Dec 24th, 2024: [EN] Introduction to the ES|QL editor

ES|QL is a big deal :muscle:

As you've probably heard by now, ES|QL is Elastic's new query language. We're betting big on ES|QL. It's already shining, but over time it will become the most powerful and expressive way to interact with data in Elasticsearch.

This doesn't mean our users will always be writing ES|QL. Sometimes they'll be using a GUI in Kibana and/or our AI capabilities. But, under the hood, those interfaces will (eventually) boil down to generating and executing ES|QL queries.

However, one of the best things about ES|QL is that you can write it yourself. It is a learnable language. You can write your own queries to do everything from simple investigations to complex tasks that harness the most advanced capabilities of the Elastic platform.

To learn more about the language itself, visit our docs!

Welcome to the editor :sparkles:

The ES|QL editor is our humble attempt to make your life easier as you author your queries. It is designed to be your companion through your first experiments with ES|QL into true language proficiency.

With all that said, here are a few of my favorite features.

Bells and whistles

First off, doesn't the syntax highlighting look nice? You won't find a color theme quite like this anywhere else in Elastic's products.

Speaking of beauty, the editor has a button to prettify your queries. Click that and voila! :nail_care:

[Screenshot: Prettify]

But maybe this isn't the query you're looking for. You can always select one of our recommended queries to get started instead:

[Screenshot: Recommended queries]

This recommended query creates a date histogram, one of the most popular operations in Kibana.

But, what are those funny-looking parameters ?t_start and ?t_end? Hovering my mouse over them gives me the answer:

They represent the values from the Kibana date picker! That means that this query is dynamically adjusted whenever the Kibana time range is changed. This is super useful if I am using an ES|QL query to power a visualization on a dashboard, for example.

But, ok, maybe you want to go totally custom. Great! In that case, type FROM and select an index or an integration dataset.

Here's an example: for every security log from the System integration, let's calculate the number of days between the log and the end of November:

[Screenshot: Custom query]

Notice that

  • I was able to select the integration name and then the dataset I wanted. In my environment, there is very little data, but in a production cluster this is a very helpful organizing device.
  • I wasn't left hanging when I needed to type out a date in ISO format. Instead, I selected the date from the date picker widget.
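The two queries described above (the recommended date histogram and the custom "days until the end of November" query) are not shown in the post itself, so here they are written out as an added example, not the editor's own recommended-query text. The `logs-system.security-*` index pattern, the ECS `event.action` field and the exact end-of-November timestamp are assumptions; `?t_start` and `?t_end` are the time-picker parameters the post mentions.

```esql
// Query 1: date histogram bound to the Kibana time picker.
// ?t_start / ?t_end are filled in from the date picker, so the
// visualization follows the dashboard time range without editing the query.
FROM logs-system.security-*          // assumed index pattern for the System integration's security dataset
  | WHERE @timestamp >= ?t_start AND @timestamp <= ?t_end
  | STATS events = COUNT(*) BY bucket = BUCKET(@timestamp, 50, ?t_start, ?t_end)
  | SORT bucket

// Query 2: for each security log, days between the event and the end of November.
// The timestamp literal is what the editor's date-picker widget would insert
// (the exact value is an assumption).
FROM logs-system.security-*
  | EVAL days_to_eom = DATE_DIFF("days", @timestamp, TO_DATETIME("2024-11-30T23:59:59.999Z"))
  | KEEP @timestamp, event.action, days_to_eom   // event.action: assumed ECS field
  | SORT @timestamp DESC
  | LIMIT 20
```

Run each query separately; the editor validates one query at a time.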

Validation

We all make mistakes. But, what if I told you that we have an entire language validation engine running in your browser to help you notice them?

See! It points out syntactical errors (such as an extra comma):

...and semantic errors (such as a wrong argument type):

In closing

Well, phew! We've come a long way, yet we are only getting started. As we continue to invest in ES|QL, we will continue to invest in the editor until it is a feature that makes you feel like an ES|QL genius. Because... well... you are :clap:
