So I have som data in filebeat where the following query will return some data: FROM filebeat-* | WHERE event.dataset == "cert-info.log" | KEEP tags | LIMIT 2000 this results in something like this: Certificate [Private key, issuer_missing, subject_missing] [Private key, issuer_missing] What I w…

@cjessing Perhaps review the docs LIKE RLIKE [image] Christian_Dahlqvist: which is what I believe ES/QL does behind the scenes, i Actually it is mostly a new execution framework and specifically does not translate to DSL.:). But the actual issue is tags is an array so it needs to be expa…

[image] cjessing: What I would like to do is only get the rows where tags contain the phrase Private key. [image] cjessing: Is it possible to succeed in what I'm trying to do or does ES|QL simply not support such a relatively basic feature? I do not know whether ES|QL supports this or …

[image] stephenb: Actually it is mostly a new execution framework and specifically does not translate to DSL.:). Even if it does not directly translate to DSL I do not see how it could execute this type of logic in a much more efficient way against Lucene. If that was possible, would the wild…

MV_EXPAND!!! That was it! You're a life saver. Thanks a million!

Actually... to elaborate a bit... what if I want ONE hit if two conditions are met? I would like 3 seperate counts for tags == "Private key" (and nothing else) tags == [Private key, issuer_missing] (no more, no less) tags == [Private key, issuer_missing, subject_missing] (no more, no less) I real…

[Q]: Is there a 'LIKE' function in ES|QL?

Elastic Search

stephenb (Stephen Brown) December 13, 2024, 6:46am 3

@cjessing

Perhaps review the docs

RLIKE

Actually it is mostly a new execution framework and specifically does not translate to DSL.:).

But the actual issue is tags is an array so it needs to be expanded first

You can use MV_EXPAND

FROM logs-* 
| MV_EXPAND tags
| where tags == "Private key" 
| LIMIT 10

1 Like

Topic		Replies	Views
SNMP output and ES\|QL Kibana esql	4	79	September 13, 2024
Need Help for ES query Elasticsearch	2	346	August 23, 2018
Dec 18th, 2024: [ES] Filtrando texto con ES\|QL Advent Calendar esql	0	49	December 18, 2024
What is equivalent query as SQL LIKE clause? Elasticsearch	2	5061	January 13, 2017
How to query like mysql? Elasticsearch	3	2800	July 5, 2017

[Q]: Is there a 'LIKE' function in ES|QL?

Related topics