```markdown
# ES|QL Syntax Reference

## Overview

The Elasticsearch Query Language (ES|QL) provides a powerful and flexible way to query, filter, transform, and analyze data stored in Elasticsearch. ES|QL uses a piped syntax (`|`) to chain commands and functions, enabling users to compose complex queries in a step-by-step manner. Each query starts with a source command (e.g., `FROM`) and can be followed by one or more processing commands.

### Basic Syntax

An ES|QL query is composed of:
1. A **source command**: Retrieves data from indices, data streams, or aliases.
2. A series of **processing commands**: Transform or filter the data.

Commands are separated by the pipe character (`|`), and the result of one command is passed as input to the next. For example:

```esql
FROM employees
| WHERE height > 2
| SORT height DESC
```

The result of the query is the table produced by the final processing command.

### Identifiers

Identifiers must be quoted with backticks (`` ` ``) if:
- They don’t start with a letter, `_`, or `@`.
- They contain characters other than letters, numbers, or `_`.

For example:
```esql
FROM index
| KEEP `1.field`
```

### Literals

#### String Literals
String literals are enclosed in double quotes (`"`). If the string contains quotes, escape them with `\\` or use triple quotes (`"""`):
```esql
ROW name = """Indiana "Indy" Jones"""
```

#### Numeric Literals
Numeric literals can be expressed in decimal or scientific notation:
```esql
ROW value1 = 1969, value2 = 3.14, value3 = 4E5
```

### Comments

ES|QL supports C++-style comments:
- Single-line comments: `//`
- Multi-line comments: `/* */`

```esql
// Query the employees index
FROM employees
| WHERE height > 2
```

### Timespan Literals

Timespan literals represent datetime intervals and are expressed as a combination of a number and a temporal unit (e.g., `1 day`, `24h`, `7 weeks`). They are not whitespace-sensitive:
```esql
1day
1 day
1       day
```

Timespan literals can be used in various commands and functions, such as `WHERE`, `DATE_TRUNC`, and `BUCKET`.

---

## Example Queries Using Timespan Literals

Below are five example queries showcasing the use of timespan literals in combination with different commands and functions.

Filtering Logs from the Last 24 Hours
This query retrieves logs from the last 24 hours and calculates the total number of logs per hour.

```esql
FROM logs-*
| WHERE @timestamp >= NOW() - 24h
| EVAL hour = DATE_TRUNC(1 hour, @timestamp)
| STATS log_count = COUNT(*) BY hour
| SORT hour
```

Grouping by Weekly Buckets
This query groups employee hire dates into weekly buckets for the last 7 weeks and calculates the number of hires per week.

```esql
FROM employees
| WHERE hire_date >= NOW() - 7 weeks
| STATS hires_per_week = COUNT(*) BY week = BUCKET(hire_date, 1 week)
| SORT week
```

Calculating Monthly Averages
This query calculates the average salary of employees grouped by monthly buckets for the year 2023.

```esql
FROM employees
| WHERE hire_date >= "2023-01-01T00:00:00Z" AND hire_date < "2024-01-01T00:00:00Z"
| EVAL month = DATE_TRUNC(1 month, hire_date)
| STATS avg_salary = AVG(salary) BY month
| SORT month
```

Creating Hourly Buckets for the Last Day
This query creates hourly buckets for the last 1 day and calculates the total number of events in each bucket.

```esql
FROM events
| WHERE @timestamp >= NOW() - 1 day
| STATS event_count = COUNT(*) BY hour = BUCKET(@timestamp, 1 hour)
| SORT hour
```

Filtering and Aggregating by Custom Time Range
This query filters logs within a custom time range and calculates the maximum response time for each 6-hour interval.

```esql
FROM logs-*
| WHERE @timestamp >= "2023-10-01T00:00:00Z" AND @timestamp < "2023-10-02T00:00:00Z"
| EVAL interval = DATE_TRUNC(6 hours, @timestamp)
| STATS max_response_time = MAX(response_time) BY interval
| SORT interval
```

---

## Key Features of ES|QL Syntax

### Named Parameters in Functions
Some functions, like `MATCH`, support named parameters for additional options:
```esql
FROM library
| WHERE MATCH(author, "Frank Herbert", {"minimum_should_match": 2, "operator": "AND"})
| LIMIT 5
```

### Supported Commands and Functions
ES|QL supports a wide range of commands and functions for filtering, transforming, and analyzing data. For example:
- **Commands**: `FROM`, `WHERE`, `SORT`, `STATS`, `EVAL`, `KEEP`, `DROP`, `LIMIT`, `BUCKET`, `DATE_TRUNC`
- **Functions**: `COUNT`, `AVG`, `MAX`, `MIN`, `DATE_EXTRACT`, `DATE_DIFF`, `CASE`

Refer to the [Commands](#commands) and [Functions](#functions) sections for detailed descriptions and examples.

---

## Conclusion

ES|QL provides a robust and intuitive syntax for querying and analyzing data in Elasticsearch. By leveraging its piped syntax, timespan literals, and rich set of commands and functions, users can perform complex data transformations and aggregations with ease. The examples above demonstrate the flexibility and power of ES|QL, making it a valuable tool for data exploration and analysis.
```
