ES|QL 参考

ROW a = 1, b = "two", c = null

ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
| DISSECT a "%{date} - %{msg} - %{ip}"
| KEEP date, msg, ip

ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1"
| DISSECT a "%{date} - %{msg} - %{ip}"
| KEEP date, msg, ip
| EVAL date = TO_DATETIME(date)

ROW language_code = "1"
| ENRICH languages_policy

ROW a = "1"
| ENRICH languages_policy ON a

ROW a = "1"
| ENRICH languages_policy ON a WITH language_name

ROW a = "1"
| ENRICH languages_policy ON a WITH name = language_name

FROM employees
| SORT emp_no
| KEEP first_name, last_name, height
| EVAL height_feet = height * 3.281, height_cm = height * 100

FROM employees
| SORT emp_no
| KEEP first_name, last_name, height
| EVAL height = height * 3.281

FROM employees
| SORT emp_no
| KEEP first_name, last_name, height
| EVAL height * 3.281

FROM employees
| EVAL height * 3.281
| STATS avg_height_feet = AVG(`height * 3.281`)

ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42"
| GROK a "%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num}"
| KEEP date, ip, email, num

ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42"
| GROK a "%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num:int}"
| KEEP date, ip, email, num

ROW a = "2023-01-23T12:15:00.000Z 127.0.0.1 some.email@foo.com 42"
| GROK a "%{TIMESTAMP_ISO8601:date} %{IP:ip} %{EMAILADDRESS:email} %{NUMBER:num:int}"
| KEEP date, ip, email, num
| EVAL date = TO_DATETIME(date)

FROM addresses
| KEEP city.name, zip_code
| GROK zip_code "%{WORD:zip_parts} %{WORD:zip_parts}"

FROM employees
| KEEP emp_no, languages
| INLINESTATS max_lang = MAX(languages)
| WHERE max_lang == languages
| SORT emp_no ASC
| LIMIT 5

FROM employees
| KEEP emp_no, avg_worked_seconds, last_name
| INLINESTATS max_avg_worked_seconds = MAX(avg_worked_seconds) BY SUBSTRING(last_name, 0, 1)
| WHERE max_avg_worked_seconds == avg_worked_seconds
| SORT last_name ASC
| LIMIT 5

FROM airports
| MV_EXPAND type
| EVAL lat = ST_Y(location)
| INLINESTATS most_northern=MAX(lat), most_southern=MIN(lat) BY type
| WHERE lat == most_northern OR lat == most_southern
| SORT lat DESC
| KEEP type, name, location

FROM airports
| INLINESTATS min_scalerank=MIN(scalerank) BY type
| EVAL type=MV_SORT(type), min_scalerank=MV_SORT(min_scalerank)
| KEEP abbrev, type, scalerank, min_scalerank
| WHERE abbrev == "GWL"

FROM airports
| KEEP abbrev, type, scalerank
| MV_EXPAND type
| INLINESTATS min_scalerank=MIN(scalerank) BY type
| SORT min_scalerank ASC
| WHERE abbrev == "GWL"

FROM employees
| KEEP emp_no, first_name, last_name, height

ROW a=[1,2,3], b="b", j=["a","b"]
| MV_EXPAND a

FROM employees
| STATS count = COUNT(emp_no) BY languages
| SORT languages

FROM employees
| STATS avg_lang = AVG(languages)

FROM employees
| STATS avg_lang = AVG(languages), max_lang = MAX(languages)

ROW i=1, a=["a", "b"] | STATS MIN(i) BY a | SORT a ASC

ROW i=1, a=["a", "b"], b=[2, 3] | STATS MIN(i) BY a, b | SORT a ASC, b ASC

FROM employees
| STATS avg_salary_change = ROUND(AVG(MV_AVG(salary_change)), 10)

FROM employees
| STATS my_count = COUNT() BY LEFT(last_name, 1)
| SORT `LEFT(last_name, 1)`

FROM employees
| STATS AVG(salary)

FROM employees
| STATS AVG(salary)
| EVAL avg_salary_rounded = ROUND(`AVG(salary)`)

FROM employees
| WHERE birth_date IS NULL
| KEEP first_name, last_name
| SORT first_name
| LIMIT 3

FROM employees
| WHERE is_rehired IS NOT NULL
| STATS COUNT(emp_no)

FROM employees
| WHERE first_name LIKE "?b*"
| KEEP first_name, last_name

FROM employees
| WHERE first_name RLIKE ".leja.*"
| KEEP first_name, last_name

ROW a = 1, b = 4, c = 3
| WHERE c-a IN (3, b / 2, a)

FROM employees
| STATS AVG(height)

FROM employees
| STATS avg_salary_change = ROUND(AVG(MV_AVG(salary_change)), 10)

FROM employees
| STATS COUNT(height)

FROM employees
| STATS count = COUNT(*) BY languages
| SORT languages DESC

ROW words="foo;bar;baz;qux;quux;foo"
| STATS word_count = COUNT(SPLIT(words, ";"))

ROW n=1
| WHERE n < 0
| STATS COUNT(n)

ROW n=1
| STATS COUNT(n > 0 OR NULL), COUNT(n < 0 OR NULL)

FROM hosts
| STATS COUNT_DISTINCT(ip0), COUNT_DISTINCT(ip1)

FROM hosts
| STATS COUNT_DISTINCT(ip0, 80000), COUNT_DISTINCT(ip1, 5)

ROW words="foo;bar;baz;qux;quux;foo"
| STATS distinct_word_count = COUNT_DISTINCT(SPLIT(words, ";"))

FROM employees
| STATS MAX(languages)

FROM employees
| STATS max_avg_salary_change = MAX(MV_AVG(salary_change))

FROM employees
| STATS MEDIAN(salary), PERCENTILE(salary, 50)

FROM employees
| STATS median_max_salary_change = MEDIAN(MV_MAX(salary_change))

FROM employees
| STATS MEDIAN(salary), MEDIAN_ABSOLUTE_DEVIATION(salary)

FROM employees
| STATS m_a_d_max_salary_change = MEDIAN_ABSOLUTE_DEVIATION(MV_MAX(salary_change))

FROM employees
| STATS MIN(languages)

FROM employees
| STATS min_avg_salary_change = MIN(MV_AVG(salary_change))

FROM employees
| STATS p0 = PERCENTILE(salary,  0)
     , p50 = PERCENTILE(salary, 50)
     , p99 = PERCENTILE(salary, 99)

FROM employees
| STATS p80_max_salary_change = PERCENTILE(MV_MAX(salary_change), 80)

FROM airports
| STATS centroid=ST_CENTROID_AGG(location)

FROM employees
| STATS SUM(languages)

FROM employees
| STATS total_salary_changes = SUM(MV_MAX(salary_change))

FROM employees
| STATS top_salaries = TOP(salary, 3, "desc"), top_salary = MAX(salary)

  FROM employees
| EVAL first_letter = SUBSTRING(first_name, 0, 1)
| STATS first_name=MV_SORT(VALUES(first_name)) BY first_letter
| SORT first_letter

FROM employees
| STATS w_avg = WEIGHTED_AVG(salary, height) by languages
| EVAL w_avg = ROUND(w_avg)
| KEEP w_avg, languages
| SORT languages

FROM employees
| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z"
| STATS hire_date = MV_SORT(VALUES(hire_date)) BY month = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z")
| SORT hire_date

FROM employees
| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z"
| STATS hires_per_month = COUNT(*) BY month = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z")
| SORT month

FROM employees
| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z"
| STATS hires_per_week = COUNT(*) BY week = BUCKET(hire_date, 100, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z")
| SORT week

FROM employees
| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z"
| STATS hires_per_week = COUNT(*) BY week = BUCKET(hire_date, 1 week)
| SORT week

FROM employees
| STATS COUNT(*) by bs = BUCKET(salary, 20, 25324, 74999)
| SORT bs

FROM employees
| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z"
| STATS c = COUNT(1) BY b = BUCKET(salary, 5000.)
| SORT b

FROM sample_data
| WHERE @timestamp >= NOW() - 1 day and @timestamp < NOW()
| STATS COUNT(*) BY bucket = BUCKET(@timestamp, 25, NOW() - 1 day, NOW())

FROM employees
| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z"
| STATS AVG(salary) BY bucket = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z")
| SORT bucket

FROM employees
| STATS s1 = b1 + 1, s2 = BUCKET(salary / 1000 + 999, 50.) + 2 BY b1 = BUCKET(salary / 100 + 99, 50.), b2 = BUCKET(salary / 1000 + 999, 50.)
| SORT b1, b2
| KEEP s1, b1, s2, b2

FROM employees
| EVAL type = CASE(
    languages <= 1, "monolingual",
    languages <= 2, "bilingual",
     "polyglot")
| KEEP emp_no, languages, type

FROM sample_data
| EVAL successful = CASE(
    STARTS_WITH(message, "Connected to"), 1,
    message == "Connection error", 0
  )
| STATS success_rate = AVG(successful)

FROM sample_data
| EVAL error = CASE(message LIKE "*error*", 1, 0)
| EVAL hour = DATE_TRUNC(1 hour, @timestamp)
| STATS error_rate = AVG(error) by hour
| SORT hour

ROW a=null, b="b"
| EVAL COALESCE(a, b)

ROW a = 10, b = 20
| EVAL g = GREATEST(a, b)

ROW a = 10, b = 20
| EVAL l = LEAST(a, b)

ROW date1 = TO_DATETIME("2023-12-02T11:00:00.000Z"), date2 = TO_DATETIME("2023-12-02T11:00:00.001Z")
| EVAL dd_ms = DATE_DIFF("microseconds", date1, date2)

ROW end_23=TO_DATETIME("2023-12-31T23:59:59.999Z"),
  start_24=TO_DATETIME("2024-01-01T00:00:00.000Z"),
    end_24=TO_DATETIME("2024-12-31T23:59:59.999")
| EVAL end23_to_start24=DATE_DIFF("year", end_23, start_24)
| EVAL end23_to_end24=DATE_DIFF("year", end_23, end_24)
| EVAL start_to_end_24=DATE_DIFF("year", start_24, end_24)

ROW date = DATE_PARSE("yyyy-MM-dd", "2022-05-06")
| EVAL year = DATE_EXTRACT("year", date)

FROM sample_data
| WHERE DATE_EXTRACT("hour_of_day", @timestamp) < 9 AND DATE_EXTRACT("hour_of_day", @timestamp) >= 17

FROM employees
| KEEP first_name, last_name, hire_date
| EVAL hired = DATE_FORMAT("yyyy-MM-dd", hire_date)