ESQL where the field value is a list

duckasylum · April 8, 2025, 11:52am

Hi, I have an index created from JSON files and due to the structure of the JSON with multiple same name keys I have now fields which are lists. I am wondering how to use such fields in ESQL queries. For example in the index named someindex there is a document with a field someIDs with the value [123,456]. The query
FROM someindex* | WHERE someIDs IN ("456")
does not find that document. I also tried the query the other way around as in
FROM someindex* | WHERE "456" IN someIDs
but that gave an error.

stephenb · April 8, 2025, 1:33pm

Hi @duckasylum

Yeah it is kinda weird... try MV_EXPAND

FROM logs-* 
| MV_EXPAND someIDs
| where someIDs == "456"
| LIMIT 10

Topic		Replies	Views
ESQL to compare data in two indexes based on a unique key Kibana esql	1	68	February 11, 2025
ESQL - fieldnames with slash('/') not supported just removed in kibana Elasticsearch	1	26	January 8, 2025
Data View, Canvas, and ESQL Kibana	2	306	July 18, 2023
Latest value in ESQL Elasticsearch piped query language on kibana Kibana kql-kibana-query-language , eql-elastic-query-language , esql	2	38	January 23, 2025
How to work with Array fields and their mapping for efficient search and results Kibana	5	310	November 26, 2020

ESQL where the field value is a list

Related topics