
You are looking at preliminary documentation for a future release.
Not what you want? See the
current release documentation.
Elastic Docs
›Elasticsearch Guide [master]
›ES|QL
« ES|QL task management
ES|QL examples »
ES|QL limitationsedit
Result set size limitedit
By default, an ES|QL query returns up to 500 rows. You can increase the number
of rows up to 10,000 using the `LIMIT` command.
Queries do not return more than 10,000 rows, regardless of the `LIMIT` command’s
value.
This limit only applies to the number of rows that are retrieved by the query.
Queries and aggregations run on the full data set.
To overcome this limitation:
Reduce the result set size by modifying the query to only return relevant
data. Use `WHERE` to select a smaller subset of the data.
Shift any post-query processing to the query itself. You can use the ES|QL
`STATS ... BY` command to aggregate data in the query.
The default and maximum limits can be changed using these dynamic cluster
settings:
`esql.query.result_truncation_default_size`
`esql.query.result_truncation_max_size`
Field typesedit
Supported typesedit
ES|QL currently supports the following field types:
`alias`
`boolean`
`date`
`double` (`float`, `half_float`, `scaled_float` are represented as `double`)
`ip`
`keyword` family including `keyword`, `constant_keyword`, and `wildcard`
`int` (`short` and `byte` are represented as `int`)
`long`
`null`
`text`
`unsigned_long`
`version`
Spatial types
`geo_point`
`point`
Unsupported typesedit
ES|QL does not yet support the following field types:
TSDB metrics
`counter`
`position`
`aggregate_metric_double`
Spatial types
`geo_shape`
`shape`
Date/time
`date_nanos`
`date_range`
Other types
`binary`
`completion`
`dense_vector`
`double_range`
`flattened`
`float_range`
`histogram`
`integer_range`
`ip_range`
`long_range`
`nested`
`rank_feature`
`rank_features`
`search_as_you_type`
Querying a column with an unsupported type returns an error. If a column with an
unsupported type is not explicitly used in a query, it is returned with `null`
values, with the exception of nested fields. Nested fields are not returned at
all.
Full-text search is not supportededit
Because of the way ES|QL treats `text` values,
full-text search is not yet supported. Queries on `text` fields are like queries
on `keyword` fields: they are case-sensitive and need to match the full string.
For example, after indexing a field of type `text` with the value `Elasticsearch
query language`, the following `WHERE` clause does not match because the `LIKE`
operator is case-sensitive:
| WHERE field LIKE "elasticsearch query language"
The following `WHERE` clause does not match either, because the `LIKE` operator
tries to match the whole string:
| WHERE field LIKE "Elasticsearch"
As a workaround, use wildcards and regular expressions. For example:
| WHERE field RLIKE "[Ee]lasticsearch.*"
`text` fields behave like `keyword` fieldsedit
While ES|QL supports `text` fields, ES|QL does not treat these fields
like the Search API does. ES|QL queries do not query or aggregate the
analyzed string. Instead, an ES|QL query will try to get a `text`
field’s subfield of the keyword family type and query/aggregate
that. If it’s not possible to retrieve a `keyword` subfield, ES|QL will get the
string from a document’s `_source`. If the `_source` cannot be retrieved, for
example when using synthetic source, `null` is returned.
Note that ES|QL’s retrieval of `keyword` subfields may have unexpected
consequences. An ES|QL query on a `text` field is case-sensitive. Furthermore,
a subfield may have been mapped with a normalizer, which can
transform the original string. Or it may have been mapped with `ignore_above`,
which can truncate the string. None of these mapping operations are applied to
an ES|QL query, which may lead to false positives or negatives.
To avoid these issues, a best practice is to be explicit about the field that
you query, and query `keyword` sub-fields instead of `text` fields.
Time series data streams are not supportededit
ES|QL does not support querying time series data streams (TSDS).
Cross-cluster search is not supportededit
ES|QL does not support cross-cluster search.
Date math limitationsedit
Date math expressions work well when the leftmost expression is a datetime, for
example:
now() + 1 year - 2hour + ...
But using parentheses or putting the datetime to the right is not always supported yet. For example, the following expressions fail:
1year + 2hour + now()
now() + (1year + 2hour)
Date math does not allow subtracting two datetimes, for example:
now() - 2023-10-26
Enrich limitationsedit
The ES|QL `ENRICH` command only supports enrich policies of type `match`.
Furthermore, `ENRICH` only supports enriching on a column of type `keyword`.
Dissect limitationsedit
The `DISSECT` command does not support reference keys.
Grok limitationsedit
The `GROK` command does not support configuring custom
patterns, or multiple patterns. The `GROK` command is not
subject to Grok watchdog settings.
Multivalue limitationsedit
ES|QL supports multivalued fields, but functions
return `null` when applied to a multivalued field, unless documented otherwise.
Work around this limitation by converting the field to single value with one of
the multivalue functions.
Timezone supportedit
ES|QL only supports the UTC timezone.
Kibana limitationsedit
The user interface to filter data is not enabled when Discover is in ES|QL
mode. To filter data, write a query that uses the `WHERE` command
instead.
In ES|QL mode, clicking a field in the field list in Discover does not show
quick statistics for that field.
Discover shows no more than 10,000 rows. This limit only applies to the number
of rows that are retrieved by the query and displayed in Discover. Queries and
aggregations run on the full data set.
Discover shows no more than 50 columns. If a query returns
more than 50 columns, Discover only shows the first 50.
Querying many many indices at once without any filters can cause an error in
kibana which looks like `[esql] > Unexpected error from Elasticsearch: The
content length (536885793) is bigger than the maximum allowed string
(536870888)`. The response from ES|QL is too long. Use `DROP` or
`KEEP` to limit the number of fields returned.
