grafana/docs/sources/datasources/elasticsearch/query-editor/index.md
Ivana Huckova 154896b47e
Docs: Update documentation for Elasticsearch (#84350)
* Docs: Update documentation for Elasticsearch lucene query

* Update docs/sources/datasources/elasticsearch/query-editor/index.md

Co-authored-by: Sven Grossmann <sven.grossmann@grafana.com>

* Update docs/sources/datasources/elasticsearch/query-editor/index.md

---------

Co-authored-by: Sven Grossmann <sven.grossmann@grafana.com>
2024-03-13 12:25:28 +02:00

10 KiB

aliases description keywords labels menuTitle title weight
../../data-sources/elasticsearch/query-editor/
../../data-sources/elasticsearch/template-variables/
Guide for using the Elasticsearch data source's query editor
grafana
elasticsearch
lucene
metrics
logs
queries
products
cloud
enterprise
oss
data source
Query editor Elasticsearch query editor 300

Elasticsearch query editor

Grafana provides a query editor for Elasticsearch. Elasticsearch queries are in Lucene format. See Lucene query syntax and Query string syntax if you are new to working with Lucene queries in Elasticsearch.

{{% admonition type="note" %}} When composing Lucene queries, ensure that you use uppercase boolean operators: AND, OR, and NOT. Lowercase versions of these operators are not supported by the Lucene query syntax. {{% /admonition %}}

{{< figure src="/static/img/docs/elasticsearch/elastic-query-editor-10.1.png" max-width="800px" class="docs-image--no-shadow" caption="Elasticsearch query editor" >}}

For general documentation on querying data sources in Grafana, including options and functions common to all query editors, see [Query and transform data][].

Aggregation types

Elasticsearch groups aggregations into three categories:

  • Bucket - Bucket aggregations don't calculate metrics, they create buckets of documents based on field values, ranges and a variety of other criteria. See Bucket aggregations for additional information. Use bucket aggregations under Group by when creating a metrics query in the query builder.

  • Metrics - Metrics aggregations perform calculations such as sum, average, min, etc. They can be single-value or multi-value. See Metrics aggregations for additional information. Use metrics aggregations in the metrics query type in the query builder.

  • Pipeline - Elasticsearch pipeline aggregations work with inputs or metrics created from other aggregations (not documents or fields). There are parent and sibling and sibling pipeline aggregations. See Pipeline aggregations for additional information.

Select a query type

There are three types of queries you can create with the Elasticsearch query builder. Each type is explained in detail below.

Metrics query type

Metrics queries aggregate data and produce a variety of calculations such as count, min, max, etc. Click on the metric box to view a list of options in the dropdown menu. The default is count.

You can select multiple metrics and group by multiple terms or filters when using the Elasticsearch query editor.

Use the + sign to the right to add multiple metrics to your query. Click on the eye icon next to Metric to hide metrics, and the garbage can icon to remove metrics.

Each group by option will have a different subset of options to further narrow your query.

The following options are specific to the date histogram bucket aggregation option.

  • Time field - Depicts date data options. The default option can be specified when configuring the Elasticsearch data source in the Time field name under the Elasticsearch details section. Otherwise @timestamp field will be used as a default option.
  • Interval - Group by a type of interval. There are option to choose from the dropdown menu to select seconds, minutes, hours or day. You can also add a custom interval such as 30d (30 days). Auto is the default option.
  • Min doc count - The minimum amount of data to include in your query. The default is 0.
  • Thin edges - Select to trim edges on the time series data points. The default is 0.
  • Offset - Changes the start value of each bucket by the specified positive(+) or negative (-) offset duration. Examples include 1h for 1 hour, 5s for 5 seconds or 1d for 1 day.
  • Timezone - Select a timezone from the dropdown menu. The default is Coordinated universal time.

Configure the following options for the terms bucket aggregation option:

  • Order - Sets the order of data. Options are top or bottom.
  • Size - Limits the number of documents, or size of the data set. You can set a custom number or no limit.
  • Min doc count - The minimum amount of data to include in your query. The default is 0.
  • Order by - Order terms by term value, doc count or count.
  • Missing - Defines how documents missing a value should be treated. Missing values are ignored by default, but they can be treated as if they had a value. See Missing value in Elasticsearch's documentation for more information.

Configure the following options for the filters bucket aggregation option:

  • Query - Specify the query to create a bucket of documents (data). Examples are hostname:"hostname1", product:"widget5". Use the * wildcard to match any number of characters.
  • Label - Add a label or name to the bucket.

Configure the following options for the geo hash grid bucket aggregation option:

  • Precision - Specifies the number of characters of the geo hash.

Configure the following options for the histogram bucket aggregation option:

  • Interval - Group by a type of interval. There are option to choose from the dropdown menu to select seconds, minutes, hours or day. You can also add a custom interval such as 30d (30 days). Auto is the default option.
  • Min doc count - The minimum amount of data to include in your query. The default is 0

The nested group by option is currently experimental, you can select a field and then settings specific to that field.

Click the + sign to add multiple group by options. The data will grouped in order (first by, then by).

{{< figure src="/static/img/docs/elasticsearch/group-by-then-by-10.2.png" max-width="850px" class="docs-image--no-shadow" caption="Group by options" >}}

Logs query type

Logs queries analyze Elasticsearch log data. You can configure the following options:

  • Logs Options/Limit - Limits the number of logs to analyze. The default is 500.

Raw data query type

Run a raw data query to retrieve a table of all fields that are associated with each log line.

  • Raw data size - Number of raw data documents. You can specify a different amount. The default is 500.

{{% admonition type="note" %}} The option to run a raw document query is deprecated as of Grafana v10.1. {{% /admonition %}}

Use template variables

You can also augment queries by using [template variables]({{< relref "./template-variables/" >}}).

Queries of terms have a 500-result limit by default. To set a custom limit, set the size property in your query.

{{% docs/reference %}} [Query and transform data]: "/docs/grafana/ -> /docs/grafana//panels-visualizations/query-transform-data" [Query and transform data]: "/docs/grafana-cloud/ -> /docs/grafana-cloud/visualizations/panels-visualizations/query-transform-data" {{% /docs/reference %}}