mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-25 23:57:20 -04:00
* ESQL: change from quoting from backtick to quote

For historical reasons, the source declaration inside FROM command is treated as an identifier, using backticks (`) for escaping the value. This is inconsistent since the source is not an identifier (field name) but an index name which has different semantics. `index` means a field name index while "index" means a literal with said value. In case of FROM, the index name/location is more like a literal (also in unquoted form) than an identifier (that is a reference to a value).

This PR tweaks the grammar and plugs in the quoted string logic so that both the single quote (") and triple quote (""") are allowed.

* Update grammar
* Add more tests
* Add a few more tests
* Add extra test
* Update docs/changelog/108395.yaml
* Address review comments
* Add doc note
* Revert test rename
* Fix quoting with remote cluster
* Update docs/reference/esql/source-commands/from.asciidoc

Co-authored-by: marciw <333176+marciw@users.noreply.github.com>

---------

Co-authored-by: Bogdan Pintea <bogdan.pintea@elastic.co>
Co-authored-by: Bogdan Pintea <pintea@mailbox.org>
Co-authored-by: marciw <333176+marciw@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
92 lines
1.8 KiB
Text
[discrete]
[[esql-from]]
=== `FROM`

**Syntax**

[source,esql]
----
FROM index_pattern [METADATA fields]
----

*Parameters*

`index_pattern`::
A list of indices, data streams or aliases. Supports wildcards and date math.

`fields`::
A comma-separated list of <<esql-metadata-fields,metadata fields>> to retrieve.

*Description*

The `FROM` source command returns a table with data from a data stream, index,
or alias. Each row in the resulting table represents a document. Each column
corresponds to a field, and can be accessed by the name of that field.

[NOTE]
====
By default, an {esql} query without an explicit <<esql-limit>> uses an implicit
limit of 1000. This applies to `FROM` too. A `FROM` command without `LIMIT`:

[source,esql]
----
FROM employees
----

is executed as:

[source,esql]
----
FROM employees
| LIMIT 1000
----
====

*Examples*

[source,esql]
----
FROM employees
----

You can use <<api-date-math-index-names,date math>> to refer to indices, aliases
and data streams. This can be useful for time series data, for example to access
today's index:

[source,esql]
----
FROM <logs-{now/d}>
----

Use comma-separated lists or wildcards to query multiple data streams, indices,
or aliases:

[source,esql]
----
FROM employees-00001,other-employees-*
----

Use the format `<remote_cluster_name>:<target>` to query data streams and indices
on remote clusters:

[source,esql]
----
FROM cluster_one:employees-00001,cluster_two:other-employees-*
----

See <<esql-cross-clusters, using {esql} across clusters>>.

Use the optional `METADATA` directive to enable <<esql-metadata-fields,metadata fields>>:

[source,esql]
----
FROM employees METADATA _id
----

Use enclosing double quotes (`"`) or three enclosing double quotes (`"""`) to escape index names
that contain special characters:

[source,esql]
----
FROM "this=that", """this[that"""
----
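
When an index name reaches a `FROM` clause from user input, quoting alone does not limit what the clause targets, because commas, wildcards, date math and cluster prefixes all have meaning in `index_pattern`. The Python below is an added example, not part of the Elasticsearch documentation or code base: it validates each name, then emits the double-quoted form. The function names, the rejection policy and the default `METADATA` allowlist are assumptions made for the example.

```python
# Added example (not from the Elasticsearch docs): compose a FROM clause from
# caller-supplied index names. Function names and the policy are assumptions.

# Characters the page gives a meaning to inside index_pattern, plus the ES|QL
# pipe. They are rejected, not quoted: the page does not say that quoting
# turns a comma, wildcard or cluster prefix into a literal character.
PATTERN_SYNTAX = {
    ",": "list separator",
    "*": "wildcard",
    ":": "remote cluster prefix",
    "<": "date math",
    ">": "date math",
    "|": "pipe to next command",
}
# Assumption: '"' and '\' are refused so the quoted form needs no escaping.
QUOTE_BREAKERS = {'"', "\\"}


def quote_index(name):
    """Return one index name in double quotes, or raise ValueError."""
    if not isinstance(name, str) or not name:
        raise ValueError("index name must be a non-empty string")
    for ch in name:
        if ch in PATTERN_SYNTAX:
            raise ValueError(f"{ch!r} ({PATTERN_SYNTAX[ch]}) not allowed in {name!r}")
        if ch in QUOTE_BREAKERS or ch.isspace() or not ch.isprintable():
            raise ValueError(f"unsafe character {ch!r} in {name!r}")
    return f'"{name}"'


def build_from(names, metadata=(), allowed_metadata=("_id",)):
    """Build 'FROM "a", "b" [METADATA f, ...]' from validated parts."""
    if isinstance(names, str) or not names:
        raise ValueError("names must be a non-empty list of index names")
    clause = "FROM " + ", ".join(quote_index(n) for n in names)
    if metadata:
        bad = [f for f in metadata if f not in allowed_metadata]
        if bad:
            raise ValueError(f"metadata field not allowed: {bad}")
        clause += " METADATA " + ", ".join(metadata)
    return clause


if __name__ == "__main__":
    # Constructed inputs, taken from the names used in the examples above.
    print(build_from(["this=that", "this[that"]))
    print(build_from(["employees"], metadata=["_id"]))
```
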