layout/categorize.md
+:::
+
diff --git a/docs/reference/query-languages/esql/functions-operators/ip-functions.md b/docs/reference/query-languages/esql/functions-operators/ip-functions.md
new file mode 100644
index 0000000000000..5df1fac13ad80
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/ip-functions.md
@@ -0,0 +1,21 @@
+---
+navigation_title: "IP functions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-ip-functions
+---
+
+# {{esql}} IP functions [esql-ip-functions]
+
+
+{{esql}} supports these IP functions:
+
+:::{include} ../_snippets/lists/ip-functions.md
+:::
+
+
+:::{include} ../_snippets/functions/layout/cidr_match.md
+:::
+
+:::{include} ../_snippets/functions/layout/ip_prefix.md
+:::
+
diff --git a/docs/reference/query-languages/esql/functions-operators/math-functions.md b/docs/reference/query-languages/esql/functions-operators/math-functions.md
new file mode 100644
index 0000000000000..eda587ac26540
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/math-functions.md
@@ -0,0 +1,89 @@
+---
+navigation_title: "Math functions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-math-functions
+---
+
+# {{esql}} mathematical functions [esql-math-functions]
+
+
+{{esql}} supports these mathematical functions:
+
+:::{include} ../_snippets/lists/math-functions.md
+:::
+
+:::{include} ../_snippets/functions/layout/abs.md
+:::
+
+:::{include} ../_snippets/functions/layout/acos.md
+:::
+
+:::{include} ../_snippets/functions/layout/asin.md
+:::
+
+:::{include} ../_snippets/functions/layout/atan.md
+:::
+
+:::{include} ../_snippets/functions/layout/atan2.md
+:::
+
+:::{include} ../_snippets/functions/layout/cbrt.md
+:::
+
+:::{include} ../_snippets/functions/layout/ceil.md
+:::
+
+:::{include} ../_snippets/functions/layout/cos.md
+:::
+
+:::{include} ../_snippets/functions/layout/cosh.md
+:::
+
+:::{include} ../_snippets/functions/layout/e.md
+:::
+
+:::{include} ../_snippets/functions/layout/exp.md
+:::
+
+:::{include} ../_snippets/functions/layout/floor.md
+:::
+
+:::{include} ../_snippets/functions/layout/hypot.md
+:::
+
+:::{include} ../_snippets/functions/layout/log.md
+:::
+
+:::{include} ../_snippets/functions/layout/log10.md
+:::
+
+:::{include} ../_snippets/functions/layout/pi.md
+:::
+
+:::{include} ../_snippets/functions/layout/pow.md
+:::
+
+:::{include} ../_snippets/functions/layout/round.md
+:::
+
+:::{include} ../_snippets/functions/layout/signum.md
+:::
+
+:::{include} ../_snippets/functions/layout/sin.md
+:::
+
+:::{include} ../_snippets/functions/layout/sinh.md
+:::
+
+:::{include} ../_snippets/functions/layout/sqrt.md
+:::
+
+:::{include} ../_snippets/functions/layout/tan.md
+:::
+
+:::{include} ../_snippets/functions/layout/tanh.md
+:::
+
+:::{include} ../_snippets/functions/layout/tau.md
+:::
+
diff --git a/docs/reference/query-languages/esql/functions-operators/mv-functions.md b/docs/reference/query-languages/esql/functions-operators/mv-functions.md
new file mode 100644
index 0000000000000..7eca1a53ab8ff
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/mv-functions.md
@@ -0,0 +1,65 @@
+---
+navigation_title: "Multivalue functions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-mv-functions
+---
+
+# {{esql}} multivalue functions [esql-mv-functions]
+
+{{esql}} supports these multivalue functions:
+
+:::{include} ../_snippets/lists/mv-functions.md
+:::
+
+
+:::{include} ../_snippets/functions/layout/mv_append.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_avg.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_concat.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_count.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_dedupe.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_first.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_last.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_max.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_median.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_median_absolute_deviation.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_min.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_percentile.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_pseries_weighted_sum.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_slice.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_sort.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_sum.md
+:::
+
+:::{include} ../_snippets/functions/layout/mv_zip.md
+:::
+
diff --git a/docs/reference/query-languages/esql/functions-operators/operators.md b/docs/reference/query-languages/esql/functions-operators/operators.md
new file mode 100644
index 0000000000000..d7b76c2ff4593
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/operators.md
@@ -0,0 +1,29 @@
+---
+navigation_title: "Operators"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-operators
+---
+
+# {{esql}} operators [esql-operators]
+
+Operators for performing operations on, or comparing against, one or multiple expressions.
+
+:::{include} ../_snippets/lists/operators.md
+:::
+
+% And now the actual content
+
+:::{include} ../_snippets/operators/binary.md
+:::
+
+:::{include} ../_snippets/operators/unary.md
+:::
+
+:::{include} ../_snippets/operators/logical.md
+:::
+
+:::{include} ../_snippets/operators/suffix.md
+:::
+
+:::{include} ../_snippets/operators/infix.md
+:::
diff --git a/docs/reference/query-languages/esql/functions-operators/search-functions.md b/docs/reference/query-languages/esql/functions-operators/search-functions.md
new file mode 100644
index 0000000000000..2f5e4731d4ffa
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/search-functions.md
@@ -0,0 +1,38 @@
+---
+navigation_title: "Search functions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-search-functions
+---
+
+# {{esql}} Search functions [esql-search-functions]
+
+Use these functions for [full-text search](docs-content://solutions/search/full-text.md) and [semantic search](docs-content://solutions/search/semantic-search/semantic-search-semantic-text.md).
+
+Get started with {{esql}} for search use cases with our [hands-on tutorial](docs-content://solutions/search/esql-search-tutorial.md).
+
+Full text functions can be used to match [multivalued fields](/reference/query-languages/esql/esql-multivalued-fields.md). A multivalued field that contains a value that matches a full text query is considered to match the query.
+
+Full text functions are significantly more performant for text search use cases on large data sets than using pattern matching or regular expressions with `LIKE` or `RLIKE`
+
+See [full text search limitations](/reference/query-languages/esql/limitations.md#esql-limitations-full-text-search) for information on the limitations of full text search.
+
+{{esql}} supports these full-text search functions:
+
+:::{include} ../_snippets/lists/search-functions.md
+:::
+
+
+:::{include} ../_snippets/functions/layout/kql.md
+:::
+
+:::{include} ../_snippets/functions/layout/match.md
+:::
+
+:::{include} ../_snippets/functions/layout/qstr.md
+:::
+
+% TERM is currently a hidden feature
+% To make it visible again, uncomment this and the line in lists/search-functions.md
+% :::{include} ../_snippets/functions/layout/term.md
+% :::
+
diff --git a/docs/reference/query-languages/esql/functions-operators/spatial-functions.md b/docs/reference/query-languages/esql/functions-operators/spatial-functions.md
new file mode 100644
index 0000000000000..806e5e8157a63
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/spatial-functions.md
@@ -0,0 +1,50 @@
+---
+navigation_title: "Spatial functions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-spatial-functions
+---
+
+# {{esql}} spatial functions [esql-spatial-functions]
+
+{{esql}} supports these spatial functions:
+
+:::{include} ../_snippets/lists/spatial-functions.md
+:::
+
+
+:::{include} ../_snippets/functions/layout/st_distance.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_intersects.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_disjoint.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_contains.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_within.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_x.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_y.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_envelope.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_xmax.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_xmin.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_ymax.md
+:::
+
+:::{include} ../_snippets/functions/layout/st_ymin.md
+:::
+
diff --git a/docs/reference/query-languages/esql/functions-operators/string-functions.md b/docs/reference/query-languages/esql/functions-operators/string-functions.md
new file mode 100644
index 0000000000000..4d053709f0ed3
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/string-functions.md
@@ -0,0 +1,92 @@
+---
+navigation_title: "String functions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-string-functions
+---
+
+# {{esql}} string functions [esql-string-functions]
+
+{{esql}} supports these string functions:
+
+:::{include} ../_snippets/lists/string-functions.md
+:::
+
+
+:::{include} ../_snippets/functions/layout/bit_length.md
+:::
+
+:::{include} ../_snippets/functions/layout/byte_length.md
+:::
+
+:::{include} ../_snippets/functions/layout/concat.md
+:::
+
+:::{include} ../_snippets/functions/layout/ends_with.md
+:::
+
+:::{include} ../_snippets/functions/layout/from_base64.md
+:::
+
+:::{include} ../_snippets/functions/layout/hash.md
+:::
+
+:::{include} ../_snippets/functions/layout/left.md
+:::
+
+:::{include} ../_snippets/functions/layout/length.md
+:::
+
+:::{include} ../_snippets/functions/layout/locate.md
+:::
+
+:::{include} ../_snippets/functions/layout/ltrim.md
+:::
+
+:::{include} ../_snippets/functions/layout/md5.md
+:::
+
+:::{include} ../_snippets/functions/layout/repeat.md
+:::
+
+:::{include} ../_snippets/functions/layout/replace.md
+:::
+
+:::{include} ../_snippets/functions/layout/reverse.md
+:::
+
+:::{include} ../_snippets/functions/layout/right.md
+:::
+
+:::{include} ../_snippets/functions/layout/rtrim.md
+:::
+
+:::{include} ../_snippets/functions/layout/sha1.md
+:::
+
+:::{include} ../_snippets/functions/layout/sha256.md
+:::
+
+:::{include} ../_snippets/functions/layout/space.md
+:::
+
+:::{include} ../_snippets/functions/layout/split.md
+:::
+
+:::{include} ../_snippets/functions/layout/starts_with.md
+:::
+
+:::{include} ../_snippets/functions/layout/substring.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_base64.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_lower.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_upper.md
+:::
+
+:::{include} ../_snippets/functions/layout/trim.md
+:::
+
diff --git a/docs/reference/query-languages/esql/functions-operators/type-conversion-functions.md b/docs/reference/query-languages/esql/functions-operators/type-conversion-functions.md
new file mode 100644
index 0000000000000..246bb4b5fa30f
--- /dev/null
+++ b/docs/reference/query-languages/esql/functions-operators/type-conversion-functions.md
@@ -0,0 +1,75 @@
+---
+navigation_title: "Type conversion functions"
+mapped_pages:
+ - https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-functions-operators.html#esql-type-conversion-functions
+---
+
+# {{esql}} type conversion functions [esql-type-conversion-functions]
+
+
+::::{tip}
+{{esql}} supports implicit casting from string literals to certain data types. Refer to [implicit casting](/reference/query-languages/esql/esql-implicit-casting.md) for details.
+
+::::
+
+
+{{esql}} supports these type conversion functions:
+
+:::{include} ../_snippets/lists/type-conversion-functions.md
+:::
+
+
+:::{include} ../_snippets/functions/layout/to_boolean.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_cartesianpoint.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_cartesianshape.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_dateperiod.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_datetime.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_date_nanos.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_degrees.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_double.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_geopoint.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_geoshape.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_integer.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_ip.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_long.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_radians.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_string.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_timeduration.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_unsigned_long.md
+:::
+
+:::{include} ../_snippets/functions/layout/to_version.md
+:::
+
diff --git a/docs/reference/query-languages/esql/images/operators/cast.svg b/docs/reference/query-languages/esql/images/operators/cast.svg
index afa7b898c8c70..7a4920bc559d9 100644
--- a/docs/reference/query-languages/esql/images/operators/cast.svg +++ b/docs/reference/query-languages/esql/images/operators/cast.svg @@ -1 +1 @@ -::v \ No newline at end of file +field::type \ No newline at end of file diff --git a/docs/reference/query-languages/esql/images/operators/in.svg b/docs/reference/query-languages/esql/images/operators/in.svg new file mode 100644 index 0000000000000..d5ecd318177c8 --- /dev/null +++ b/docs/reference/query-languages/esql/images/operators/in.svg @@ -0,0 +1 @@ +fieldINvalues \ No newline at end of file diff --git a/docs/reference/query-languages/esql/images/operators/is_not_null.svg b/docs/reference/query-languages/esql/images/operators/is_not_null.svg index 1829ec7bdb9d6..e79a2e7dbb9a3 100644 --- a/docs/reference/query-languages/esql/images/operators/is_not_null.svg +++ b/docs/reference/query-languages/esql/images/operators/is_not_null.svg @@ -1 +1 @@ -IS NOT NULLv \ No newline at end of file +fieldIS NOT NULL \ No newline at end of file diff --git a/docs/reference/query-languages/esql/images/operators/is_null.svg b/docs/reference/query-languages/esql/images/operators/is_null.svg index 1a632b5e49115..366891df8b638 100644 --- a/docs/reference/query-languages/esql/images/operators/is_null.svg +++ b/docs/reference/query-languages/esql/images/operators/is_null.svg @@ -1 +1 @@ -IS NULLv \ No newline at end of file +fieldIS NULL \ No newline at end of file diff --git a/docs/reference/query-languages/esql/images/operators/like.svg b/docs/reference/query-languages/esql/images/operators/like.svg new file mode 100644 index 0000000000000..cce64b446532b --- /dev/null +++ b/docs/reference/query-languages/esql/images/operators/like.svg @@ -0,0 +1 @@ +fieldLIKEpattern \ No newline at end of file diff --git a/docs/reference/query-languages/esql/images/operators/rlike.svg b/docs/reference/query-languages/esql/images/operators/rlike.svg new file mode 100644 index 0000000000000..c79f2be441672 --- /dev/null 
+++ b/docs/reference/query-languages/esql/images/operators/rlike.svg @@ -0,0 +1 @@ +fieldRLIKEpattern \ No newline at end of file diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/date_trunc.json b/docs/reference/query-languages/esql/kibana/definition/functions/date_trunc.json index fe293c718a55f..c05449214e6a0 100644 --- a/docs/reference/query-languages/esql/kibana/definition/functions/date_trunc.json +++ b/docs/reference/query-languages/esql/kibana/definition/functions/date_trunc.json @@ -2,7 +2,7 @@ "comment" : "This is generated by ESQL’s AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it.", "type" : "scalar", "name" : "date_trunc", - "description": "Rounds down a date to the closest interval since epoch, which starts at `0001-01-01T00:00:00Z`.", + "description" : "Rounds down a date to the closest interval since epoch, which starts at `0001-01-01T00:00:00Z`.", "signatures" : [ { "params" : [ diff --git a/docs/reference/query-languages/esql/kibana/definition/operators/div.json b/docs/reference/query-languages/esql/kibana/definition/operators/div.json index ce69b6b8408ea..5863e18b52b36 100644 --- a/docs/reference/query-languages/esql/kibana/definition/operators/div.json +++ b/docs/reference/query-languages/esql/kibana/definition/operators/div.json @@ -3,6 +3,7 @@ "type" : "operator", "operator" : "/", "name" : "div", + "titleName" : "divide", "description" : "Divide one number by another. If either field is multivalued then the result is `null`.", "note" : "Division of two integer types will yield an integer result, rounding towards 0. If you need floating point division, `Cast (::)` one of the arguments to a `DOUBLE`.", "signatures" : [ diff --git a/docs/reference/query-languages/esql/kibana/definition/operators/is_not_null.json b/docs/reference/query-languages/esql/kibana/definition/operators/is_not_null.json index 9573c5c922406..385d375853683 100644 
--- a/docs/reference/query-languages/esql/kibana/definition/operators/is_not_null.json +++ b/docs/reference/query-languages/esql/kibana/definition/operators/is_not_null.json @@ -1,7 +1,7 @@ { "comment" : "This is generated by ESQL’s AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it.", "type" : "operator", - "operator" : "predicates", + "operator" : "IS NOT NULL", "name" : "is_not_null", "description" : "Use `IS NOT NULL` to filter data based on whether the field exists or not.", "signatures" : [ diff --git a/docs/reference/query-languages/esql/kibana/definition/operators/is_null.json b/docs/reference/query-languages/esql/kibana/definition/operators/is_null.json index 7e11a801f0818..e1411c65ef3f4 100644 --- a/docs/reference/query-languages/esql/kibana/definition/operators/is_null.json +++ b/docs/reference/query-languages/esql/kibana/definition/operators/is_null.json @@ -1,7 +1,7 @@ { "comment" : "This is generated by ESQL’s AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it.", "type" : "operator", - "operator" : "predicates", + "operator" : "IS NULL", "name" : "is_null", "description" : "Use `IS NULL` to filter data based on whether the field exists or not.", "signatures" : [ diff --git a/docs/reference/query-languages/esql/kibana/definition/operators/match_operator.json b/docs/reference/query-languages/esql/kibana/definition/operators/match_operator.json index 7dbcf38a7f3d5..e9cd383093d2b 100644 --- a/docs/reference/query-languages/esql/kibana/definition/operators/match_operator.json +++ b/docs/reference/query-languages/esql/kibana/definition/operators/match_operator.json @@ -529,7 +529,7 @@ } ], "examples" : [ - "FROM books\n| WHERE MATCH(author, \"Faulkner\")" + "FROM books\n| WHERE author:\"Faulkner\"" ], "preview" : true, "snapshot_only" : false 
diff --git a/docs/reference/query-languages/esql/kibana/definition/operators/mod.json b/docs/reference/query-languages/esql/kibana/definition/operators/mod.json index eeda5e37f5f4f..70a284fdbf153 100644 --- a/docs/reference/query-languages/esql/kibana/definition/operators/mod.json +++ b/docs/reference/query-languages/esql/kibana/definition/operators/mod.json @@ -3,6 +3,7 @@ "type" : "operator", "operator" : "%", "name" : "mod", + "titleName" : "modulo", "description" : "Divide one number by another and return the remainder. If either field is multivalued then the result is `null`.", "signatures" : [ { diff --git a/docs/reference/query-languages/esql/kibana/definition/operators/mul.json b/docs/reference/query-languages/esql/kibana/definition/operators/mul.json index feb441b9213ba..2a50ecc8657dd 100644 --- a/docs/reference/query-languages/esql/kibana/definition/operators/mul.json +++ b/docs/reference/query-languages/esql/kibana/definition/operators/mul.json @@ -3,6 +3,7 @@ "type" : "operator", "operator" : "*", "name" : "mul", + "titleName" : "multiply", "description" : "Multiply two numbers together. If either field is multivalued then the result is `null`.", "signatures" : [ { diff --git a/docs/reference/query-languages/esql/kibana/definition/operators/neg.json b/docs/reference/query-languages/esql/kibana/definition/operators/neg.json index 6b8c450ab9fb7..3d1285be42af9 100644 --- a/docs/reference/query-languages/esql/kibana/definition/operators/neg.json +++ b/docs/reference/query-languages/esql/kibana/definition/operators/neg.json @@ -3,6 +3,7 @@ "type" : "operator", "operator" : "-", "name" : "neg", + "titleName" : "negate", "description" : "Returns the negation of the argument.", "signatures" : [ { diff --git a/docs/reference/query-languages/esql/kibana/definition/operators/predicates.json b/docs/reference/query-languages/esql/kibana/definition/operators/predicates.json index 1620d567cba1a..db08e7acc0094 100644 
--- a/docs/reference/query-languages/esql/kibana/definition/operators/predicates.json +++ b/docs/reference/query-languages/esql/kibana/definition/operators/predicates.json @@ -1,7 +1,6 @@ { "comment" : "This is generated by ESQL’s AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it.", - "type" : "operator", - "operator" : "predicates", + "type" : "scalar", "name" : "predicates", "description" : "For NULL comparison use the `IS NULL` and `IS NOT NULL` predicates.", "signatures" : [ diff --git a/docs/reference/query-languages/esql/kibana/definition/operators/sub.json b/docs/reference/query-languages/esql/kibana/definition/operators/sub.json index a476a0ae18865..0dcc3133ef9be 100644 --- a/docs/reference/query-languages/esql/kibana/definition/operators/sub.json +++ b/docs/reference/query-languages/esql/kibana/definition/operators/sub.json @@ -3,6 +3,7 @@ "type" : "operator", "operator" : "-", "name" : "sub", + "titleName" : "subtract", "description" : "Subtract one number from another. If either field is multivalued then the result is `null`.", "signatures" : [ { diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/abs.md b/docs/reference/query-languages/esql/kibana/docs/functions/abs.md index 6ca794c8ee38d..f38d4acfa03a2 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/abs.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/abs.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### ABS Returns the absolute value. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/acos.md b/docs/reference/query-languages/esql/kibana/docs/functions/acos.md index 76852b67dc822..c3f8cb4125666 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/acos.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/acos.md 
@@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### ACOS Returns the [arccosine](https://en.wikipedia.org/wiki/Inverse_trigonometric_functions) of `n` as an angle, expressed in radians. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/asin.md b/docs/reference/query-languages/esql/kibana/docs/functions/asin.md index 58ca0dbf8190c..35355fd9e1168 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/asin.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/asin.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### ASIN Returns the [arcsine](https://en.wikipedia.org/wiki/Inverse_trigonometric_functions) of the input diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/atan.md b/docs/reference/query-languages/esql/kibana/docs/functions/atan.md index ec58452f51b08..6a8bacadcfa45 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/atan.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/atan.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### ATAN Returns the [arctangent](https://en.wikipedia.org/wiki/Inverse_trigonometric_functions) of the input diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/atan2.md b/docs/reference/query-languages/esql/kibana/docs/functions/atan2.md index f23c61d2bfc49..4836519ddb937 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/atan2.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/atan2.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### ATAN2 The [angle](https://en.wikipedia.org/wiki/Atan2) between the positive x-axis and the ray from the 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/avg.md b/docs/reference/query-languages/esql/kibana/docs/functions/avg.md index 5a2313ba09bdb..49ffe5aaa10c6 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/avg.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/avg.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### AVG The average of a numeric field. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/bit_length.md b/docs/reference/query-languages/esql/kibana/docs/functions/bit_length.md index da567362ec994..9f68a431798aa 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/bit_length.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/bit_length.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### BIT_LENGTH +### BIT LENGTH Returns the bit length of a string. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/bucket.md b/docs/reference/query-languages/esql/kibana/docs/functions/bucket.md index cea3272a58a80..33cce59322db7 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/bucket.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/bucket.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### BUCKET Creates groups of values - buckets - out of a datetime or numeric input. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/byte_length.md b/docs/reference/query-languages/esql/kibana/docs/functions/byte_length.md index f26d1c59a3508..143601cfdc113 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/byte_length.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/byte_length.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### BYTE_LENGTH +### BYTE LENGTH Returns the byte length of a string. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/case.md b/docs/reference/query-languages/esql/kibana/docs/functions/case.md index 8f6d508fc5870..7fc586db82bc9 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/case.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/case.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### CASE Accepts pairs of conditions and values. The function returns the value that diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/categorize.md b/docs/reference/query-languages/esql/kibana/docs/functions/categorize.md index aeb7885aa9559..6693954ee263c 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/categorize.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/categorize.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### CATEGORIZE Groups text messages into categories of similarly formatted text values. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/cbrt.md b/docs/reference/query-languages/esql/kibana/docs/functions/cbrt.md index b8b80217b013f..6cec1b29af374 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/cbrt.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/cbrt.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### CBRT Returns the cube root of a number. The input can be any numeric value, the return value is always a double. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/ceil.md b/docs/reference/query-languages/esql/kibana/docs/functions/ceil.md index ff9dad8d87b11..8ba9ec187d949 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/ceil.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/ceil.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### CEIL Round a number up to the nearest integer. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/cidr_match.md b/docs/reference/query-languages/esql/kibana/docs/functions/cidr_match.md index ac2dc9c081cea..42c3a11aead29 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/cidr_match.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/cidr_match.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### CIDR_MATCH +### CIDR MATCH Returns true if the provided IP is contained in one of the provided CIDR blocks. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/coalesce.md b/docs/reference/query-languages/esql/kibana/docs/functions/coalesce.md index 0d69ebf26803d..7ebd61e867b5d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/coalesce.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/coalesce.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### COALESCE Returns the first of its arguments that is not null. If all arguments are null, it returns `null`. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/concat.md b/docs/reference/query-languages/esql/kibana/docs/functions/concat.md index 20476ff4f5ff9..4488552fc43ea 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/concat.md 
+++ b/docs/reference/query-languages/esql/kibana/docs/functions/concat.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### CONCAT Concatenates two or more strings. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/cos.md b/docs/reference/query-languages/esql/kibana/docs/functions/cos.md index 847895e9eb821..bc1155c9e9193 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/cos.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/cos.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### COS Returns the [cosine](https://en.wikipedia.org/wiki/Sine_and_cosine) of an angle. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/cosh.md b/docs/reference/query-languages/esql/kibana/docs/functions/cosh.md index 652205092eff7..131567cd5f7df 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/cosh.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/cosh.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### COSH Returns the [hyperbolic cosine](https://en.wikipedia.org/wiki/Hyperbolic_functions) of a number. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/count.md b/docs/reference/query-languages/esql/kibana/docs/functions/count.md index 6f2c0c0529807..00773624ac78d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/count.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/count.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### COUNT Returns the total number (count) of input values. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/count_distinct.md b/docs/reference/query-languages/esql/kibana/docs/functions/count_distinct.md index de590a9facdcc..a6941c99c1da6 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/count_distinct.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/count_distinct.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### COUNT_DISTINCT +### COUNT DISTINCT Returns the approximate number of distinct values. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/date_diff.md b/docs/reference/query-languages/esql/kibana/docs/functions/date_diff.md index 5810623648384..bf479c538c18f 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/date_diff.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/date_diff.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### DATE_DIFF +### DATE DIFF Subtracts the `startTimestamp` from the `endTimestamp` and returns the difference in multiples of `unit`. If `startTimestamp` is later than the `endTimestamp`, negative values are returned. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/date_extract.md b/docs/reference/query-languages/esql/kibana/docs/functions/date_extract.md index 85ef527699968..5b82233da1514 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/date_extract.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/date_extract.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### DATE_EXTRACT +### DATE EXTRACT Extracts parts of a date, like year, month, day, hour. ```esql 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/date_format.md b/docs/reference/query-languages/esql/kibana/docs/functions/date_format.md index 7d139fbc8727d..62d9a27c0695a 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/date_format.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/date_format.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### DATE_FORMAT +### DATE FORMAT Returns a string representation of a date, in the provided format. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/date_parse.md b/docs/reference/query-languages/esql/kibana/docs/functions/date_parse.md index a51e557809c09..e83db00145af3 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/date_parse.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/date_parse.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### DATE_PARSE +### DATE PARSE Returns a date by parsing the second argument using the format specified in the first argument. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/date_trunc.md b/docs/reference/query-languages/esql/kibana/docs/functions/date_trunc.md index 38d15ccd93e4a..7b6ea933aff7c 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/date_trunc.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/date_trunc.md @@ -1,11 +1,7 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### DATE_TRUNC - -Rounds down a date to the closest interval since epoch, which starts -at `0001-01-01T00:00:00Z`. +### DATE TRUNC +Rounds down a date to the closest interval since epoch, which starts at `0001-01-01T00:00:00Z`. ```esql FROM employees 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/e.md b/docs/reference/query-languages/esql/kibana/docs/functions/e.md index 62fae03da50bb..46873dfde52e9 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/e.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/e.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### E Returns [Euler’s number](https://en.wikipedia.org/wiki/E_(mathematical_constant)). diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/ends_with.md b/docs/reference/query-languages/esql/kibana/docs/functions/ends_with.md index f3de00c2c0905..825cd65e08da2 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/ends_with.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/ends_with.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ENDS_WITH +### ENDS WITH Returns a boolean that indicates whether a keyword string ends with another string. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/exp.md b/docs/reference/query-languages/esql/kibana/docs/functions/exp.md index 0ac093ba71de2..55c8b3a9bb868 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/exp.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/exp.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### EXP Returns the value of e raised to the power of the given number. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/floor.md b/docs/reference/query-languages/esql/kibana/docs/functions/floor.md index 602a9f28b3f87..f1e675055cc0e 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/floor.md 
+++ b/docs/reference/query-languages/esql/kibana/docs/functions/floor.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### FLOOR Round a number down to the nearest integer. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/from_base64.md b/docs/reference/query-languages/esql/kibana/docs/functions/from_base64.md index 3685659ec81d7..132d6fa870d12 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/from_base64.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/from_base64.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### FROM_BASE64 +### FROM BASE64 Decode a base64 string. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/greatest.md b/docs/reference/query-languages/esql/kibana/docs/functions/greatest.md index fd117be6de935..ea52679eeac24 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/greatest.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/greatest.md @@ -1,9 +1,7 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### GREATEST -Returns the maximum value from multiple columns. This is similar to [`MV_MAX`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-mv_max) +Returns the maximum value from multiple columns. This is similar to [`MV_MAX`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/mv-functions#esql-mv_max) except it is intended to run on multiple columns at once. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/hash.md b/docs/reference/query-languages/esql/kibana/docs/functions/hash.md index 0b9cedf31c377..93c97ad8739a4 100644 
--- a/docs/reference/query-languages/esql/kibana/docs/functions/hash.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/hash.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### HASH Computes the hash of the input using various algorithms such as MD5, SHA, SHA-224, SHA-256, SHA-384, SHA-512. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/hypot.md b/docs/reference/query-languages/esql/kibana/docs/functions/hypot.md index 2d6ec06799c53..15cc45537d222 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/hypot.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/hypot.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### HYPOT Returns the hypotenuse of two numbers. The input can be any numeric values, the return value is always a double. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/ip_prefix.md b/docs/reference/query-languages/esql/kibana/docs/functions/ip_prefix.md index f83d2ea5618cd..08c7aff570b72 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/ip_prefix.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/ip_prefix.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### IP_PREFIX +### IP PREFIX Truncates an IP to a given prefix length. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/kql.md b/docs/reference/query-languages/esql/kibana/docs/functions/kql.md index 112a13f36540f..37cd4d5f43cc9 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/kql.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/kql.md 
@@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### KQL Performs a KQL query. Returns true if the provided KQL query string matches the row. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/least.md b/docs/reference/query-languages/esql/kibana/docs/functions/least.md index 030eec6c18e61..1aaedd8c7e1ac 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/least.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/least.md @@ -1,9 +1,7 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### LEAST -Returns the minimum value from multiple columns. This is similar to [`MV_MIN`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-mv_min) except it is intended to run on multiple columns at once. +Returns the minimum value from multiple columns. This is similar to [`MV_MIN`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/mv-functions#esql-mv_min) except it is intended to run on multiple columns at once. ```esql ROW a = 10, b = 20 diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/left.md b/docs/reference/query-languages/esql/kibana/docs/functions/left.md index 10b4b0fcf90eb..adf65eb226a46 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/left.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/left.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### LEFT Returns the substring that extracts *length* chars from *string* starting from the left. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/length.md b/docs/reference/query-languages/esql/kibana/docs/functions/length.md index 1343a4a765525..0d194a21c0843 100644 
--- a/docs/reference/query-languages/esql/kibana/docs/functions/length.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/length.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### LENGTH Returns the character length of a string. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/locate.md b/docs/reference/query-languages/esql/kibana/docs/functions/locate.md index 55ebd702ed4ab..eb9c4dc7a75e8 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/locate.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/locate.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### LOCATE Returns an integer that indicates the position of a keyword substring within another string. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/log.md b/docs/reference/query-languages/esql/kibana/docs/functions/log.md index ab3617bfc5016..87af53eb9d920 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/log.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/log.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### LOG Returns the logarithm of a value to a base. The input can be any numeric value, the return value is always a double. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/log10.md b/docs/reference/query-languages/esql/kibana/docs/functions/log10.md index d4947ef815c65..53d4f4110a221 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/log10.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/log10.md 
@@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### LOG10 Returns the logarithm of a value to base 10. The input can be any numeric value, the return value is always a double. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/ltrim.md b/docs/reference/query-languages/esql/kibana/docs/functions/ltrim.md index 7678780ef1f63..65b4e0e5c13a5 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/ltrim.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/ltrim.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### LTRIM Removes leading whitespaces from a string. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/match.md b/docs/reference/query-languages/esql/kibana/docs/functions/match.md index bf30c6dfea067..88764f806c161 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/match.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/match.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### MATCH Use `MATCH` to perform a [match query](https://www.elastic.co/docs/reference/elasticsearch/query-languages/query-dsl/query-dsl-match-query) on the specified field. 
@@ -12,7 +10,7 @@ as well as other field types like keyword, boolean, dates, and numeric types. Match can use [function named parameters](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-syntax#esql-function-named-params) to specify additional options for the match query. All [match query parameters](https://www.elastic.co/docs/reference/elasticsearch/query-languages/query-dsl/query-dsl-match-query#match-field-params) are supported. -For a simplified syntax, you can use the [match operator](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-search-operators) `:` operator instead of `MATCH`. +For a simplified syntax, you can use the [match operator](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/operators#esql-match-operator) `:` operator instead of `MATCH`. `MATCH` returns true if the provided query matches the row. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/max.md b/docs/reference/query-languages/esql/kibana/docs/functions/max.md index c4e1c1cf58123..50bc0d8b7a493 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/max.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/max.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### MAX The maximum value of a field. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/md5.md b/docs/reference/query-languages/esql/kibana/docs/functions/md5.md index db3718bb63054..152cbd5c622c4 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/md5.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/md5.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### MD5 Computes the MD5 hash of the input. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/median.md b/docs/reference/query-languages/esql/kibana/docs/functions/median.md index 2a40c1a31387a..0b4bfa90f6801 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/median.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/median.md @@ -1,12 +1,10 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### MEDIAN -The value that is greater than half of all values and less than half of all values, also known as the 50% [`PERCENTILE`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-percentile). +The value that is greater than half of all values and less than half of all values, also known as the 50% [`PERCENTILE`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/aggregation-functions#esql-percentile). ```esql FROM employees | STATS MEDIAN(salary), PERCENTILE(salary, 50) ``` -Note: Like [`PERCENTILE`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-percentile), `MEDIAN` is [usually approximate](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-percentile-approximate). +Note: Like [`PERCENTILE`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/aggregation-functions#esql-percentile), `MEDIAN` is [usually approximate](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/aggregation-functions#esql-percentile-approximate). diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/median_absolute_deviation.md b/docs/reference/query-languages/esql/kibana/docs/functions/median_absolute_deviation.md index 0553e73119aa5..07684cbc61fbf 100644 
--- a/docs/reference/query-languages/esql/kibana/docs/functions/median_absolute_deviation.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/median_absolute_deviation.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MEDIAN_ABSOLUTE_DEVIATION +### MEDIAN ABSOLUTE DEVIATION Returns the median absolute deviation, a measure of variability. It is a robust statistic, meaning that it is useful for describing data that may have outliers, or may not be normally distributed. For such data it can be more descriptive than standard deviation. It is calculated as the median of each data point’s deviation from the median of the entire sample. That is, for a random variable `X`, the median absolute deviation is `median(|median(X) - X|)`. @@ -11,4 +9,4 @@ It is calculated as the median of each data point’s deviation from the median FROM employees | STATS MEDIAN(salary), MEDIAN_ABSOLUTE_DEVIATION(salary) ``` -Note: Like [`PERCENTILE`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-percentile), `MEDIAN_ABSOLUTE_DEVIATION` is [usually approximate](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-percentile-approximate). +Note: Like [`PERCENTILE`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/aggregation-functions#esql-percentile), `MEDIAN_ABSOLUTE_DEVIATION` is [usually approximate](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/aggregation-functions#esql-percentile-approximate). diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/min.md b/docs/reference/query-languages/esql/kibana/docs/functions/min.md index 4747ac7e35687..0f8997243a4af 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/min.md 
+++ b/docs/reference/query-languages/esql/kibana/docs/functions/min.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### MIN The minimum value of a field. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_append.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_append.md index 18d9c96fc7529..ae7377f995b35 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_append.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_append.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_APPEND +### MV APPEND Concatenates values of two multi-value fields. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_avg.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_avg.md index fe4702a737d42..8b790b29066cb 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_avg.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_avg.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_AVG +### MV AVG Converts a multivalued field into a single valued field containing the average of all of the values. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_concat.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_concat.md index baeae453939d7..78a6215dae0fa 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_concat.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_concat.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_CONCAT +### MV CONCAT Converts a multivalued string expression into a single valued column containing the concatenation of all values separated by a delimiter. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_count.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_count.md index c88d10af8c17b..91dc0cb245c75 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_count.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_count.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_COUNT +### MV COUNT Converts a multivalued expression into a single valued column containing a count of the number of values. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_dedupe.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_dedupe.md index f60ba7e3082fa..0f2bb977f5f86 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_dedupe.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_dedupe.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_DEDUPE +### MV DEDUPE Remove duplicate values from a multivalued field. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_first.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_first.md index 6f12674ebfda0..2686e965155fa 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_first.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_first.md 
@@ -1,11 +1,9 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_FIRST +### MV FIRST Converts a multivalued expression into a single valued column containing the first value. This is most useful when reading from a function that emits -multivalued columns in a known order like [`SPLIT`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-split). +multivalued columns in a known order like [`SPLIT`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/string-functions#esql-split). ```esql ROW a="foo;bar;baz" diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_last.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_last.md index 773a5b4a5aeab..dfc4735693075 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_last.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_last.md @@ -1,11 +1,9 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_LAST +### MV LAST Converts a multivalue expression into a single valued column containing the last value. This is most useful when reading from a function that emits multivalued -columns in a known order like [`SPLIT`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-split). +columns in a known order like [`SPLIT`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/string-functions#esql-split). ```esql ROW a="foo;bar;baz" diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_max.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_max.md index 6e092aa52864e..8a7b5760bc65a 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_max.md 
+++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_max.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_MAX +### MV MAX Converts a multivalued expression into a single valued column containing the maximum value. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_median.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_median.md index 75d0f3f76f54d..e3b46407ac23b 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_median.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_median.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_MEDIAN +### MV MEDIAN Converts a multivalued field into a single valued field containing the median value. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_median_absolute_deviation.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_median_absolute_deviation.md index 8cf1e477ea2ec..b356201cdc16d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_median_absolute_deviation.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_median_absolute_deviation.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_MEDIAN_ABSOLUTE_DEVIATION +### MV MEDIAN ABSOLUTE DEVIATION Converts a multivalued field into a single valued field containing the median absolute deviation. It is calculated as the median of each data point’s deviation from the median of the entire sample. That is, for a random variable `X`, the median absolute deviation is `median(|median(X) - X|)`. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_min.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_min.md index 233386b201ca0..026c42cf20a4d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_min.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_min.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_MIN +### MV MIN Converts a multivalued expression into a single valued column containing the minimum value. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_percentile.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_percentile.md index 4fa4edee1540d..b4bc59a349775 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_percentile.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_percentile.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_PERCENTILE +### MV PERCENTILE Converts a multivalued field into a single valued field containing the value at which a certain percentage of observed values occur. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_pseries_weighted_sum.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_pseries_weighted_sum.md index 1e71922608911..afe9f4ee881a0 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_pseries_weighted_sum.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_pseries_weighted_sum.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_PSERIES_WEIGHTED_SUM +### MV PSERIES WEIGHTED SUM Converts a multivalued expression into a single-valued column by multiplying every element on the input list by its corresponding term in P-Series and computing the sum. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_slice.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_slice.md index 583153c505ffc..48e9e69e34592 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_slice.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_slice.md @@ -1,11 +1,9 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_SLICE +### MV SLICE Returns a subset of the multivalued field using the start and end index values. This is most useful when reading from a function that emits multivalued columns -in a known order like [`SPLIT`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-split) or [`MV_SORT`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-mv_sort). +in a known order like [`SPLIT`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/string-functions#esql-split) or [`MV_SORT`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/mv-functions#esql-mv_sort). ```esql row a = [1, 2, 2, 3] diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_sort.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_sort.md index 169e62c62e88d..2b3c2579b6937 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_sort.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_sort.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_SORT +### MV SORT Sorts a multivalued field in lexicographical order. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_sum.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_sum.md index 8f5befd70f6eb..9e91511adb60f 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_sum.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_sum.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_SUM +### MV SUM Converts a multivalued field into a single valued field containing the sum of all of the values. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/mv_zip.md b/docs/reference/query-languages/esql/kibana/docs/functions/mv_zip.md index fdd0e69e64233..de7fb7bc33c02 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/mv_zip.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/mv_zip.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MV_ZIP +### MV ZIP Combines the values from two multivalued fields with a delimiter that joins them together. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/now.md b/docs/reference/query-languages/esql/kibana/docs/functions/now.md index cfa75ca8f25a6..5b84def735619 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/now.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/now.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### NOW Returns current date and time. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/percentile.md b/docs/reference/query-languages/esql/kibana/docs/functions/percentile.md index 2a34080172c0a..c5fa35b3c65a4 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/percentile.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/percentile.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### PERCENTILE Returns the value at which a certain percentage of observed values occur. For example, the 95th percentile is the value which is greater than 95% of the observed values and the 50th percentile is the `MEDIAN`. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/pi.md b/docs/reference/query-languages/esql/kibana/docs/functions/pi.md index 907408189a250..f2ce8c6bfad7a 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/pi.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/pi.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### PI Returns [Pi](https://en.wikipedia.org/wiki/Pi), the ratio of a circle’s circumference to its diameter. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/pow.md b/docs/reference/query-languages/esql/kibana/docs/functions/pow.md index 258238b740753..461057ba79ee0 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/pow.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/pow.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### POW Returns the value of `base` raised to the power of `exponent`. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/qstr.md b/docs/reference/query-languages/esql/kibana/docs/functions/qstr.md index b2cc44491ec22..bc04fa0afdc10 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/qstr.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/qstr.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### QSTR Performs a [query string query](https://www.elastic.co/docs/reference/elasticsearch/query-languages/query-dsl/query-dsl-query-string-query). Returns true if the provided query string matches the row. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/repeat.md b/docs/reference/query-languages/esql/kibana/docs/functions/repeat.md index 2c7d6fbebfa97..59269388f65d9 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/repeat.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/repeat.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### REPEAT Returns a string constructed by concatenating `string` with itself the specified `number` of times. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/replace.md b/docs/reference/query-languages/esql/kibana/docs/functions/replace.md index 677a86f70e721..b97de39249cc4 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/replace.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/replace.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### REPLACE The function substitutes in the string `str` any match of the regular expression `regex` 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/reverse.md b/docs/reference/query-languages/esql/kibana/docs/functions/reverse.md index 738ecbeb0a62a..0aa9612330055 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/reverse.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/reverse.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### REVERSE Returns a new string representing the input string in reverse order. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/right.md b/docs/reference/query-languages/esql/kibana/docs/functions/right.md index 43759a22f0308..b4618953b114b 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/right.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/right.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### RIGHT Return the substring that extracts *length* chars from *str* starting from the right. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/round.md b/docs/reference/query-languages/esql/kibana/docs/functions/round.md index 6dbfd44efad52..0efa902cb411c 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/round.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/round.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### ROUND Rounds a number to the specified number of decimal places. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/rtrim.md b/docs/reference/query-languages/esql/kibana/docs/functions/rtrim.md index 24ac2510116d0..b94a9be90610e 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/rtrim.md 
+++ b/docs/reference/query-languages/esql/kibana/docs/functions/rtrim.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### RTRIM Removes trailing whitespaces from a string. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/sha1.md b/docs/reference/query-languages/esql/kibana/docs/functions/sha1.md index 05e3289900654..a006c461c8e55 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/sha1.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/sha1.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### SHA1 Computes the SHA1 hash of the input. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/sha256.md b/docs/reference/query-languages/esql/kibana/docs/functions/sha256.md index 79eb2a7e9935a..1d3159d62f0e3 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/sha256.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/sha256.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### SHA256 Computes the SHA256 hash of the input. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/signum.md b/docs/reference/query-languages/esql/kibana/docs/functions/signum.md index c28fbd8a575ac..666668dedc664 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/signum.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/signum.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### SIGNUM Returns the sign of the given number. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/sin.md b/docs/reference/query-languages/esql/kibana/docs/functions/sin.md index 2ebf4a8ca514b..8217a8e30ef6d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/sin.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/sin.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### SIN Returns the [sine](https://en.wikipedia.org/wiki/Sine_and_cosine) of an angle. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/sinh.md b/docs/reference/query-languages/esql/kibana/docs/functions/sinh.md index 891bd07860502..be37236191cd2 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/sinh.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/sinh.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### SINH Returns the [hyperbolic sine](https://en.wikipedia.org/wiki/Hyperbolic_functions) of a number. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/space.md b/docs/reference/query-languages/esql/kibana/docs/functions/space.md index aa6af229d7b89..4c31a5891c553 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/space.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/space.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### SPACE Returns a string made of `number` spaces. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/split.md b/docs/reference/query-languages/esql/kibana/docs/functions/split.md index e50f9641b4824..81bae03044a9f 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/split.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/split.md 
@@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### SPLIT Split a single valued string into multiple strings. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/sqrt.md b/docs/reference/query-languages/esql/kibana/docs/functions/sqrt.md index ea4eedea14893..d67e21a8e4c20 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/sqrt.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/sqrt.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### SQRT Returns the square root of a number. The input can be any numeric value, the return value is always a double. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_centroid_agg.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_centroid_agg.md index 1c911585101e3..da5a364c840a6 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_centroid_agg.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_centroid_agg.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_CENTROID_AGG +### ST CENTROID AGG Calculate the spatial centroid over a field with spatial point geometry type. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_contains.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_contains.md index 23a263de29656..d94105e2f7b20 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_contains.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_contains.md 
@@ -1,10 +1,8 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_CONTAINS +### ST CONTAINS Returns whether the first geometry contains the second geometry. -This is the inverse of the [ST_WITHIN](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-st_within) function. +This is the inverse of the [ST_WITHIN](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/spatial-functions#esql-st_within) function. ```esql FROM airport_city_boundaries diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_disjoint.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_disjoint.md index a06003547ee90..7f916969d6cb5 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_disjoint.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_disjoint.md @@ -1,10 +1,8 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_DISJOINT +### ST DISJOINT Returns whether the two geometries or geometry columns are disjoint. -This is the inverse of the [ST_INTERSECTS](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-st_intersects) function. +This is the inverse of the [ST_INTERSECTS](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/spatial-functions#esql-st_intersects) function. In mathematical terms: ST_Disjoint(A, B) ⇔ A ⋂ B = ∅ ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_distance.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_distance.md index 11d84cef696aa..020467051e32a 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_distance.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_distance.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_DISTANCE +### ST DISTANCE Computes the distance between two points. For cartesian geometries, this is the pythagorean distance in the same units as the original coordinates. For geographic geometries, this is the circular distance along the great circle in meters. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_envelope.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_envelope.md index f3c59719f64aa..45cbc3102da6f 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_envelope.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_envelope.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_ENVELOPE +### ST ENVELOPE Determines the minimum bounding box of the supplied geometry. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_extent_agg.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_extent_agg.md index 88d6340ab05b6..49ebc33534108 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_extent_agg.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_extent_agg.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_EXTENT_AGG +### ST EXTENT AGG Calculate the spatial extent over a field with geometry type. Returns a bounding box for all values of the field. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_intersects.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_intersects.md index 966b271572d89..18bead8f7e1e3 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_intersects.md 
+++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_intersects.md @@ -1,12 +1,10 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_INTERSECTS +### ST INTERSECTS Returns true if two geometries intersect. They intersect if they have any point in common, including their interior points (points along lines or within polygons). -This is the inverse of the [ST_DISJOINT](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-st_disjoint) function. +This is the inverse of the [ST_DISJOINT](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/spatial-functions#esql-st_disjoint) function. In mathematical terms: ST_Intersects(A, B) ⇔ A ⋂ B ≠ ∅ ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_within.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_within.md index cbb062e23f364..12a1dfe54bec3 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_within.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_within.md @@ -1,10 +1,8 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_WITHIN +### ST WITHIN Returns whether the first geometry is within the second geometry. -This is the inverse of the [ST_CONTAINS](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-st_contains) function. +This is the inverse of the [ST_CONTAINS](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/spatial-functions#esql-st_contains) function. ```esql FROM airport_city_boundaries diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_x.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_x.md index 9afffafb1d3e8..13df6fad1aed6 100644 
--- a/docs/reference/query-languages/esql/kibana/docs/functions/st_x.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_x.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_X +### ST X Extracts the `x` coordinate from the supplied point. If the points is of type `geo_point` this is equivalent to extracting the `longitude` value. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_xmax.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_xmax.md index 2dadcd3bb788d..f84448c68cb0f 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_xmax.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_xmax.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_XMAX +### ST XMAX Extracts the maximum value of the `x` coordinates from the supplied geometry. If the geometry is of type `geo_point` or `geo_shape` this is equivalent to extracting the maximum `longitude` value. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_xmin.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_xmin.md index 9a0d87a793963..13ed253317210 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_xmin.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_xmin.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_XMIN +### ST XMIN Extracts the minimum value of the `x` coordinates from the supplied geometry. If the geometry is of type `geo_point` or `geo_shape` this is equivalent to extracting the minimum `longitude` value. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_y.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_y.md index 9b4205bb21780..8abf61fd276c3 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_y.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_y.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_Y +### ST Y Extracts the `y` coordinate from the supplied point. If the points is of type `geo_point` this is equivalent to extracting the `latitude` value. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_ymax.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_ymax.md index e8da55f43338a..25a42594f74ad 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_ymax.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_ymax.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_YMAX +### ST YMAX Extracts the maximum value of the `y` coordinates from the supplied geometry. If the geometry is of type `geo_point` or `geo_shape` this is equivalent to extracting the maximum `latitude` value. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/st_ymin.md b/docs/reference/query-languages/esql/kibana/docs/functions/st_ymin.md index 1e805e705c339..cf64f193b4ad6 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/st_ymin.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/st_ymin.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ST_YMIN +### ST YMIN Extracts the minimum value of the `y` coordinates from the supplied geometry. If the geometry is of type `geo_point` or `geo_shape` this is equivalent to extracting the minimum `latitude` value. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/starts_with.md b/docs/reference/query-languages/esql/kibana/docs/functions/starts_with.md index f024612ed7e2c..fd3f99e852575 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/starts_with.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/starts_with.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### STARTS_WITH +### STARTS WITH Returns a boolean that indicates whether a keyword string starts with another string. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/std_dev.md b/docs/reference/query-languages/esql/kibana/docs/functions/std_dev.md index 8bbe5e9aa22c2..1bc96bf39f6e1 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/std_dev.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/std_dev.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### STD_DEV +### STD DEV The standard deviation of a numeric field. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/substring.md b/docs/reference/query-languages/esql/kibana/docs/functions/substring.md index c327042056f44..852cd5b93b146 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/substring.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/substring.md 
@@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### SUBSTRING Returns a substring of a string, specified by a start position and an optional length. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/sum.md b/docs/reference/query-languages/esql/kibana/docs/functions/sum.md index f747039ab20cc..9590a0cbf7b76 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/sum.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/sum.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### SUM The sum of a numeric expression. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/tan.md b/docs/reference/query-languages/esql/kibana/docs/functions/tan.md index 18f7dfe22575c..1519a037d877f 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/tan.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/tan.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### TAN Returns the [tangent](https://en.wikipedia.org/wiki/Sine_and_cosine) of an angle. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/tanh.md b/docs/reference/query-languages/esql/kibana/docs/functions/tanh.md index 0e2eb4af258de..7bf9744411368 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/tanh.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/tanh.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### TANH Returns the [hyperbolic tangent](https://en.wikipedia.org/wiki/Hyperbolic_functions) of a number. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/tau.md b/docs/reference/query-languages/esql/kibana/docs/functions/tau.md index 870df3d8aebd4..f445cbe7826a0 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/tau.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/tau.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### TAU Returns the [ratio](https://tauday.com/tau-manifesto) of a circle’s circumference to its radius. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/term.md b/docs/reference/query-languages/esql/kibana/docs/functions/term.md index 9c4efb2a29fa4..5d29071abf661 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/term.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/term.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### TERM Performs a Term query on the specified field. Returns true if the provided term matches the row. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_aggregate_metric_double.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_aggregate_metric_double.md index d461121e036b2..9ac3ee4ba17ad 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_aggregate_metric_double.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_aggregate_metric_double.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_AGGREGATE_METRIC_DOUBLE +### TO AGGREGATE METRIC DOUBLE Encode a numeric to an aggregate_metric_double. ```esql 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_base64.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_base64.md index dd3d7878affff..b7b5042a26bea 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_base64.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_base64.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_BASE64 +### TO BASE64 Encode a string to a base64 string. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_boolean.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_boolean.md index dee9dcef082aa..b7496b34f6268 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_boolean.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_boolean.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_BOOLEAN +### TO BOOLEAN Converts an input value to a boolean value. A string value of `true` will be case-insensitive converted to the Boolean `true`. For anything else, including the empty string, the function will return `false`. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_cartesianpoint.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_cartesianpoint.md index 47a06790274c5..ffa83c2bc1b1d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_cartesianpoint.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_cartesianpoint.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_CARTESIANPOINT +### TO CARTESIANPOINT Converts an input value to a `cartesian_point` value. A string will only be successfully converted if it respects the [WKT Point](https://en.wikipedia.org/wiki/Well-known_text_representation_of_geometry) format. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_cartesianshape.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_cartesianshape.md index 40285e1b0d7f8..4e17e1404c127 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_cartesianshape.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_cartesianshape.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_CARTESIANSHAPE +### TO CARTESIANSHAPE Converts an input value to a `cartesian_shape` value. A string will only be successfully converted if it respects the [WKT](https://en.wikipedia.org/wiki/Well-known_text_representation_of_geometry) format. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_date_nanos.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_date_nanos.md index e0537c62d1e37..1c6b55da3f60d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_date_nanos.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_date_nanos.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_DATE_NANOS +### TO DATE NANOS Converts an input to a nanosecond-resolution date value (aka date_nanos). ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_dateperiod.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_dateperiod.md index 497d0057f9a13..586af47cf5c16 100644 
--- a/docs/reference/query-languages/esql/kibana/docs/functions/to_dateperiod.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_dateperiod.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_DATEPERIOD +### TO DATEPERIOD Converts an input value into a `date_period` value. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_datetime.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_datetime.md index 05812d8f336e8..c78655998c89d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_datetime.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_datetime.md @@ -1,11 +1,9 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_DATETIME +### TO DATETIME Converts an input value to a date value. A string will only be successfully converted if it’s respecting the format `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'`. -To convert dates in other formats, use [`DATE_PARSE`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-date_parse). +To convert dates in other formats, use [`DATE_PARSE`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/date-time-functions#esql-date_parse). ```esql ROW string = ["1953-09-02T00:00:00.000Z", "1964-06-02T00:00:00.000Z", "1964-06-02 00:00:00"] diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_degrees.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_degrees.md index 703eeee9d7f9c..3612606099a34 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_degrees.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_degrees.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_DEGREES +### TO DEGREES Converts a number in [radians](https://en.wikipedia.org/wiki/Radian) to [degrees](https://en.wikipedia.org/wiki/Degree_(angle)). ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_double.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_double.md index 4b7733865560a..60aa688463509 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_double.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_double.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_DOUBLE +### TO DOUBLE Converts an input value to a double value. If the input parameter is of a date type, its value will be interpreted as milliseconds since the [Unix epoch](https://en.wikipedia.org/wiki/Unix_time), converted to double. Boolean `true` will be converted to double `1.0`, `false` to `0.0`. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_geopoint.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_geopoint.md index 4f73435f68bf4..ab9cdbb067bd8 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_geopoint.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_geopoint.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_GEOPOINT +### TO GEOPOINT Converts an input value to a `geo_point` value. A string will only be successfully converted if it respects the [WKT Point](https://en.wikipedia.org/wiki/Well-known_text_representation_of_geometry) format. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_geoshape.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_geoshape.md index 9c59033e5d1ec..42e096df38c20 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_geoshape.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_geoshape.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_GEOSHAPE +### TO GEOSHAPE Converts an input value to a `geo_shape` value. A string will only be successfully converted if it respects the [WKT](https://en.wikipedia.org/wiki/Well-known_text_representation_of_geometry) format. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_integer.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_integer.md index 9e42a0d8e93d2..33154029fb656 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_integer.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_integer.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_INTEGER +### TO INTEGER Converts an input value to an integer value. If the input parameter is of a date type, its value will be interpreted as milliseconds since the [Unix epoch](https://en.wikipedia.org/wiki/Unix_time), converted to integer. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_ip.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_ip.md index e6490b3546981..d2bc129946c8c 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_ip.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_ip.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_IP +### TO IP Converts an input string to an IP value. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_long.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_long.md index 5fc4b5ec152c9..96948ae00809f 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_long.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_long.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_LONG +### TO LONG Converts an input value to a long value. If the input parameter is of a date type, its value will be interpreted as milliseconds since the [Unix epoch](https://en.wikipedia.org/wiki/Unix_time), converted to long. Boolean `true` will be converted to long `1`, `false` to `0`. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_lower.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_lower.md index 0fff52322b7ec..9ac436e7b024d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_lower.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_lower.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_LOWER +### TO LOWER Returns a new string representing the input string converted to lower case. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_radians.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_radians.md index 5cfa5c60dfacc..306cf9a3e948f 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_radians.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_radians.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_RADIANS +### TO RADIANS Converts a number in [degrees](https://en.wikipedia.org/wiki/Degree_(angle)) to [radians](https://en.wikipedia.org/wiki/Radian). ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_string.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_string.md index cab203c05067c..8958678d2a328 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_string.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_string.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_STRING +### TO STRING Converts an input value into a string. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_timeduration.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_timeduration.md index e5511ba2a4f12..e0c1fb1484910 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_timeduration.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_timeduration.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_TIMEDURATION +### TO TIMEDURATION Converts an input value into a `time_duration` value. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_unsigned_long.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_unsigned_long.md index 6c58253306994..280c1695ac183 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_unsigned_long.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_unsigned_long.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_UNSIGNED_LONG +### TO UNSIGNED LONG Converts an input value to an unsigned long value. If the input parameter is of a date type, its value will be interpreted as milliseconds since the [Unix epoch](https://en.wikipedia.org/wiki/Unix_time), converted to unsigned long. Boolean `true` will be converted to unsigned long `1`, `false` to `0`. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_upper.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_upper.md index 8735d88dd4e07..051dd2bc47c22 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_upper.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_upper.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_UPPER +### TO UPPER Returns a new string representing the input string converted to upper case. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/to_version.md b/docs/reference/query-languages/esql/kibana/docs/functions/to_version.md index 42292a8129280..c21e457f0edf8 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/to_version.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/to_version.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### TO_VERSION +### TO VERSION Converts an input string to a version value. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/top.md b/docs/reference/query-languages/esql/kibana/docs/functions/top.md index f6359061c2016..29adf319bbf48 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/top.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/top.md 
@@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### TOP Collects the top values for a field. Includes repeated values. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/trim.md b/docs/reference/query-languages/esql/kibana/docs/functions/trim.md index f4c46dc491547..3927ea6adc0e6 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/trim.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/trim.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### TRIM Removes leading and trailing whitespaces from a string. diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/values.md b/docs/reference/query-languages/esql/kibana/docs/functions/values.md index c1a618733860f..41232d2a29e9c 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/values.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/values.md @@ -1,9 +1,7 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### VALUES -Returns all values in a group as a multivalued field. The order of the returned values isn’t guaranteed. If you need the values returned in order use [`MV_SORT`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-mv_sort). +Returns all values in a group as a multivalued field. The order of the returned values isn’t guaranteed. If you need the values returned in order use [`MV_SORT`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/mv-functions#esql-mv_sort). ```esql FROM employees 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/weighted_avg.md b/docs/reference/query-languages/esql/kibana/docs/functions/weighted_avg.md index 15b36f8b1dd30..f355891e34a9d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/weighted_avg.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/weighted_avg.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### WEIGHTED_AVG +### WEIGHTED AVG The weighted average of a numeric expression. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/add.md b/docs/reference/query-languages/esql/kibana/docs/operators/add.md index 46ef8b2421df5..fd1579d4d1fe1 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/add.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/add.md @@ -1,7 +1,5 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### ADD +### ADD `+` Add two numbers together. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/cast.md b/docs/reference/query-languages/esql/kibana/docs/operators/cast.md index 860716afe4771..32e864b590862 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/cast.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/cast.md 
@@ -1,9 +1,7 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### CAST -The `::` operator provides a convenient alternative syntax to the TO_ [conversion functions](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-type-conversion-functions). +### CAST `::` +The `::` operator provides a convenient alternative syntax to the TO_ [conversion functions](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/type-conversion-functions). ```esql ROW ver = CONCAT(("0"::INT + 1)::STRING, ".2.3")::VERSION diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/div.md b/docs/reference/query-languages/esql/kibana/docs/operators/div.md index e5f6b30b616e7..d4ccba73c0f7d 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/div.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/div.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### DIV +### DIVIDE `/` Divide one number by another. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. -Note: Division of two integer types will yield an integer result, rounding towards 0. If you need floating point division, [`Cast (::)`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-cast-operator) one of the arguments to a `DOUBLE`. +Note: Division of two integer types will yield an integer result, rounding towards 0. If you need floating point division, [`Cast (::)`](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/operators#esql-cast-operator) one of the arguments to a `DOUBLE`. 
diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/equals.md b/docs/reference/query-languages/esql/kibana/docs/operators/equals.md index ab3d0f6d7cdf7..dec8fa939c7f6 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/equals.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/equals.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### EQUALS +### EQUALS `==` Check if two fields are equal. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. Note: This is pushed to the underlying search index if one side of the comparison is constant and the other side is a field in the index that has both an [mapping-index](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/mapping-index) and [doc-values](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/doc-values). diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/greater_than.md b/docs/reference/query-languages/esql/kibana/docs/operators/greater_than.md index 58e018cf4b90e..35b2303d5e24c 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/greater_than.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/greater_than.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### GREATER_THAN +### GREATER THAN `>` Check if one field is greater than another. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. Note: This is pushed to the underlying search index if one side of the comparison is constant and the other side is a field in the index that has both an [mapping-index](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/mapping-index) and [doc-values](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/doc-values). diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/greater_than_or_equal.md b/docs/reference/query-languages/esql/kibana/docs/operators/greater_than_or_equal.md index 67a8fcfae3ee1..5c72277dd79ab 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/greater_than_or_equal.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/greater_than_or_equal.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### GREATER_THAN_OR_EQUAL +### GREATER THAN OR EQUAL `>=` Check if one field is greater than or equal to another. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. Note: This is pushed to the underlying search index if one side of the comparison is constant and the other side is a field in the index that has both an [mapping-index](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/mapping-index) and [doc-values](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/doc-values). 
diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/in.md b/docs/reference/query-languages/esql/kibana/docs/operators/in.md index e3dd2ba252231..549a1094dc5fc 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/in.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/in.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### IN The `IN` operator allows testing whether a field or expression equals an element in a list of literals, fields or expressions. diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/is_not_null.md b/docs/reference/query-languages/esql/kibana/docs/operators/is_not_null.md index 0cd8c059dd4e3..3d9f1e5b81508 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/is_not_null.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/is_not_null.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### IS_NOT_NULL +### IS NOT NULL Use `IS NOT NULL` to filter data based on whether the field exists or not. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/is_null.md b/docs/reference/query-languages/esql/kibana/docs/operators/is_null.md index 88f719877aa1c..18abd83b5755f 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/is_null.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/is_null.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### IS_NULL +### IS NULL Use `IS NULL` to filter data based on whether the field exists or not. ```esql diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/less_than.md b/docs/reference/query-languages/esql/kibana/docs/operators/less_than.md index 7d1d1f1e50dd9..dafc87aaf4069 100644 
--- a/docs/reference/query-languages/esql/kibana/docs/operators/less_than.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/less_than.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### LESS_THAN +### LESS THAN `<` Check if one field is less than another. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. Note: This is pushed to the underlying search index if one side of the comparison is constant and the other side is a field in the index that has both an [mapping-index](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/mapping-index) and [doc-values](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/doc-values). diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/less_than_or_equal.md b/docs/reference/query-languages/esql/kibana/docs/operators/less_than_or_equal.md index 44d8ed667e498..190fbb9b974cb 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/less_than_or_equal.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/less_than_or_equal.md 
@@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### LESS_THAN_OR_EQUAL +### LESS THAN OR EQUAL `<=` Check if one field is less than or equal to another. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. Note: This is pushed to the underlying search index if one side of the comparison is constant and the other side is a field in the index that has both an [mapping-index](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/mapping-index) and [doc-values](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/doc-values). diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/like.md b/docs/reference/query-languages/esql/kibana/docs/operators/like.md index e0f709b26a823..cc69e7cd48557 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/like.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/like.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### LIKE Use `LIKE` to filter data based on string patterns using wildcards. `LIKE` diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/match_operator.md b/docs/reference/query-languages/esql/kibana/docs/operators/match_operator.md index 847f5262d3004..6fe5e5d76dbbe 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/match_operator.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/match_operator.md 
@@ -1,19 +1,17 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MATCH_OPERATOR +### MATCH OPERATOR `:` Use the match operator (`:`) to perform a [match query](https://www.elastic.co/docs/reference/elasticsearch/query-languages/query-dsl/query-dsl-match-query) on the specified field. Using `:` is equivalent to using the `match` query in the Elasticsearch Query DSL. -The match operator is equivalent to the [match function](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-match). +The match operator is equivalent to the [match function](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/aggregation-functions#esql-match). For using the function syntax, or adding [match query parameters](https://www.elastic.co/docs/reference/elasticsearch/query-languages/query-dsl/query-dsl-match-query#match-field-params), you can use the -[match function](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-functions-operators#esql-match). +[match function](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/functions-operators/aggregation-functions#esql-match). `:` returns true if the provided query matches the row. ```esql FROM books -| WHERE MATCH(author, "Faulkner") +| WHERE author:"Faulkner" ``` diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/mod.md b/docs/reference/query-languages/esql/kibana/docs/operators/mod.md index 1e10ad5921ae0..fd0dffbe1de0a 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/mod.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/mod.md 
@@ -1,7 +1,5 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MOD +### MODULO `%` Divide one number by another and return the remainder. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/mul.md b/docs/reference/query-languages/esql/kibana/docs/operators/mul.md index 9d36631f81ee4..0c3042f3c1c5e 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/mul.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/mul.md @@ -1,7 +1,5 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### MUL +### MULTIPLY `*` Multiply two numbers together. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/neg.md b/docs/reference/query-languages/esql/kibana/docs/operators/neg.md index 3a14923e81d03..99785ba83ff71 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/neg.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/neg.md @@ -1,7 +1,5 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### NEG +### NEGATE `-` Returns the negation of the argument. diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/not in.md b/docs/reference/query-languages/esql/kibana/docs/operators/not in.md index 91d5130fae394..4ac4485952933 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/not in.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/not in.md 
@@ -1,7 +1,5 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### NOT_IN +### NOT IN The `NOT IN` operator allows testing whether a field or expression does *not* equal any element in a list of literals, fields or expressions. diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/not like.md b/docs/reference/query-languages/esql/kibana/docs/operators/not like.md index f3db44b92f02a..5422fe04265b9 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/not like.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/not like.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### NOT_LIKE +### NOT LIKE Use `LIKE` to filter data based on string patterns using wildcards. `LIKE` usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) expression. The right-hand side of the operator diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/not rlike.md b/docs/reference/query-languages/esql/kibana/docs/operators/not rlike.md index a1422f66a2369..f3b617ac12a0c 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/not rlike.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/not rlike.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### NOT_RLIKE +### NOT RLIKE Use `RLIKE` to filter data based on string patterns using using [regular expressions](https://www.elastic.co/docs/reference/elasticsearch/query-languages/query-dsl/regexp-syntax). `RLIKE` usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) 
diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/not_equals.md b/docs/reference/query-languages/esql/kibana/docs/operators/not_equals.md index 251d4ab0ce418..51555912b456b 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/not_equals.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/not_equals.md @@ -1,8 +1,6 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### NOT_EQUALS +### NOT EQUALS `!=` Check if two fields are unequal. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. Note: This is pushed to the underlying search index if one side of the comparison is constant and the other side is a field in the index that has both an [mapping-index](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/mapping-index) and [doc-values](https://www.elastic.co/docs/reference/elasticsearch/elasticsearch/mapping-reference/doc-values). diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/predicates.md b/docs/reference/query-languages/esql/kibana/docs/operators/predicates.md index 2ae6d49936cc9..1a907369e284b 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/predicates.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/predicates.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### PREDICATES For NULL comparison use the `IS NULL` and `IS NOT NULL` predicates. diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/rlike.md b/docs/reference/query-languages/esql/kibana/docs/operators/rlike.md index 72b34318ee189..62c1d84f452af 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/rlike.md 
+++ b/docs/reference/query-languages/esql/kibana/docs/operators/rlike.md @@ -1,6 +1,4 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. ### RLIKE Use `RLIKE` to filter data based on string patterns using using diff --git a/docs/reference/query-languages/esql/kibana/docs/operators/sub.md b/docs/reference/query-languages/esql/kibana/docs/operators/sub.md index 44f6233e27743..cbfbb3b23a6c0 100644 --- a/docs/reference/query-languages/esql/kibana/docs/operators/sub.md +++ b/docs/reference/query-languages/esql/kibana/docs/operators/sub.md @@ -1,7 +1,5 @@ - +% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it. -### SUB +### SUBTRACT `-` Subtract one number from another. If either field is [multivalued](https://www.elastic.co/docs/reference/elasticsearch/query-languages/esql/esql-multivalued-fields) then the result is `null`. diff --git a/docs/reference/query-languages/esql/limitations.md b/docs/reference/query-languages/esql/limitations.md index c1f38a613ab70..77f98538a09f7 100644 --- a/docs/reference/query-languages/esql/limitations.md +++ b/docs/reference/query-languages/esql/limitations.md 
@@ -10,54 +10,10 @@ mapped_pages: ## Result set size limit [esql-max-rows] -By default, an {{esql}} query returns up to 1,000 rows. You can increase the number of rows up to 10,000 using the [`LIMIT`](/reference/query-languages/esql/esql-commands.md#esql-limit) command. - -For instance, -```esql -FROM index | WHERE field = "value" -``` -is equivalent to: -```esql -FROM index | WHERE field = "value" | LIMIT 1000 -``` - -Queries do not return more than 10,000 rows, regardless of the `LIMIT` command’s value. This is a configurable upper limit. - -To overcome this limitation: - -* Reduce the result set size by modifying the query to only return relevant data. Use [`WHERE`](/reference/query-languages/esql/esql-commands.md#esql-where) to select a smaller subset of the data. -* Shift any post-query processing to the query itself. You can use the {{esql}} [`STATS`](/reference/query-languages/esql/esql-commands.md#esql-stats-by) command to aggregate data in the query. - -The upper limit only applies to the number of rows that are output by the query, not to the number of documents it processes: the query runs on the full data set. - -Consider the following two queries: -```esql -FROM index | WHERE field0 == "value" | LIMIT 20000 -``` -and -```esql -FROM index | STATS AVG(field1) BY field2 | LIMIT 20000 -``` - -In both cases, the filtering by `field0` in the first query or the grouping by `field2` in the second is applied over all the documents present in the `index`, irrespective of their number or indexes size. However, both queries will return at most 10,000 rows, even if there were more rows available to return. - -The default and maximum limits can be changed using these dynamic cluster settings: - -* `esql.query.result_truncation_default_size` -* `esql.query.result_truncation_max_size` - -However, doing so involves trade-offs. 
A larger result-set involves a higher memory pressure and increased processing times; the internode traffic within and across clusters can also increase. - -These limitations are similar to those enforced by the [search API for pagination](/reference/elasticsearch/rest-apis/paginate-search-results.md). - -| Functionality | Search | {{esql}} | -|----------------------------------|-------------------------|-------------------------------------------| -| Results returned by default | 10 | 1.000 | -| Default upper limit | 10,000 | 10,000 | -| Specify number of results | `size` | `LIMIT` | -| Change default number of results | n/a | esql.query.result_truncation_default_size | -| Change default upper limit | index-max-result-window | esql.query.result_truncation_max_size | +By default, an {{esql}} query returns up to 1,000 rows. You can increase the number of rows up to 10,000 using the [`LIMIT`](/reference/query-languages/esql/commands/processing-commands.md#esql-limit) command. +:::{include} _snippets/common/result-set-size-limitation.md +::: ## Field types [esql-supported-types] @@ -131,7 +87,7 @@ Querying a column with an unsupported type returns an error. If a column with an Some [field types](/reference/elasticsearch/mapping-reference/field-data-types.md) are not supported in all contexts: -* Spatial types are not supported in the [SORT](/reference/query-languages/esql/esql-commands.md#esql-sort) processing command. Specifying a column of one of these types as a sort parameter will result in an error: +* Spatial types are not supported in the [SORT](/reference/query-languages/esql/commands/processing-commands.md#esql-sort) processing command. Specifying a column of one of these types as a sort parameter will result in an error: * `geo_point` * `geo_shape` 
@@ -151,7 +107,12 @@ In addition, when [querying multiple indexes](docs-content://explore-analyze/que ## Full-text search [esql-limitations-full-text-search] -[preview] {{esql}}'s support for [full-text search](/reference/query-languages/esql/esql-functions-operators.md#esql-search-functions) is currently in Technical Preview. One limitation of full-text search is that it is necessary to use the search function, like [`MATCH`](/reference/query-languages/esql/esql-functions-operators.md#esql-match), in a [`WHERE`](/reference/query-languages/esql/esql-commands.md#esql-where) command directly after the [`FROM`](/reference/query-languages/esql/esql-commands.md#esql-from) source command, or close enough to it. Otherwise, the query will fail with a validation error. +[preview] {{esql}}'s support for [full-text search](/reference/query-languages/esql/functions-operators/search-functions.md) is currently in Technical Preview. +One limitation of full-text search is that it is necessary to use the search function, +like [`MATCH`](/reference/query-languages/esql/functions-operators/search-functions.md#esql-match), +in a [`WHERE`](/reference/query-languages/esql/commands/processing-commands.md#esql-where) command directly after the +[`FROM`](/reference/query-languages/esql/commands/source-commands.md#esql-from) source command, or close enough to it. +Otherwise, the query will fail with a validation error. For example, this query is valid: @@ -160,7 +121,7 @@ FROM books | WHERE MATCH(author, "Faulkner") AND MATCH(author, "Tolkien") ``` -But this query will fail due to the [STATS](/reference/query-languages/esql/esql-commands.md#esql-stats-by) command: +But this query will fail due to the [STATS](/reference/query-languages/esql/commands/processing-commands.md#esql-stats-by) command: ```esql FROM books 
@@ -168,7 +129,12 @@ FROM books | WHERE MATCH(author, "Faulkner") ``` -Note that, because of [the way {{esql}} treats `text` values](#esql-limitations-text-fields), any queries on `text` fields that do not explicitly use the full-text functions, [`MATCH`](/reference/query-languages/esql/esql-functions-operators.md#esql-match), [`QSTR`](/reference/query-languages/esql/esql-functions-operators.md#esql-qstr) or [`KQL`](/reference/query-languages/esql/esql-functions-operators.md#esql-kql), will behave as if the fields are actually `keyword` fields: they are case-sensitive and need to match the full string. +Note that, because of [the way {{esql}} treats `text` values](#esql-limitations-text-fields), +any queries on `text` fields that do not explicitly use the full-text functions, +[`MATCH`](/reference/query-languages/esql/functions-operators/search-functions.md#esql-match), +[`QSTR`](/reference/query-languages/esql/functions-operators/search-functions.md#esql-qstr) or +[`KQL`](/reference/query-languages/esql/functions-operators/search-functions.md#esql-kql), +will behave as if the fields are actually `keyword` fields: they are case-sensitive and need to match the full string. ## `text` fields behave like `keyword` fields [esql-limitations-text-fields] 
@@ -184,7 +150,11 @@ For example, the following query will return a column `greatest` of type `keywor | EVAL greatest = GREATEST(field1, field2, field3) ``` -Note that {{esql}}'s retrieval of `keyword` subfields may have unexpected consequences. Other than when explicitly using the full-text functions, [`MATCH`](/reference/query-languages/esql/esql-functions-operators.md#esql-match) and [`QSTR`](/reference/query-languages/esql/esql-functions-operators.md#esql-qstr), any {{esql}} query on a `text` field is case-sensitive. +Note that {{esql}}'s retrieval of `keyword` subfields may have unexpected consequences. +Other than when explicitly using the full-text functions, +[`MATCH`](/reference/query-languages/esql/functions-operators/search-functions.md#esql-match) and +[`QSTR`](/reference/query-languages/esql/functions-operators/search-functions.md#esql-qstr), +any {{esql}} query on a `text` field is case-sensitive. For example, after indexing a field of type `text` with the value `Elasticsearch query language`, the following `WHERE` clause does not match because the `LIKE` operator is case-sensitive: 
@@ -206,14 +176,16 @@ As a workaround, use wildcards and regular expressions. For example: Furthermore, a subfield may have been mapped with a [normalizer](/reference/elasticsearch/mapping-reference/normalizer.md), which can transform the original string. Or it may have been mapped with [`ignore_above`](/reference/elasticsearch/mapping-reference/ignore-above.md), which can truncate the string. None of these mapping operations are applied to an {{esql}} query, which may lead to false positives or negatives. -To avoid these issues, a best practice is to be explicit about the field that you query, and query `keyword` sub-fields instead of `text` fields. Or consider using one of the [full-text search](/reference/query-languages/esql/esql-functions-operators.md#esql-search-functions) functions. +To avoid these issues, a best practice is to be explicit about the field that you query, +and query `keyword` sub-fields instead of `text` fields. +Or consider using one of the [full-text search](/reference/query-languages/esql/functions-operators/search-functions.md) functions. ## Using {{esql}} to query multiple indices [esql-multi-index-limitations] As discussed in more detail in [Using {{esql}} to query multiple indices](docs-content://explore-analyze/query-filter/languages/esql-multi-index.md), {{esql}} can execute a single query across multiple indices, data streams, or aliases. However, there are some limitations to be aware of: -* All underlying indexes and shards must be active. Using admin commands or UI, it is possible to pause an index or shard, for example by disabling a frozen tier instance, but then any {{esql}} query that includes that index or shard will fail, even if the query uses [`WHERE`](/reference/query-languages/esql/esql-commands.md#esql-where) to filter out the results from the paused index. 
If you see an error of type `search_phase_execution_exception`, with the message `Search rejected due to missing shards`, you likely have an index or shard in `UNASSIGNED` state. +* All underlying indexes and shards must be active. Using admin commands or UI, it is possible to pause an index or shard, for example by disabling a frozen tier instance, but then any {{esql}} query that includes that index or shard will fail, even if the query uses [`WHERE`](/reference/query-languages/esql/commands/processing-commands.md#esql-where) to filter out the results from the paused index. If you see an error of type `search_phase_execution_exception`, with the message `Search rejected due to missing shards`, you likely have an index or shard in `UNASSIGNED` state. * The same field must have the same type across all indexes. If the same field is mapped to different types it is still possible to query the indexes, but the field must be [explicitly converted to a single type](docs-content://explore-analyze/query-filter/languages/esql-multi-index.md#esql-multi-index-union-types). 
@@ -265,7 +237,10 @@ The `GROK` command does not support configuring [custom patterns](/reference/enr ## Multivalue limitations [esql-limitations-mv] -{{esql}} [supports multivalued fields](/reference/query-languages/esql/esql-multivalued-fields.md), but functions return `null` when applied to a multivalued field, unless documented otherwise. Work around this limitation by converting the field to single value with one of the [multivalue functions](/reference/query-languages/esql/esql-functions-operators.md#esql-mv-functions). +{{esql}} [supports multivalued fields](/reference/query-languages/esql/esql-multivalued-fields.md), +but functions return `null` when applied to a multivalued field, unless documented otherwise. +Work around this limitation by converting the field to single value with one of the +[multivalue functions](/reference/query-languages/esql/functions-operators/mv-functions.md). ## Timezone support [esql-limitations-timezone] 
@@ -275,9 +250,9 @@ The `GROK` command does not support configuring [custom patterns](/reference/enr ## Kibana limitations [esql-limitations-kibana] -* The user interface to filter data is not enabled when Discover is in {{esql}} mode. To filter data, write a query that uses the [`WHERE`](/reference/query-languages/esql/esql-commands.md#esql-where) command instead. +* The user interface to filter data is not enabled when Discover is in {{esql}} mode. To filter data, write a query that uses the [`WHERE`](/reference/query-languages/esql/commands/processing-commands.md#esql-where) command instead. * Discover shows no more than 10,000 rows. This limit only applies to the number of rows that are retrieved by the query and displayed in Discover. Queries and aggregations run on the full data set. * Discover shows no more than 50 columns. If a query returns more than 50 columns, Discover only shows the first 50. * CSV export from Discover shows no more than 10,000 rows. This limit only applies to the number of rows that are retrieved by the query and displayed in Discover. Queries and aggregations run on the full data set. -* Querying many indices at once without any filters can cause an error in kibana which looks like `[esql] > Unexpected error from Elasticsearch: The content length (536885793) is bigger than the maximum allowed string (536870888)`. The response from {{esql}} is too long. Use [`DROP`](/reference/query-languages/esql/esql-commands.md#esql-drop) or [`KEEP`](/reference/query-languages/esql/esql-commands.md#esql-keep) to limit the number of fields returned. +* Querying many indices at once without any filters can cause an error in kibana which looks like `[esql] > Unexpected error from Elasticsearch: The content length (536885793) is bigger than the maximum allowed string (536870888)`. The response from {{esql}} is too long. 
Use [`DROP`](/reference/query-languages/esql/commands/processing-commands.md#esql-drop) or [`KEEP`](/reference/query-languages/esql/commands/processing-commands.md#esql-keep) to limit the number of fields returned. diff --git a/docs/reference/query-languages/toc.yml b/docs/reference/query-languages/toc.yml index deadd649b9129..aa442511d1e71 100644 --- a/docs/reference/query-languages/toc.yml +++ b/docs/reference/query-languages/toc.yml @@ -86,7 +86,23 @@ toc: children: - file: esql/esql-syntax.md - file: esql/esql-commands.md + children: + - file: esql/commands/source-commands.md + - file: esql/commands/processing-commands.md - file: esql/esql-functions-operators.md + children: + - file: esql/functions-operators/aggregation-functions.md + - file: esql/functions-operators/grouping-functions.md + - file: esql/functions-operators/conditional-functions-and-expressions.md + - file: esql/functions-operators/date-time-functions.md + - file: esql/functions-operators/ip-functions.md + - file: esql/functions-operators/math-functions.md + - file: esql/functions-operators/search-functions.md + - file: esql/functions-operators/spatial-functions.md + - file: esql/functions-operators/string-functions.md + - file: esql/functions-operators/type-conversion-functions.md + - file: esql/functions-operators/mv-functions.md + - file: esql/functions-operators/operators.md - file: esql/esql-metadata-fields.md - file: esql/esql-multivalued-fields.md - file: esql/esql-process-data-with-dissect-grok.md diff --git a/x-pack/plugin/esql/build.gradle b/x-pack/plugin/esql/build.gradle index becc39f6fd37c..513f340b9930c 100644 --- a/x-pack/plugin/esql/build.gradle +++ b/x-pack/plugin/esql/build.gradle 
@@ -90,10 +90,27 @@ tasks.named("test").configure { if (buildParams.ci == false) { systemProperty 'generateDocs', true def injected = project.objects.newInstance(Injected) + // Define the folder to delete and recreate + def tempDir = file("build/testrun/test/temp/esql") + def commandsExamplesFile = new File(tempDir, "commands.examples") + // Find all matching .md files for commands examples + def mdFiles = fileTree("${rootDir}/docs/reference/query-languages/esql/_snippets/commands/examples/") { + include("**/*.csv-spec/*.md") + } doFirst { injected.fs.delete { - it.delete("build/testrun/test/temp/esql") + it.delete(tempDir) } + // Re-create this folder so we can save a table of generated examples to extract from csv-spec tests + tempDir.mkdirs() // Recreate the folder + + // Write directory name and filename of each .md file to the output file + commandsExamplesFile.withWriter { writer -> + mdFiles.each { file -> + writer.writeLine("${file.parentFile.name}/${file.name}") + } + } + println "File 'commands.examples' created with ${mdFiles.size()} example specifications from csv-spec files." } File imagesFolder = file("build/testrun/test/temp/esql/images") File snippetsFolder = file("build/testrun/test/temp/esql/_snippets") @@ -104,6 +121,9 @@ tasks.named("test").configure { def snippetsTree = fileTree(snippetsFolder).matching { include "**/types/*.md" // Recursively include all types/*.md files (effectively counting functions and operators) } + def commandsExamplesTree = fileTree(snippetsFolder).matching { + include "**/*.csv-spec/*.md" // Recursively include all generated *.csv-spec/*.md files (created by CommandDocsTests) + } def imagesTree = fileTree(imagesFolder).matching { include "**/*.svg" // Recursively include all SVG files } 
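Review bot: The `commands.examples` manifest written in the added `doFirst` lines uses `withWriter` with no charset, so its encoding follows the JVM default of the Gradle daemon. Going by the CommandDocsTests Javadoc, the file is read back by the test JVM, so naming the encoding on the writer would make the hand-off deterministic: `commandsExamplesFile.withWriter('UTF-8') { writer ->`. The status line is emitted with `println`, while the `doLast` block of the same task reports through `logger.quiet`; `logger.quiet("ESQL Docs: wrote commands.examples with ${mdFiles.size()} entries")` would keep it under Gradle's log-level control. The closure parameter named `file` also shadows the project's `file()` method used a few lines above, and a name such as `md` would read more clearly. The enclosing `tasks.named("test").configure` block starts and ends outside the hunk.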
@@ -114,10 +134,12 @@ tasks.named("test").configure { doLast { def snippets = snippetsTree.files.collect { it.name } int countSnippets = snippets.size() - if (countSnippets == 0) { + def commandsExamples = commandsExamplesTree.files.collect { it.name } + int countCommandsExamples = commandsExamples.size() + if (countSnippets == 0 && countCommandsExamples == 0) { logger.quiet("ESQL Docs: No function/operator snippets created. Skipping sync.") } else { - logger.quiet("ESQL Docs: Found $countSnippets generated markdown files to patch into docs") + logger.quiet("ESQL Docs: Found $countSnippets generated function/operator snippets and $countCommandsExamples command examples to patch into docs") injected.fs.sync { from snippetsFolder into snippetsDocFolder @@ -131,8 +153,8 @@ tasks.named("test").configure { } else { // If we do run the full test of tests, be careful about what we need to preserve preserve { - // The lists are static, and the operators are a mix of generated and static content - include '*.md', '**/operators/*.md', '**/operators/**/*.md', '**/lists/*.md' + // The lists and commands are static, and the operators are a mix of generated and static content + include '*.md', '**/operators/*.md', '**/operators/**/*.md', '**/lists/*.md', '**/commands/**/*.md', '**/common/**/*.md' } } } diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/date.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/date.csv-spec index 2e3bad8f7371c..59fe1126b5ef7 100644 --- a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/date.csv-spec +++ b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/date.csv-spec @@ -1141,9 +1141,7 @@ FROM sample_data // end::docsNowWhere[] ; -// tag::docsNowWhere-result[] @timestamp:date | client_ip:ip | event_duration:long | message:keyword -// end::docsNowWhere-result[] ; mvSort 
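Review bot: The skip message in the `@@ -114,10 +134,12 @@` hunk still reads `No function/operator snippets created`, although the condition now also requires `countCommandsExamples == 0`. The log should say what was actually checked, for example `logger.quiet("ESQL Docs: No function/operator snippets or command examples created. Skipping sync.")`. `commandsExamples` is collected only to take its size, so `int countCommandsExamples = commandsExamplesTree.files.size()` would do the same without the intermediate list. The `doLast` block starts and ends outside the hunk.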
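Review bot: The updated comment in the `@@ -131,8 +153,8 @@` hunk calls the commands static, but the new preserve pattern `'**/commands/**/*.md'` also matches the generated `commands/examples/*.csv-spec/*.md` files, which carry the "This is generated by" header elsewhere in this commit. If the sync destination is the `_snippets` folder, as the paths suggest, a generated example whose tag is later removed from a csv-spec file would be kept rather than pruned. It would help to say so in the comment: `// Lists and command pages are static; generated files under commands/examples are preserved too and must be deleted by hand when a tag is dropped`. Alternatively, if pruning is wanted, the pattern could be narrowed so it does not cover `commands/examples`. The surrounding `injected.fs.sync` block starts outside the hunk.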
diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/docs.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/docs.csv-spec index 2207bb1ce3a09..a6bb68de16b78 100644 --- a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/docs.csv-spec +++ b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/docs.csv-spec @@ -37,9 +37,9 @@ FROM employees // end::keepWildcard[] | LIMIT 0; -// tag::keep-wildcard-result[] +// tag::keepWildcard-result[] height:double | height.float:double | height.half_float:double | height.scaled_float:double | hire_date:date -// end::keep-wildcard-result[] +// end::keepWildcard-result[] ; docsKeepDoubleWildcard @@ -49,9 +49,9 @@ FROM employees // end::keepDoubleWildcard[] | LIMIT 0; -// tag::keep-double-wildcard-result[] +// tag::keepDoubleWildcard-result[] height:double | height.float:double | height.half_float:double | height.scaled_float:double | hire_date:date | avg_worked_seconds:long | birth_date:date | emp_no:integer | first_name:keyword | gender:keyword | is_rehired:boolean | job_positions:keyword | languages:integer | languages.byte:integer | languages.long:long | languages.short:integer | last_name:keyword | salary:integer | salary_change:double | salary_change.int:integer |salary_change.keyword:keyword |salary_change.long:long |still_hired:boolean -// end::keep-double-wildcard-result[] +// end::keepDoubleWildcard-result[] ; docsKeepCompleteName#[skip:-8.12.99, reason:duplicate precedence rules added in 8.13] @@ -61,9 +61,9 @@ FROM employees // end::keepCompleteName[] | LIMIT 0; -// tag::keep-complete-name-result[] +// tag::keepCompleteName-result[] first_name:keyword | last_name:keyword -// end::keep-complete-name-result[] +// end::keepCompleteName-result[] ; docsKeepWildcardPrecedence#[skip:-8.12.99, reason:duplicate precedence rules added in 8.13] 
@@ -73,9 +73,9 @@ FROM employees // end::keepWildcardPrecedence[] | LIMIT 0; -// tag::keep-wildcard-precedence-result[] +// tag::keepWildcardPrecedence-result[] last_name:keyword | first_name:keyword -// end::keep-wildcard-precedence-result[] +// end::keepWildcardPrecedence-result[] ; docsKeepWildcardLowest#[skip:-8.12.99, reason:duplicate precedence rules added in 8.13] @@ -85,9 +85,9 @@ FROM employees // end::keepWildcardLowest[] | LIMIT 0; -// tag::keep-wildcard-lowest-result[] +// tag::keepWildcardLowest-result[] avg_worked_seconds:long|birth_date:date|emp_no:integer|gender:keyword|height:double|height.float:double|height.half_float:double|height.scaled_float:double|hire_date:date|is_rehired:boolean|job_positions:keyword|languages:integer|languages.byte:integer|languages.long:long|languages.short:integer|last_name:keyword|salary:integer|salary_change:double|salary_change.int:integer|salary_change.keyword:keyword|salary_change.long:long|still_hired:boolean|first_name:keyword -// end::keep-wildcard-lowest-result[] +// end::keepWildcardLowest-result[] ; docsRename diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/row.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/row.csv-spec index da640b6306299..17ca3ff072ea6 100644 --- a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/row.csv-spec +++ b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/row.csv-spec @@ -30,10 +30,8 @@ ROW a = [2, 1] // end::multivalue[] ; -// tag::multivalue-result[] a:integer [2, 1] -// end::multivalue-result[] ; shadowingInternal @@ -67,10 +65,8 @@ ROW a = ROUND(1.23, 0) // end::function[] ; -// tag::function-result[] a:double 1.0 -// end::function-result[] ; evalRow diff --git a/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/fulltext/Match.java b/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/fulltext/Match.java index 89ea09012f326..0c1d9ba56eba9 100644 
--- a/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/fulltext/Match.java +++ b/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/fulltext/Match.java @@ -154,7 +154,7 @@ public class Match extends FullTextFunction implements OptionalArgument, PostAna Match can use <> to specify additional options for the match query. All <> are supported. - For a simplified syntax, you can use the <> `:` operator instead of `MATCH`. + For a simplified syntax, you can use the <> `:` operator instead of `MATCH`. `MATCH` returns true if the provided query matches the row.""", examples = { diff --git a/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/fulltext/MatchOperator.java b/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/fulltext/MatchOperator.java index 5a613407d273f..535eb15d29038 100644 --- a/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/fulltext/MatchOperator.java +++ b/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/fulltext/MatchOperator.java @@ -39,7 +39,7 @@ Use the match operator (`:`) to perform a <> <>. `:` returns true if the provided query matches the row.""", - examples = { @Example(file = "match-function", tag = "match-with-field") } + examples = { @Example(file = "match-operator", tag = "match-with-field") } ) public MatchOperator( Source source, diff --git a/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/grouping/Bucket.java b/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/grouping/Bucket.java index 8bc6dd532cd15..b707794717591 100644 --- a/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/grouping/Bucket.java +++ b/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/grouping/Bucket.java 
@@ -113,7 +113,7 @@ another in which the bucket size is provided directly (two parameters). it’s to pick a range that people are comfortable with that provides at most the target number of buckets.""" ), @Example( - description = "Combine `BUCKET` with an <> to create a histogram:", + description = "Combine `BUCKET` with an <> to create a histogram:", file = "bucket", tag = "docsBucketMonthlyHistogram", explanation = """ diff --git a/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/CommandDocsTests.java b/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/CommandDocsTests.java new file mode 100644 index 0000000000000..bc8b17b8ce81b --- /dev/null +++ b/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/CommandDocsTests.java 
@@ -0,0 +1,145 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +package org.elasticsearch.xpack.esql; + +import org.elasticsearch.core.PathUtils; +import org.elasticsearch.test.ESTestCase; +import org.elasticsearch.xpack.esql.core.type.DataType; +import org.elasticsearch.xpack.esql.expression.function.DocsV3Support; +import org.junit.AfterClass; + +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.util.List; +import java.util.Map; + +/** + * This test class is used to generate examples for the commands documentation. + */ +public class CommandDocsTests extends ESTestCase { + public void testDummy() { + assert true; + } + + @AfterClass + public static void renderDocs() throws IOException { + if (System.getProperty("generateDocs") == null) { + return; + } + TestDocsV3Support docs = new TestDocsV3Support(); + docs.renderExamples(); + } + + public static Map, DataType> signatures() { + // The cast operator cannot produce sensible signatures unless we consider the type as an extra parameter + return Map.of(); + } + + /** + * This class only exists to provide access to the examples rendering capabilities. + * It implements the normal renderSignature and renderDocs methods with empty implementations. + * Instead, it has a new renderExamples method that loads all the examples based on a file written by the gradle task. + * This task finds all files in esql/_snippets/commands/examples/*.csv-spec/*.md and writes them to a file in the temp directory. + * This task will then overwrite those files with the current examples, so that changes to the examples will be reflected + * in the documentation. 
+ */ + public static class TestDocsV3Support extends DocsV3Support { + public TestDocsV3Support() { + super("commands", "commands", CommandDocsTests.class, null); + } + + @Override + protected void renderSignature() throws IOException { + // Not implemented + } + + @Override + protected void renderDocs() throws IOException { + // Not implemented + } + + protected void renderExamples() throws IOException { + // We want to render all examples for the commands documentation + // Load all files from the temporary directory used by tests + int count = 0; + for (String line : readFromTempDir("commands.examples")) { + if (renderExample(line)) { + count++; + } + } + logger.info("Rendered {} examples", count); + } + + protected boolean renderExample(String lineSpec) throws IOException { + // We read this from a file written by gradle, derived from the existing sample files in the commands documentation + // Each line should have the format: drop.csv-spec/heightWithWildcard.md + // In other words, the csv-spec file as a directory, and the examples tag as a file name + String[] parts = lineSpec.split("/"); + if (parts.length != 2) { + logger.error("Invalid example specification: {}", lineSpec); + return false; + } + String csvFile = parts[0]; + String tagFile = parts[1]; + String tag = tagFile.substring(0, tagFile.lastIndexOf('.')); + if (csvFile.endsWith(".csv-spec") == false) { + logger.error("Invalid example specification, csv-spec file must end with csv-spec: {}", csvFile); + return false; + } + StringBuilder builder = new StringBuilder(); + builder.append(DOCS_WARNING); + String exampleQuery = loadExample(csvFile, tag); + if (exampleQuery == null) { + logger.error("Failed to load example [{}:{}]", csvFile, tag); + return false; + } + builder.append("```esql\n").append(exampleQuery).append("\n```\n"); + String exampleResult = loadExample(csvFile, tag + "-result"); + if (exampleResult == null) { + logger.warn("Failed to load example result [{}:{}]", csvFile, tag + 
"-result"); + } else { + builder.append("\n").append(exampleResult); + } + String rendered = builder.toString(); + logger.info("Writing example for [{}]:\n{}", name, rendered); + writeExampleFile(csvFile, tagFile, rendered); + return true; + } + + protected void writeExampleFile(String csvFile, String tagFile, String str) throws IOException { + // We have to write to a tempdir because it’s all test are allowed to write to. Gradle can move them. + Path dir = PathUtils.get(System.getProperty("java.io.tmpdir")) + .resolve("esql") + .resolve("_snippets") + .resolve(category) + .resolve("examples") + .resolve(csvFile); + Files.createDirectories(dir); + Path file = dir.resolve(tagFile); + Files.writeString(file, str); + logger.info("Wrote to file: {}", file); + } + + @SuppressWarnings("SameParameterValue") + protected List readFromTempDir(String filename) throws IOException { + // We have to read from a tempdir because it’s all test are allowed to read to. Gradle can write this file before the tests + Path file = PathUtils.get(System.getProperty("java.io.tmpdir")).resolve("esql").resolve(filename); + if (Files.exists(file)) { + logger.info("Reading commands examples file: {}", file); + List lines = Files.readAllLines(file); + logger.info("Read {} examples specifications from: {}", lines.size(), file); + return lines; + } else { + logger.info("Examples file missing: {}", file); + throw new IllegalArgumentException("Examples file missing: " + file); + } + } + } + +} diff --git a/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/function/DocsV3Support.java b/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/function/DocsV3Support.java index fd45abc23e123..9442585baa3d2 100644 --- a/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/function/DocsV3Support.java +++ b/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/function/DocsV3Support.java 
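Review bot: In `renderExample`, `tagFile.substring(0, tagFile.lastIndexOf('.'))` throws `StringIndexOutOfBoundsException` when the second path part has no dot, so one malformed line in `commands.examples` aborts the whole `@AfterClass` run instead of being logged and skipped like the other invalid cases. A guard in the style of the surrounding checks would be `int dot = tagFile.lastIndexOf('.');` followed by `if (dot <= 0) { logger.error("Invalid example specification: {}", lineSpec); return false; }`. Because `csvFile` and `tagFile` are read from a file under `java.io.tmpdir` and passed straight to `resolve(...)` in `writeExampleFile`, it is also worth checking there that the normalized target path still starts with the `examples` directory before `Files.writeString` is called. Separately, the comment in `signatures()` about the cast operator does not describe this class and looks copied from another test.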
@@ -90,7 +90,7 @@ */ public abstract class DocsV3Support { - static final String DOCS_WARNING = + protected static final String DOCS_WARNING = "% This is generated by ESQL's AbstractFunctionTestCase. Do no edit it. See ../README.md for how to regenerate it.\n\n"; static final String PREVIEW_CALLOUT = """ @@ -148,6 +148,7 @@ public static void renderNegatedOperator( entry("esql-enrich-data", "esql/esql-enrich-data.md"), entry("esql-examples", "esql/esql-examples.md"), entry("esql-functions-operators", "esql/esql-functions-operators.md"), + entry("esql-agg-functions", "esql/functions-operators/aggregation-functions.md"), entry("esql-implicit-casting", "esql/esql-implicit-casting.md"), entry("esql-metadata-fields", "esql/esql-metadata-fields.md"), entry("esql-multivalued-fields", "esql/esql-multivalued-fields.md"), @@ -183,12 +184,12 @@ public static void renderNegatedOperator( operatorEntry("less_than", "<", LessThan.class, OperatorCategory.BINARY), operatorEntry("less_than_or_equal", "<=", LessThanOrEqual.class, OperatorCategory.BINARY), operatorEntry("add", "+", Add.class, OperatorCategory.BINARY), - operatorEntry("sub", "-", Sub.class, OperatorCategory.BINARY), - operatorEntry("mul", "*", Mul.class, OperatorCategory.BINARY), - operatorEntry("div", "/", Div.class, OperatorCategory.BINARY), - operatorEntry("mod", "%", Mod.class, OperatorCategory.BINARY), + operatorEntry("sub", "-", Sub.class, OperatorCategory.BINARY, "subtract"), + operatorEntry("mul", "*", Mul.class, OperatorCategory.BINARY, "multiply"), + operatorEntry("div", "/", Div.class, OperatorCategory.BINARY, "divide"), + operatorEntry("mod", "%", Mod.class, OperatorCategory.BINARY, "modulo"), // Unary - operatorEntry("neg", "-", Neg.class, OperatorCategory.UNARY), + operatorEntry("neg", "-", Neg.class, OperatorCategory.UNARY, "negate"), // Logical operatorEntry("and", "AND", And.class, OperatorCategory.LOGICAL), operatorEntry("or", "OR", Or.class, OperatorCategory.LOGICAL), 
@@ -212,13 +213,25 @@ public enum OperatorCategory { UNARY, LOGICAL, NULL_PREDICATES, + CAST, IN, LIKE_AND_RLIKE, SEARCH } /** Since operators do not exist in the function registry, we need an equivalent registry here in the docs generating code */ - public record OperatorConfig(String name, String symbol, Class clazz, OperatorCategory category, boolean variadic) {} + public record OperatorConfig( + String name, + String symbol, + Class clazz, + OperatorCategory category, + boolean variadic, + String titleName + ) { + public OperatorConfig(String name, String symbol, Class clazz, OperatorCategory category) { + this(name, symbol, clazz, category, false, null); + } + } private static Map.Entry operatorEntry( String name, @@ -227,11 +240,21 @@ private static Map.Entry operatorEntry( OperatorCategory category, boolean variadic ) { - return entry(name, new OperatorConfig(name, symbol, clazz, category, variadic)); + return entry(name, new OperatorConfig(name, symbol, clazz, category, variadic, null)); + } + + private static Map.Entry operatorEntry( + String name, + String symbol, + Class clazz, + OperatorCategory category, + String displayName + ) { + return entry(name, new OperatorConfig(name, symbol, clazz, category, false, displayName)); } private static Map.Entry operatorEntry(String name, String symbol, Class clazz, OperatorCategory category) { - return operatorEntry(name, symbol, clazz, category, false); + return entry(name, new OperatorConfig(name, symbol, clazz, category)); } @FunctionalInterface @@ -256,7 +279,7 @@ public void writeToTempDir(Path dir, String extension, String str) throws IOExce private final Supplier, DataType>> signatures; private TempFileWriter tempFileWriter; - private DocsV3Support(String category, String name, Class testClass, Supplier, DataType>> signatures) { + protected DocsV3Support(String category, String name, Class testClass, Supplier, DataType>> signatures) { this(category, name, null, testClass, signatures); } 
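Review bot: The new record component is called `titleName`, but the `operatorEntry` overload that fills it names the same value `displayName`, and nothing states that `null` means the title is derived from `name` (which is what `renderKibanaInlineDocs` does further down). I would use one name in both places and document it on the record, for example `@param titleName heading used in the generated docs; null falls back to the operator name`. The four-argument `operatorEntry` now builds `OperatorConfig` directly instead of delegating to the five-argument overload, which leaves two paths that have to keep the same defaults.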
@@ -343,9 +366,7 @@ private String getLink(String key) { // Old-style links within ES|QL reference if (key.startsWith("esql-")) { String cmd = parts[0].replace("esql-", ""); - String parentFile = knownCommands.containsKey(cmd) - ? "/reference/query-languages/esql/esql-commands.md" - : "/reference/query-languages/esql/esql-functions-operators.md"; + String parentFile = parentFileFor(cmd); return makeLink(key, "esql-", parentFile); } // Old-style links to Query DSL pages @@ -371,6 +392,26 @@ private String getLink(String key) { }; } + private String parentFileFor(String cmd) { + if (knownCommands.containsKey(cmd)) { + return "/reference/query-languages/esql/commands/processing-commands.md"; + } else if (cmd.startsWith("mv_")) { + return "/reference/query-languages/esql/functions-operators/mv-functions.md"; + } else if (cmd.contains("-operator")) { + return "/reference/query-languages/esql/functions-operators/operators.md"; + } else if (cmd.startsWith("st_")) { + return "/reference/query-languages/esql/functions-operators/spatial-functions.md"; + } else if (cmd.startsWith("to_")) { + return "/reference/query-languages/esql/functions-operators/type-conversion-functions.md"; + } else if (cmd.startsWith("date_")) { + return "/reference/query-languages/esql/functions-operators/date-time-functions.md"; + } else if (cmd.equals("split")) { + return "/reference/query-languages/esql/functions-operators/string-functions.md"; + } else { + return "/reference/query-languages/esql/functions-operators/aggregation-functions.md"; + } + } + private String makeLink(String key, String prefix, String parentFile) { String displayText = key.substring(prefix.length()); if (knownCommands.containsKey(displayText)) { 
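Review bot: `parentFileFor` picks the target page from name prefixes and sends every unmatched name to `aggregation-functions.md`, so a link to any function outside the listed prefixes (only `split` is mapped to `string-functions.md`) silently resolves to the wrong page. The `to_` prefix may also be broader than type conversion if functions such as `TO_LOWER` or `TO_UPPER` are documented under string functions; that is worth confirming against the docs tree. An explicit name-to-page map, with the last branch throwing `IllegalArgumentException("no docs page known for [" + cmd + "]")` instead of guessing, would turn a missing mapping into a failure at generation time rather than a broken link in the published docs.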
@@ -382,13 +423,13 @@ private String makeLink(String key, String prefix, String parentFile) { if (comma > 0) { key = prefix + displayText.substring(0, comma); displayText = displayText.substring(comma + 1).trim(); - } else if (parentFile.contains("esql/esql-")) { + } else if (parentFile.contains("esql/esql-") || parentFile.contains("esql/functions-operators")) { // For ES|QL commands and functions we normally make uppercase code displayText = "`" + displayText.toUpperCase(Locale.ROOT) + "`"; } } - if (parentFile.contains("/" + key + ".md")) { - // The current docs-builder trips off all link targets that match the filename, so we need to do the same + if (parentFile.contains("/" + key + ".md") || parentFile.contains("/" + key.replaceAll("esql-", "") + ".md")) { + // The current docs-builder strips off all link targets that match the filename, so we need to do the same return String.format(Locale.ROOT, "[%s](%s)", displayText, parentFile); } else { return String.format(Locale.ROOT, "[%s](%s#%s)", displayText, parentFile, key); @@ -496,8 +537,8 @@ private void renderDocs(FunctionDefinition definition) throws IOException { boolean hasExamples = renderExamples(info); boolean hasAppendix = renderAppendix(info.appendix()); renderFullLayout(info.preview(), info.appliesTo(), hasExamples, hasAppendix, hasFunctionOptions); - renderKibanaInlineDocs(name, info); - renderKibanaFunctionDefinition(name, info, description.args(), description.variadic()); + renderKibanaInlineDocs(name, null, info); + renderKibanaFunctionDefinition(name, null, info, description.args(), description.variadic()); } private void renderFunctionNamedParams(EsqlFunctionRegistry.MapArgSignature mapArgSignature) throws IOException { 
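Review bot: `key.replaceAll("esql-", "")` in the new filename check in `makeLink` treats its argument as a regex and removes every occurrence of `esql-`, not only the leading prefix the method already receives in `prefix`. `key.startsWith(prefix) ? key.substring(prefix.length()) : key` states the intent and matches how `displayText` is derived at the top of the method, which starts outside this hunk. The same literal `replaceAll` pattern appears in `renderKibanaInlineDocs` (`replaceAll("_", " ")`, applied after `name.replace("_", " ")` has already run for the default title); plain `String.replace` is enough there.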
@@ -655,9 +696,13 @@ public OperatorsDocsSupport( @Override public void renderSignature() throws IOException { String rendered = (switch (op.category()) { - case BINARY -> RailRoadDiagram.binaryOperator(op.symbol()); - case UNARY -> RailRoadDiagram.unaryOperator(op.symbol()); - case SEARCH -> RailRoadDiagram.searchOperator(op.symbol()); + case BINARY -> RailRoadDiagram.infixOperator("lhs", op.symbol(), "rhs"); + case UNARY -> RailRoadDiagram.prefixOperator(op.symbol(), "v"); + case SEARCH -> RailRoadDiagram.infixOperator("field", op.symbol(), "query"); + case NULL_PREDICATES -> RailRoadDiagram.suffixOperator("field", op.symbol()); + case IN -> RailRoadDiagram.infixOperator("field", op.symbol(), "values"); + case LIKE_AND_RLIKE -> RailRoadDiagram.infixOperator("field", op.symbol(), "pattern"); + case CAST -> RailRoadDiagram.infixOperator("field", op.symbol(), "type"); default -> buildFunctionSignatureSvg(); }); if (rendered == null) { @@ -674,7 +719,7 @@ public void renderDocs() throws IOException { if (ctor != null) { FunctionInfo functionInfo = ctor.getAnnotation(FunctionInfo.class); assert functionInfo != null; - renderDocsForOperators(op.name(), ctor, functionInfo, op.variadic()); + renderDocsForOperators(op.name(), op.titleName(), ctor, functionInfo, op.variadic()); } else { logger.info("Skipping rendering docs for operator '" + op.name() + "' with no @FunctionInfo"); } 
@@ -743,11 +788,13 @@ public Example[] examples() { return new Example[] {}; } }; - renderDocsForOperators("not_" + baseName, ctor, functionInfo, op.variadic()); + String name = "not_" + baseName; + renderDocsForOperators(name, null, ctor, functionInfo, op.variadic()); } - void renderDocsForOperators(String name, Constructor ctor, FunctionInfo info, boolean variadic) throws IOException { - renderKibanaInlineDocs(name, info); + void renderDocsForOperators(String name, String titleName, Constructor ctor, FunctionInfo info, boolean variadic) + throws IOException { + renderKibanaInlineDocs(name, titleName, info); var params = ctor.getParameters(); @@ -763,7 +810,7 @@ void renderDocsForOperators(String name, Constructor ctor, FunctionInfo info, } } } - renderKibanaFunctionDefinition(name, info, args, variadic); + renderKibanaFunctionDefinition(name, titleName, info, args, variadic); renderDetailedDescription(info.detailedDescription(), info.note()); renderTypes(name, args); renderExamples(info); @@ -902,7 +949,10 @@ protected boolean renderExamples(FunctionInfo info) throws IOException { } String exampleQuery = loadExampleQuery(example); String exampleResult = loadExampleResult(example); - builder.append(exampleQuery).append("\n").append(exampleResult).append("\n"); + builder.append(exampleQuery).append("\n"); + if (exampleResult != null && exampleResult.isEmpty() == false) { + builder.append(exampleResult).append("\n"); + } if (example.explanation().isEmpty() == false) { builder.append("\n"); builder.append(replaceLinks(example.explanation().trim())); 
@@ -916,15 +966,15 @@ protected boolean renderExamples(FunctionInfo info) throws IOException { return true; } - void renderKibanaInlineDocs(String name, FunctionInfo info) throws IOException { + void renderKibanaInlineDocs(String name, String titleName, FunctionInfo info) throws IOException { + titleName = titleName == null ? name.replace("_", " ") : titleName; + if (false == info.operator().isEmpty() + && false == titleName.toUpperCase(Locale.ROOT).replaceAll("_", " ").equals(info.operator().toUpperCase(Locale.ROOT))) { + titleName = titleName + " `" + info.operator() + "`"; + } StringBuilder builder = new StringBuilder(); - builder.append(""" - - - """); - builder.append("### ").append(name.toUpperCase(Locale.ROOT)).append("\n"); + builder.append(DOCS_WARNING); + builder.append("### ").append(titleName.toUpperCase(Locale.ROOT)).append("\n"); builder.append(replaceLinks(info.description())).append("\n\n"); if (info.examples().length > 0) { @@ -941,8 +991,13 @@ void renderKibanaInlineDocs(String name, FunctionInfo info) throws IOException { writeToTempKibanaDir("docs", "md", rendered); } - void renderKibanaFunctionDefinition(String name, FunctionInfo info, List args, boolean variadic) - throws IOException { + void renderKibanaFunctionDefinition( + String name, + String titleName, + FunctionInfo info, + List args, + boolean variadic + ) throws IOException { try (XContentBuilder builder = JsonXContent.contentBuilder().prettyPrint().lfAtEnd().startObject()) { builder.field( 
@@ -962,6 +1017,9 @@ void renderKibanaFunctionDefinition(String name, FunctionInfo info, List>."; - String expected = "The value that is greater than half of all values and less than half of all values, " - + "also known as the 50% [`PERCENTILE`](/reference/query-languages/esql/esql-functions-operators.md#esql-percentile)."; + String expected = "The value that is greater than half of all values and less than half of all values, also known as the 50% " + + "[`PERCENTILE`](" + + ESQL + + "/functions-operators/aggregation-functions.md#esql-percentile)."; + assertThat(docs.replaceLinks(text), equalTo(expected)); + } + + public void testFunctionHeaderLink() { + String text = "Combine `BUCKET` with an <> to create"; + String expected = "Combine `BUCKET` with an [aggregation](" + ESQL + "/functions-operators/aggregation-functions.md) to create"; + assertThat(docs.replaceLinks(text), equalTo(expected)); + } + + public void testSpatialFunctionLink() { + String text = "This is the inverse of the <> function"; + String expected = "This is the inverse of the [ST_DISJOINT](" + + ESQL + + "/functions-operators/spatial-functions.md#esql-st_disjoint) function"; + assertThat(docs.replaceLinks(text), equalTo(expected)); + } + + public void testStringFunctionLink() { + String text = "a known order like <>."; + String expected = "a known order like [`SPLIT`](" + ESQL + "/functions-operators/string-functions.md#esql-split)."; assertThat(docs.replaceLinks(text), equalTo(expected)); } 
@@ -39,27 +62,31 @@ public void testOperatorLink() { String text = "If you need floating point division, <> one of the arguments to a `DOUBLE`."; String expected = """ If you need floating point division, - [`Cast (::)`](/reference/query-languages/esql/esql-functions-operators.md#esql-cast-operator) - one of the arguments to a `DOUBLE`.""".replaceAll("\n", " "); + [`Cast (::)`](ESQL/functions-operators/operators.md#esql-cast-operator) + one of the arguments to a `DOUBLE`.""".replaceAll("ESQL", ESQL).replaceAll("\n", " "); assertThat(docs.replaceLinks(text), equalTo(expected)); } public void testCommandLink() { String text = "use a <> command to remove rows"; - String expected = "use a [`WHERE`](/reference/query-languages/esql/esql-commands.md#esql-where) command to remove rows"; + String expected = "use a [`WHERE`](" + ESQL + "/commands/processing-commands.md#esql-where) command to remove rows"; assertThat(docs.replaceLinks(text), equalTo(expected)); } public void testStatsCommandLink() { String text = "Combine `DATE_TRUNC` with <>"; - String expected = "Combine `DATE_TRUNC` with [`STATS`](/reference/query-languages/esql/esql-commands.md#esql-stats-by)"; + String expected = "Combine `DATE_TRUNC` with [`STATS`](" + ESQL + "/commands/processing-commands.md#esql-stats-by)"; assertThat(docs.replaceLinks(text), equalTo(expected)); } public void testFunctionAndHeaderLinks() { String text = "Like <>, `MEDIAN` is <>."; - String expected = "Like [`PERCENTILE`](/reference/query-languages/esql/esql-functions-operators.md#esql-percentile), " - + "`MEDIAN` is [usually approximate](/reference/query-languages/esql/esql-functions-operators.md#esql-percentile-approximate)."; + String expected = "Like [`PERCENTILE`](" + + ESQL + + "/functions-operators/aggregation-functions.md#esql-percentile), " + + "`MEDIAN` is [usually approximate](" + + ESQL + + "/functions-operators/aggregation-functions.md#esql-percentile-approximate)."; assertThat(docs.replaceLinks(text), equalTo(expected)); 
} @@ -246,7 +273,7 @@ public void testRenderingExampleFromClass() throws IOException { | 6 | To count the number of times an expression returns `TRUE` use a - [`WHERE`](/reference/query-languages/esql/esql-commands.md#esql-where) command + [`WHERE`](/reference/query-languages/esql/commands/processing-commands.md#esql-where) command to remove rows that shouldn’t be included ```esql diff --git a/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/function/RailRoadDiagram.java b/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/function/RailRoadDiagram.java index 95997564ff7f4..dba6facde2b25 100644 --- a/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/function/RailRoadDiagram.java +++ b/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/function/RailRoadDiagram.java @@ -113,37 +113,44 @@ private static boolean hasComma(Expression exp, boolean atEnd) { } /** - * Generate a railroad diagram for binary operator. The output would look like - * {@code lhs + rhs}. + * Generate a railroad diagram for an infix operator like the binary operators, search operator or cast operator. + * Example output would look like: + *
+ *
Addition (binary operator)
+ *
{@code lhs + rhs}
+ *
Search
+ *
{@code field : query}
+ *
Cast
+ *
{@code field :: type}
+ *
*/ - static String binaryOperator(String operator) throws IOException { + static String infixOperator(String lhs, String operator, String rhs) throws IOException { List expressions = new ArrayList<>(); - expressions.add(new Literal("lhs")); + expressions.add(new Literal(lhs)); expressions.add(new Syntax(operator)); - expressions.add(new Literal("rhs")); + expressions.add(new Literal(rhs)); return toSvg(new Sequence(expressions.toArray(Expression[]::new))); } /** - * Generate a railroad diagram for a search operator. The output would look like - * {@code field : value}. + * Generate a railroad diagram for prefix operators like the unary operators. + * For example, for negation the output would look like {@code -v}. */ - static String searchOperator(String operator) throws IOException { + static String prefixOperator(String operator, String suffix) throws IOException { List expressions = new ArrayList<>(); - expressions.add(new Literal("field")); expressions.add(new Syntax(operator)); - expressions.add(new Literal("query")); + expressions.add(new Literal(suffix)); return toSvg(new Sequence(expressions.toArray(Expression[]::new))); } /** - * Generate a railroad diagram for unary operator. The output would look like - * {@code -v}. + * Generate a railroad diagram for suffix operators like the NULL predicates. + * For example, for null checks the output would look like {@code field IS NOT NULL}. */ - static String unaryOperator(String operator) throws IOException { + static String suffixOperator(String prefix, String operator) throws IOException { List expressions = new ArrayList<>(); + expressions.add(new Literal(prefix)); expressions.add(new Syntax(operator)); - expressions.add(new Literal("v")); return toSvg(new Sequence(expressions.toArray(Expression[]::new))); } 
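Review bot: In `prefixOperator(String operator, String suffix)` and `suffixOperator(String prefix, String operator)` the non-operator parameter is the operand, but it is named after its position, so `suffixOperator` reads as if it took a prefix. Naming it `operand` in both methods would make the call sites in `renderSignature` easier to follow, with `lhs` and `rhs` kept as they are in `infixOperator`. The three bodies differ only in the order of the `Literal` and `Syntax` elements, so a small private helper that takes the expressions and calls `toSvg(new Sequence(...))` would remove the repetition.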
diff --git a/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/predicate/operator/CastOperatorTests.java b/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/predicate/operator/CastOperatorTests.java index 97f2d02f07c9b..c1f5b9faed8e4 100644 --- a/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/predicate/operator/CastOperatorTests.java +++ b/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/predicate/operator/CastOperatorTests.java @@ -34,8 +34,7 @@ public static void renderDocs() throws IOException { "cast", "::", TestCastOperator.class, - DocsV3Support.OperatorCategory.UNARY, - false + DocsV3Support.OperatorCategory.CAST ); var docs = new DocsV3Support.OperatorsDocsSupport("cast", CastOperatorTests.class, op, CastOperatorTests::signatures); docs.renderSignature(); @@ -55,7 +54,7 @@ public class TestCastOperator { operator = "::", returnType = {}, description = "The `::` operator provides a convenient alternative syntax to the TO_ " - + "[conversion functions](/reference/query-languages/esql/esql-functions-operators.md#esql-type-conversion-functions).", + + "[conversion functions](/reference/query-languages/esql/functions-operators/type-conversion-functions.md).", examples = { @Example(file = "convert", tag = "docsCastOperator") } ) public TestCastOperator( diff --git a/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/predicate/operator/NullPredicatesTests.java b/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/predicate/operator/NullPredicatesTests.java index 24c27db35a8bc..7af61532fed4c 100644 --- a/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/predicate/operator/NullPredicatesTests.java +++ b/x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/predicate/operator/NullPredicatesTests.java 
@@ -41,20 +41,23 @@ public static void renderDocs() throws IOException { "predicates", "IS NULL and IS NOT NULL", TestNullPredicates.class, - DocsV3Support.OperatorCategory.UNARY, - false + DocsV3Support.OperatorCategory.UNARY ) ); renderNullPredicate( - new DocsV3Support.OperatorConfig("is_null", "IS NULL", TestIsNullPredicate.class, DocsV3Support.OperatorCategory.UNARY, false) + new DocsV3Support.OperatorConfig( + "is_null", + "IS NULL", + TestIsNullPredicate.class, + DocsV3Support.OperatorCategory.NULL_PREDICATES + ) ); renderNullPredicate( new DocsV3Support.OperatorConfig( "is_not_null", "IS NOT NULL", TestIsNotNullPredicate.class, - DocsV3Support.OperatorCategory.UNARY, - false + DocsV3Support.OperatorCategory.NULL_PREDICATES ) ); } @@ -81,7 +84,6 @@ public static Map, DataType> signatures() { */ public class TestNullPredicates { @FunctionInfo( - operator = "predicates", returnType = {}, description = "For NULL comparison use the `IS NULL` and `IS NOT NULL` predicates.", examples = { @Example(file = "null", tag = "is-null"), @Example(file = "null", tag = "is-not-null") } @@ -115,7 +117,7 @@ public TestNullPredicates( */ public class TestIsNullPredicate { @FunctionInfo( - operator = "predicates", + operator = "IS NULL", returnType = {}, description = "Use `IS NULL` to filter data based on whether the field exists or not.", examples = { @Example(file = "null", tag = "is-null") } @@ -149,7 +151,7 @@ public TestIsNullPredicate( */ public class TestIsNotNullPredicate { @FunctionInfo( - operator = "predicates", + operator = "IS NOT NULL", returnType = {}, description = "Use `IS NOT NULL` to filter data based on whether the field exists or not.", examples = { @Example(file = "null", tag = "is-not-null") }
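Review bot: The combined `predicates` config at the top of `renderDocs` still passes `OperatorCategory.UNARY`, while `is_null` and `is_not_null` move to `NULL_PREDICATES`. With the new `renderSignature` switch, `UNARY` maps to `RailRoadDiagram.prefixOperator(op.symbol(), "v")`, which would draw `IS NULL and IS NOT NULL` as a prefix operator if a signature is rendered for that entry; `renderNullPredicate` is outside this hunk, so I cannot tell whether it is. If the category is intentional, a short comment such as `// combined page only; no signature diagram is rendered` would help, otherwise `NULL_PREDICATES` fits here too.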