2.0 KiB
FROM [esql-from]
The FROM source command returns a table with data from a data stream, index,
or alias.
Syntax
FROM index_pattern [METADATA fields]
Parameters
index_pattern- A list of indices, data streams or aliases. Supports wildcards and date math.
fields- A comma-separated list of metadata fields to retrieve.
Description
The FROM source command returns a table with data from a data stream, index,
or alias. Each row in the resulting table represents a document. Each column
corresponds to a field, and can be accessed by the name of that field.
::::{note}
By default, an {{esql}} query without an explicit LIMIT uses an implicit
limit of 1000. This applies to FROM too. A FROM command without LIMIT:
FROM employees
is executed as:
FROM employees
| LIMIT 1000
::::
Examples
FROM employees
You can use date math to refer to indices, aliases and data streams. This can be useful for time series data, for example to access today’s index:
FROM <logs-{now/d}>
Use comma-separated lists or wildcards to query multiple data streams, indices, or aliases:
FROM employees-00001,other-employees-*
Use the format <remote_cluster_name>:<target> to
query data streams and indices on remote clusters:
FROM cluster_one:employees-00001,cluster_two:other-employees-*
Use the optional METADATA directive to enable
metadata fields:
FROM employees METADATA _id
Use enclosing double quotes (") or three enclosing double quotes (""") to escape index names
that contain special characters:
FROM "this=that", """this[that"""