docs/index.asciidoc
Lines changed: 6 additions & 10 deletions
@@ -234,18 +234,12 @@ The next scheduled run:
234
234
==== ES|QL support
235
235
{es} Query Language (ES|QL) provides a SQL-like interface for querying your {es} data.
236
236
237
-
To utilize the ES|QL feature with this plugin, the following version requirements must be met:
238
-
[cols="1,2",options="header"]
239
-
|===
240
-
|Component |Minimum version
241
-
|{es} |8.11.0 or newer
242
-
|{ls} |8.17.4 or newer
243
-
|This plugin |4.23.0+ (4.x series) or 5.2.0+ (5.x series)
237
+
To use {esql}, this plugin needs to be installed in {ls} 8.17.4 or newer, and must be connected to {es} 8.11 or newer.
244
238
|===
245
239
246
-
To configure ES|QL query in the plugin, set the `response_type` to `esql` and provide your ES|QL query in the `query` parameter.
240
+
To configure {esql} query in the plugin, set the `response_type` to `esql` and provide your {esql} query in the `query` parameter.
247
241
248
-
IMPORTANT: We recommend understanding https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-limitations.html[ES|QL current limitations] before using it in production environments.
242
+
IMPORTANT: {esql} is evolving and may still have limitations with regard to result size or supported field types. We recommend understanding https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-limitations.html[ES|QL current limitations] before using it in production environments.
249
243
250
244
The following is a basic scheduled ES|QL query that runs hourly:
251
245
[source, ruby]
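Review bot: The closing `|===` at new line 238 stays behind as context while the `[cols="1,2",options="header"]` line, the opening `|===` and every table row are removed, so the file is left with a lone table delimiter directly after the new sentence, and AsciiDoc will read it as the start of a table and pull the following paragraphs into it. Delete that line as part of this change. The new sentence also drops the plugin minimum that the table stated (4.23.0+ for 4.x, 5.2.0+ for 5.x); if that requirement still holds, keep it in the sentence. Finally, `{esql}` is used in the added lines while the heading, the link text and the unchanged line at 244 still say ES|QL; confirm the attribute is defined for this document and use one form throughout.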
@@ -322,6 +316,8 @@ To illustrate the situation with example, assuming your mapping has a time `time
322
316
}
323
317
324
318
The ES|QL result will contain all three fields but the plugin cannot map them into {ls} event.
319
+
320
+
This a common occurence if your template or mapping follows the pattern of always indexing strings as "text" (`field`) + " keyword" (`field.keyword`) multi-field. In this case it's recommended to do `KEEP field` if the string is identical and there is only one subfield as the engine will optimize and retrieve the keyword, otherwise you can do `KEEP field.keyword | RENAME field.keyword as field` .
325
321
To avoid this, you can use the `RENAME` keyword to rename the `time` parent field to get all three fields with unique fields.
326
322
[source, ruby]
327
323
...
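Review bot: The paragraph added at line 320 is followed directly by "To avoid this, you can use the `RENAME` keyword" at 321 with no blank line between them, so the two render as one paragraph and "this" now points at the multi-field advice instead of the mapping failure described at 318. Add a blank line after the new paragraph, or move it below the `RENAME` example. Wording in the same line needs fixing: "This a common occurence" should read "This is a common occurrence", `" keyword"` has a stray leading space, and there is a stray space before the final period after `RENAME field.keyword as field`. The condition "if the string is identical and there is only one subfield" is hard to parse; state what has to be identical to what.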
@@ -622,7 +618,7 @@ contents of the `aggregations` object of the query's response. In this case the
622
618
0 regardless of the default or user-defined value set in this plugin.
623
619
624
620
When using the `esql` setting, the query must be a valid ES|QL string.
625
-
When this setting is active, `target`, `size`, `slices`and `search_api` parameters are ignored.
621
+
When this setting is active, `index`, `size`, `slices`, `search_api`, `docinfo`, `docinfo_target` and `docinfo_fields` parameters are not allowed.
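Review bot: At line 621, `target` disappears from the list and `index` appears, with nothing in this hunk explaining the swap. If `target` is honored with `esql`, say so here; if it was listed by mistake before, note that in the commit message. The change from "are ignored" to "are not allowed" is also a statement about behavior: document whether the plugin rejects the configuration or only warns when one of these parameters is set, so the reader knows what to expect.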