--- title: "Elasticsearch query editor | Grafana Cloud documentation" description: "Guide for using the Elasticsearch data source's query editor" --- # Elasticsearch query editor Grafana provides a query editor for Elasticsearch. Elasticsearch queries are in Lucene format. For more information about query syntax, refer to [Lucene query syntax](https://www.elastic.co/guide/en/kibana/current/lucene-query.html) and [Query string syntax](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax). > Note > > When composing Lucene queries, ensure that you use uppercase boolean operators: `AND`, `OR`, and `NOT`. Lowercase versions of these operators are not supported by the Lucene query syntax. [Elasticsearch query editor](/static/img/docs/elasticsearch/elastic-query-editor-10.1.png) For general documentation on querying data sources in Grafana, including options and functions common to all query editors, refer to [Query and transform data](/docs/grafana/next/panels-visualizations/query-transform-data/). ## Aggregation types Elasticsearch groups aggregations into three categories: - **Bucket** - Bucket aggregations don’t calculate metrics, they create buckets of documents based on field values, ranges and a variety of other criteria. Refer to [Bucket aggregations](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket.html) for additional information. Use bucket aggregations under `Group by` when creating a metrics query in the query builder. - **Metrics** - Metrics aggregations perform calculations such as sum, average, min, etc. They can be single-value or multi-value. Refer to [Metrics aggregations](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics.html) for additional information. Use metrics aggregations in the metrics query type in the query builder. - **Pipeline** - Pipeline aggregations work on the output of other aggregations rather than on documents or fields. Refer to [Pipeline aggregations](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline.html) for additional information. ## Select a query type There are two types of queries you can create with the Elasticsearch query builder. Each type is explained in detail below. ### Metrics query type Metrics queries aggregate data and produce calculations such as count, min, max, and more. Click the metric box to view options in the drop-down menu. The default is `count`. - **Alias** - Aliasing only applies to **time series queries**, where the last group is `date histogram`. This is ignored for any other type of query. - **Metric** - Metrics aggregations include: - count - refer to [Value count aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-valuecount-aggregation.html) - average - refer to [Avg aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-avg-aggregation.html) - sum - refer to [Sum aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-sum-aggregation.html) - max - refer to [Max aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-max-aggregation.html) - min - refer to [Min aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-min-aggregation.html) - extended stats - refer to [Extended stats aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-extendedstats-aggregation.html) - percentiles - refer to [Percentiles aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-percentile-aggregation.html) - unique count - refer to [Cardinality aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-cardinality-aggregation.html) - top metrics - refer to [Top metrics aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-top-metrics.html) - rate - refer to [Rate aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-rate-aggregation.html) - **Pipeline aggregations** - Pipeline aggregations work on the output of other aggregations rather than on documents. The following pipeline aggregations are available: - moving function - Calculates a value based on a sliding window of aggregated values. Refer to [Moving function aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline-movfn-aggregation.html). - derivative - Calculates the derivative of a metric. Refer to [Derivative aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline-derivative-aggregation.html). - cumulative sum - Calculates the cumulative sum of a metric. Refer to [Cumulative sum aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline-cumulative-sum-aggregation.html). - serial difference - Calculates the difference between values in a time series. Refer to [Serial differencing aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline-serialdiff-aggregation.html). - bucket script - Executes a script on metric values from other aggregations. Refer to [Bucket script aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline-bucket-script-aggregation.html). You can select multiple metrics and group by multiple terms or filters when using the Elasticsearch query editor. Use the **+ sign** to the right to add multiple metrics to your query. Click on the **eye icon** next to **Metric** to hide metrics, and the **garbage can icon** to remove metrics. - **Group by options** - Create multiple group by options when constructing your Elasticsearch query. Date histogram is the default option. The following options are available in the drop-down menu: - terms - refer to [Terms aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html). - filter - refer to [Filter aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-filter-aggregation.html). - geo hash grid - refer to [Geohash grid aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-geohashgrid-aggregation.html). - date histogram - for time series queries. Refer to [Date histogram aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-datehistogram-aggregation.html). - histogram - Depicts frequency distributions. Refer to [Histogram aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-histogram-aggregation.html). - nested (experimental) - Refer to [Nested aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-nested-aggregation.html). Each group by option will have a different subset of options to further narrow your query. The following options are specific to the **date histogram** bucket aggregation option. - **Time field** - The field used for time-based queries. The default can be set when configuring the data source in the **Time field name** setting under [Elasticsearch details](/docs/grafana-cloud/connect-externally-hosted/data-sources/elasticsearch/configure/#elasticsearch-details). The default is `@timestamp`. - **Interval** - The time interval for grouping data. Select from the drop-down menu or enter a custom interval such as `30d` (30 days). The default is `Auto`. - **Min doc count** - The minimum number of documents required to include a bucket. The default is `0`. - **Trim edges** - Removes partial buckets at the edges of the time range. The default is `0`. - **Offset** - Shifts the start of each bucket by the specified duration. Use positive (`+`) or negative (`-`) values. Examples: `1h`, `5s`, `1d`. - **Timezone** - The timezone for date calculations. The default is `Coordinated Universal Time`. Configure the following options for the **terms** bucket aggregation option: - **Order** - Sets the order of data. Options are `top` or `bottom.` - **Size** - Limits the number of documents, or size of the data set. You can set a custom number or `no limit`. - **Min doc count** - The minimum amount of data to include in your query. The default is `0`. - **Order by** - Order terms by `term value`, `doc count` or `count`. - **Missing** - Defines how documents missing a value should be treated. Missing values are ignored by default, but they can be treated as if they had a value. Refer to [Missing value](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html#_missing_value_5) in the Elasticsearch documentation for more information. Configure the following options for the **filters** bucket aggregation option: - **Query** - Specify the query to create a bucket of documents (data). Examples are `hostname:"hostname1"`, `product:"widget5"`. Use the * wildcard to match any number of characters. - **Label** - Add a label or name to the bucket. Configure the following options for the **geo hash grid** bucket aggregation option: - **Precision** - Specifies the number of characters of the geo hash. Configure the following options for the **histogram** bucket aggregation option: - **Interval** - The numeric interval for grouping values into buckets. - **Min doc count** - The minimum number of documents required to include a bucket. The default is `0`. The **nested** group by option is currently experimental, you can select a field and then settings specific to that field. Click the **+ sign** to add multiple group by options. The data will grouped in order (first by, then by). [Group by options](/static/img/docs/elasticsearch/group-by-then-by-10.2.png) ### Logs query type Logs queries analyze Elasticsearch log data. You can configure the following options: - **Logs Options/Limit** - Limits the number of logs to analyze. The default is `500`. ## Raw query editor > Note > > The raw query editor is an [experimental feature](/docs/release-life-cycle/). Engineering and on-call support is not available. Documentation is either limited or not provided outside of code comments. No SLA is provided. Enable the elasticsearchRawDSLQuery feature toggle in Grafana to use this feature. Do not enable this feature in production environments. The raw query editor allows you to write Elasticsearch queries using the native [Elasticsearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html). ### Switch between Builder and Code modes To access the raw query editor, click the **Code** toggle in the top-right corner of the query editor. You can switch between **Builder** and **Code** modes: - **Builder** - Visual query builder with dropdown menus and forms - **Code** - JSON editor for writing raw Elasticsearch DSL queries ### Write raw DSL queries When in Code mode, you can write complete Elasticsearch query DSL in JSON format. The editor provides: - **Syntax highlighting** for JSON - **Auto-formatting** - Click the **Format** button or press `Shift+Alt+F` to format your query - **Keyboard shortcuts** - Press `Ctrl+Enter` (or `Cmd+Enter` on Mac) to run the query - **Real-time validation** - Invalid JSON will be highlighted with error messages ### Time range handling If you want to filter by time range in a dashboard, you need to use the `$__from` and `$__to` macros in your raw DSL. An example query applying dashboard time range using the `@timestamp` field: JSON ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```json { "query": { "bool": { "must": [ { "range": { "@timestamp": { "gte": "$__from", "lte": "$__to", "format": "epoch_millis" } } } ] } } } ``` ### Supported query types The raw query editor supports all query types: - **Metrics queries** are used to query time series data with aggregations. The query parser will automatically extract bucket and metric aggregations from your DSL and use them for response processing. - **Logs queries** are used to query log data. ## ES|QL query editor > Note > > The ES|QL query editor is an [experimental feature](/docs/release-life-cycle/). Engineering and on-call support is not available. Documentation is either limited or not provided outside of code comments. No SLA is provided. Enable the elasticsearchESQLQuery feature toggle in Grafana to use this feature. Do not enable this feature in production environments. Introduced in Grafana v13.0, the ES|QL query editor lets you query Elasticsearch using [ES|QL (Elasticsearch Query Language)](https://www.elastic.co/docs/reference/query-languages/esql), a pipe-based query language. Unlike Lucene queries that rely on aggregation configuration in the builder UI, ES|QL lets you express filtering, aggregation, and transformation in a single query string. For an introduction to ES|QL syntax and concepts, refer to [Get started with ES|QL queries](https://www.elastic.co/docs/reference/query-languages/esql/esql-getting-started) in the Elasticsearch documentation. ### Index selection How the editor handles index selection depends on your data source configuration: - **No index name configured:** You specify which index to query using the `FROM` command directly in your ES|QL query. This lets you query any index without creating a separate data source for each one. - **Index name configured:** The editor automatically inserts `FROM $__index` when the ES|QL field receives focus. You can override this and query a different index if needed. ### Editor features The ES|QL code editor provides: - **Code suggestions** – Auto-complete for ES|QL commands and functions - **Error highlighting** – Syntax errors are highlighted in the editor and error messages from Elasticsearch are displayed directly - **Syntax highlighting** – ES|QL keywords, operators, and values are color-coded for readability ### Example queries The following examples show common ES|QL query patterns. #### Basic aggregation Count documents grouped by a field: esql ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```esql FROM logs-* | STATS count = COUNT(*) BY host.name | SORT count DESC | LIMIT 10 ``` #### Filter and aggregate over time Filter by a field value and compute an average over time intervals: esql ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```esql FROM metrics-* | WHERE service.name == "api-gateway" | STATS avg_duration = AVG(transaction.duration.us) BY @timestamp = BUCKET(@timestamp, 1 minute) | SORT @timestamp ``` #### Search log messages Search for specific patterns in log data: esql ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy ```esql FROM logs-* | WHERE message LIKE "*error*" AND log.level == "ERROR" | KEEP @timestamp, message, host.name, log.level | SORT @timestamp DESC | LIMIT 100 ``` ### Learn more about ES|QL For more information about ES|QL syntax, commands, and functions, refer to the following Elasticsearch documentation: - [ES|QL reference](https://www.elastic.co/docs/reference/query-languages/esql) – Overview of the ES|QL query language - [ES|QL commands](https://www.elastic.co/docs/reference/query-languages/esql/commands) – Source and processing commands (`FROM`, `WHERE`, `STATS`, `EVAL`, `KEEP`, `SORT`, `LIMIT`, and more) - [ES|QL functions and operators](https://www.elastic.co/docs/reference/query-languages/esql/functions-operators) – Aggregation, math, string, date, and other functions - [ES|QL syntax](https://www.elastic.co/docs/reference/query-languages/esql/esql-syntax) – Identifiers, literals, operators, and special characters ## Use template variables You can also augment queries by using [template variables](/docs/grafana-cloud/connect-externally-hosted/data-sources/elasticsearch/template-variables/). Queries of `terms` have a 500-result limit by default. To set a custom limit, set the `size` property in your query.