Loading

ES|QL functions and operators reference

Complete mapping of ES|QL functions and operators to their Elastic.Esql equivalents. Functions not yet supported are listed at the bottom of each section.

Aggregations run inside .GroupBy(...).Select(...) or as terminal operators like .Count(). See STATS...BY aggregation for details on the GroupBy pattern.

var topLevels = client.CreateQuery<LogEntry>()
    .GroupBy(l => l.Level)
    .Select(g => new {
        Level = g.Key,
        Count = g.Count(),
        Avg = g.Average(l => l.Duration),
        P99 = EsqlFunctions.Percentile(g, l => l.Duration, 99)
    });
// STATS count = COUNT(*), avg = AVG(duration), p99 = PERCENTILE(duration, 99) BY level = log.level
ES|QL EsqlFunctions C# native
ABSENT EsqlFunctions.Absent(g, x => x.Field)
AVG g.Average(x => x.Field)
COUNT g.Count() or .Count()
COUNT_DISTINCT EsqlFunctions.CountDistinct(g, x => x.Field)
FIRST EsqlFunctions.First(g, x => x.Field)
LAST EsqlFunctions.Last(g, x => x.Field)
MAX g.Max(x => x.Field)
MEDIAN EsqlFunctions.Median(g, x => x.Field)
MEDIAN_ABSOLUTE_DEVIATION EsqlFunctions.MedianAbsoluteDeviation(g, x => x.Field)
MIN g.Min(x => x.Field)
PERCENTILE EsqlFunctions.Percentile(g, x => x.Field, 99)
PRESENT EsqlFunctions.Present(g, x => x.Field)
SAMPLE EsqlFunctions.Sample(g, x => x.Field)
STD_DEV EsqlFunctions.StdDev(g, x => x.Field)
SUM g.Sum(x => x.Field)
TOP EsqlFunctions.Top(g, x => x.Field, n, "asc")
VALUES EsqlFunctions.Values(g, x => x.Field)
VARIANCE EsqlFunctions.Variance(g, x => x.Field)
WEIGHTED_AVG EsqlFunctions.WeightedAvg(g, x => x.Val, x => x.Weight)

Not yet supported: ST_CENTROID_AGG, ST_EXTENT_AGG.

Conditional logic in projections. The ternary operator maps to CASE WHEN.

.Select(l => new { Status = l.StatusCode >= 500 ? "error" : "ok" })
// EVAL status = CASE WHEN statusCode >= 500 THEN "error" ELSE "ok" END
ES|QL EsqlFunctions C# native
CASE condition ? trueVal : falseVal
CLAMP EsqlFunctions.Clamp(n, min, max) Math.Clamp(n, min, max)
COALESCE EsqlFunctions.Coalesce(a, b)
GREATEST Math.Max(a, b)
LEAST Math.Min(a, b)

DateTime properties translate to DATE_EXTRACT. Arithmetic methods like .AddDays() produce date math expressions.

.Where(l => l.Timestamp > DateTime.UtcNow.AddHours(-1) && l.Timestamp.Year == 2025)
// WHERE (@timestamp > (NOW() + -1 hours) AND DATE_EXTRACT("year", @timestamp) == 2025)
ES|QL EsqlFunctions C# native
DATE_DIFF EsqlFunctions.DateDiff(unit, start, end)
DATE_EXTRACT .Year, .Month, .Day, .Hour, .Minute, .Second, .DayOfWeek, .DayOfYear
DATE_FORMAT EsqlFunctions.DateFormat(field, pattern)
DATE_PARSE EsqlFunctions.DateParse(pattern, str)
DATE_TRUNC EsqlFunctions.DateTrunc(unit, field) DateTime.Today
DAY_NAME EsqlFunctions.DayName(date)
MONTH_NAME EsqlFunctions.MonthName(date)
NOW EsqlFunctions.Now() DateTime.Now, DateTime.UtcNow
TRANGE EsqlFunctions.TRange(start, end)
Date arithmetic .AddDays(n), .AddHours(n), .AddMinutes(n), .AddSeconds(n), .AddMilliseconds(n)
Time intervals TimeSpan.FromDays(n), .FromHours(n), .FromMinutes(n), .FromSeconds(n)

Grouping uses standard LINQ .GroupBy(). ES|QL-specific grouping functions are available through EsqlFunctions. See STATS...BY aggregation for the full GroupBy pattern.

.GroupBy(l => EsqlFunctions.Bucket(l.Duration, 10))
.Select(g => new { Bucket = g.Key, Count = g.Count() })
// STATS count = COUNT(*) BY bucket = BUCKET(duration, 10)
ES|QL EsqlFunctions C# native
BUCKET EsqlFunctions.Bucket(field, n) or EsqlFunctions.Bucket(field, span)
CATEGORIZE EsqlFunctions.Categorize(field)
TBUCKET EsqlFunctions.TBucket(field, span) 
using static Elastic.Esql.Functions.EsqlFunctions;
.Where(l => CidrMatch(l.ClientIp, "10.0.0.0/8"))
// WHERE CIDR_MATCH(client_ip, "10.0.0.0/8")
ES|QL EsqlFunctions C# native
CIDR_MATCH EsqlFunctions.CidrMatch(ip, cidr)
IP_PREFIX EsqlFunctions.IpPrefix(ip, prefixLen, ipVer)

Standard Math.* methods translate to their ES|QL equivalents in both Where and Select. EsqlFunctions methods also work in both contexts.

.Select(l => new { Abs = Math.Abs(l.Delta), Root = Math.Sqrt(l.Value) })
// EVAL abs = ABS(delta), root = SQRT(value)
ES|QL EsqlFunctions C# native
ABS EsqlFunctions.Abs(n) Math.Abs(n)
ACOS EsqlFunctions.Acos(n) Math.Acos(n)
ASIN EsqlFunctions.Asin(n) Math.Asin(n)
ATAN EsqlFunctions.Atan(n) Math.Atan(n)
ATAN2 EsqlFunctions.Atan2(y, x) Math.Atan2(y, x)
CBRT EsqlFunctions.Cbrt(n) Math.Cbrt(n)
CEIL EsqlFunctions.Ceil(n) Math.Ceiling(n)
COPY_SIGN EsqlFunctions.CopySign(mag, sign) Math.CopySign(mag, sign)
COS EsqlFunctions.Cos(n) Math.Cos(n)
COSH EsqlFunctions.Cosh(n) Math.Cosh(n)
E EsqlFunctions.E()
EXP EsqlFunctions.Exp(n) Math.Exp(n)
FLOOR EsqlFunctions.Floor(n) Math.Floor(n)
HYPOT EsqlFunctions.Hypot(a, b)
LOG Math.Log(n)
LOG10 Math.Log10(n)
PI EsqlFunctions.Pi()
POW Math.Pow(base, exp)
ROUND EsqlFunctions.Round(n, decimals) Math.Round(n)
ROUND_TO EsqlFunctions.RoundTo(n, dp)
SCALB EsqlFunctions.ScaleB(n, exp) Math.ScaleB(n, exp)
SIGNUM EsqlFunctions.Signum(n) Math.Sign(n)
SIN EsqlFunctions.Sin(n) Math.Sin(n)
SINH EsqlFunctions.Sinh(n) Math.Sinh(n)
SQRT Math.Sqrt(n)
TAN EsqlFunctions.Tan(n) Math.Tan(n)
TANH EsqlFunctions.Tanh(n) Math.Tanh(n)
TAU EsqlFunctions.Tau()

Note: Math.E, Math.PI, and Math.Tau are const fields that the C# compiler inlines as numeric literals. Use EsqlFunctions.E(), .Pi(), .Tau() instead to generate the ES|QL function calls.

Vector search and similarity functions for dense_vector fields. Vectors are passed as DenseVector<T> (with implicit conversion from T[] and ReadOnlyMemory<T>). Use T = float for element_type: "float" and T = byte for both element_type: "byte" and element_type: "bit"; the bundled JSON converter handles the signed-byte wire format for byte vectors so you can pass natural unsigned values. See the vector and hybrid search guide for the full pattern, including FROM ... METADATA, EsqlMetadata.Score, and FORK/FUSE hybrid pipelines.

.From("books", MetadataField.Score)
.Where(b => EsqlFunctions.Knn(b.Embedding, new float[] { 0.5f, 0.25f, 0.75f }, new KnnOptions { K = 10 }))
// FROM books METADATA _score | WHERE KNN(embedding, [0.5, 0.25, 0.75], { "k": 10 })
ES|QL EsqlFunctions C# native
KNN EsqlFunctions.Knn(field, query[, options])
TEXT_EMBEDDING EsqlFunctions.TextEmbedding(text, inferenceId)
V_COSINE EsqlFunctions.VCosine(a, b)
V_DOT_PRODUCT EsqlFunctions.VDotProduct(a, b)
V_HAMMING EsqlFunctions.VHamming(a, b)
V_L1_NORM EsqlFunctions.VL1Norm(a, b)
V_L2_NORM EsqlFunctions.VL2Norm(a, b)

The optional third argument to Knn is a typed KnnOptions record. Set the properties you want to override; only set properties are emitted into the ES|QL named-parameter object (e.g. new KnnOptions { K = 10, MinCandidates = 100 } -> { "k": 10, "min_candidates": 100 }). Available properties: K, MinCandidates, Similarity, Boost, VisitPercentage, RescoreOversample.

Not yet supported: EMBEDDING (planned, currently serverless-only preview).

Full-text search and pattern matching functions available through EsqlFunctions.

using static Elastic.Esql.Functions.EsqlFunctions;
.Where(l => Match(l.Message, "connection error"))
// WHERE MATCH(message, "connection error")
ES|QL EsqlFunctions C# native
DECAY EsqlFunctions.Decay(func, field, origin, scale)
KQL EsqlFunctions.Kql(query)
MATCH EsqlFunctions.Match(field, query)
MATCH_PHRASE EsqlFunctions.MatchPhrase(field, phrase)
QSTR EsqlFunctions.Qstr(query)
SCORE EsqlFunctions.Score()
TOP_SNIPPETS EsqlFunctions.TopSnippets(field, n)

C# string methods translate to ES|QL string functions. Contains, StartsWith, and EndsWith map to LIKE patterns.

.Where(l => l.Host.StartsWith("prod-") && l.Message.ToLower().Contains("timeout"))
// WHERE host LIKE "prod-*" AND TO_LOWER(message) LIKE "*timeout*"
ES|QL EsqlFunctions C# native
BIT_LENGTH EsqlFunctions.BitLength(s)
BYTE_LENGTH EsqlFunctions.ByteLength(s)
CHUNK EsqlFunctions.Chunk(s, size)
CONCAT EsqlFunctions.Concat(a, b)
ENDS_WITH s.EndsWith("suffix") (via LIKE)
FROM_BASE64 EsqlFunctions.FromBase64(s)
HASH EsqlFunctions.Hash(algo, s)
LEFT EsqlFunctions.Left(s, n)
LENGTH EsqlFunctions.Length(s) s.Length
LOCATE EsqlFunctions.Locate(s, substr) s.IndexOf(substr)
LTRIM EsqlFunctions.Ltrim(s) s.TrimStart()
MD5 EsqlFunctions.Md5(s)
REPEAT EsqlFunctions.Repeat(s, n)
REPLACE EsqlFunctions.Replace(s, old, new) s.Replace(old, new)
REVERSE EsqlFunctions.Reverse(s)
RIGHT EsqlFunctions.Right(s, n)
RTRIM EsqlFunctions.Rtrim(s) s.TrimEnd()
SHA1 EsqlFunctions.Sha1(s)
SHA256 EsqlFunctions.Sha256(s)
SPACE EsqlFunctions.Space(n)
SPLIT EsqlFunctions.Split(s, delim) s.Split(delim)
STARTS_WITH s.StartsWith("prefix") (via LIKE)
SUBSTRING EsqlFunctions.Substring(s, start, len) s.Substring(start, len) or s[index]
TO_BASE64 EsqlFunctions.ToBase64(s)
TO_LOWER EsqlFunctions.ToLower(s) s.ToLower() or s.ToLowerInvariant()
TO_UPPER EsqlFunctions.ToUpper(s) s.ToUpper() or s.ToUpperInvariant()
TRIM EsqlFunctions.Trim(s) s.Trim()
URL_DECODE EsqlFunctions.UrlDecode(s)
URL_ENCODE EsqlFunctions.UrlEncode(s)
URL_ENCODE_COMPONENT EsqlFunctions.UrlEncodeComponent(s)
LIKE pattern s.Contains("text")
Null/empty checks string.IsNullOrEmpty(s), string.IsNullOrWhiteSpace(s)

All comparison, arithmetic, logical, and pattern-matching operators are fully supported.

ES|QL C#
== ==
!= !=
< <
<= <=
> >
>= >=
ES|QL C#
+ +
- -
* *
/ /
% %
ES|QL C#
AND &&
OR \|\|
NOT ! 
using static Elastic.Esql.Functions.EsqlFunctions;

.Where(l => Like(l.Path, "/api/v?/users"))     // path LIKE "/api/v?/users"
.Where(l => Rlike(l.Path, "/api/v[0-9]+/.*"))  // path RLIKE "/api/v[0-9]+/.*"
.Where(l => levels.Contains(l.Level))           // log.level IN ("a", "b")
ES|QL EsqlFunctions C# native
LIKE EsqlFunctions.Like(field, pattern)
RLIKE EsqlFunctions.Rlike(field, pattern)
IN list.Contains(field)
IS NULL EsqlFunctions.IsNull(field) field == null
IS NOT NULL EsqlFunctions.IsNotNull(field) field != null
MATCH EsqlFunctions.Match(field, query)

Cast operator (::)

.Select(l => new { IntDuration = EsqlFunctions.CastToInteger(l.Duration) })
// EVAL intDuration = duration::integer
ES|QL EsqlFunctions C# native
field::integer EsqlFunctions.CastToInteger(field)
field::long EsqlFunctions.CastToLong(field)
field::double EsqlFunctions.CastToDouble(field)
field::boolean EsqlFunctions.CastToBoolean(field)
field::keyword EsqlFunctions.CastToKeyword(field)
field::datetime EsqlFunctions.CastToDatetime(field)
field::ip EsqlFunctions.CastToIp(field)

The following ES|QL function categories have no Elastic.Esql equivalents yet:

Spatial functions: ST_CONTAINS, ST_DISTANCE, ST_DISJOINT, ST_ENVELOPE, ST_INTERSECTS, ST_NPOINTS, ST_SIMPLIFY, ST_WITHIN, ST_X, ST_XMAX, ST_XMIN, ST_Y, ST_YMAX, ST_YMIN, ST_GEOTILE, ST_GEOHEX, ST_GEOHASH.

Multivalue functions: MV_APPEND, MV_AVG, MV_CONCAT, MV_CONTAINS, MV_COUNT, MV_DEDUPE, MV_FIRST, MV_INTERSECTION, MV_INTERSECTS, MV_LAST, MV_MAX, MV_MEDIAN, MV_MEDIAN_ABSOLUTE_DEVIATION, MV_MIN, MV_PERCENTILE, MV_PSERIES_WEIGHTED_SUM, MV_SLICE, MV_SORT, MV_SUM, MV_UNION, MV_ZIP.

Type conversion functions: TO_BOOLEAN, TO_CARTESIANPOINT, TO_CARTESIANSHAPE, TO_DATEPERIOD, TO_DATETIME, TO_DATE_NANOS, TO_DEGREES, TO_DENSE_VECTOR, TO_DOUBLE, TO_GEOHASH, TO_GEOHEX, TO_GEOPOINT, TO_GEOSHAPE, TO_GEOTILE, TO_INTEGER, TO_IP, TO_LONG, TO_RADIANS, TO_STRING, TO_TIMEDURATION, TO_UNSIGNED_LONG, TO_VERSION, TO_AGGREGATE_METRIC_DOUBLE.

Time series aggregation functions: ABSENT_OVER_TIME, AVG_OVER_TIME, COUNT_OVER_TIME, COUNT_DISTINCT_OVER_TIME, DELTA, DERIV, FIRST_OVER_TIME, IDELTA, INCREASE, IRATE, LAST_OVER_TIME, MAX_OVER_TIME, MIN_OVER_TIME, PERCENTILE_OVER_TIME, PRESENT_OVER_TIME, RATE, STDDEV_OVER_TIME, VARIANCE_OVER_TIME, SUM_OVER_TIME.