[Security GenAI] Remove assistantNaturalLanguageESQLTool feature flag and enable by default (#195480)

Steph Milovic 2024-10-09 08:13:05 -06:00 committed by GitHub
parent c103d2d214
commit 3dd1ee8ae0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
208 changed files with 56 additions and 5626 deletions


@ -3443,7 +3443,7 @@
"label": "ReadKnowledgeBaseResponse",
"description": [],
"signature": [
"{ elser_exists?: boolean | undefined; esql_exists?: boolean | undefined; index_exists?: boolean | undefined; is_setup_available?: boolean | undefined; is_setup_in_progress?: boolean | undefined; pipeline_exists?: boolean | undefined; security_labs_exists?: boolean | undefined; }"
"{ elser_exists?: boolean | undefined; index_exists?: boolean | undefined; is_setup_available?: boolean | undefined; is_setup_in_progress?: boolean | undefined; pipeline_exists?: boolean | undefined; security_labs_exists?: boolean | undefined; }"
],
"path": "x-pack/packages/kbn-elastic-assistant-common/impl/schemas/knowledge_base/crud_kb_route.gen.ts",
"deprecated": false,
@ -5737,7 +5737,7 @@
"label": "ReadKnowledgeBaseResponse",
"description": [],
"signature": [
"Zod.ZodObject<{ elser_exists: Zod.ZodOptional<Zod.ZodBoolean>; esql_exists: Zod.ZodOptional<Zod.ZodBoolean>; index_exists: Zod.ZodOptional<Zod.ZodBoolean>; is_setup_available: Zod.ZodOptional<Zod.ZodBoolean>; is_setup_in_progress: Zod.ZodOptional<Zod.ZodBoolean>; pipeline_exists: Zod.ZodOptional<Zod.ZodBoolean>; security_labs_exists: Zod.ZodOptional<Zod.ZodBoolean>; }, \"strip\", Zod.ZodTypeAny, { elser_exists?: boolean | undefined; esql_exists?: boolean | undefined; index_exists?: boolean | undefined; is_setup_available?: boolean | undefined; is_setup_in_progress?: boolean | undefined; pipeline_exists?: boolean | undefined; security_labs_exists?: boolean | undefined; }, { elser_exists?: boolean | undefined; esql_exists?: boolean | undefined; index_exists?: boolean | undefined; is_setup_available?: boolean | undefined; is_setup_in_progress?: boolean | undefined; pipeline_exists?: boolean | undefined; security_labs_exists?: boolean | undefined; }>"
"Zod.ZodObject<{ elser_exists: Zod.ZodOptional<Zod.ZodBoolean>; index_exists: Zod.ZodOptional<Zod.ZodBoolean>; is_setup_available: Zod.ZodOptional<Zod.ZodBoolean>; is_setup_in_progress: Zod.ZodOptional<Zod.ZodBoolean>; pipeline_exists: Zod.ZodOptional<Zod.ZodBoolean>; security_labs_exists: Zod.ZodOptional<Zod.ZodBoolean>; }, \"strip\", Zod.ZodTypeAny, { elser_exists?: boolean | undefined; esql_exists?: boolean | undefined; index_exists?: boolean | undefined; is_setup_available?: boolean | undefined; is_setup_in_progress?: boolean | undefined; pipeline_exists?: boolean | undefined; security_labs_exists?: boolean | undefined; }, { elser_exists?: boolean | undefined; esql_exists?: boolean | undefined; index_exists?: boolean | undefined; is_setup_available?: boolean | undefined; is_setup_in_progress?: boolean | undefined; pipeline_exists?: boolean | undefined; security_labs_exists?: boolean | undefined; }>"
],
"path": "x-pack/packages/kbn-elastic-assistant-common/impl/schemas/knowledge_base/crud_kb_route.gen.ts",
"deprecated": false,


@ -420,7 +420,7 @@
"\nExperimental flag needed to enable the link"
],
"signature": [
"\"assistantKnowledgeBaseByDefault\" | \"assistantModelEvaluation\" | \"excludePoliciesInFilterEnabled\" | \"kubernetesEnabled\" | \"donutChartEmbeddablesEnabled\" | \"previewTelemetryUrlEnabled\" | \"extendedRuleExecutionLoggingEnabled\" | \"socTrendsEnabled\" | \"responseActionUploadEnabled\" | \"automatedProcessActionsEnabled\" | \"responseActionsSentinelOneV1Enabled\" | \"responseActionsSentinelOneV2Enabled\" | \"responseActionsSentinelOneGetFileEnabled\" | \"responseActionsSentinelOneKillProcessEnabled\" | \"responseActionsSentinelOneProcessesEnabled\" | \"responseActionsCrowdstrikeManualHostIsolationEnabled\" | \"endpointManagementSpaceAwarenessEnabled\" | \"securitySolutionNotesEnabled\" | \"entityAlertPreviewDisabled\" | \"assistantNaturalLanguageESQLTool\" | \"newUserDetailsFlyoutManagedUser\" | \"riskScoringPersistence\" | \"riskScoringRoutesEnabled\" | \"esqlRulesDisabled\" | \"loggingRequestsEnabled\" | \"protectionUpdatesEnabled\" | \"disableTimelineSaveTour\" | \"riskEnginePrivilegesRouteEnabled\" | \"sentinelOneDataInAnalyzerEnabled\" | \"sentinelOneManualHostActionsEnabled\" | \"crowdstrikeDataInAnalyzerEnabled\" | \"responseActionsTelemetryEnabled\" | \"jamfDataInAnalyzerEnabled\" | \"timelineEsqlTabDisabled\" | \"unifiedComponentsInTimelineDisabled\" | \"analyzerDatePickersAndSourcererDisabled\" | \"prebuiltRulesCustomizationEnabled\" | \"malwareOnWriteScanOptionAvailable\" | \"unifiedManifestEnabled\" | \"valueListItemsModalEnabled\" | \"manualRuleRunEnabled\" | \"filterProcessDescendantsForEventFiltersEnabled\" | \"dataIngestionHubEnabled\" | \"entityStoreEnabled\" | undefined"
"\"assistantKnowledgeBaseByDefault\" | \"assistantModelEvaluation\" | \"excludePoliciesInFilterEnabled\" | \"kubernetesEnabled\" | \"donutChartEmbeddablesEnabled\" | \"previewTelemetryUrlEnabled\" | \"extendedRuleExecutionLoggingEnabled\" | \"socTrendsEnabled\" | \"responseActionUploadEnabled\" | \"automatedProcessActionsEnabled\" | \"responseActionsSentinelOneV1Enabled\" | \"responseActionsSentinelOneV2Enabled\" | \"responseActionsSentinelOneGetFileEnabled\" | \"responseActionsSentinelOneKillProcessEnabled\" | \"responseActionsSentinelOneProcessesEnabled\" | \"responseActionsCrowdstrikeManualHostIsolationEnabled\" | \"endpointManagementSpaceAwarenessEnabled\" | \"securitySolutionNotesEnabled\" | \"entityAlertPreviewDisabled\" | \"newUserDetailsFlyoutManagedUser\" | \"riskScoringPersistence\" | \"riskScoringRoutesEnabled\" | \"esqlRulesDisabled\" | \"loggingRequestsEnabled\" | \"protectionUpdatesEnabled\" | \"disableTimelineSaveTour\" | \"riskEnginePrivilegesRouteEnabled\" | \"sentinelOneDataInAnalyzerEnabled\" | \"sentinelOneManualHostActionsEnabled\" | \"crowdstrikeDataInAnalyzerEnabled\" | \"responseActionsTelemetryEnabled\" | \"jamfDataInAnalyzerEnabled\" | \"timelineEsqlTabDisabled\" | \"unifiedComponentsInTimelineDisabled\" | \"analyzerDatePickersAndSourcererDisabled\" | \"prebuiltRulesCustomizationEnabled\" | \"malwareOnWriteScanOptionAvailable\" | \"unifiedManifestEnabled\" | \"valueListItemsModalEnabled\" | \"manualRuleRunEnabled\" | \"filterProcessDescendantsForEventFiltersEnabled\" | \"dataIngestionHubEnabled\" | \"entityStoreEnabled\" | undefined"
],
"path": "x-pack/plugins/security_solution/public/common/links/types.ts",
"deprecated": false,
@ -500,7 +500,7 @@
"\nExperimental flag needed to disable the link. Opposite of experimentalKey"
],
"signature": [
"\"assistantKnowledgeBaseByDefault\" | \"assistantModelEvaluation\" | \"excludePoliciesInFilterEnabled\" | \"kubernetesEnabled\" | \"donutChartEmbeddablesEnabled\" | \"previewTelemetryUrlEnabled\" | \"extendedRuleExecutionLoggingEnabled\" | \"socTrendsEnabled\" | \"responseActionUploadEnabled\" | \"automatedProcessActionsEnabled\" | \"responseActionsSentinelOneV1Enabled\" | \"responseActionsSentinelOneV2Enabled\" | \"responseActionsSentinelOneGetFileEnabled\" | \"responseActionsSentinelOneKillProcessEnabled\" | \"responseActionsSentinelOneProcessesEnabled\" | \"responseActionsCrowdstrikeManualHostIsolationEnabled\" | \"endpointManagementSpaceAwarenessEnabled\" | \"securitySolutionNotesEnabled\" | \"entityAlertPreviewDisabled\" | \"assistantNaturalLanguageESQLTool\" | \"newUserDetailsFlyoutManagedUser\" | \"riskScoringPersistence\" | \"riskScoringRoutesEnabled\" | \"esqlRulesDisabled\" | \"loggingRequestsEnabled\" | \"protectionUpdatesEnabled\" | \"disableTimelineSaveTour\" | \"riskEnginePrivilegesRouteEnabled\" | \"sentinelOneDataInAnalyzerEnabled\" | \"sentinelOneManualHostActionsEnabled\" | \"crowdstrikeDataInAnalyzerEnabled\" | \"responseActionsTelemetryEnabled\" | \"jamfDataInAnalyzerEnabled\" | \"timelineEsqlTabDisabled\" | \"unifiedComponentsInTimelineDisabled\" | \"analyzerDatePickersAndSourcererDisabled\" | \"prebuiltRulesCustomizationEnabled\" | \"malwareOnWriteScanOptionAvailable\" | \"unifiedManifestEnabled\" | \"valueListItemsModalEnabled\" | \"manualRuleRunEnabled\" | \"filterProcessDescendantsForEventFiltersEnabled\" | \"dataIngestionHubEnabled\" | \"entityStoreEnabled\" | undefined"
"\"assistantKnowledgeBaseByDefault\" | \"assistantModelEvaluation\" | \"excludePoliciesInFilterEnabled\" | \"kubernetesEnabled\" | \"donutChartEmbeddablesEnabled\" | \"previewTelemetryUrlEnabled\" | \"extendedRuleExecutionLoggingEnabled\" | \"socTrendsEnabled\" | \"responseActionUploadEnabled\" | \"automatedProcessActionsEnabled\" | \"responseActionsSentinelOneV1Enabled\" | \"responseActionsSentinelOneV2Enabled\" | \"responseActionsSentinelOneGetFileEnabled\" | \"responseActionsSentinelOneKillProcessEnabled\" | \"responseActionsSentinelOneProcessesEnabled\" | \"responseActionsCrowdstrikeManualHostIsolationEnabled\" | \"endpointManagementSpaceAwarenessEnabled\" | \"securitySolutionNotesEnabled\" | \"entityAlertPreviewDisabled\" | \"newUserDetailsFlyoutManagedUser\" | \"riskScoringPersistence\" | \"riskScoringRoutesEnabled\" | \"esqlRulesDisabled\" | \"loggingRequestsEnabled\" | \"protectionUpdatesEnabled\" | \"disableTimelineSaveTour\" | \"riskEnginePrivilegesRouteEnabled\" | \"sentinelOneDataInAnalyzerEnabled\" | \"sentinelOneManualHostActionsEnabled\" | \"crowdstrikeDataInAnalyzerEnabled\" | \"responseActionsTelemetryEnabled\" | \"jamfDataInAnalyzerEnabled\" | \"timelineEsqlTabDisabled\" | \"unifiedComponentsInTimelineDisabled\" | \"analyzerDatePickersAndSourcererDisabled\" | \"prebuiltRulesCustomizationEnabled\" | \"malwareOnWriteScanOptionAvailable\" | \"unifiedManifestEnabled\" | \"valueListItemsModalEnabled\" | \"manualRuleRunEnabled\" | \"filterProcessDescendantsForEventFiltersEnabled\" | \"dataIngestionHubEnabled\" | \"entityStoreEnabled\" | undefined"
],
"path": "x-pack/plugins/security_solution/public/common/links/types.ts",
"deprecated": false,
@ -1864,7 +1864,7 @@
"label": "experimentalFeatures",
"description": [],
"signature": [
"{ readonly excludePoliciesInFilterEnabled: boolean; readonly kubernetesEnabled: boolean; readonly donutChartEmbeddablesEnabled: boolean; readonly previewTelemetryUrlEnabled: boolean; readonly extendedRuleExecutionLoggingEnabled: boolean; readonly socTrendsEnabled: boolean; readonly responseActionUploadEnabled: boolean; readonly automatedProcessActionsEnabled: boolean; readonly responseActionsSentinelOneV1Enabled: boolean; readonly responseActionsSentinelOneV2Enabled: boolean; readonly responseActionsSentinelOneGetFileEnabled: boolean; readonly responseActionsSentinelOneKillProcessEnabled: boolean; readonly responseActionsSentinelOneProcessesEnabled: boolean; readonly responseActionsCrowdstrikeManualHostIsolationEnabled: boolean; readonly endpointManagementSpaceAwarenessEnabled: boolean; readonly securitySolutionNotesEnabled: boolean; readonly entityAlertPreviewDisabled: boolean; readonly assistantModelEvaluation: boolean; readonly assistantKnowledgeBaseByDefault: boolean; readonly assistantNaturalLanguageESQLTool: boolean; readonly newUserDetailsFlyoutManagedUser: boolean; readonly riskScoringPersistence: boolean; readonly riskScoringRoutesEnabled: boolean; readonly esqlRulesDisabled: boolean; readonly loggingRequestsEnabled: boolean; readonly protectionUpdatesEnabled: boolean; readonly disableTimelineSaveTour: boolean; readonly riskEnginePrivilegesRouteEnabled: boolean; readonly sentinelOneDataInAnalyzerEnabled: boolean; readonly sentinelOneManualHostActionsEnabled: boolean; readonly crowdstrikeDataInAnalyzerEnabled: boolean; readonly responseActionsTelemetryEnabled: boolean; readonly jamfDataInAnalyzerEnabled: boolean; readonly timelineEsqlTabDisabled: boolean; readonly unifiedComponentsInTimelineDisabled: boolean; readonly analyzerDatePickersAndSourcererDisabled: boolean; readonly prebuiltRulesCustomizationEnabled: boolean; readonly malwareOnWriteScanOptionAvailable: boolean; readonly unifiedManifestEnabled: boolean; readonly valueListItemsModalEnabled: 
boolean; readonly manualRuleRunEnabled: boolean; readonly filterProcessDescendantsForEventFiltersEnabled: boolean; readonly dataIngestionHubEnabled: boolean; readonly entityStoreEnabled: boolean; }"
"{ readonly excludePoliciesInFilterEnabled: boolean; readonly kubernetesEnabled: boolean; readonly donutChartEmbeddablesEnabled: boolean; readonly previewTelemetryUrlEnabled: boolean; readonly extendedRuleExecutionLoggingEnabled: boolean; readonly socTrendsEnabled: boolean; readonly responseActionUploadEnabled: boolean; readonly automatedProcessActionsEnabled: boolean; readonly responseActionsSentinelOneV1Enabled: boolean; readonly responseActionsSentinelOneV2Enabled: boolean; readonly responseActionsSentinelOneGetFileEnabled: boolean; readonly responseActionsSentinelOneKillProcessEnabled: boolean; readonly responseActionsSentinelOneProcessesEnabled: boolean; readonly responseActionsCrowdstrikeManualHostIsolationEnabled: boolean; readonly endpointManagementSpaceAwarenessEnabled: boolean; readonly securitySolutionNotesEnabled: boolean; readonly entityAlertPreviewDisabled: boolean; readonly assistantModelEvaluation: boolean; readonly assistantKnowledgeBaseByDefault: boolean; readonly newUserDetailsFlyoutManagedUser: boolean; readonly riskScoringPersistence: boolean; readonly riskScoringRoutesEnabled: boolean; readonly esqlRulesDisabled: boolean; readonly loggingRequestsEnabled: boolean; readonly protectionUpdatesEnabled: boolean; readonly disableTimelineSaveTour: boolean; readonly riskEnginePrivilegesRouteEnabled: boolean; readonly sentinelOneDataInAnalyzerEnabled: boolean; readonly sentinelOneManualHostActionsEnabled: boolean; readonly crowdstrikeDataInAnalyzerEnabled: boolean; readonly responseActionsTelemetryEnabled: boolean; readonly jamfDataInAnalyzerEnabled: boolean; readonly timelineEsqlTabDisabled: boolean; readonly unifiedComponentsInTimelineDisabled: boolean; readonly analyzerDatePickersAndSourcererDisabled: boolean; readonly prebuiltRulesCustomizationEnabled: boolean; readonly malwareOnWriteScanOptionAvailable: boolean; readonly unifiedManifestEnabled: boolean; readonly valueListItemsModalEnabled: boolean; readonly manualRuleRunEnabled: boolean; readonly 
filterProcessDescendantsForEventFiltersEnabled: boolean; readonly dataIngestionHubEnabled: boolean; readonly entityStoreEnabled: boolean; }"
],
"path": "x-pack/plugins/security_solution/public/types.ts",
"deprecated": false,
@ -3032,7 +3032,7 @@
"\nThe security solution generic experimental features"
],
"signature": [
"{ readonly excludePoliciesInFilterEnabled: boolean; readonly kubernetesEnabled: boolean; readonly donutChartEmbeddablesEnabled: boolean; readonly previewTelemetryUrlEnabled: boolean; readonly extendedRuleExecutionLoggingEnabled: boolean; readonly socTrendsEnabled: boolean; readonly responseActionUploadEnabled: boolean; readonly automatedProcessActionsEnabled: boolean; readonly responseActionsSentinelOneV1Enabled: boolean; readonly responseActionsSentinelOneV2Enabled: boolean; readonly responseActionsSentinelOneGetFileEnabled: boolean; readonly responseActionsSentinelOneKillProcessEnabled: boolean; readonly responseActionsSentinelOneProcessesEnabled: boolean; readonly responseActionsCrowdstrikeManualHostIsolationEnabled: boolean; readonly endpointManagementSpaceAwarenessEnabled: boolean; readonly securitySolutionNotesEnabled: boolean; readonly entityAlertPreviewDisabled: boolean; readonly assistantModelEvaluation: boolean; readonly assistantKnowledgeBaseByDefault: boolean; readonly assistantNaturalLanguageESQLTool: boolean; readonly newUserDetailsFlyoutManagedUser: boolean; readonly riskScoringPersistence: boolean; readonly riskScoringRoutesEnabled: boolean; readonly esqlRulesDisabled: boolean; readonly loggingRequestsEnabled: boolean; readonly protectionUpdatesEnabled: boolean; readonly disableTimelineSaveTour: boolean; readonly riskEnginePrivilegesRouteEnabled: boolean; readonly sentinelOneDataInAnalyzerEnabled: boolean; readonly sentinelOneManualHostActionsEnabled: boolean; readonly crowdstrikeDataInAnalyzerEnabled: boolean; readonly responseActionsTelemetryEnabled: boolean; readonly jamfDataInAnalyzerEnabled: boolean; readonly timelineEsqlTabDisabled: boolean; readonly unifiedComponentsInTimelineDisabled: boolean; readonly analyzerDatePickersAndSourcererDisabled: boolean; readonly prebuiltRulesCustomizationEnabled: boolean; readonly malwareOnWriteScanOptionAvailable: boolean; readonly unifiedManifestEnabled: boolean; readonly valueListItemsModalEnabled: 
boolean; readonly manualRuleRunEnabled: boolean; readonly filterProcessDescendantsForEventFiltersEnabled: boolean; readonly dataIngestionHubEnabled: boolean; readonly entityStoreEnabled: boolean; }"
"{ readonly excludePoliciesInFilterEnabled: boolean; readonly kubernetesEnabled: boolean; readonly donutChartEmbeddablesEnabled: boolean; readonly previewTelemetryUrlEnabled: boolean; readonly extendedRuleExecutionLoggingEnabled: boolean; readonly socTrendsEnabled: boolean; readonly responseActionUploadEnabled: boolean; readonly automatedProcessActionsEnabled: boolean; readonly responseActionsSentinelOneV1Enabled: boolean; readonly responseActionsSentinelOneV2Enabled: boolean; readonly responseActionsSentinelOneGetFileEnabled: boolean; readonly responseActionsSentinelOneKillProcessEnabled: boolean; readonly responseActionsSentinelOneProcessesEnabled: boolean; readonly responseActionsCrowdstrikeManualHostIsolationEnabled: boolean; readonly endpointManagementSpaceAwarenessEnabled: boolean; readonly securitySolutionNotesEnabled: boolean; readonly entityAlertPreviewDisabled: boolean; readonly assistantModelEvaluation: boolean; readonly assistantKnowledgeBaseByDefault: boolean; readonly newUserDetailsFlyoutManagedUser: boolean; readonly riskScoringPersistence: boolean; readonly riskScoringRoutesEnabled: boolean; readonly esqlRulesDisabled: boolean; readonly loggingRequestsEnabled: boolean; readonly protectionUpdatesEnabled: boolean; readonly disableTimelineSaveTour: boolean; readonly riskEnginePrivilegesRouteEnabled: boolean; readonly sentinelOneDataInAnalyzerEnabled: boolean; readonly sentinelOneManualHostActionsEnabled: boolean; readonly crowdstrikeDataInAnalyzerEnabled: boolean; readonly responseActionsTelemetryEnabled: boolean; readonly jamfDataInAnalyzerEnabled: boolean; readonly timelineEsqlTabDisabled: boolean; readonly unifiedComponentsInTimelineDisabled: boolean; readonly analyzerDatePickersAndSourcererDisabled: boolean; readonly prebuiltRulesCustomizationEnabled: boolean; readonly malwareOnWriteScanOptionAvailable: boolean; readonly unifiedManifestEnabled: boolean; readonly valueListItemsModalEnabled: boolean; readonly manualRuleRunEnabled: boolean; readonly 
filterProcessDescendantsForEventFiltersEnabled: boolean; readonly dataIngestionHubEnabled: boolean; readonly entityStoreEnabled: boolean; }"
],
"path": "x-pack/plugins/security_solution/server/plugin_contract.ts",
"deprecated": false,
@ -3208,7 +3208,7 @@
"label": "ExperimentalFeatures",
"description": [],
"signature": [
"{ readonly excludePoliciesInFilterEnabled: boolean; readonly kubernetesEnabled: boolean; readonly donutChartEmbeddablesEnabled: boolean; readonly previewTelemetryUrlEnabled: boolean; readonly extendedRuleExecutionLoggingEnabled: boolean; readonly socTrendsEnabled: boolean; readonly responseActionUploadEnabled: boolean; readonly automatedProcessActionsEnabled: boolean; readonly responseActionsSentinelOneV1Enabled: boolean; readonly responseActionsSentinelOneV2Enabled: boolean; readonly responseActionsSentinelOneGetFileEnabled: boolean; readonly responseActionsSentinelOneKillProcessEnabled: boolean; readonly responseActionsSentinelOneProcessesEnabled: boolean; readonly responseActionsCrowdstrikeManualHostIsolationEnabled: boolean; readonly endpointManagementSpaceAwarenessEnabled: boolean; readonly securitySolutionNotesEnabled: boolean; readonly entityAlertPreviewDisabled: boolean; readonly assistantModelEvaluation: boolean; readonly assistantKnowledgeBaseByDefault: boolean; readonly assistantNaturalLanguageESQLTool: boolean; readonly newUserDetailsFlyoutManagedUser: boolean; readonly riskScoringPersistence: boolean; readonly riskScoringRoutesEnabled: boolean; readonly esqlRulesDisabled: boolean; readonly loggingRequestsEnabled: boolean; readonly protectionUpdatesEnabled: boolean; readonly disableTimelineSaveTour: boolean; readonly riskEnginePrivilegesRouteEnabled: boolean; readonly sentinelOneDataInAnalyzerEnabled: boolean; readonly sentinelOneManualHostActionsEnabled: boolean; readonly crowdstrikeDataInAnalyzerEnabled: boolean; readonly responseActionsTelemetryEnabled: boolean; readonly jamfDataInAnalyzerEnabled: boolean; readonly timelineEsqlTabDisabled: boolean; readonly unifiedComponentsInTimelineDisabled: boolean; readonly analyzerDatePickersAndSourcererDisabled: boolean; readonly prebuiltRulesCustomizationEnabled: boolean; readonly malwareOnWriteScanOptionAvailable: boolean; readonly unifiedManifestEnabled: boolean; readonly valueListItemsModalEnabled: 
boolean; readonly manualRuleRunEnabled: boolean; readonly filterProcessDescendantsForEventFiltersEnabled: boolean; readonly dataIngestionHubEnabled: boolean; readonly entityStoreEnabled: boolean; }"
"{ readonly excludePoliciesInFilterEnabled: boolean; readonly kubernetesEnabled: boolean; readonly donutChartEmbeddablesEnabled: boolean; readonly previewTelemetryUrlEnabled: boolean; readonly extendedRuleExecutionLoggingEnabled: boolean; readonly socTrendsEnabled: boolean; readonly responseActionUploadEnabled: boolean; readonly automatedProcessActionsEnabled: boolean; readonly responseActionsSentinelOneV1Enabled: boolean; readonly responseActionsSentinelOneV2Enabled: boolean; readonly responseActionsSentinelOneGetFileEnabled: boolean; readonly responseActionsSentinelOneKillProcessEnabled: boolean; readonly responseActionsSentinelOneProcessesEnabled: boolean; readonly responseActionsCrowdstrikeManualHostIsolationEnabled: boolean; readonly endpointManagementSpaceAwarenessEnabled: boolean; readonly securitySolutionNotesEnabled: boolean; readonly entityAlertPreviewDisabled: boolean; readonly assistantModelEvaluation: boolean; readonly assistantKnowledgeBaseByDefault: boolean; readonly newUserDetailsFlyoutManagedUser: boolean; readonly riskScoringPersistence: boolean; readonly riskScoringRoutesEnabled: boolean; readonly esqlRulesDisabled: boolean; readonly loggingRequestsEnabled: boolean; readonly protectionUpdatesEnabled: boolean; readonly disableTimelineSaveTour: boolean; readonly riskEnginePrivilegesRouteEnabled: boolean; readonly sentinelOneDataInAnalyzerEnabled: boolean; readonly sentinelOneManualHostActionsEnabled: boolean; readonly crowdstrikeDataInAnalyzerEnabled: boolean; readonly responseActionsTelemetryEnabled: boolean; readonly jamfDataInAnalyzerEnabled: boolean; readonly timelineEsqlTabDisabled: boolean; readonly unifiedComponentsInTimelineDisabled: boolean; readonly analyzerDatePickersAndSourcererDisabled: boolean; readonly prebuiltRulesCustomizationEnabled: boolean; readonly malwareOnWriteScanOptionAvailable: boolean; readonly unifiedManifestEnabled: boolean; readonly valueListItemsModalEnabled: boolean; readonly manualRuleRunEnabled: boolean; readonly 
filterProcessDescendantsForEventFiltersEnabled: boolean; readonly dataIngestionHubEnabled: boolean; readonly entityStoreEnabled: boolean; }"
],
"path": "x-pack/plugins/security_solution/common/experimental_features.ts",
"deprecated": false,
@ -3274,7 +3274,7 @@
"\nA list of allowed values that can be used in `xpack.securitySolution.enableExperimental`.\nThis object is then used to validate and parse the value entered."
],
"signature": [
"{ readonly excludePoliciesInFilterEnabled: false; readonly kubernetesEnabled: true; readonly donutChartEmbeddablesEnabled: false; readonly previewTelemetryUrlEnabled: false; readonly extendedRuleExecutionLoggingEnabled: false; readonly socTrendsEnabled: false; readonly responseActionUploadEnabled: true; readonly automatedProcessActionsEnabled: true; readonly responseActionsSentinelOneV1Enabled: true; readonly responseActionsSentinelOneV2Enabled: true; readonly responseActionsSentinelOneGetFileEnabled: true; readonly responseActionsSentinelOneKillProcessEnabled: true; readonly responseActionsSentinelOneProcessesEnabled: true; readonly responseActionsCrowdstrikeManualHostIsolationEnabled: true; readonly endpointManagementSpaceAwarenessEnabled: false; readonly securitySolutionNotesEnabled: false; readonly entityAlertPreviewDisabled: false; readonly assistantModelEvaluation: false; readonly assistantKnowledgeBaseByDefault: false; readonly assistantNaturalLanguageESQLTool: false; readonly newUserDetailsFlyoutManagedUser: false; readonly riskScoringPersistence: true; readonly riskScoringRoutesEnabled: true; readonly esqlRulesDisabled: false; readonly loggingRequestsEnabled: false; readonly protectionUpdatesEnabled: true; readonly disableTimelineSaveTour: false; readonly riskEnginePrivilegesRouteEnabled: true; readonly sentinelOneDataInAnalyzerEnabled: true; readonly sentinelOneManualHostActionsEnabled: true; readonly crowdstrikeDataInAnalyzerEnabled: true; readonly responseActionsTelemetryEnabled: false; readonly jamfDataInAnalyzerEnabled: true; readonly timelineEsqlTabDisabled: false; readonly unifiedComponentsInTimelineDisabled: false; readonly analyzerDatePickersAndSourcererDisabled: false; readonly prebuiltRulesCustomizationEnabled: false; readonly malwareOnWriteScanOptionAvailable: true; readonly unifiedManifestEnabled: true; readonly valueListItemsModalEnabled: true; readonly manualRuleRunEnabled: false; readonly filterProcessDescendantsForEventFiltersEnabled: 
true; readonly dataIngestionHubEnabled: false; readonly entityStoreEnabled: false; }"
"{ readonly excludePoliciesInFilterEnabled: false; readonly kubernetesEnabled: true; readonly donutChartEmbeddablesEnabled: false; readonly previewTelemetryUrlEnabled: false; readonly extendedRuleExecutionLoggingEnabled: false; readonly socTrendsEnabled: false; readonly responseActionUploadEnabled: true; readonly automatedProcessActionsEnabled: true; readonly responseActionsSentinelOneV1Enabled: true; readonly responseActionsSentinelOneV2Enabled: true; readonly responseActionsSentinelOneGetFileEnabled: true; readonly responseActionsSentinelOneKillProcessEnabled: true; readonly responseActionsSentinelOneProcessesEnabled: true; readonly responseActionsCrowdstrikeManualHostIsolationEnabled: true; readonly endpointManagementSpaceAwarenessEnabled: false; readonly securitySolutionNotesEnabled: false; readonly entityAlertPreviewDisabled: false; readonly assistantModelEvaluation: false; readonly assistantKnowledgeBaseByDefault: false; readonly newUserDetailsFlyoutManagedUser: false; readonly riskScoringPersistence: true; readonly riskScoringRoutesEnabled: true; readonly esqlRulesDisabled: false; readonly loggingRequestsEnabled: false; readonly protectionUpdatesEnabled: true; readonly disableTimelineSaveTour: false; readonly riskEnginePrivilegesRouteEnabled: true; readonly sentinelOneDataInAnalyzerEnabled: true; readonly sentinelOneManualHostActionsEnabled: true; readonly crowdstrikeDataInAnalyzerEnabled: true; readonly responseActionsTelemetryEnabled: false; readonly jamfDataInAnalyzerEnabled: true; readonly timelineEsqlTabDisabled: false; readonly unifiedComponentsInTimelineDisabled: false; readonly analyzerDatePickersAndSourcererDisabled: false; readonly prebuiltRulesCustomizationEnabled: false; readonly malwareOnWriteScanOptionAvailable: true; readonly unifiedManifestEnabled: true; readonly valueListItemsModalEnabled: true; readonly manualRuleRunEnabled: false; readonly filterProcessDescendantsForEventFiltersEnabled: true; readonly dataIngestionHubEnabled: false; 
readonly entityStoreEnabled: false; }"
],
"path": "x-pack/plugins/security_solution/common/experimental_features.ts",
"deprecated": false,


@ -76,7 +76,6 @@ export type ReadKnowledgeBaseRequestParamsInput = z.input<typeof ReadKnowledgeBa
export type ReadKnowledgeBaseResponse = z.infer<typeof ReadKnowledgeBaseResponse>;
export const ReadKnowledgeBaseResponse = z.object({
elser_exists: z.boolean().optional(),
esql_exists: z.boolean().optional(),
index_exists: z.boolean().optional(),
is_setup_available: z.boolean().optional(),
is_setup_in_progress: z.boolean().optional(),


@ -68,8 +68,6 @@ paths:
properties:
elser_exists:
type: boolean
esql_exists:
type: boolean
index_exists:
type: boolean
is_setup_available:
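Review bot: Dropping `esql_exists` from the documented response is a contract change for any client that still gates on it. The client code removed elsewhere in this commit required `kbStatus?.esql_exists` to be truthy before treating setup as complete, so an older client build talking to a newer server would read `undefined` and report the knowledge base as not set up. Whether this route is internal-only or versioned is not visible in this hunk; if it is consumed across versions, consider keeping the property for one release, marked `deprecated: true`, instead of removing it outright.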


@ -32,7 +32,6 @@ jest.mock('@tanstack/react-query', () => ({
const statusResponse = {
elser_exists: true,
esql_exists: true,
index_exists: true,
pipeline_exists: true,
};


@ -78,21 +78,3 @@ export const useInvalidateKnowledgeBaseStatus = () => {
});
}, [queryClient]);
};
/**
* Helper for determining if Knowledge Base setup is complete.
*
* Note: Consider moving to API
*
* @param kbStatus ReadKnowledgeBaseResponse
*/
export const isKnowledgeBaseSetup = (kbStatus: ReadKnowledgeBaseResponse | undefined): boolean => {
return (
(kbStatus?.elser_exists &&
kbStatus?.esql_exists &&
kbStatus?.security_labs_exists &&
kbStatus?.index_exists &&
kbStatus?.pipeline_exists) ??
false
);
};


@ -10,7 +10,6 @@ import { HttpSetup } from '@kbn/core-http-browser';
import { i18n } from '@kbn/i18n';
import { Replacements } from '@kbn/elastic-assistant-common';
import { useKnowledgeBaseStatus } from '../api/knowledge_base/use_knowledge_base_status';
import { ESQL_RESOURCE } from '../../knowledge_base/setup_knowledge_base_button';
import { DataStreamApis } from '../use_data_stream_apis';
import { NEW_CHAT } from '../conversations/conversation_sidepanel/translations';
import type { ClientMessage } from '../../assistant_context/types';
@ -58,12 +57,11 @@ export const useChatSend = ({
const { isLoading, sendMessage, abortStream } = useSendMessage();
const { clearConversation, removeLastMessage } = useConversation();
const { data: kbStatus } = useKnowledgeBaseStatus({ http, resource: ESQL_RESOURCE });
const { data: kbStatus } = useKnowledgeBaseStatus({ http });
const isSetupComplete =
kbStatus?.elser_exists &&
kbStatus?.index_exists &&
kbStatus?.pipeline_exists &&
kbStatus?.esql_exists &&
kbStatus?.security_labs_exists;
// Handles sending latest user prompt to API
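Review bot: The readiness condition `isSetupComplete` is written out inline here, and the same conjunction is repeated as `isKnowledgeBaseSetup` in the settings component, while this commit deletes the shared `isKnowledgeBaseSetup(kbStatus)` helper instead of dropping only its `esql_exists` term. Two hand-maintained copies of the gate can drift the next time a status field is added or removed. Keeping the helper without `kbStatus?.esql_exists` and calling `const isSetupComplete = isKnowledgeBaseSetup(kbStatus);` would give one definition. The inline chain also evaluates to `boolean | undefined` because it lacks the `?? false` that the helper and the settings component apply, so a status that has not loaded yet is indistinguishable from "not set up". The body of `useChatSend` continues outside this hunk, so how the value is consumed is not visible here.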


@ -1,9 +0,0 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export const ESQL_RESOURCE = 'esql';
export const KNOWLEDGE_BASE_INDEX_PATTERN_OLD = '.kibana-elastic-ai-assistant-kb';
export const KNOWLEDGE_BASE_INDEX_PATTERN = '.kibana-elastic-ai-assistant-knowledge-base-(SPACE)';

View file

@ -69,7 +69,6 @@ jest.mock('../assistant/api/knowledge_base/use_knowledge_base_status', () => ({
return {
data: {
elser_exists: true,
esql_exists: true,
index_exists: true,
pipeline_exists: true,
},
@ -83,22 +82,11 @@ describe('Knowledge base settings', () => {
beforeEach(() => {
jest.clearAllMocks();
});
it('Shows correct description when esql is installed', () => {
const { getByTestId, queryByTestId } = render(
<TestProviders>
<KnowledgeBaseSettings {...defaultProps} />
</TestProviders>
);
expect(getByTestId('esql-installed')).toBeInTheDocument();
expect(queryByTestId('install-esql')).not.toBeInTheDocument();
});
it('On enable knowledge base, call setup knowledge base setup', () => {
(useKnowledgeBaseStatus as jest.Mock).mockImplementation(() => {
return {
data: {
elser_exists: true,
esql_exists: false,
index_exists: false,
pipeline_exists: false,
is_setup_available: true,
@ -115,14 +103,13 @@ describe('Knowledge base settings', () => {
expect(queryByTestId('kb-installed')).not.toBeInTheDocument();
expect(getByTestId('install-kb')).toBeInTheDocument();
fireEvent.click(getByTestId('setupKnowledgeBaseButton'));
expect(mockSetup).toHaveBeenCalledWith('esql');
expect(mockSetup).toHaveBeenCalled();
});
it('If elser does not exist, do not offer knowledge base', () => {
(useKnowledgeBaseStatus as jest.Mock).mockImplementation(() => {
return {
data: {
elser_exists: false,
esql_exists: false,
index_exists: false,
pipeline_exists: false,
},
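Review bot: The assertion in 'On enable knowledge base, call setup knowledge base setup' was loosened from `toHaveBeenCalledWith('esql')` to `toHaveBeenCalled()`, so the test no longer pins what the button hands to the setup mutation. Since the component now calls `setupKB()` with no argument, `expect(mockSetup).toHaveBeenCalledWith();` would fail if a resource argument were reintroduced. Separately, the default status mock in the first hunk has no `security_labs_exists`, which the component's `isKnowledgeBaseSetup` check still reads. Adding `security_labs_exists: true` there is worth considering if any test outside these hunks relies on the installed state.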


@ -31,7 +31,6 @@ import { useKnowledgeBaseStatus } from '../assistant/api/knowledge_base/use_know
import { useSetupKnowledgeBase } from '../assistant/api/knowledge_base/use_setup_knowledge_base';
import { SETUP_KNOWLEDGE_BASE_BUTTON_TOOLTIP } from './translations';
const ESQL_RESOURCE = 'esql';
const KNOWLEDGE_BASE_INDEX_PATTERN = '.kibana-elastic-ai-assistant-knowledge-base-(SPACE)';
interface Props {
@ -45,20 +44,14 @@ interface Props {
export const KnowledgeBaseSettings: React.FC<Props> = React.memo(
({ knowledgeBase, setUpdatedKnowledgeBaseSettings }) => {
const { http, toasts } = useAssistantContext();
const {
data: kbStatus,
isLoading,
isFetching,
} = useKnowledgeBaseStatus({ http, resource: ESQL_RESOURCE });
const { data: kbStatus, isLoading, isFetching } = useKnowledgeBaseStatus({ http });
const { mutate: setupKB, isLoading: isSettingUpKB } = useSetupKnowledgeBase({ http, toasts });
// Resource enabled state
const isElserEnabled = kbStatus?.elser_exists ?? false;
const isESQLEnabled = kbStatus?.esql_exists ?? false;
const isSecurityLabsEnabled = kbStatus?.security_labs_exists ?? false;
const isKnowledgeBaseSetup =
(isElserEnabled &&
isESQLEnabled &&
isSecurityLabsEnabled &&
kbStatus?.index_exists &&
kbStatus?.pipeline_exists) ??
@ -72,12 +65,11 @@ export const KnowledgeBaseSettings: React.FC<Props> = React.memo(
// Calculated health state for EuiHealth component
const elserHealth = isElserEnabled ? 'success' : 'subdued';
const knowledgeBaseHealth = isKnowledgeBaseSetup ? 'success' : 'subdued';
const esqlHealth = isESQLEnabled ? 'success' : 'subdued';
//////////////////////////////////////////////////////////////////////////////////////////
// Main `Knowledge Base` setup button
const onSetupKnowledgeBaseButtonClick = useCallback(() => {
setupKB(ESQL_RESOURCE);
setupKB();
}, [setupKB]);
const toolTipContent = !isSetupAvailable ? SETUP_KNOWLEDGE_BASE_BUTTON_TOOLTIP : undefined;
@ -119,16 +111,6 @@ export const KnowledgeBaseSettings: React.FC<Props> = React.memo(
);
}, [isKnowledgeBaseSetup]);
//////////////////////////////////////////////////////////////////////////////////////////
// ESQL Resource
const esqlDescription = useMemo(() => {
return isESQLEnabled ? (
<span data-test-subj="esql-installed">{i18n.ESQL_DESCRIPTION_INSTALLED}</span>
) : (
<span data-test-subj="install-esql">{i18n.ESQL_DESCRIPTION}</span>
);
}, [isESQLEnabled]);
return (
<>
<EuiTitle size={'s'}>
@ -208,20 +190,6 @@ export const KnowledgeBaseSettings: React.FC<Props> = React.memo(
</EuiText>
</div>
</EuiFlexItem>
<EuiFlexItem grow={false}>
<span>
<EuiHealth color={esqlHealth}>{i18n.ESQL_LABEL}</EuiHealth>
<EuiText
size={'xs'}
color={'subdued'}
css={css`
padding-left: 20px;
`}
>
{esqlDescription}
</EuiText>
</span>
</EuiFlexItem>
</EuiFlexGroup>
<EuiSpacer size="s" />
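Review bot: The knowledge-base readiness check is spelled out by hand in `isKnowledgeBaseSetup` here and again as `isSetupComplete` in `useChatSend` and `SetupKnowledgeBaseButton`, so dropping `esql_exists` needed the same edit in three files. A shared helper would keep the chat-send gate and the two settings components from drifting the next time a resource flag is added or removed. For example, `isKnowledgeBaseInstalled(kbStatus)` could return `Boolean(kbStatus?.elser_exists && kbStatus?.index_exists && kbStatus?.pipeline_exists && kbStatus?.security_labs_exists)`. The component body starts and ends outside these hunks, so other readers of `kbStatus` in it could not be checked from here.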


@ -13,8 +13,6 @@ import { useAssistantContext } from '../..';
import { useSetupKnowledgeBase } from '../assistant/api/knowledge_base/use_setup_knowledge_base';
import { useKnowledgeBaseStatus } from '../assistant/api/knowledge_base/use_knowledge_base_status';
export const ESQL_RESOURCE = 'esql';
interface Props {
display?: 'mini';
}
@ -26,7 +24,7 @@ interface Props {
export const SetupKnowledgeBaseButton: React.FC<Props> = React.memo(({ display }: Props) => {
const { http, toasts } = useAssistantContext();
const { data: kbStatus } = useKnowledgeBaseStatus({ http, resource: ESQL_RESOURCE });
const { data: kbStatus } = useKnowledgeBaseStatus({ http });
const { mutate: setupKB, isLoading: isSettingUpKB } = useSetupKnowledgeBase({ http, toasts });
const isSetupInProgress = kbStatus?.is_setup_in_progress || isSettingUpKB;
@ -34,11 +32,10 @@ export const SetupKnowledgeBaseButton: React.FC<Props> = React.memo(({ display }
kbStatus?.elser_exists &&
kbStatus?.index_exists &&
kbStatus?.pipeline_exists &&
kbStatus?.esql_exists &&
kbStatus?.security_labs_exists;
const onInstallKnowledgeBase = useCallback(() => {
setupKB(ESQL_RESOURCE);
setupKB();
}, [setupKB]);
if (isSetupComplete) {


@ -8,43 +8,7 @@
import { Document } from 'langchain/document';
/**
* Mock LangChain `Document`s from `knowledge_base/esql/documentation`, loaded from a LangChain `DirectoryLoader`
*/
export const mockEsqlDocsFromDirectoryLoader: Document[] = [
{
pageContent:
'[[esql-agg-avg]]\n=== `AVG`\nThe average of a numeric field.\n\n[source.merge.styled,esql]\n----\ninclude::{esql-specs}/stats.csv-spec[tag=avg]\n----\n[%header.monospaced.styled,format=dsv,separator=|]\n|===\ninclude::{esql-specs}/stats.csv-spec[tag=avg-result]\n|===\n\nThe result is always a `double` not matter the input type.\n',
metadata: {
source:
'/Users/andrew.goldstein/Projects/forks/andrew-goldstein/kibana/x-pack/plugins/elastic_assistant/server/knowledge_base/esql/documentation/aggregation_functions/avg.asciidoc',
},
},
];
/**
* Mock LangChain `Document`s from `knowledge_base/esql/language_definition`, loaded from a LangChain `DirectoryLoader`
*/
export const mockEsqlLanguageDocsFromDirectoryLoader: Document[] = [
{
pageContent:
"lexer grammar EsqlBaseLexer;\n\nDISSECT : 'dissect' -> pushMode(EXPRESSION);\nDROP : 'drop' -> pushMode(SOURCE_IDENTIFIERS);\nENRICH : 'enrich' -> pushMode(SOURCE_IDENTIFIERS);\nEVAL : 'eval' -> pushMode(EXPRESSION);\nEXPLAIN : 'explain' -> pushMode(EXPLAIN_MODE);\nFROM : 'from' -> pushMode(SOURCE_IDENTIFIERS);\nGROK : 'grok' -> pushMode(EXPRESSION);\nINLINESTATS : 'inlinestats' -> pushMode(EXPRESSION);\nKEEP : 'keep' -> pushMode(SOURCE_IDENTIFIERS);\nLIMIT : 'limit' -> pushMode(EXPRESSION);\nMV_EXPAND : 'mv_expand' -> pushMode(SOURCE_IDENTIFIERS);\nPROJECT : 'project' -> pushMode(SOURCE_IDENTIFIERS);\nRENAME : 'rename' -> pushMode(SOURCE_IDENTIFIERS);\nROW : 'row' -> pushMode(EXPRESSION);\nSHOW : 'show' -> pushMode(EXPRESSION);\nSORT : 'sort' -> pushMode(EXPRESSION);\nSTATS : 'stats' -> pushMode(EXPRESSION);\nWHERE : 'where' -> pushMode(EXPRESSION);\nUNKNOWN_CMD : ~[ \\r\\n\\t[\\]/]+ -> pushMode(EXPRESSION);\n\nLINE_COMMENT\n : '//' ~[\\r\\n]* '\\r'? '\\n'? -> channel(HIDDEN)\n ;\n\nMULTILINE_COMMENT\n : '/*' (MULTILINE_COMMENT|.)*? '*/' -> channel(HIDDEN)\n ;\n\nWS\n : [ \\r\\n\\t]+ -> channel(HIDDEN)\n ;\n\n\nmode EXPLAIN_MODE;\nEXPLAIN_OPENING_BRACKET : '[' -> type(OPENING_BRACKET), pushMode(DEFAULT_MODE);\nEXPLAIN_PIPE : '|' -> type(PIPE), popMode;\nEXPLAIN_WS : WS -> channel(HIDDEN);\nEXPLAIN_LINE_COMMENT : LINE_COMMENT -> channel(HIDDEN);\nEXPLAIN_MULTILINE_COMMENT : MULTILINE_COMMENT -> channel(HIDDEN);\n\nmode EXPRESSION;\n\nPIPE : '|' -> popMode;\n\nfragment DIGIT\n : [0-9]\n ;\n\nfragment LETTER\n : [A-Za-z]\n ;\n\nfragment ESCAPE_SEQUENCE\n : '\\\\' [tnr\"\\\\]\n ;\n\nfragment UNESCAPED_CHARS\n : ~[\\r\\n\"\\\\]\n ;\n\nfragment EXPONENT\n : [Ee] [+-]? DIGIT+\n ;\n\nSTRING\n : '\"' (ESCAPE_SEQUENCE | UNESCAPED_CHARS)* '\"'\n | '\"\"\"' (~[\\r\\n])*? '\"\"\"' '\"'? '\"'?\n ;\n\nINTEGER_LITERAL\n : DIGIT+\n ;\n\nDECIMAL_LITERAL\n : DIGIT+ DOT DIGIT*\n | DOT DIGIT+\n | DIGIT+ (DOT DIGIT*)? 
EXPONENT\n | DOT DIGIT+ EXPONENT\n ;\n\nBY : 'by';\n\nAND : 'and';\nASC : 'asc';\nASSIGN : '=';\nCOMMA : ',';\nDESC : 'desc';\nDOT : '.';\nFALSE : 'false';\nFIRST : 'first';\nLAST : 'last';\nLP : '(';\nIN: 'in';\nIS: 'is';\nLIKE: 'like';\nNOT : 'not';\nNULL : 'null';\nNULLS : 'nulls';\nOR : 'or';\nPARAM: '?';\nRLIKE: 'rlike';\nRP : ')';\nTRUE : 'true';\nINFO : 'info';\nFUNCTIONS : 'functions';\n\nEQ : '==';\nNEQ : '!=';\nLT : '<';\nLTE : '<=';\nGT : '>';\nGTE : '>=';\n\nPLUS : '+';\nMINUS : '-';\nASTERISK : '*';\nSLASH : '/';\nPERCENT : '%';\n\n// Brackets are funny. We can happen upon a CLOSING_BRACKET in two ways - one\n// way is to start in an explain command which then shifts us to expression\n// mode. Thus, the two popModes on CLOSING_BRACKET. The other way could as\n// the start of a multivalued field constant. To line up with the double pop\n// the explain mode needs, we double push when we see that.\nOPENING_BRACKET : '[' -> pushMode(EXPRESSION), pushMode(EXPRESSION);\nCLOSING_BRACKET : ']' -> popMode, popMode;\n\n\nUNQUOTED_IDENTIFIER\n : LETTER (LETTER | DIGIT | '_')*\n // only allow @ at beginning of identifier to keep the option to allow @ as infix operator in the future\n // also, single `_` and `@` characters are not valid identifiers\n | ('_' | '@') (LETTER | DIGIT | '_')+\n ;\n\nQUOTED_IDENTIFIER\n : '`' ( ~'`' | '``' )* '`'\n ;\n\nEXPR_LINE_COMMENT\n : LINE_COMMENT -> channel(HIDDEN)\n ;\n\nEXPR_MULTILINE_COMMENT\n : MULTILINE_COMMENT -> channel(HIDDEN)\n ;\n\nEXPR_WS\n : WS -> channel(HIDDEN)\n ;\n\n\n\nmode SOURCE_IDENTIFIERS;\n\nSRC_PIPE : '|' -> type(PIPE), popMode;\nSRC_OPENING_BRACKET : '[' -> type(OPENING_BRACKET), pushMode(SOURCE_IDENTIFIERS), pushMode(SOURCE_IDENTIFIERS);\nSRC_CLOSING_BRACKET : ']' -> popMode, popMode, type(CLOSING_BRACKET);\nSRC_COMMA : ',' -> type(COMMA);\nSRC_ASSIGN : '=' -> type(ASSIGN);\nAS : 'as';\nMETADATA: 'metadata';\nON : 'on';\nWITH : 'with';\n\nSRC_UNQUOTED_IDENTIFIER\n : SRC_UNQUOTED_IDENTIFIER_PART+\n 
;\n\nfragment SRC_UNQUOTED_IDENTIFIER_PART\n : ~[=`|,[\\]/ \\t\\r\\n]+\n | '/' ~[*/] // allow single / but not followed by another / or * which would start a comment\n ;\n\nSRC_QUOTED_IDENTIFIER\n : QUOTED_IDENTIFIER\n ;\n\nSRC_LINE_COMMENT\n : LINE_COMMENT -> channel(HIDDEN)\n ;\n\nSRC_MULTILINE_COMMENT\n : MULTILINE_COMMENT -> channel(HIDDEN)\n ;\n\nSRC_WS\n : WS -> channel(HIDDEN)\n ;\n",
metadata: {
source:
'/Users/andrew.goldstein/Projects/forks/andrew-goldstein/kibana/x-pack/plugins/elastic_assistant/server/knowledge_base/esql/language_definition/esql_base_lexer.g4',
},
},
{
pageContent:
"DISSECT=1\nDROP=2\nENRICH=3\nEVAL=4\nEXPLAIN=5\nFROM=6\nGROK=7\nINLINESTATS=8\nKEEP=9\nLIMIT=10\nMV_EXPAND=11\nPROJECT=12\nRENAME=13\nROW=14\nSHOW=15\nSORT=16\nSTATS=17\nWHERE=18\nUNKNOWN_CMD=19\nLINE_COMMENT=20\nMULTILINE_COMMENT=21\nWS=22\nEXPLAIN_WS=23\nEXPLAIN_LINE_COMMENT=24\nEXPLAIN_MULTILINE_COMMENT=25\nPIPE=26\nSTRING=27\nINTEGER_LITERAL=28\nDECIMAL_LITERAL=29\nBY=30\nAND=31\nASC=32\nASSIGN=33\nCOMMA=34\nDESC=35\nDOT=36\nFALSE=37\nFIRST=38\nLAST=39\nLP=40\nIN=41\nIS=42\nLIKE=43\nNOT=44\nNULL=45\nNULLS=46\nOR=47\nPARAM=48\nRLIKE=49\nRP=50\nTRUE=51\nINFO=52\nFUNCTIONS=53\nEQ=54\nNEQ=55\nLT=56\nLTE=57\nGT=58\nGTE=59\nPLUS=60\nMINUS=61\nASTERISK=62\nSLASH=63\nPERCENT=64\nOPENING_BRACKET=65\nCLOSING_BRACKET=66\nUNQUOTED_IDENTIFIER=67\nQUOTED_IDENTIFIER=68\nEXPR_LINE_COMMENT=69\nEXPR_MULTILINE_COMMENT=70\nEXPR_WS=71\nAS=72\nMETADATA=73\nON=74\nWITH=75\nSRC_UNQUOTED_IDENTIFIER=76\nSRC_QUOTED_IDENTIFIER=77\nSRC_LINE_COMMENT=78\nSRC_MULTILINE_COMMENT=79\nSRC_WS=80\nEXPLAIN_PIPE=81\n'dissect'=1\n'drop'=2\n'enrich'=3\n'eval'=4\n'explain'=5\n'from'=6\n'grok'=7\n'inlinestats'=8\n'keep'=9\n'limit'=10\n'mv_expand'=11\n'project'=12\n'rename'=13\n'row'=14\n'show'=15\n'sort'=16\n'stats'=17\n'where'=18\n'by'=30\n'and'=31\n'asc'=32\n'desc'=35\n'.'=36\n'false'=37\n'first'=38\n'last'=39\n'('=40\n'in'=41\n'is'=42\n'like'=43\n'not'=44\n'null'=45\n'nulls'=46\n'or'=47\n'?'=48\n'rlike'=49\n')'=50\n'true'=51\n'info'=52\n'functions'=53\n'=='=54\n'!='=55\n'<'=56\n'<='=57\n'>'=58\n'>='=59\n'+'=60\n'-'=61\n'*'=62\n'/'=63\n'%'=64\n']'=66\n'as'=72\n'metadata'=73\n'on'=74\n'with'=75\n",
metadata: {
source:
'/Users/andrew.goldstein/Projects/forks/andrew-goldstein/kibana/x-pack/plugins/elastic_assistant/server/knowledge_base/esql/language_definition/esql_base_lexer.tokens',
},
},
];
/**
* Mock LangChain `Document`s from `knowledge_base/esql/example_queries`, loaded from a LangChain `DirectoryLoader`
* Mock LangChain `Document`s loaded from a LangChain `DirectoryLoader`
*/
export const mockExampleQueryDocsFromDirectoryLoader: Document[] = [
{
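Review bot: The removed fixtures stored absolute paths from a developer workstation in `metadata.source` (`/Users/<name>/Projects/...`), and the `source` values of the retained `mockExampleQueryDocsFromDirectoryLoader` array are not visible because it continues past the end of this hunk. If they follow the same pattern, a path relative to the plugin root would keep a local username and directory layout out of the test data. The rewritten comment also no longer says which directory the remaining documents came from; a short mention of the example-queries source would keep it as informative as before.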


@ -25,7 +25,6 @@ import { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/typesWith
import { StructuredTool } from '@langchain/core/tools';
import { ElasticsearchClient } from '@kbn/core/server';
import { AIAssistantDataClient, AIAssistantDataClientParams } from '..';
import { loadESQL } from '../../lib/langchain/content_loaders/esql_loader';
import { AssistantToolParams, GetElser } from '../../types';
import {
createKnowledgeBaseEntry,
@ -200,17 +199,14 @@ export class AIAssistantKnowledgeBaseDataClient extends AIAssistantDataClient {
*
* @param options
* @param options.soClient SavedObjectsClientContract for installing ELSER so that ML SO's are in sync
* @param options.installEsqlDocs Whether to install ESQL documents as part of setup (e.g. not needed in test env)
*
* @returns Promise<void>
*/
public setupKnowledgeBase = async ({
soClient,
installEsqlDocs = true,
installSecurityLabsDocs = true,
}: {
soClient: SavedObjectsClientContract;
installEsqlDocs?: boolean;
installSecurityLabsDocs?: boolean;
}): Promise<void> => {
if (this.options.getIsKBSetupInProgress()) {
@ -254,15 +250,6 @@ export class AIAssistantKnowledgeBaseDataClient extends AIAssistantDataClient {
}
this.options.logger.debug(`Checking if Knowledge Base docs have been loaded...`);
if (installEsqlDocs) {
const kbDocsLoaded = await this.isESQLDocsLoaded();
if (!kbDocsLoaded) {
this.options.logger.debug(`Loading KB docs...`);
await loadESQL(this, this.options.logger);
} else {
this.options.logger.debug(`Knowledge Base docs already loaded!`);
}
}
if (installSecurityLabsDocs) {
const labsDocsLoaded = await this.isSecurityLabsDocsLoaded();
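Review bot: The JSDoc on `setupKnowledgeBase` lost its `installEsqlDocs` line, and the remaining option `installSecurityLabsDocs` has no `@param` entry, so `soClient` is now the only documented option. I would add `* @param options.installSecurityLabsDocs Whether to install Security Labs documents as part of setup (defaults to true)`. With the `loadESQL` branch gone, `isESQLDocsLoaded()` may have no remaining caller in this class. That method is outside the hunk, so this should be confirmed rather than assumed. The body of `setupKnowledgeBase` continues beyond the last hunk.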


@ -1,63 +0,0 @@
[[esql-commands]]
=== {esql} commands
++++
<titleabbrev>Commands</titleabbrev>
++++
// tag::source_commands[]
==== Source commands
An {esql} source command produces a table, typically with data from {es}. An {esql} query must start with a source command.
image::images/esql/source-command.svg[A source command producing a table from {es},align="center"]
{esql} supports these source commands:
* <<esql-from>>
* <<esql-row>>
* <<esql-show>>
// end::source_command[]
// tag::proc_commands[]
==== Processing commands
{esql} processing commands change an input table by adding, removing, or changing
rows and columns.
image::images/esql/processing-command.svg[A processing command changing an input table,align="center"]
{esql} supports these processing commands:
* <<esql-dissect>>
* <<esql-drop>>
* <<esql-enrich>>
* <<esql-eval>>
* <<esql-grok>>
* <<esql-keep>>
* <<esql-limit>>
* <<esql-mv_expand>>
* <<esql-rename>>
* <<esql-sort>>
* <<esql-stats-by>>
* <<esql-where>>
// end::proc_command[]
include::source-commands/from.asciidoc[]
include::source-commands/row.asciidoc[]
include::source-commands/show.asciidoc[]
include::processing-commands/dissect.asciidoc[]
include::processing-commands/drop.asciidoc[]
include::processing-commands/enrich.asciidoc[]
include::processing-commands/eval.asciidoc[]
include::processing-commands/grok.asciidoc[]
include::processing-commands/keep.asciidoc[]
include::processing-commands/limit.asciidoc[]
include::processing-commands/mv_expand.asciidoc[]
include::processing-commands/rename.asciidoc[]
include::processing-commands/sort.asciidoc[]
include::processing-commands/stats.asciidoc[]
include::processing-commands/where.asciidoc[]


@ -1,126 +0,0 @@
[[esql-enrich-data]]
=== Enrich data
++++
<titleabbrev>Enrich data</titleabbrev>
++++
You can use {esql}'s <<esql-enrich>> processing command to enrich a table with
data from indices in {es}.
For example, you can use `ENRICH` to:
* Identify web services or vendors based on known IP addresses
* Add product information to retail orders based on product IDs
* Supplement contact information based on an email address
[[esql-how-enrich-works]]
==== How the `ENRICH` command works
The `ENRICH` command adds new columns to a table, with data from {es} indices.
It requires a few special components:
image::images/esql/esql-enrich.png[align="center"]
[[esql-enrich-policy]]
Enrich policy::
+
--
A set of configuration options used to add the right enrich data to the input
table.
An enrich policy contains:
include::../ingest/enrich.asciidoc[tag=enrich-policy-fields]
After <<esql-create-enrich-policy,creating a policy>>, it must be
<<esql-execute-enrich-policy,executed>> before it can be used. Executing an
enrich policy uses data from the policy's source indices to create a streamlined
system index called the _enrich index_. The `ENRICH` command uses this index to
match and enrich an input table.
--
[[esql-source-index]]
Source index::
An index which stores enrich data that the `ENRICH` command can add to input
tables. You can create and manage these indices just like a regular {es} index.
You can use multiple source indices in an enrich policy. You also can use the
same source index in multiple enrich policies.
[[esql-enrich-index]]
Enrich index::
+
--
A special system index tied to a specific enrich policy.
Directly matching rows from input tables to documents in source indices could be
slow and resource intensive. To speed things up, the `ENRICH` command uses an
enrich index.
include::../ingest/enrich.asciidoc[tag=enrich-index]
--
[[esql-set-up-enrich-policy]]
==== Set up an enrich policy
To start using `ENRICH`, follow these steps:
. Check the <<enrich-prereqs, prerequisites>>.
. <<esql-create-enrich-source-index>>.
. <<esql-create-enrich-policy>>.
. <<esql-execute-enrich-policy>>.
. <<esql-use-enrich>>
Once you have enrich policies set up, you can <<esql-update-enrich-data,update
your enrich data>> and <<esql-update-enrich-policies, update your enrich
policies>>.
[IMPORTANT]
====
The `ENRICH` command performs several operations and may impact the speed of
your query.
====
[[esql-enrich-prereqs]]
==== Prerequisites
include::{es-repo-dir}/ingest/apis/enrich/put-enrich-policy.asciidoc[tag=enrich-policy-api-prereqs]
[[esql-create-enrich-source-index]]
==== Add enrich data
include::../ingest/enrich.asciidoc[tag=create-enrich-source-index]
[[esql-create-enrich-policy]]
==== Create an enrich policy
include::../ingest/enrich.asciidoc[tag=create-enrich-policy]
[[esql-execute-enrich-policy]]
==== Execute the enrich policy
include::../ingest/enrich.asciidoc[tag=execute-enrich-policy1]
image::images/esql/esql-enrich-policy.png[align="center"]
include::../ingest/enrich.asciidoc[tag=execute-enrich-policy2]
[[esql-use-enrich]]
==== Use the enrich policy
After the policy has been executed, you can use the <<esql-enrich,`ENRICH`
command>> to enrich your data.
image::images/esql/esql-enrich-command.png[align="center",width=50%]
include::processing-commands/enrich.asciidoc[tag=examples]
[[esql-update-enrich-data]]
==== Update an enrich index
include::{es-repo-dir}/ingest/apis/enrich/execute-enrich-policy.asciidoc[tag=update-enrich-index]
[[esql-update-enrich-policies]]
==== Update an enrich policy
include::../ingest/enrich.asciidoc[tag=update-enrich-policy]


@ -1,140 +0,0 @@
[[esql-functions]]
== {esql} functions
++++
<titleabbrev>Functions</titleabbrev>
++++
<<esql-row,`ROW`>>, <<esql-eval,`EVAL`>> and <<esql-where,`WHERE`>> support
these functions:
* <<esql-abs>>
* <<esql-acos>>
* <<esql-asin>>
* <<esql-atan>>
* <<esql-atan2>>
* <<esql-auto_bucket>>
* <<esql-case>>
* <<esql-ceil>>
* <<esql-cidr_match>>
* <<esql-coalesce>>
* <<esql-concat>>
* <<esql-cos>>
* <<esql-cosh>>
* <<esql-date_extract>>
* <<esql-date_format>>
* <<esql-date_parse>>
* <<esql-date_trunc>>
* <<esql-e>>
* <<esql-ends_with>>
* <<esql-floor>>
* <<esql-greatest>>
* <<esql-is_finite>>
* <<esql-is_infinite>>
* <<esql-is_nan>>
* <<esql-least>>
* <<esql-left>>
* <<esql-length>>
* <<esql-log10>>
* <<esql-ltrim>>
* <<esql-mv_avg>>
* <<esql-mv_concat>>
* <<esql-mv_count>>
* <<esql-mv_dedupe>>
* <<esql-mv_max>>
* <<esql-mv_median>>
* <<esql-mv_min>>
* <<esql-mv_sum>>
* <<esql-now>>
* <<esql-pi>>
* <<esql-pow>>
* <<esql-replace>>
* <<esql-right>>
* <<esql-round>>
* <<esql-rtrim>>
* <<esql-sin>>
* <<esql-sinh>>
* <<esql-split>>
* <<esql-starts_with>>
* <<esql-substring>>
* <<esql-tan>>
* <<esql-tanh>>
* <<esql-tau>>
* <<esql-to_boolean>>
* <<esql-to_datetime>>
* <<esql-to_degrees>>
* <<esql-to_double>>
* <<esql-to_integer>>
* <<esql-to_ip>>
* <<esql-to_long>>
* <<esql-to_radians>>
* <<esql-to_string>>
* <<esql-to_unsigned_long>>
* <<esql-to_version>>
* <<esql-trim>>
include::functions/abs.asciidoc[]
include::functions/acos.asciidoc[]
include::functions/asin.asciidoc[]
include::functions/atan.asciidoc[]
include::functions/atan2.asciidoc[]
include::functions/auto_bucket.asciidoc[]
include::functions/case.asciidoc[]
include::functions/ceil.asciidoc[]
include::functions/cidr_match.asciidoc[]
include::functions/coalesce.asciidoc[]
include::functions/concat.asciidoc[]
include::functions/cos.asciidoc[]
include::functions/cosh.asciidoc[]
include::functions/date_extract.asciidoc[]
include::functions/date_format.asciidoc[]
include::functions/date_parse.asciidoc[]
include::functions/date_trunc.asciidoc[]
include::functions/e.asciidoc[]
include::functions/ends_with.asciidoc[]
include::functions/floor.asciidoc[]
include::functions/greatest.asciidoc[]
include::functions/is_finite.asciidoc[]
include::functions/is_infinite.asciidoc[]
include::functions/is_nan.asciidoc[]
include::functions/least.asciidoc[]
include::functions/left.asciidoc[]
include::functions/length.asciidoc[]
include::functions/log10.asciidoc[]
include::functions/ltrim.asciidoc[]
include::functions/mv_avg.asciidoc[]
include::functions/mv_concat.asciidoc[]
include::functions/mv_count.asciidoc[]
include::functions/mv_dedupe.asciidoc[]
include::functions/mv_max.asciidoc[]
include::functions/mv_median.asciidoc[]
include::functions/mv_min.asciidoc[]
include::functions/mv_sum.asciidoc[]
include::functions/now.asciidoc[]
include::functions/pi.asciidoc[]
include::functions/pow.asciidoc[]
include::functions/replace.asciidoc[]
include::functions/right.asciidoc[]
include::functions/round.asciidoc[]
include::functions/rtrim.asciidoc[]
include::functions/sin.asciidoc[]
include::functions/sinh.asciidoc[]
include::functions/split.asciidoc[]
include::functions/sqrt.asciidoc[]
include::functions/starts_with.asciidoc[]
include::functions/substring.asciidoc[]
include::functions/tan.asciidoc[]
include::functions/tanh.asciidoc[]
include::functions/tau.asciidoc[]
include::functions/to_boolean.asciidoc[]
include::functions/to_datetime.asciidoc[]
include::functions/to_degrees.asciidoc[]
include::functions/to_double.asciidoc[]
include::functions/to_integer.asciidoc[]
include::functions/to_ip.asciidoc[]
include::functions/to_long.asciidoc[]
include::functions/to_radians.asciidoc[]
include::functions/to_string.asciidoc[]
include::functions/to_unsigned_long.asciidoc[]
include::functions/to_version.asciidoc[]
include::functions/trim.asciidoc[]


@ -1,43 +0,0 @@
[[esql-functions-operators]]
=== {esql} functions and operators
++++
<titleabbrev>Functions and operators</titleabbrev>
++++
{esql} provides a comprehensive set of functions and operators for working with data.
The functions are divided into the following categories:
[[esql-functions]]
<<esql-agg-functions>>::
include::functions/aggregation-functions.asciidoc[tag=agg_list]
<<esql-math-functions>>::
include::functions/math-functions.asciidoc[tag=math_list]
<<esql-string-functions>>::
include::functions/string-functions.asciidoc[tag=string_list]
<<esql-date-time-functions>>::
include::functions/date-time-functions.asciidoc[tag=date_list]
<<esql-type-conversion-functions>>::
include::functions/type-conversion-functions.asciidoc[tag=type_list]
<<esql-conditional-functions-and-expressions>>::
include::functions/conditional-functions-and-expressions.asciidoc[tag=cond_list]
<<esql-mv-functions>>::
include::functions/mv-functions.asciidoc[tag=mv_list]
<<esql-operators>>::
include::functions/operators.asciidoc[tag=op_list]
include::functions/aggregation-functions.asciidoc[]
include::functions/math-functions.asciidoc[]
include::functions/string-functions.asciidoc[]
include::functions/date-time-functions.asciidoc[]
include::functions/type-conversion-functions.asciidoc[]
include::functions/conditional-functions-and-expressions.asciidoc[]
include::functions/mv-functions.asciidoc[]
include::functions/operators.asciidoc[]


@ -1,8 +0,0 @@
[[esql-getting-started]]
== Getting started with {esql}
++++
<titleabbrev>Getting started</titleabbrev>
++++
coming::[8.11]


@ -1,15 +0,0 @@
[[esql-kibana]]
== Using {esql} in {kib}
++++
<titleabbrev>Kibana</titleabbrev>
++++
Use {esql} in Discover to explore a data set. From the data view dropdown,
select *Try {esql}* to get started.
NOTE: {esql} queries in Discover and Lens are subject to the time range selected
with the time filter.


@ -1,23 +0,0 @@
[[esql-language]]
== Working with the {esql} language
++++
<titleabbrev>Working with the {esql} language</titleabbrev>
++++
Detailed information about the {esql} language:
* <<esql-syntax>>
* <<esql-commands>>
* <<esql-functions>>
* <<esql-multivalued-fields>>
* <<esql-metadata-fields>>
* <<esql-enrich-data>>
include::esql-syntax.asciidoc[]
include::esql-commands.asciidoc[]
include::esql-functions-operators.asciidoc[]
include::multivalued-fields.asciidoc[]
include::metadata-fields.asciidoc[]
include::esql-enrich-data.asciidoc[]


@ -1,32 +0,0 @@
[[esql-limitations]]
== {esql} limitations
++++
<titleabbrev>Limitations</titleabbrev>
++++
[discrete]
[[esql-supported-types]]
=== Supported types
* {esql} currently supports the following <<mapping-types,field types>>:
** `alias`
** `boolean`
** `date`
** `double` (`float`, `half_float`, `scaled_float` are represented as `double`)
** `ip`
** `keyword` family including `keyword`, `constant_keyword`, and `wildcard`
** `int` (`short` and `byte` are represented as `int`)
** `long`
** `null`
** `text`
** `unsigned_long`
** `version`
[discrete]
[[esql-max-rows]]
=== 10,000 row maximum
A single query will not return more than 10,000 rows, regardless of the
`LIMIT` command's value.


@ -1,97 +0,0 @@
[[esql-query-api]]
== {esql} query API
++++
<titleabbrev>{esql} query API</titleabbrev>
++++
Returns search results for an <<esql,ES|QL ({es} query language)>> query.
[source,console]
----
POST /_query
{
"query": """
FROM library
| EVAL year = DATE_TRUNC(1 YEARS, release_date)
| STATS MAX(page_count) BY year
| SORT year
| LIMIT 5
"""
}
----
// TEST[setup:library]
[discrete]
[[esql-query-api-request]]
=== {api-request-title}
`POST _query`
[discrete]
[[esql-query-api-prereqs]]
=== {api-prereq-title}
* If the {es} {security-features} are enabled, you must have the `read`
<<privileges-list-indices,index privilege>> for the data stream, index,
or alias you search.
[discrete]
[[esql-query-api-query-params]]
=== {api-query-parms-title}
`delimiter`::
(Optional, string) Separator for CSV results. Defaults to `,`. The API only
supports this parameter for CSV responses.
`format`::
(Optional, string) Format for the response. For valid values, refer to
<<esql-rest-format>>.
+
You can also specify a format using the `Accept` HTTP header. If you specify
both this parameter and the `Accept` HTTP header, this parameter takes
precedence.
[discrete]
[role="child_attributes"]
[[esql-query-api-request-body]]
=== {api-request-body-title}
`columnar`::
(Optional, Boolean) If `true`, returns results in a columnar format. Defaults to
`false`. The API only supports this parameter for CBOR, JSON, SMILE, and YAML
responses. See <<esql-rest-columnar>>.
`params`::
(Optional, array) Values for parameters in the `query`. For syntax, refer to
<<esql-rest-params>>.
`query`::
(Required, object) {esql} query to run. For syntax, refer to <<esql-syntax>>.
[[esql-search-api-time-zone]]
`time_zone`::
(Optional, string) ISO-8601 time zone ID for the search. Several {esql}
date/time functions use this time zone. Defaults to `Z` (UTC).
[discrete]
[role="child_attributes"]
[[esql-query-api-response-body]]
=== {api-response-body-title}
`columns`::
(array of objects)
Column headings for the search results. Each object is a column.
+
.Properties of `columns` objects
[%collapsible%open]
====
`name`::
(string) Name of the column.
`type`::
(string) Data type for the column.
====
`rows`::
(array of arrays)
Values for the search results.


@ -1,249 +0,0 @@
[[esql-rest]]
== {esql} REST API
++++
<titleabbrev>REST API</titleabbrev>
++++
[discrete]
[[esql-rest-overview]]
=== Overview
The <<esql-query-api,{esql} query API>> accepts an {esql} query string in the
`query` parameter, runs it, and returns the results. For example:
[source,console]
----
POST /_query?format=txt
{
"query": "FROM library | KEEP author, name, page_count, release_date | SORT page_count DESC | LIMIT 5"
}
----
// TEST[setup:library]
Which returns:
[source,text]
----
author | name | page_count | release_date
-----------------+--------------------+---------------+------------------------
Peter F. Hamilton|Pandora's Star |768 |2004-03-02T00:00:00.000Z
Vernor Vinge |A Fire Upon the Deep|613 |1992-06-01T00:00:00.000Z
Frank Herbert |Dune |604 |1965-06-01T00:00:00.000Z
Alastair Reynolds|Revelation Space |585 |2000-03-15T00:00:00.000Z
James S.A. Corey |Leviathan Wakes |561 |2011-06-02T00:00:00.000Z
----
// TESTRESPONSE[s/\|/\\|/ s/\+/\\+/]
// TESTRESPONSE[non_json]
[discrete]
[[esql-kibana-console]]
=== Kibana Console
If you are using {kibana-ref}/console-kibana.html[Kibana Console] (which is
highly recommended), take advantage of the triple quotes `"""` when creating the
query. This not only automatically escapes double quotes (`"`) inside the query
string but also supports multi-line requests:
// tag::esql-query-api[]
[source,console]
----
POST /_query?format=txt
{
"query": """
FROM library
| KEEP author, name, page_count, release_date
| SORT page_count DESC
| LIMIT 5
"""
}
----
// TEST[setup:library]
[discrete]
[[esql-rest-format]]
=== Response formats
{esql} can return the data in the following human readable and binary formats.
You can set the format by specifying the `format` parameter in the URL or by
setting the `Accept` or `Content-Type` HTTP header.
NOTE: The URL parameter takes precedence over the HTTP headers. If neither is
specified then the response is returned in the same format as the request.
[cols="m,4m,8"]
|===
s|`format`
s|HTTP header
s|Description
3+h| Human readable
|csv
|text/csv
|{wikipedia}/Comma-separated_values[Comma-separated values]
|json
|application/json
|https://www.json.org/[JSON] (JavaScript Object Notation) human-readable format
|tsv
|text/tab-separated-values
|{wikipedia}/Tab-separated_values[Tab-separated values]
|txt
|text/plain
|CLI-like representation
|yaml
|application/yaml
|{wikipedia}/YAML[YAML] (YAML Ain't Markup Language) human-readable format
3+h| Binary
|cbor
|application/cbor
|https://cbor.io/[Concise Binary Object Representation]
|smile
|application/smile
|{wikipedia}/Smile_(data_interchange_format)[Smile] binary data format similar
to CBOR
|===
The `csv` format accepts a formatting URL query attribute, `delimiter`, which
indicates which character should be used to separate the CSV values. It defaults
to comma (`,`) and cannot take any of the following values: double quote (`"`),
carriage-return (`\r`) and new-line (`\n`). The tab (`\t`) can also not be used.
Use the `tsv` format instead.
[discrete]
[[esql-rest-filtering]]
=== Filtering using {es} Query DSL
Specify a Query DSL query in the `filter` parameter to filter the set of
documents that an {esql} query runs on.
[source,console]
----
POST /_query?format=txt
{
"query": """
FROM library
| KEEP author, name, page_count, release_date
| SORT page_count DESC
| LIMIT 5
""",
"filter": {
"range": {
"page_count": {
"gte": 100,
"lte": 200
}
}
}
}
----
// TEST[setup:library]
Which returns:
[source,text]
--------------------------------------------------
author | name | page_count | release_date
---------------+------------------------------------+---------------+------------------------
Douglas Adams |The Hitchhiker's Guide to the Galaxy|180 |1979-10-12T00:00:00.000Z
--------------------------------------------------
// TESTRESPONSE[s/\|/\\|/ s/\+/\\+/]
// TESTRESPONSE[non_json]
[discrete]
[[esql-rest-columnar]]
=== Columnar results
By default, {esql} returns results as rows. For example, `FROM` returns each
individual document as one row. For the `json`, `yaml`, `cbor` and `smile`
<<esql-rest-format,formats>>, {esql} can return the results in a columnar
fashion where one row represents all the values of a certain column in the
results.
[source,console]
----
POST /_query?format=json
{
"query": """
FROM library
| KEEP author, name, page_count, release_date
| SORT page_count DESC
| LIMIT 5
""",
"columnar": true
}
----
// TEST[setup:library]
Which returns:
[source,console-result]
----
{
"columns": [
{"name": "author", "type": "text"},
{"name": "name", "type": "text"},
{"name": "page_count", "type": "integer"},
{"name": "release_date", "type": "date"}
],
"values": [
["Peter F. Hamilton", "Vernor Vinge", "Frank Herbert", "Alastair Reynolds", "James S.A. Corey"],
["Pandora's Star", "A Fire Upon the Deep", "Dune", "Revelation Space", "Leviathan Wakes"],
[768, 613, 604, 585, 561],
["2004-03-02T00:00:00.000Z", "1992-06-01T00:00:00.000Z", "1965-06-01T00:00:00.000Z", "2000-03-15T00:00:00.000Z", "2011-06-02T00:00:00.000Z"]
]
}
----
[discrete]
[[esql-rest-params]]
=== Passing parameters to a query
Values, for example for a condition, can be passed to a query "inline", by
integrating the value in the query string itself:
[source,console]
----
POST /_query
{
"query": """
FROM library
| EVAL year = DATE_EXTRACT("year", release_date)
| WHERE page_count > 300 AND author == "Frank Herbert"
| STATS count = COUNT(*) by year
| WHERE count > 0
| LIMIT 5
"""
}
----
// TEST[setup:library]
To avoid any attempts of hacking or code injection, extract the values in a
separate list of parameters. Use question mark placeholders (`?`) in the query
string for each of the parameters:
[source,console]
----
POST /_query
{
"query": """
FROM library
| EVAL year = DATE_EXTRACT("year", release_date)
| WHERE page_count > ? AND author == ?
| STATS count = COUNT(*) by year
| WHERE count > ?
| LIMIT 5
""",
"params": [300, "Frank Herbert", 0]
}
----
// TEST[setup:library]


@ -1,90 +0,0 @@
[[esql-syntax]]
=== {esql} syntax reference
++++
<titleabbrev>Syntax reference</titleabbrev>
++++
[discrete]
[[esql-basic-syntax]]
=== Basic syntax
An {esql} query is composed of a <<esql-commands,source_command>> followed
by an optional series of <<esql-commands,processing commands>>,
separated by a pipe character: `|`. For example:
[source,esql]
----
source-command
| processing-command1
| processing-command2
----
The result of a query is the table produced by the final processing command.
For an overview of all supported commands, functions, and operators, refer to <<esql-commands>> and <<esql-functions-operators>>.
[NOTE]
====
For readability, this documentation puts each processing command on a new
line. However, you can write an {esql} query as a single line. The following
query is identical to the previous one:
[source,esql]
----
source-command | processing-command1 | processing-command2
----
====
[discrete]
[[esql-comments]]
==== Comments
{esql} uses C++ style comments:
* double slash `//` for single line comments
* `/*` and `*/` for block comments
[source,esql]
----
// Query the employees index
FROM employees
| WHERE height > 2
----
[source,esql]
----
FROM /* Query the employees index */ employees
| WHERE height > 2
----
[source,esql]
----
FROM employees
/* Query the
* employees
* index */
| WHERE height > 2
----
[discrete]
[[esql-timespan-literals]]
==== Timespan literals
Datetime intervals and timespans can be expressed using timespan literals.
Timespan literals are a combination of a number and a qualifier. These
qualifiers are supported:
* `millisecond`/`milliseconds`
* `second`/`seconds`
* `minute`/`minutes`
* `hour`/`hours`
* `day`/`days`
* `week`/`weeks`
* `month`/`months`
* `year`/`years`
Timespan literals are not whitespace sensitive. These expressions are all valid:
* `1day`
* `1 day`
* `1 day`


@ -1,18 +0,0 @@
[discrete]
[[esql-abs]]
=== `ABS`
[.text-center]
image::esql/functions/signature/abs.svg[Embedded,opts=inline]
Returns the absolute value.
[source,esql]
----
FROM employees
| KEEP first_name, last_name, height
| EVAL abs_height = ABS(0.0 - height)
----
Supported types:
include::types/abs.asciidoc[]


@ -1,33 +0,0 @@
[discrete]
[[esql-acos]]
=== `ACOS`
*Syntax*
[.text-center]
image::esql/functions/signature/acos.svg[Embedded,opts=inline]
*Parameters*
`n`::
Numeric expression. If `null`, the function returns `null`.
*Description*
Returns the {wikipedia}/Inverse_trigonometric_functions[arccosine] of `n` as an
angle, expressed in radians.
*Supported types*
include::types/acos.asciidoc[]
*Example*
[source.merge.styled,esql]
----
include::{esql-specs}/floats.csv-spec[tag=acos]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/floats.csv-spec[tag=acos-result]
|===


@ -1,30 +0,0 @@
[[esql-agg-functions]]
==== {esql} aggregate functions
++++
<titleabbrev>Aggregate functions</titleabbrev>
++++
The <<esql-stats-by>> function supports these aggregate functions:
// tag::agg_list[]
* <<esql-agg-avg>>
* <<esql-agg-count>>
* <<esql-agg-count-distinct>>
* <<esql-agg-max>>
* <<esql-agg-median>>
* <<esql-agg-median-absolute-deviation>>
* <<esql-agg-min>>
* <<esql-agg-percentile>>
* <<esql-agg-sum>>
// end::agg_list[]
include::avg.asciidoc[]
include::count.asciidoc[]
include::count-distinct.asciidoc[]
include::max.asciidoc[]
include::median.asciidoc[]
include::median-absolute-deviation.asciidoc[]
include::min.asciidoc[]
include::percentile.asciidoc[]
include::sum.asciidoc[]


@ -1,20 +0,0 @@
[discrete]
[[esql-asin]]
=== `ASIN`
[.text-center]
image::esql/functions/signature/asin.svg[Embedded,opts=inline]
Inverse https://en.wikipedia.org/wiki/Inverse_trigonometric_functions[sine] trigonometric function.
[source.merge.styled,esql]
----
include::{esql-specs}/floats.csv-spec[tag=asin]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/floats.csv-spec[tag=asin-result]
|===
Supported types:
include::types/asin.asciidoc[]


@ -1,20 +0,0 @@
[discrete]
[[esql-atan]]
=== `ATAN`
[.text-center]
image::esql/functions/signature/atan.svg[Embedded,opts=inline]
Inverse https://en.wikipedia.org/wiki/Inverse_trigonometric_functions[tangent] trigonometric function.
[source.merge.styled,esql]
----
include::{esql-specs}/floats.csv-spec[tag=atan]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/floats.csv-spec[tag=atan-result]
|===
Supported types:
include::types/atan.asciidoc[]


@ -1,21 +0,0 @@
[discrete]
[[esql-atan2]]
=== `ATAN2`
[.text-center]
image::esql/functions/signature/atan2.svg[Embedded,opts=inline]
The https://en.wikipedia.org/wiki/Atan2[angle] between the positive x-axis and the
ray from the origin to the point (x , y) in the Cartesian plane.
[source.merge.styled,esql]
----
include::{esql-specs}/floats.csv-spec[tag=atan2]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/floats.csv-spec[tag=atan2-result]
|===
Supported types:
include::types/atan2.asciidoc[]


@ -1,72 +0,0 @@
[discrete]
[[esql-auto_bucket]]
=== `AUTO_BUCKET`
Creates human-friendly buckets and returns a `datetime` value for each row that
corresponds to the resulting bucket the row falls into. Combine `AUTO_BUCKET`
with <<esql-stats-by>> to create a date histogram.
You provide a target number of buckets, a start date, and an end date, and it
picks an appropriate bucket size to generate the target number of buckets or
fewer. For example, this asks for at most 20 buckets over a whole year, which
picks monthly buckets:
[source.merge.styled,esql]
----
include::{esql-specs}/date.csv-spec[tag=auto_bucket_month]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/date.csv-spec[tag=auto_bucket_month-result]
|===
The goal isn't to provide *exactly* the target number of buckets, it's to pick a
range that people are comfortable with that provides at most the target number of
buckets.
If you ask for more buckets then `AUTO_BUCKET` can pick a smaller range. For example,
asking for at most 100 buckets in a year will get you week long buckets:
[source.merge.styled,esql]
----
include::{esql-specs}/date.csv-spec[tag=auto_bucket_week]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/date.csv-spec[tag=auto_bucket_week-result]
|===
`AUTO_BUCKET` does not filter any rows. It only uses the provided time range to
pick a good bucket size. For rows with a date outside of the range, it returns a
`datetime` that corresponds to a bucket outside the range. Combine `AUTO_BUCKET`
with <<esql-where>> to filter rows.
A more complete example might look like:
[source.merge.styled,esql]
----
include::{esql-specs}/date.csv-spec[tag=auto_bucket_in_agg]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/date.csv-spec[tag=auto_bucket_in_agg-result]
|===
NOTE: `AUTO_BUCKET` does not create buckets that don't match any documents. That's
why the example above is missing `1985-03-01` and other dates.
==== Numeric fields
`auto_bucket` can also operate on numeric fields like this:
[source.merge.styled,esql]
----
include::{esql-specs}/ints.csv-spec[tag=auto_bucket]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/ints.csv-spec[tag=auto_bucket-result]
|===
Unlike the example above where you are intentionally filtering on a date range,
you rarely want to filter on a numeric range. So you have find the `min` and `max`
separately. We don't yet have an easy way to do that automatically. Improvements
coming!


@ -1,15 +0,0 @@
[discrete]
[[esql-agg-avg]]
=== `AVG`
The average of a numeric field.
[source.merge.styled,esql]
----
include::{esql-specs}/stats.csv-spec[tag=avg]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/stats.csv-spec[tag=avg-result]
|===
The result is always a `double` not matter the input type.


@ -1,12 +0,0 @@
[discrete]
[[esql-binary-operators]]
=== Binary operators
These binary comparison operators are supported:
* equality: `==`
* inequality: `!=`
* less than: `<`
* less than or equal: `<=`
* larger than: `>`
* larger than or equal: `>=`


@ -1,42 +0,0 @@
[discrete]
[[esql-case]]
=== `CASE`
*Syntax*
[source,txt]
----
CASE(condition1, value1[, ..., conditionN, valueN][, default_value])
----
*Parameters*
`conditionX`::
A condition.
`valueX`::
The value that's returned when the corresponding condition is the first to
evaluate to `true`.
`default_value`::
The default value that's is returned when no condition matches.
*Description*
Accepts pairs of conditions and values. The function returns the value that
belongs to the first condition that evaluates to `true`.
If the number of arguments is odd, the last argument is the default value which
is returned when no condition matches.
*Example*
[source,esql]
[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=case]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=case-result]
|===


@ -1,24 +0,0 @@
[discrete]
[[esql-ceil]]
=== `CEIL`
[.text-center]
image::esql/functions/signature/ceil.svg[Embedded,opts=inline]
Round a number up to the nearest integer.
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=ceil]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=ceil-result]
|===
NOTE: This is a noop for `long` (including unsigned) and `integer`.
For `double` this picks the the closest `double` value to the integer ala
{javadoc}/java.base/java/lang/Math.html#ceil(double)[Math.ceil].
Supported types:
include::types/ceil.asciidoc[]


@ -1,16 +0,0 @@
[discrete]
[[esql-cidr_match]]
=== `CIDR_MATCH`
Returns `true` if the provided IP is contained in one of the provided CIDR
blocks.
`CIDR_MATCH` accepts two or more arguments. The first argument is the IP
address of type `ip` (both IPv4 and IPv6 are supported). Subsequent arguments
are the CIDR blocks to test the IP against.
[source,esql]
----
FROM hosts
| WHERE CIDR_MATCH(ip, "127.0.0.2/32", "127.0.0.3/32")
----


@ -1,14 +0,0 @@
[discrete]
[[esql-coalesce]]
=== `COALESCE`
Returns the first non-null value.
[source.merge.styled,esql]
----
include::{esql-specs}/null.csv-spec[tag=coalesce]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/null.csv-spec[tag=coalesce-result]
|===


@ -1,11 +0,0 @@
[discrete]
[[esql-concat]]
=== `CONCAT`
Concatenates two or more strings.
[source,esql]
----
FROM employees
| KEEP first_name, last_name, height
| EVAL fullname = CONCAT(first_name, " ", last_name)
----


@ -1,21 +0,0 @@
[[esql-conditional-functions-and-expressions]]
==== {esql} conditional functions and expressions
++++
<titleabbrev>Conditional functions and expressions</titleabbrev>
++++
Conditional functions return one of their arguments by evaluating in an if-else
manner. {esql} supports these conditional functions:
// tag::cond_list[]
* <<esql-case>>
* <<esql-coalesce>>
* <<esql-greatest>>
* <<esql-least>>
// end::cond_list[]
include::case.asciidoc[]
include::coalesce.asciidoc[]
include::greatest.asciidoc[]
include::least.asciidoc[]


@ -1,20 +0,0 @@
[discrete]
[[esql-cos]]
=== `COS`
[.text-center]
image::esql/functions/signature/cos.svg[Embedded,opts=inline]
https://en.wikipedia.org/wiki/Sine_and_cosine[Cosine] trigonometric function.
[source.merge.styled,esql]
----
include::{esql-specs}/floats.csv-spec[tag=cos]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/floats.csv-spec[tag=cos-result]
|===
Supported types:
include::types/cos.asciidoc[]


@ -1,20 +0,0 @@
[discrete]
[[esql-cosh]]
=== `COSH`
[.text-center]
image::esql/functions/signature/cosh.svg[Embedded,opts=inline]
https://en.wikipedia.org/wiki/Hyperbolic_functions[Cosine] hyperbolic function.
[source.merge.styled,esql]
----
include::{esql-specs}/floats.csv-spec[tag=cosh]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/floats.csv-spec[tag=cosh-result]
|===
Supported types:
include::types/cosh.asciidoc[]


@ -1,27 +0,0 @@
[discrete]
[[esql-agg-count]]
=== `COUNT`
Counts field values.
[source.merge.styled,esql]
----
include::{esql-specs}/stats.csv-spec[tag=count]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/stats.csv-spec[tag=count-result]
|===
Can take any field type as input and the result is always a `long` not matter
the input type.
To count the number of rows, use `COUNT(*)`:
[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=countAll]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=countAll-result]
|===


@ -1,46 +0,0 @@
[discrete]
[[esql-agg-count-distinct]]
=== `COUNT_DISTINCT`
The approximate number of distinct values.
[source.merge.styled,esql]
----
include::{esql-specs}/stats_count_distinct.csv-spec[tag=count-distinct]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/stats_count_distinct.csv-spec[tag=count-distinct-result]
|===
Can take any field type as input and the result is always a `long` not matter
the input type.
[discrete]
==== Counts are approximate
Computing exact counts requires loading values into a set and returning its
size. This doesn't scale when working on high-cardinality sets and/or large
values as the required memory usage and the need to communicate those
per-shard sets between nodes would utilize too many resources of the cluster.
This `COUNT_DISTINCT` function is based on the
https://static.googleusercontent.com/media/research.google.com/fr//pubs/archive/40671.pdf[HyperLogLog++]
algorithm, which counts based on the hashes of the values with some interesting
properties:
include::../../aggregations/metrics/cardinality-aggregation.asciidoc[tag=explanation]
[discrete]
==== Precision is configurable
The `COUNT_DISTINCT` function takes an optional second parameter to configure the
precision discussed previously.
[source.merge.styled,esql]
----
include::{esql-specs}/stats_count_distinct.csv-spec[tag=count-distinct-precision]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/stats_count_distinct.csv-spec[tag=count-distinct-precision-result]
|===


@ -1,15 +0,0 @@
[discrete]
[[esql-date_extract]]
=== `DATE_EXTRACT`
Extracts parts of a date, like year, month, day, hour.
The supported field types are those provided by https://docs.oracle.com/javase/8/docs/api/java/time/temporal/ChronoField.html[java.time.temporal.ChronoField].
[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=dateExtract]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=dateExtract-result]
|===


@ -1,12 +0,0 @@
[discrete]
[[esql-date_format]]
=== `DATE_FORMAT`
Returns a string representation of a date in the provided format. If no format
is specified, the `yyyy-MM-dd'T'HH:mm:ss.SSSZ` format is used.
[source,esql]
----
FROM employees
| KEEP first_name, last_name, hire_date
| EVAL hired = DATE_FORMAT("YYYY-MM-dd", hire_date)
----


@ -1,37 +0,0 @@
[discrete]
[[esql-date_parse]]
=== `DATE_PARSE`
*Syntax*
[source,txt]
----
DATE_PARSE([format,] date_string)
----
*Parameters*
`format`::
The date format. Refer to the
https://docs.oracle.com/en/java/javase/14/docs/api/java.base/java/time/format/DateTimeFormatter.html[`DateTimeFormatter`
documentation] for the syntax. If `null`, the function returns `null`.
`date_string`::
Date expression as a string. If `null` or an empty string, the function returns
`null`.
*Description*
Returns a date by parsing the second argument using the format specified in the
first argument.
*Example*
[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=dateParse]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=dateParse-result]
|===


@ -1,24 +0,0 @@
[[esql-date-time-functions]]
==== {esql} date-time functions
++++
<titleabbrev>Date-time functions</titleabbrev>
++++
{esql} supports these date-time functions:
// tag::date_list[]
* <<esql-auto_bucket>>
* <<esql-date_extract>>
* <<esql-date_format>>
* <<esql-date_parse>>
* <<esql-date_trunc>>
* <<esql-now>>
// end::date_list[]
include::auto_bucket.asciidoc[]
include::date_extract.asciidoc[]
include::date_format.asciidoc[]
include::date_parse.asciidoc[]
include::date_trunc.asciidoc[]
include::now.asciidoc[]


@ -1,13 +0,0 @@
[discrete]
[[esql-date_trunc]]
=== `DATE_TRUNC`
Rounds down a date to the closest interval. Intervals can be expressed using the
<<esql-timespan-literals,timespan literal syntax>>.
[source,esql]
----
FROM employees
| EVAL year_hired = DATE_TRUNC(1 year, hire_date)
| STATS count(emp_no) BY year_hired
| SORT year_hired
----


@ -1,16 +0,0 @@
[discrete]
[[esql-e]]
=== `E`
[.text-center]
image::esql/functions/signature/e.svg[Embedded,opts=inline]
{wikipedia}/E_(mathematical_constant)[Euler's number].
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=e]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=e-result]
|===


@ -1,21 +0,0 @@
[discrete]
[[esql-ends_with]]
=== `ENDS_WITH`
[.text-center]
image::esql/functions/signature/ends_with.svg[Embedded,opts=inline]
Returns a boolean that indicates whether a keyword string ends with another
string:
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=endsWith]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=endsWith-result]
|===
Supported types:
include::types/ends_with.asciidoc[]


@ -1,24 +0,0 @@
[discrete]
[[esql-floor]]
=== `FLOOR`
[.text-center]
image::esql/functions/signature/floor.svg[Embedded,opts=inline]
Round a number down to the nearest integer.
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=floor]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=floor-result]
|===
NOTE: This is a noop for `long` (including unsigned) and `integer`.
For `double` this picks the the closest `double` value to the integer ala
{javadoc}/java.base/java/lang/Math.html#floor(double)[Math.floor].
Supported types:
include::types/floor.asciidoc[]


@ -1,25 +0,0 @@
[discrete]
[[esql-greatest]]
=== `GREATEST`
[.text-center]
image::esql/functions/signature/greatest.svg[Embedded,opts=inline]
Returns the maximum value from many columns. This is similar to <<esql-mv_max>>
except it's intended to run on multiple columns at once.
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=greatest]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=greatest-result]
|===
NOTE: When run on `keyword` or `text` fields, this'll return the last string
in alphabetical order. When run on `boolean` columns this will return
`true` if any values are `true`.
Supported types:
include::types/greatest.asciidoc[]


@ -1,11 +0,0 @@
[discrete]
[[esql-in-operator]]
=== `IN`
The `IN` operator allows testing whether a field or expression equals
an element in a list of literals, fields or expressions:
[source,esql]
----
include::{esql-specs}/row.csv-spec[tag=in-with-expressions]
----


@ -1,10 +0,0 @@
[discrete]
[[esql-is_finite]]
=== `IS_FINITE`
Returns a boolean that indicates whether its input is a finite number.
[source,esql]
----
ROW d = 1.0
| EVAL s = IS_FINITE(d/0)
----


@ -1,10 +0,0 @@
[discrete]
[[esql-is_infinite]]
=== `IS_INFINITE`
Returns a boolean that indicates whether its input is infinite.
[source,esql]
----
ROW d = 1.0
| EVAL s = IS_INFINITE(d/0)
----


@ -1,10 +0,0 @@
[discrete]
[[esql-is_nan]]
=== `IS_NAN`
Returns a boolean that indicates whether its input is not a number.
[source,esql]
----
ROW d = 1.0
| EVAL s = IS_NAN(d)
----


@ -1,25 +0,0 @@
[discrete]
[[esql-least]]
=== `LEAST`
[.text-center]
image::esql/functions/signature/least.svg[Embedded,opts=inline]
Returns the minimum value from many columns. This is similar to <<esql-mv_min>>
except it's intended to run on multiple columns at once.
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=least]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=least-result]
|===
NOTE: When run on `keyword` or `text` fields, this'll return the first string
in alphabetical order. When run on `boolean` columns this will return
`false` if any values are `false`.
Supported types:
include::types/least.asciidoc[]


@ -1,20 +0,0 @@
[discrete]
[[esql-left]]
=== `LEFT`
[.text-center]
image::esql/functions/signature/left.svg[Embedded,opts=inline]
Return the substring that extracts 'length' chars from the 'string' starting from the left.
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=left]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=left-result]
|===
Supported types:
include::types/left.asciidoc[]


@ -1,11 +0,0 @@
[discrete]
[[esql-length]]
=== `LENGTH`
Returns the character length of a string.
[source,esql]
----
FROM employees
| KEEP first_name, last_name, height
| EVAL fn_length = LENGTH(first_name)
----


@ -1,20 +0,0 @@
[discrete]
[[esql-like-operator]]
=== `LIKE`
Use `LIKE` to filter data based on string patterns using wildcards. `LIKE`
usually acts on a field placed on the left-hand side of the operator, but it can
also act on a constant (literal) expression. The right-hand side of the operator
represents the pattern.
The following wildcard characters are supported:
* `*` matches zero or more characters.
* `?` matches one character.
[source,esql]
----
FROM employees
| WHERE first_name LIKE "?b*"
| KEEP first_name, last_name
----


@ -1,23 +0,0 @@
[discrete]
[[esql-log10]]
=== `LOG10`
[.text-center]
image::esql/functions/signature/log10.svg[Embedded,opts=inline]
Returns the log base 10. The input can be any numeric value, the return value
is always a double.
Logs of negative numbers are NaN. Logs of infinites are infinite, as is the log of 0.
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=log10]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=log10-result]
|===
Supported types:
include::types/log10.asciidoc[]


@ -1,9 +0,0 @@
[discrete]
[[esql-logical-operators]]
=== Logical operators
The following logical operators are supported:
* `AND`
* `OR`
* `NOT`


@ -1,13 +0,0 @@
[discrete]
[[esql-ltrim]]
=== `LTRIM`
Removes leading whitespaces from strings.
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=ltrim]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=ltrim-result]
|===


@ -1,52 +0,0 @@
[[esql-math-functions]]
==== {esql} mathematical functions
++++
<titleabbrev>Mathematical functions</titleabbrev>
++++
{esql} supports these mathematical functions:
// tag::math_list[]
* <<esql-abs>>
* <<esql-acos>>
* <<esql-asin>>
* <<esql-atan>>
* <<esql-atan2>>
* <<esql-ceil>>
* <<esql-cos>>
* <<esql-cosh>>
* <<esql-e>>
* <<esql-floor>>
* <<esql-log10>>
* <<esql-pi>>
* <<esql-pow>>
* <<esql-round>>
* <<esql-sin>>
* <<esql-sinh>>
* <<esql-sqrt>>
* <<esql-tan>>
* <<esql-tanh>>
* <<esql-tau>>
// end::math_list[]
include::abs.asciidoc[]
include::acos.asciidoc[]
include::asin.asciidoc[]
include::atan.asciidoc[]
include::atan2.asciidoc[]
include::ceil.asciidoc[]
include::cos.asciidoc[]
include::cosh.asciidoc[]
include::e.asciidoc[]
include::floor.asciidoc[]
include::log10.asciidoc[]
include::pi.asciidoc[]
include::pow.asciidoc[]
include::round.asciidoc[]
include::sin.asciidoc[]
include::sinh.asciidoc[]
include::sqrt.asciidoc[]
include::tan.asciidoc[]
include::tanh.asciidoc[]
include::tau.asciidoc[]


@ -1,13 +0,0 @@
[discrete]
[[esql-agg-max]]
=== `MAX`
The maximum value of a numeric field.
[source.merge.styled,esql]
----
include::{esql-specs}/stats.csv-spec[tag=max]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/stats.csv-spec[tag=max-result]
|===


@ -1,22 +0,0 @@
[discrete]
[[esql-agg-median]]
=== `MEDIAN`
The value that is greater than half of all values and less than half of
all values, also known as the 50% <<esql-agg-percentile>>.
[source.merge.styled,esql]
----
include::{esql-specs}/stats_percentile.csv-spec[tag=median]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/stats_percentile.csv-spec[tag=median-result]
|===
NOTE: Like <<esql-agg-percentile>>, `MEDIAN` is <<esql-agg-percentile-approximate,usually approximate>>.
[WARNING]
====
`MEDIAN` is also {wikipedia}/Nondeterministic_algorithm[non-deterministic].
This means you can get slightly different results using the same data.
====


@ -1,29 +0,0 @@
[discrete]
[[esql-agg-median-absolute-deviation]]
=== `MEDIAN_ABSOLUTE_DEVIATION`
The median absolute deviation, a measure of variability. It is a robust
statistic, meaning that it is useful for describing data that may have outliers,
or may not be normally distributed. For such data it can be more descriptive than
standard deviation.
It is calculated as the median of each data points deviation from the median of
the entire sample. That is, for a random variable `X`, the median absolute deviation
is `median(|median(X) - Xi|)`.
[source.merge.styled,esql]
----
include::{esql-specs}/stats_percentile.csv-spec[tag=median-absolute-deviation]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/stats_percentile.csv-spec[tag=median-absolute-deviation-result]
|===
NOTE: Like <<esql-agg-percentile>>, `MEDIAN_ABSOLUTE_DEVIATION` is
<<esql-agg-percentile-approximate,usually approximate>>.
[WARNING]
====
`MEDIAN_ABSOLUTE_DEVIATION` is also {wikipedia}/Nondeterministic_algorithm[non-deterministic].
This means you can get slightly different results using the same data.
====


@ -1,13 +0,0 @@
[discrete]
[[esql-agg-min]]
=== `MIN`
The minimum value of a numeric field.
[source.merge.styled,esql]
----
include::{esql-specs}/stats.csv-spec[tag=min]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/stats.csv-spec[tag=min-result]
|===


@ -1,17 +0,0 @@
[discrete]
[[esql-mv_avg]]
=== `MV_AVG`
Converts a multivalued field into a single valued field containing the average
of all of the values. For example:
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=mv_avg]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=mv_avg-result]
|===
NOTE: The output type is always a `double` and the input type can be any number.


@ -1,26 +0,0 @@
[discrete]
[[esql-mv_concat]]
=== `MV_CONCAT`
Converts a multivalued string field into a single valued field containing the
concatenation of all values separated by a delimiter:
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=mv_concat]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=mv_concat-result]
|===
If you want to concat non-string fields call <<esql-to_string>> on them first:
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=mv_concat-to_string]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=mv_concat-to_string-result]
|===


@ -1,16 +0,0 @@
[discrete]
[[esql-mv_count]]
=== `MV_COUNT`
Converts a multivalued field into a single valued field containing a count of the number
of values:
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=mv_count]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=mv_count-result]
|===
NOTE: This function accepts all types and always returns an `integer`.


@ -1,15 +0,0 @@
[discrete]
[[esql-mv_dedupe]]
=== `MV_DEDUPE`
Removes duplicates from a multivalued field. For example:
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=mv_dedupe]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=mv_dedupe-result]
|===
NOTE: `MV_DEDUPE` may, but won't always, sort the values in the field.


@ -1,28 +0,0 @@
[[esql-mv-functions]]
==== {esql} multivalue functions
++++
<titleabbrev>Multivalue functions</titleabbrev>
++++
{esql} supports these multivalue functions:
// tag::mv_list[]
* <<esql-mv_avg>>
* <<esql-mv_concat>>
* <<esql-mv_count>>
* <<esql-mv_dedupe>>
* <<esql-mv_max>>
* <<esql-mv_median>>
* <<esql-mv_min>>
* <<esql-mv_sum>>
// end::mv_list[]
include::mv_avg.asciidoc[]
include::mv_concat.asciidoc[]
include::mv_count.asciidoc[]
include::mv_dedupe.asciidoc[]
include::mv_max.asciidoc[]
include::mv_median.asciidoc[]
include::mv_min.asciidoc[]
include::mv_sum.asciidoc[]


@ -1,25 +0,0 @@
[discrete]
[[esql-mv_max]]
=== `MV_MAX`
Converts a multivalued field into a single valued field containing the maximum value. For example:
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=mv_max]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=mv_max-result]
|===
It can be used by any field type, including `keyword` fields. In that case picks the
last string, comparing their utf-8 representation byte by byte:
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=mv_max]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=mv_max-result]
|===


@ -1,27 +0,0 @@
[discrete]
[[esql-mv_median]]
=== `MV_MEDIAN`
Converts a multivalued field into a single valued field containing the median value. For example:
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=mv_median]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=mv_median-result]
|===
It can be used by any numeric field type and returns a value of the same type. If the
row has an even number of values for a column the result will be the average of the
middle two entries. If the field is not floating point then the average rounds *down*:
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=mv_median_round_down]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=mv_median_round_down-result]
|===


@ -1,25 +0,0 @@
[discrete]
[[esql-mv_min]]
=== `MV_MIN`
Converts a multivalued field into a single valued field containing the minimum value. For example:
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=mv_min]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=mv_min-result]
|===
It can be used by any field type, including `keyword` fields. In that case picks the
first string, comparing their utf-8 representation byte by byte:
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=mv_min]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=mv_min-result]
|===


@ -1,16 +0,0 @@
[discrete]
[[esql-mv_sum]]
=== `MV_SUM`
Converts a multivalued field into a single valued field containing the sum
of all of the values. For example:
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=mv_sum]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=mv_sum-result]
|===
NOTE: The input type can be any number and the output type is the same as the input type.


@ -1,9 +0,0 @@
[discrete]
[[esql-now]]
=== `NOW`
Returns current date and time.
[source,esql]
----
ROW current_date = NOW()
----


@ -1,36 +0,0 @@
[[esql-operators]]
==== {esql} operators
++++
<titleabbrev>Operators</titleabbrev>
++++
Boolean operators for comparing against one or multiple expressions.
// tag::op_list[]
* <<esql-binary-operators>>
* <<esql-logical-operators>>
* <<esql-predicates>>
* <<esql-cidr_match>>
* <<esql-ends_with>>
* <<esql-in-operator>>
* <<esql-is_finite>>
* <<esql-is_infinite>>
* <<esql-is_nan>>
* <<esql-like-operator>>
* <<esql-rlike-operator>>
* <<esql-starts_with>>
// end::op_list[]
include::binary.asciidoc[]
include::logical.asciidoc[]
include::predicates.asciidoc[]
include::cidr_match.asciidoc[]
include::ends_with.asciidoc[]
include::in.asciidoc[]
include::is_finite.asciidoc[]
include::is_infinite.asciidoc[]
include::is_nan.asciidoc[]
include::like.asciidoc[]
include::rlike.asciidoc[]
include::starts_with.asciidoc[]


@ -1,30 +0,0 @@
[discrete]
[[esql-agg-percentile]]
=== `PERCENTILE`
The value at which a certain percentage of observed values occur. For example,
the 95th percentile is the value which is greater than 95% of the observed values and
the 50th percentile is the <<esql-agg-median>>.
[source.merge.styled,esql]
----
include::{esql-specs}/stats_percentile.csv-spec[tag=percentile]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/stats_percentile.csv-spec[tag=percentile-result]
|===
[discrete]
[[esql-agg-percentile-approximate]]
==== `PERCENTILE` is (usually) approximate
include::../../aggregations/metrics/percentile-aggregation.asciidoc[tag=approximate]
[WARNING]
====
`PERCENTILE` is also {wikipedia}/Nondeterministic_algorithm[non-deterministic].
This means you can get slightly different results using the same data.
====


@ -1,16 +0,0 @@
[discrete]
[[esql-pi]]
=== `PI`
[.text-center]
image::esql/functions/signature/pi.svg[Embedded,opts=inline]
The {wikipedia}/Pi[ratio] of a circle's circumference to its diameter.
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=pi]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=pi-result]
|===


@ -1,96 +0,0 @@
[discrete]
[[esql-pow]]
=== `POW`
[.text-center]
image::esql/functions/signature/pow.svg[Embedded,opts=inline]
Returns the value of a base (first argument) raised to the power of an exponent (second argument).
Both arguments must be numeric.
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=powDI]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=powDI-result]
|===
[discrete]
==== Type rules
The type of the returned value is determined by the types of the base and exponent.
The following rules are applied to determine the result type:
* If either of the base or exponent are of a floating point type, the result will be a double
* Otherwise, if either the base or the exponent are 64-bit (long or unsigned long), the result will be a long
* Otherwise, the result will be a 32-bit integer (this covers all other numeric types, including int, short and byte)
For example, using simple integers as arguments will lead to an integer result:
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=powII]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=powII-result]
|===
NOTE: The actual power function is performed using double precision values for all cases.
This means that for very large non-floating point values there is a small chance that the
operation can lead to slightly different answers than expected.
However, a more likely outcome of very large non-floating point values is numerical overflow.
[discrete]
==== Arithmetic errors
Arithmetic errors and numeric overflow do not result in an error. Instead, the result will be `null`
and a warning for the `ArithmeticException` added.
For example:
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=powULOverrun]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=powULOverrun-warning]
|===
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=powULOverrun-result]
|===
If it is desired to protect against numerical overruns, use `TO_DOUBLE` on either of the arguments:
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=pow2d]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=pow2d-result]
|===
[discrete]
==== Fractional exponents
The exponent can be a fraction, which is similar to performing a root.
For example, the exponent of `0.5` will give the square root of the base:
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=powID-sqrt]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=powID-sqrt-result]
|===
[discrete]
==== Table of supported input and output types
For clarity, the following table describes the output result type for all combinations of numeric input types:
include::types/pow.asciidoc[]


@ -1,23 +0,0 @@
[discrete]
[[esql-predicates]]
=== `IS NULL` and `IS NOT NULL` predicates
For NULL comparison, use the `IS NULL` and `IS NOT NULL` predicates:
[source.merge.styled,esql]
----
include::{esql-specs}/null.csv-spec[tag=is-null]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/null.csv-spec[tag=is-null-result]
|===
[source.merge.styled,esql]
----
include::{esql-specs}/null.csv-spec[tag=is-not-null]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/null.csv-spec[tag=is-not-null-result]
|===


@ -1,17 +0,0 @@
[discrete]
[[esql-replace]]
=== `REPLACE`
The function substitutes in the string (1st argument) any match of the regular expression (2nd argument) with the replacement string (3rd argument).
If any of the arguments are `NULL`, the result is `NULL`.
. This example replaces an occurrence of the word "World" with the word "Universe":
[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=replaceString]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=replaceString-result]
|===


@ -1,20 +0,0 @@
[discrete]
[[esql-right]]
=== `RIGHT`
[.text-center]
image::esql/functions/signature/right.svg[Embedded,opts=inline]
Return the substring that extracts 'length' chars from the 'string' starting from the right.
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=right]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=right-result]
|===
Supported types:
include::types/right.asciidoc[]


@ -1,15 +0,0 @@
[discete]
[[esql-rlike-operator]]
==== `RLIKE`
Use `RLIKE` to filter data based on string patterns using using
<<regexp-syntax,regular expressions>>. `RLIKE` usually acts on a field placed on
the left-hand side of the operator, but it can also act on a constant (literal)
expression. The right-hand side of the operator represents the pattern.
[source,esql]
----
FROM employees
| WHERE first_name RLIKE ".leja.*"
| KEEP first_name, last_name
----


@ -1,15 +0,0 @@
[discrete]
[[esql-round]]
=== `ROUND`
Rounds a number to the closest number with the specified number of digits.
Defaults to 0 digits if no number of digits is provided. If the specified number
of digits is negative, rounds to the number of digits left of the decimal point.
[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=round]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=round-result]
|===


@ -1,13 +0,0 @@
[discrete]
[[esql-rtrim]]
=== `RTRIM`
Removes trailing whitespaces from strings.
[source.merge.styled,esql]
----
include::{esql-specs}/string.csv-spec[tag=rtrim]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=rtrim-result]
|===


@ -1,20 +0,0 @@
[discrete]
[[esql-sin]]
=== `SIN`
[.text-center]
image::esql/functions/signature/sin.svg[Embedded,opts=inline]
https://en.wikipedia.org/wiki/Sine_and_cosine[Sine] trigonometric function.
[source.merge.styled,esql]
----
include::{esql-specs}/floats.csv-spec[tag=sin]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/floats.csv-spec[tag=sin-result]
|===
Supported types:
include::types/sin.asciidoc[]


@ -1,20 +0,0 @@
[discrete]
[[esql-sinh]]
=== `SINH`
[.text-center]
image::esql/functions/signature/sinh.svg[Embedded,opts=inline]
https://en.wikipedia.org/wiki/Hyperbolic_functions[Sine] hyperbolic function.
[source.merge.styled,esql]
----
include::{esql-specs}/floats.csv-spec[tag=sinh]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/floats.csv-spec[tag=sinh-result]
|===
Supported types:
include::types/sinh.asciidoc[]


@ -1,18 +0,0 @@
[discrete]
[[esql-split]]
=== `SPLIT`
Split a single valued string into multiple strings. For example:
[source,esql]
----
include::{esql-specs}/string.csv-spec[tag=split]
----
Which splits `"foo;bar;baz;qux;quux;corge"` on `;` and returns an array:
[%header,format=dsv,separator=|]
|===
include::{esql-specs}/string.csv-spec[tag=split-result]
|===
WARNING: Only single byte delimiters are currently supported.


@ -1,23 +0,0 @@
[discrete]
[[esql-sqrt]]
=== `SQRT`
[.text-center]
image::esql/functions/signature/sqrt.svg[Embedded,opts=inline]
Returns the square root of a number. The input can be any numeric value, the return value
is always a double.
Square roots of negative numbers are NaN. Square roots of infinites are infinite.
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=sqrt]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=sqrt-result]
|===
Supported types:
include::types/sqrt.asciidoc[]


@ -1,21 +0,0 @@
[discrete]
[[esql-starts_with]]
=== `STARTS_WITH`
[.text-center]
image::esql/functions/signature/ends_with.svg[Embedded,opts=inline]
Returns a boolean that indicates whether a keyword string starts with another
string:
[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=startsWith]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=startsWith-result]
|===
Supported types:
include::types/starts_with.asciidoc[]


@ -1,32 +0,0 @@
[[esql-string-functions]]
==== {esql} string functions
++++
<titleabbrev>String functions</titleabbrev>
++++
{esql} supports these string functions:
// tag::string_list[]
* <<esql-concat>>
* <<esql-left>>
* <<esql-length>>
* <<esql-ltrim>>
* <<esql-replace>>
* <<esql-right>>
* <<esql-rtrim>>
* <<esql-split>>
* <<esql-substring>>
* <<esql-trim>>
// end::string_list[]
include::concat.asciidoc[]
include::left.asciidoc[]
include::length.asciidoc[]
include::ltrim.asciidoc[]
include::replace.asciidoc[]
include::right.asciidoc[]
include::rtrim.asciidoc[]
include::split.asciidoc[]
include::substring.asciidoc[]
include::trim.asciidoc[]


@ -1,38 +0,0 @@
[discrete]
[[esql-substring]]
=== `SUBSTRING`
Returns a substring of a string, specified by a start position and an optional
length. This example returns the first three characters of every last name:
[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=substring]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=substring-result]
|===
A negative start position is interpreted as being relative to the end of the
string. This example returns the last three characters of of every last name:
[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=substringEnd]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=substringEnd-result]
|===
If length is omitted, substring returns the remainder of the string. This
example returns all characters except for the first:
[source.merge.styled,esql]
----
include::{esql-specs}/docs.csv-spec[tag=substringRemainder]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/docs.csv-spec[tag=substringRemainder-result]
|===


@ -1,13 +0,0 @@
[discrete]
[[esql-agg-sum]]
=== `SUM`
The sum of a numeric field.
[source.merge.styled,esql]
----
include::{esql-specs}/stats.csv-spec[tag=sum]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/stats.csv-spec[tag=sum-result]
|===


@ -1,20 +0,0 @@
[discrete]
[[esql-tan]]
=== `TAN`
[.text-center]
image::esql/functions/signature/tan.svg[Embedded,opts=inline]
https://en.wikipedia.org/wiki/Sine_and_cosine[Tangent] trigonometric function.
[source.merge.styled,esql]
----
include::{esql-specs}/floats.csv-spec[tag=tan]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/floats.csv-spec[tag=tan-result]
|===
Supported types:
include::types/tan.asciidoc[]


@ -1,20 +0,0 @@
[discrete]
[[esql-tanh]]
=== `TANH`
[.text-center]
image::esql/functions/signature/tanh.svg[Embedded,opts=inline]
https://en.wikipedia.org/wiki/Hyperbolic_functions[Tangent] hyperbolic function.
[source.merge.styled,esql]
----
include::{esql-specs}/floats.csv-spec[tag=tanh]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/floats.csv-spec[tag=tanh-result]
|===
Supported types:
include::types/tanh.asciidoc[]


@ -1,16 +0,0 @@
[discrete]
[[esql-tau]]
=== `TAU`
[.text-center]
image::esql/functions/signature/tau.svg[Embedded,opts=inline]
The https://tauday.com/tau-manifesto[ratio] of a circle's circumference to its radius.
[source.merge.styled,esql]
----
include::{esql-specs}/math.csv-spec[tag=tau]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/math.csv-spec[tag=tau-result]
|===


@ -1,25 +0,0 @@
[discrete]
[[esql-to_boolean]]
=== `TO_BOOLEAN`
Converts an input value to a boolean value.
The input can be a single- or multi-valued field or an expression. The input
type must be of a string or numeric type.
A string value of *"true"* will be case-insensitive converted to the Boolean
*true*. For anything else, including the empty string, the function will
return *false*. For example:
[source.merge.styled,esql]
----
include::{esql-specs}/boolean.csv-spec[tag=to_boolean]
----
[%header.monospaced.styled,format=dsv,separator=|]
|===
include::{esql-specs}/boolean.csv-spec[tag=to_boolean-result]
|===
The numerical value of *0* will be converted to *false*, anything else will be
converted to *true*.
Alias: TO_BOOL
