ES|QL and the _size field

pilarjin · February 19, 2025, 10:48am

Hi, is it possible to use _size field in ES|QL? I didn't find it mentioned in the limitations documentation.

We are trying to identify traces that generate too much data as feedback for developers what to optimize.

Example query summing size of all traces with the same name per service:

FROM .ds-traces-apm-default-2025.02.18-007935
| EVAL traceName=CASE(parent.id IS NULL, transaction.name, null) 
| STATS traceSize=SUM(_size), traceName=MAX(traceName) BY trace.id, service.name, service.environment 
| EVAL traceName=CASE(traceName IS NOT NULL, traceName, trace.id) 
| STATS sumTraceSizeMiB=TO_DOUBLE(SUM(traceSize))/(1024*1024) by traceName, service.name, service.environment 
| SORT sumTraceSizeMiB DESC 
| LIMIT 30

Results in error

Unable to retrieve search results

[esql] > Unexpected error from Elasticsearch: verification_exception - Found 1 problem
line 3:23: Unknown column [_size]

In discover I see _size correctly.

We are using Elastic Cloud 8.17.1.

ahmed_charafouddine · February 19, 2025, 11:13am

I don't think it's possible to play with _size. _size is a metadata field, and I can't find it on the list of metadata fields that can be used with ESQL

Topic		Replies	Views
ES\|QL fails with 'Data too large message for a small dataset Elasticsearch esql	5	48	March 20, 2025
Size parameter - how to check all stats in field Elasticsearch elastic-stack-alerting	2	664	September 19, 2018
_size pluging not creating field 6.2.4 Elasticsearch	7	489	June 13, 2018
Need Clarification Regarding Size Parameter in ES Query Elasticsearch	4	535	August 12, 2021
Retrieving all records from query search without having to use .size -ElasticsSearch Elasticsearch	6	1439	August 9, 2021

ES|QL and the _size field

Related topics