ES|QL string functions

Serverless Stack

ES|QL supports these string functions:

• BIT_LENGTH
• BYTE_LENGTH
• CONCAT
• CONTAINS
• ENDS_WITH
• FROM_BASE64
• HASH
• LEFT
• LENGTH
• LOCATE
• LTRIM
• MD5
• REPEAT
• REPLACE
• REVERSE
• RIGHT
• RTRIM
• SHA1
• SHA256
• SPACE
• SPLIT
• STARTS_WITH
• SUBSTRING
• TO_BASE64
• TO_LOWER
• TO_UPPER
• TRIM
• URL_ENCODE
• URL_ENCODE_COMPONENT
• URL_DECODE

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Returns the bit length of a string.

Supported types

Example

FROM airports
| WHERE country == "India"
| KEEP city
| EVAL fn_length = LENGTH(city), fn_bit_length = BIT_LENGTH(city)
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Returns the byte length of a string.

Supported types

Example

FROM airports
| WHERE country == "India"
| KEEP city
| EVAL fn_length = LENGTH(city), fn_byte_length = BYTE_LENGTH(city)
		

Syntax

×

Parameters

string1

Strings to concatenate.

string2

Strings to concatenate.

Description

Concatenates two or more strings.

Supported types

Example

FROM employees
| KEEP first_name, last_name
| EVAL fullname = CONCAT(first_name, " ", last_name)
		

Stack 9.2.0

Syntax

×

Parameters

string

String expression: input string to check against. If null, the function returns null.

substring

String expression: A substring to find in the input string. If null, the function returns null.

Description

Returns a boolean that indicates whether a keyword substring is within another string. Returns null if either parameter is null.

Supported types

Example

ROW a = "hello"
| EVAL has_ll = CONTAINS(a, "ll")
		

Syntax

×

Parameters

str

String expression. If null, the function returns null.

suffix

String expression. If null, the function returns null.

Description

Returns a boolean that indicates whether a keyword string ends with another string.

Supported types

Example

FROM employees
| KEEP last_name
| EVAL ln_E = ENDS_WITH(last_name, "d")
		

Syntax

×

Parameters

string

A base64 string.

Description

Decode a base64 string.

Supported types

Example

ROW a = "ZWxhc3RpYw=="
| EVAL d = FROM_BASE64(a)
		

Syntax

×

Parameters

algorithm

Hash algorithm to use.

input

Input to hash.

Description

Computes the hash of the input using various algorithms such as MD5, SHA, SHA-224, SHA-256, SHA-384, SHA-512.

Supported types

Example

FROM sample_data
| WHERE message != "Connection error"
| EVAL md5 = hash("md5", message), sha256 = hash("sha256", message)
| KEEP message, md5, sha256
		

Syntax

×

Parameters

string

The string from which to return a substring.

length

The number of characters to return.

Description

Returns the substring that extracts length chars from string starting from the left.

Supported types

Example

FROM employees
| KEEP last_name
| EVAL left = LEFT(last_name, 3)
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Returns the character length of a string.

Supported types

Example

FROM airports
| WHERE country == "India"
| KEEP city
| EVAL fn_length = LENGTH(city)
		

Syntax

×

Parameters

string

An input string

substring

A substring to locate in the input string

start

The start index

Description

Returns an integer that indicates the position of a keyword substring within another string. Returns 0 if the substring cannot be found. Note that string positions start from 1.

Supported types

Example

ROW a = "hello"
| EVAL a_ll = LOCATE(a, "ll")
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Removes leading whitespaces from a string.

Supported types

Example

ROW message = "   some text  ",  color = " red "
| EVAL message = LTRIM(message)
| EVAL color = LTRIM(color)
| EVAL message = CONCAT("'", message, "'")
| EVAL color = CONCAT("'", color, "'")
		

Syntax

×

Parameters

input

Input to hash.

Description

Computes the MD5 hash of the input (if the MD5 hash is available on the JVM).

Supported types

Example

FROM sample_data
| WHERE message != "Connection error"
| EVAL md5 = md5(message)
| KEEP message, md5
		

Syntax

×

Parameters

string

String expression.

number

Number times to repeat.

Description

Returns a string constructed by concatenating string with itself the specified number of times.

Supported types

Example

ROW a = "Hello!"
| EVAL triple_a = REPEAT(a, 3)
		

Syntax

×

Parameters

string

String expression.

regex

Regular expression.

newString

Replacement string.

Description

The function substitutes in the string str any match of the regular expression regex with the replacement string newStr.

Supported types

Examples

This example replaces any occurrence of the word "World" with the word "Universe":

ROW str = "Hello World"
| EVAL str = REPLACE(str, "World", "Universe")
		

This example removes all spaces:

ROW str = "Hello World"
| EVAL str = REPLACE(str, "\\\\s+", "")
		

Syntax

×

Parameters

str

String expression. If null, the function returns null.

Description

Returns a new string representing the input string in reverse order.

Supported types

Examples

ROW message = "Some Text" | EVAL message_reversed = REVERSE(message);
		

REVERSE works with unicode, too! It keeps unicode grapheme clusters together during reversal.

ROW bending_arts = "💧🪨🔥💨" | EVAL bending_arts_reversed = REVERSE(bending_arts);
		

Syntax

×

Parameters

string

The string from which to returns a substring.

length

The number of characters to return.

Description

Return the substring that extracts length chars from str starting from the right.

Supported types

Example

FROM employees
| KEEP last_name
| EVAL right = RIGHT(last_name, 3)
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Removes trailing whitespaces from a string.

Supported types

Example

ROW message = "   some text  ",  color = " red "
| EVAL message = RTRIM(message)
| EVAL color = RTRIM(color)
| EVAL message = CONCAT("'", message, "'")
| EVAL color = CONCAT("'", color, "'")
		

Syntax

×

Parameters

input

Input to hash.

Description

Computes the SHA1 hash of the input.

Supported types

Example

FROM sample_data
| WHERE message != "Connection error"
| EVAL sha1 = sha1(message)
| KEEP message, sha1
		

Syntax

×

Parameters

input

Input to hash.

Description

Computes the SHA256 hash of the input.

Supported types

Example

FROM sample_data
| WHERE message != "Connection error"
| EVAL sha256 = sha256(message)
| KEEP message, sha256
		

Syntax

×

Parameters

number

Number of spaces in result.

Description

Returns a string made of number spaces.

Supported types

Example

ROW message = CONCAT("Hello", SPACE(1), "World!");
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

delim

Delimiter. Only single byte delimiters are currently supported.

Description

Split a single valued string into multiple strings.

Supported types

Example

ROW words="foo;bar;baz;qux;quux;corge"
| EVAL word = SPLIT(words, ";")
		

Syntax

×

Parameters

str

String expression. If null, the function returns null.

prefix

String expression. If null, the function returns null.

Description

Returns a boolean that indicates whether a keyword string starts with another string.

Supported types

Example

FROM employees
| KEEP last_name
| EVAL ln_S = STARTS_WITH(last_name, "B")
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

start

Start position.

length

Length of the substring from the start position. Optional; if omitted, all positions after start are returned.

Description

Returns a substring of a string, specified by a start position and an optional length.

Supported types

Examples

This example returns the first three characters of every last name:

FROM employees
| KEEP last_name
| EVAL ln_sub = SUBSTRING(last_name, 1, 3)
		

A negative start position is interpreted as being relative to the end of the string. This example returns the last three characters of every last name:

FROM employees
| KEEP last_name
| EVAL ln_sub = SUBSTRING(last_name, -3, 3)
		

If length is omitted, substring returns the remainder of the string. This example returns all characters except for the first:

FROM employees
| KEEP last_name
| EVAL ln_sub = SUBSTRING(last_name, 2)
		

Syntax

×

Parameters

string

A string.

Description

Encode a string to a base64 string.

Supported types

Example

ROW a = "elastic"
| EVAL e = TO_BASE64(a)
		

Syntax

×

Parameters

str

String expression. If null, the function returns null. The input can be a single-valued column or expression, or a multi-valued column or expression Stack 9.1.0 .

Description

Returns a new string representing the input string converted to lower case.

Supported types

Examples

ROW message = "Some Text"
| EVAL message_lower = TO_LOWER(message)
		

Stack 9.1.0

ROW v = TO_LOWER(["Some", "Text"])
		

Syntax

×

Parameters

str

String expression. If null, the function returns null. The input can be a single-valued column or expression, or a multi-valued column or expression Stack 9.1.0 .

Description

Returns a new string representing the input string converted to upper case.

Supported types

Example

ROW message = "Some Text"
| EVAL message_upper = TO_UPPER(message)
		

Syntax

×

Parameters

string

String expression. If null, the function returns null.

Description

Removes leading and trailing whitespaces from a string.

Supported types

Example

ROW message = "   some text  ",  color = " red "
| EVAL message = TRIM(message)
| EVAL color = TRIM(color)
		

Stack 9.2.0

Syntax

×

Parameters

string

The URL to encode.

Description

URL-encodes the input. All characters are percent-encoded except for alphanumerics, ., -, _, and ~. Spaces are encoded as +.

Supported types

Example

ROW u = "https://example.com/?x=foo bar&y=baz" | EVAL u = URL_ENCODE(u)
		

Stack 9.2.0

Syntax

×

Parameters

string

The URL to encode.

Description

URL-encodes the input. All characters are percent-encoded except for alphanumerics, ., -, _, and ~. Spaces are encoded as %20.

Supported types

Example

ROW u = "https://example.com/?x=foo bar&y=baz"
| EVAL u = URL_ENCODE_COMPONENT(u)
		

Stack 9.2.0

Syntax

×

Parameters

string

The URL-encoded string to decode.

Description

URL-decodes the input, or returns null and adds a warning header to the response if the input cannot be decoded.

Supported types

Example

ROW u = "https%3A%2F%2Fexample.com%2F%3Fx%3Dfoo%20bar%26y%3Dbaz"
| EVAL u = URL_DECODE(u)