I’m really trying to start using ES|QL…
About six months ago, I generated some queries (saved search sessions) and was wondering why (unlike the Classic search) there was no date histogram displayed. I was playing around with another ES|QL query just now, and wanted to check out how to structure a WHERE clause and stumbled across this documentation section: Analyze and Visualize Data and - wait, there’s a date histogram!
I composed and ran a simple query and I see a histogram; my saved ES|QL query does not have one. My saved query has a KEEP @timestamp along with other fields (the query is “FROM | WHERE | LIMIT | KEEP”) and it appears the KEEP is what breaks the functionality to show the date histogram. This surprises me because I got the impression that ES|QL was supposed to provide all the logic for a query/report.
I have updated my saved search session to use the ES|QL query without a KEEP, with my formatting (i.e., fields to display) specified using the Result pane (choosing the “Toggle Column in Table” tick box for the fields) for the search. Now I have a date histogram, but I’m wondering if this is as intended, or whether this is explained somewhere.
I will say that I’d been so used to date histograms for situational awareness of documents from a query that I’d held off on trying ES|QL unless it seemed it might offer some advantage that outweighed this; now I expect I can make more use of ES|QL going forward, so this is good news. Maybe I had just missed it, but if this is new functionality (I’m on 9.2) then I’m very appreciative.
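The three query shapes discussed in the post, written out as an added example (this is not the poster's saved query, and the index pattern `logs-*` and the fields `event.category`, `event.outcome`, `host.name`, `user.name` and `source.ip` are assumed for illustration). The first is the FROM | WHERE | LIMIT | KEEP form the post says loses the Discover date histogram; the second is the same query with the KEEP dropped so that columns are chosen in the Result pane instead; the third goes a step beyond the post and computes the date histogram inside ES|QL itself with STATS and BUCKET, which keeps the time-bucketed view in the query regardless of how Discover renders it:

```esql
// 1. Saved-search shape from the post: WHERE, then LIMIT, then KEEP.
//    Index pattern and field names are assumed for this example.
FROM logs-*
| WHERE event.category == "authentication" AND event.outcome == "failure"
| LIMIT 500
| KEEP @timestamp, host.name, user.name, source.ip

// 2. Same query without KEEP; pick the displayed columns with
//    "Toggle Column in Table" in the Result pane instead.
FROM logs-*
| WHERE event.category == "authentication" AND event.outcome == "failure"
| LIMIT 500

// 3. Date histogram expressed in the query: one row per hour with the
//    failure count, so the time distribution survives as result data.
FROM logs-*
| WHERE event.category == "authentication" AND event.outcome == "failure"
| STATS failures = COUNT(*) BY hour = BUCKET(@timestamp, 1 hour)
| SORT hour
```

Each query is run on its own. Note that in the first form the LIMIT sits before the KEEP, so it caps the number of documents returned before the columns are projected; in the third form there is no LIMIT before STATS, so the counts cover every matching document rather than a 500-row sample.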
