# ES|QL concepts
## FOSS4G Europe - Mostar

July 2025

## Resources

* [Blog post announcement](https://www.elastic.co/blog/esql-elasticsearch-piped-query-language)
* [Documentation](https://www.elastic.co/docs/explore-analyze/query-filter/languages/esql)
* [Reference](https://www.elastic.co/docs/reference/query-languages/esql)
* Webinar: [ES|QL: Search. Aggregate. Transform. Visualize. All with one query](https://www.elastic.co/virtual-events/cd-esql-search-aggregate-transform-visualize-all-with-one-query)
* Technical blog posts in [Search Labs](https://www.elastic.co/search-labs/blog/category/esql)
* [Run this notebook in Google Colaboratory](https://colab.research.google.com/github/jsanz/foss4g_europe_lab/blob/main/02-esql.ipynb)

## Setup

In [2]:
# Install required dependencies using uv, if available, or directly with pip
!pip install -qU elasticsearch geopandas

Start with the necessary imports, a couple tweaks, and defining a "esql" query that will make easier to see the results of a query, by generating a Pandas or Geopandas dataframe.

In [3]:
import os
import io

import warnings

from elasticsearch import Elasticsearch
from elasticsearch import ElasticsearchWarning
from elasticsearch.exceptions import BadRequestError

import pandas as pd
import geopandas as gpd
from shapely import wkb

# Hide the warning when no LIMIT is passed on a ES|QL query
warnings.filterwarnings('ignore', category=ElasticsearchWarning)

# Allow wide columns
pd.set_option('display.max_colwidth', None)

# Convert Well-known Binary to Text
def wkb_to_wkt(wkb_bytes):
    if wkb_bytes is None:
        return None
    try:
        return wkb.loads(wkb_bytes).wkt
    except Exception as e:
        print(f"Error converting WKB: {wkb_bytes} - {e}")
        return None

# Generate a Pandas Dataframe or a Geopandas Dataframe from a ES|QL query
def esql(query, geometry_col:str = "geometry", use_arrow:bool = False):
    try:
        # Query ES and create a Pandas Dataframe
        if use_arrow:
            es_response = client.esql.query(query=query.strip(), format="arrow", columnar=True)
            df = es_response.to_pandas()
        else:
            es_response = client.esql.query(query=query.strip(), format="csv")
            df = pd.read_csv(io.StringIO(str(es_response)))

        # Promote to a Geopandas Dataframe if a "geometry" column
        if geometry_col in df.columns:
            if use_arrow:
                # Arrow geometries are transferred as WKB
                df[geometry_col] = df[geometry_col].apply(wkb_to_wkt)
            gs = gpd.GeoSeries.from_wkt(df[geometry_col])
            gdf = gpd.GeoDataFrame(df, geometry=gs, crs="EPSG:4326")
            if geometry_col != "geometry":
                gdf.drop(columns="geometry")
            return gdf
        else:
            return df
    except BadRequestError as e:
        print("Something went wrong!")
        print(e.message)
        print("\r\n".join([c['reason'] for c in e.info['error']['root_cause']]))

Connect to Elasticsearch and print some cluster details

In [4]:
# Login details
ES_URL=os.getenv("ES_URL","https://foss4geurope.es.us-central1.gcp.cloud.es.io")
KB_URL=os.getenv("KB_URL","https://foss4geurope.kb.us-central1.gcp.cloud.es.io")

# API key that allows reading indices
ES_APIKEY=os.getenv("ES_APIKEY", "WkdPUjZKY0JhVEI4aFAyRmpWM186MmRvQVlLaGVwck1WbV9RSkdJT1N6UQ==")

# Load the client
client = Elasticsearch(hosts=[ES_URL], api_key=ES_APIKEY)
c_info = client.info()
is_serverless = c_info['version']['build_flavor'] == 'serverless'


# Print some cluster details
print(f"Elasticsearch URL: {ES_URL}")
print(f"Cluster name: {c_info['name']}")
print(f"Version: {c_info['version']['number'] if not is_serverless else 'serverless'}")
print("Number of documents indexed: ", client.count(index="*")['count'])

Elasticsearch URL: https://foss4geurope.es.us-central1.gcp.cloud.es.io
Cluster name: instance-0000000001
Version: 9.0.3
Number of documents indexed:  745407


## Syntax and API

### Basic syntax

<https://www.elastic.co/docs/reference/query-languages/esql/esql-syntax>

A ES|QL query is made of a `source` command that sets the data to retrieve and a list of processing commands starting with the pipe `|` character.

```text
source-command
| processing-command1
| processing-command2
```

A query can contain one line and multi line comments.

```
source-command           // Single line comment
| processing-command1    // another comment
/*
a multi
line comment in between
processing commands
*/
| processing-command2
```

About literals:

* Literals are duble quoted
* If a double quote is required in a literal, triple quotes can be used

```text
ROW name = """Indiana "Indy" Jones"""
```


### Query API

* [Documentation](https://www.elastic.co/docs/explore-analyze/query-filter/languages/esql-rest)
* [Reference](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-esql)


Elasticsearch exposes the `_query` endpoint to execute ES|QL queries, with a `format` parameter to select between different output types as `csv`, `tsv`, `arrow`, `json`, etc.

As a `curl` command a request would be as:

```
curl -X POST \
  -H "Authorization: ApiKey $ES_APIKEY" \
  -H "Content-Type: application/json" \
  -d '{"query":"FROM places-* | STATS count = count(name) | LIMIT 1"}'\
  "$ES_URL/_query?pretty&format=txt"

     count     
---------------
230573
```

In the [Kibana Console](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console):

```
POST /_query?format=txt
{
  "query": "FROM places-* | STATS count = count(name) | LIMIT 1"
}
```

And sending multiline queries is possible with triple quotes:

```text
POST /_query?format=txt
{
  "query": """
  FROM places-*
  | STATS count = count(name)
  | LIMIT 1
  """
}
```

A ES|QL API query can also include a filter using Elasticsearch DSL language:


```text
POST /_query?format=txt
{
  "query": """
  FROM places-*
  | STATS count = count(name)
  | LIMIT 1
  """,
  "filter": {
    "range": {
      "confidence": {
        "gte": 0.1,
        "lte": 1
      }
    }
  }
}
```

Other API endpoints available:

* [`_query/async`](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-esql-async-query): start, stop, and get results asynchronously
* [`_query/queries`](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-esql-list-queries): get details about running queries

## ES|QL sources: `ROW`, `SHOW`, `FROM`

In [5]:
# Creating a row directly, useful to test functions
esql('ROW a = 1, b = "two", c = null')

Unnamed: 0,a,b,c
0,1,two,


In [6]:
# SHOW source returns Elasticsearch version
esql("SHOW INFO")

Unnamed: 0,version,date,hash
0,9.0.3,2025-06-18T22:09:56.772581489Z,cc7302afc8499e83262ba2ceaa96451681f0609d


In [7]:
# Basic query against all places indices
esql("FROM places-*")

Unnamed: 0,addresses.country,addresses.freeform,addresses.locality,addresses.postcode,addresses.region,alt_categories,brand,category,confidence,emails,geometry,id,name,phones,socials,source,updated,version,websites
0,BR,"Avenida Serzedelo Corrêa, 1026",Belém,66033-770,PA,"[barber, beauty_and_spa]",,hair_removal,0.978451,,POINT (-48.4879 -1.46144),fe60148f-b558-4a79-a396-b54043d32531,Depyl Action,5.591324e+11,https://www.facebook.com/169388893108340,meta,2025-06-02T07:00:00.000Z,1,http://www.depylaction.com.br/site
1,BR,"Avenida Serzedelo Corrêa, 1030",Belém,66033-770,PA,"[beauty_and_spa, spas]",,beauty_salon,0.920482,,POINT (-48.48777 -1.46149),d810a303-13ca-48e0-a88b-fef0151d91ae,Salão Atrevida,5.591335e+11,https://www.facebook.com/410606755817231,meta,2025-06-02T07:00:00.000Z,1,
2,BR,"Avenida Serzedelo Corrêa, 1030",Belém,66033-770,PA,"[spas, tanning_salon]",,beauty_salon,0.492940,,POINT (-48.4877 -1.46147),17f78665-b6fd-4747-b569-000ce5c367eb,Clínica Carolini Carneiro Estética & Neopilates,,https://www.facebook.com/2105430096357021,meta,2025-06-02T07:00:00.000Z,1,
3,BR,"Avenida Serzedelo Corrêa, 1035",Belém,66033-770,PA,"[accommodation, social_service_organizations]",,landmark_and_historical_building,0.920482,,POINT (-48.48734 -1.46178),e8c08bb7-c996-4ac5-982c-925625e07714,Edificio Ipê,,https://www.facebook.com/399035650658080,meta,2025-06-02T07:00:00.000Z,1,
4,BR,"Avenida Serzedelo Corrêa, 1059",Belém,66033-770,PA,"[bar_and_grill_restaurant, barbecue_restaurant]",,bar,0.941538,,POINT (-48.48718 -1.4618),4f650cfb-85e0-4fcc-b2a0-0eca1128ba6b,Bar e Restaurante Parrilha,5.591322e+11,https://www.facebook.com/226942497322552,meta,2025-06-02T07:00:00.000Z,1,http://www.parrillanet.com.br
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
995,BR,"Avenida Almirante Barroso, 5501",Belém,66645-250,PA,"[car_wash, energy_company]",,gas_station,0.978451,,POINT (-48.43726 -1.40811),a2abf0d4-e153-48ef-a186-1054eb8a62d4,Posto Shell,5.591324e+11,https://www.facebook.com/321430038024834,meta,2025-06-02T07:00:00.000Z,1,http://www.shell.com.br/
996,BR,"Rodovia BR-316, S/N Km 1",,66080-710,,"[cafe, coffee_shop]",,fast_food_restaurant,0.296943,,POINT (-48.43693 -1.40816),ed58d5f4-555e-45c8-99f4-dca6fc388d63,Papa Xibé Food em Castanheira,1.913225e+10,https://www.facebook.com/379534509216590,meta,2025-06-02T07:00:00.000Z,1,
997,BR,"Rod BR 316, s/n km 12",Belém,,PA,business_management_services,,public_service_and_government,0.396144,,POINT (-48.43695 -1.40814),6d0cf9e3-60e5-484c-aa93-f3cd6e96e068,EMATER Empresa Assist Tec e Extensão Rural Geral,,https://www.facebook.com/179829788736502,meta,2025-06-02T07:00:00.000Z,1,http://agriculturafamiliarater.blogspot.com/2011/07/queijos-maely-agroindustria-familiar.html
998,BR,"Rodovia br , 316, 1001",,66645-000,,,,mobile_phone_store,0.838462,,POINT (-48.43691 -1.40815),01369f82-4cbc-49f0-a8fe-85aac22ad8dd,Jóia Celular,5.591323e+11,https://www.facebook.com/103970045785617,meta,2025-06-02T07:00:00.000Z,1,http://www.casadocelular.com.br/


## Control the output: `LIMIT`

By default a ES|QL query result is limited to `1000` rows. Use `LIMIT` to reduce that number

In [8]:
# Basic query against all places indices,
# returing the first 5 rows (in no particular order)

esql("""
FROM places-*
| LIMIT 5
""")

Unnamed: 0,addresses.country,addresses.freeform,addresses.locality,addresses.postcode,addresses.region,alt_categories,brand,category,confidence,emails,geometry,id,name,phones,socials,source,updated,version,websites
0,AL,"N 19°25, 55.6E, Shiroke 42°03'55.8",,4001-4007,,"[boat_service_and_repair, social_service_organizations]",,community_services_non_profits,0.883117,,POINT (19.43207 42.06546),89c58762-5bb6-428c-b32e-64f28e2b0280,The Albanian Motor Boat Club,355694542573,https://www.facebook.com/490137164193589,meta,2025-06-02T07:00:00.000Z,1,http://www.albaniamotorboatclub.org/
1,AL,Zogaj,,4007,,"[bar, seafood_restaurant]",,restaurant,0.978451,,POINT (19.43511 42.06443),c1eee3f6-a7fb-4a8a-a901-a48642ba7e0b,Restaurant Real Te Hilmia,355672034960,https://www.facebook.com/834051840017568,meta,2025-06-02T07:00:00.000Z,1,https://goo.gl/maps/Rsmc3RzECYqdfzNK6
2,AL,SHIROKE-ZOGAJ,,4007,,"[bar_and_grill_restaurant, beer_garden]",,restaurant,0.978451,,POINT (19.43651 42.06392),5405691e-73d3-4659-bed0-7b574fd55c85,Zum Rappen,355692235420,https://www.facebook.com/251351992875,meta,2025-06-02T07:00:00.000Z,1,http://www.shkodrainclick.com/restaurant-zum-rappen/
3,AL,Rruga Zogaj,Shkodër,4001,,"[bar, hotel]",,restaurant,0.825397,,POINT (19.44496 42.06119),d51d6df6-50d8-4607-a468-57a96334a1b5,Labiatan Zogaj,355672059676,https://www.facebook.com/146607798546715,meta,2025-06-02T07:00:00.000Z,1,http://www.labiatan.al/
4,AL,Shirokë,,4001,,"[american_restaurant, fast_food_restaurant]",,restaurant,0.978451,,POINT (19.44501 42.06131),a291b901-ed25-4e3c-b05c-4e7f4db8f457,Sunset Restaurant,355676684401,https://www.facebook.com/100327091692340,meta,2025-06-02T07:00:00.000Z,1,http://sunsetrestaurant.al/


## Change the output with `KEEP`, `RENAME`, and `SORT`

In [9]:
# Rename a field and only return a limited set of fields
esql("""
FROM places-*
| RENAME name as title
| KEEP title, category
| LIMIT 5
""")

Unnamed: 0,title,category
0,Depyl Action,hair_removal
1,Salão Atrevida,beauty_salon
2,Clínica Carolini Carneiro Estética & Neopilates,beauty_salon
3,Edificio Ipê,landmark_and_historical_building
4,Bar e Restaurante Parrilha,bar


In [10]:
# KEEP also establishes the order of the columns returned,
# sometimes relevant for post-processing in client code
esql("""
FROM places-*
| RENAME name as title
| KEEP category, title
| LIMIT 5
""")

Unnamed: 0,category,title
0,hair_removal,Depyl Action
1,beauty_salon,Salão Atrevida
2,beauty_salon,Clínica Carolini Carneiro Estética & Neopilates
3,landmark_and_historical_building,Edificio Ipê
4,bar,Bar e Restaurante Parrilha


In [13]:
# Once renamed, the previous identifier is not available anymore
esql("""
FROM places-*
| RENAME name as title
| KEEP name, category
| LIMIT 5
""")

Something went wrong!
verification_exception
Found 1 problem
line 3:8: Unknown column [name]


In [14]:
# Sort by a field, and reverse another
esql("""
FROM places-bosnia
| RENAME name AS title
| SORT category ASC, title DESC
| KEEP category, title
| LIMIT 5
""")

Unnamed: 0,category,title
0,abuse_and_addiction_treatment,Physio Ben
1,abuse_and_addiction_treatment,Odvikavanje
2,abuse_and_addiction_treatment,MedTim International
3,abuse_and_addiction_treatment,Laser centar
4,abuse_and_addiction_treatment,Klinika MedTiM


## Include metadata with `METADATA`

Use `METADATA` to get access to the `_index` and `_id`:

In [15]:
# Get also the source index using the METADATA keyword
esql("""
FROM places-* METADATA _index, _id
| KEEP _index, _id, name, category
| LIMIT 5
""")

Unnamed: 0,_index,_id,name,category
0,places-belem,fe60148f-b558-4a79-a396-b54043d32531,Depyl Action,hair_removal
1,places-belem,d810a303-13ca-48e0-a88b-fef0151d91ae,Salão Atrevida,beauty_salon
2,places-belem,17f78665-b6fd-4747-b569-000ce5c367eb,Clínica Carolini Carneiro Estética & Neopilates,beauty_salon
3,places-belem,e8c08bb7-c996-4ac5-982c-925625e07714,Edificio Ipê,landmark_and_historical_building
4,places-belem,4f650cfb-85e0-4fcc-b2a0-0eca1128ba6b,Bar e Restaurante Parrilha,bar


## Filtering and processing

In [16]:
# A basic filter
esql("""
FROM places-* METADATA _index
| RENAME _index as dataset
| WHERE name LIKE "*Burger*"
    AND category IN ("restaurant", "burger_restaurant")
    AND confidence < 0.3
| SORT confidence DESC
| KEEP dataset, name, category, confidence
| LIMIT 5
""")

Unnamed: 0,dataset,name,category,confidence
0,places-belem,Purple Burgers,burger_restaurant,0.296943
1,places-belem,Prime Burger food truck,burger_restaurant,0.296943
2,places-bosnia,Burgers by Manzoni,burger_restaurant,0.296943
3,places-valencia,TORO Burger Lounge,restaurant,0.296943
4,places-belem,Nick Burger,burger_restaurant,0.296943


In [17]:
# STATS allows running aggrecations.
# In this count agg, no other data is available afterwards
esql("""
FROM ne_countries
| STATS counts = count(id)
""")

Unnamed: 0,counts
0,257


In [18]:
# When grouping by other fields, those are also available
# for further operations like sorting or filtering
esql("""
FROM ne_countries
| WHERE type in ("Country", "Sovereign country")
| STATS counts = count(id) BY continent
| WHERE counts > 30
| SORT continent
| KEEP continent, counts
| LIMIT 5
""")

Unnamed: 0,continent,counts
0,Africa,53
1,Asia,48
2,Europe,48


In [19]:
# Aggregate: count by more than one grouping field
esql("""
FROM ne_countries
| WHERE type not in ("Country", "Sovereign country")
| STATS counts = count(id) BY continent, type
| WHERE counts > 1
| SORT continent, type
| KEEP continent, type, counts
| LIMIT 50
""")

Unnamed: 0,continent,type,counts
0,Africa,Indeterminate,2
1,Asia,Dependency,3
2,Asia,Indeterminate,5
3,Europe,Disputed,2
4,North America,Dependency,12
5,North America,Indeterminate,2
6,Oceania,Dependency,12
7,Seven seas (open ocean),Dependency,5
8,South America,Indeterminate,2


In [20]:
# Use EVAL to compute new fields
esql("""
FROM ne_countries
| WHERE gdp_md IS NOT NULL
    AND pop_est > 0
    AND type IN ("Country", "Sovereign country")
| EVAL gdp_pop = ROUND(( gdp_md * 1e6) / ( pop_est::double))::integer
| SORT gdp_pop DESC
| KEEP name, type, gdp_md, pop_est, gdp_pop
| LIMIT 10
""")

Unnamed: 0,name,type,gdp_md,pop_est,gdp_pop
0,Monaco,Sovereign country,7188,38964,184478
1,Liechtenstein,Sovereign country,6876,38019,180857
2,Luxembourg,Sovereign country,71104,619896,114703
3,Isle of Man,Country,7491,84584,88563
4,Macao,Country,53859,640445,84096
5,Switzerland,Sovereign country,703082,8574832,81994
6,Ireland,Sovereign country,388698,4941444,78661
7,Norway,Sovereign country,403336,5347896,75420
8,Iceland,Sovereign country,24188,361313,66945
9,United States of America,Country,21433226,328239523,65298


## Joins

Traditionally, Elasticsearch has not been able to join datasets in a comfortable way for developers and analysts. This has changed with ES|QL and with the introduction of the `index.mode: lookup` setting.

More details on:

* [`LOOKUP JOIN` docs](https://www.elastic.co/docs/reference/query-languages/esql/esql-lookup-join)
* [`index.mode`](https://www.elastic.co/docs/reference/elasticsearch/index-settings/index-modules#index-mode-setting)

Our `ne_countries` index was created with that setting so we can now join that dataset with our places indices.

In [21]:
# Let's find outlier data in our places-* indices
esql(
"""
FROM places-*
// Aggregate all our places by country
| STATS counts = count(addresses.country) BY addresses.country

// Filter for only those groups with counts between 1 and 100
| WHERE counts > 1 AND counts < 50

// The lookup common field needs to be the same
| RENAME addresses.country AS iso_a2, counts AS places

// Run the LOOKUP JOIN by the iso_a2 field
| LOOKUP JOIN ne_countries ON iso_a2

// Merge records for repeated iso_a2 entries
| STATS places = SUM(places), names = VALUES(name) BY iso_a2

// Sort and print
| SORT places DESC
| KEEP iso_a2, places, names
"""
)

Unnamed: 0,iso_a2,places,names
0,HU,29,Hungary
1,SA,24,Saudi Arabia
2,FR,20,"[France, Clipperton I.]"
3,AU,16,"[Australia, Indian Ocean Ter., Coral Sea Is., Ashmore and Cartier Is.]"
4,PL,15,Poland
5,SK,14,Slovakia
6,SI,12,Slovenia
7,TR,11,Turkey
8,US,11,United States of America
9,CZ,11,Czechia


## Wrap up

This is just the basics, there are plenty of functions and operators to process your datasets, please refer to the [documentation](https://www.elastic.co/docs/explore-analyze/query-filter/languages/esql) for further details.