Loading

ES|QL functions and operators reference

Complete mapping of ES|QL functions and operators to their Elastic.Esql equivalents. Functions not yet supported are listed at the bottom of each section.

Aggregations run inside .GroupBy(...).Select(...) or as terminal operators like .Count(). See STATS...BY aggregation for details on the GroupBy pattern.

var topLevels = client.CreateQuery<LogEntry>()
    .GroupBy(l => l.Level)
    .Select(g => new {
        Level = g.Key,
        Count = g.Count(),
        Avg = g.Average(l => l.Duration),
        P99 = EsqlFunctions.Percentile(g, l => l.Duration, 99)
    });
// STATS count = COUNT(*), avg = AVG(duration), p99 = PERCENTILE(duration, 99) BY level = log.level
ES|QL EsqlFunctions C# native
ABSENT EsqlFunctions.Absent(g, x => x.Field)
AVG g.Average(x => x.Field)
COUNT g.Count() or .Count()
COUNT_DISTINCT EsqlFunctions.CountDistinct(g, x => x.Field)
FIRST EsqlFunctions.First(g, x => x.Field)
LAST EsqlFunctions.Last(g, x => x.Field)
MAX g.Max(x => x.Field)
MEDIAN EsqlFunctions.Median(g, x => x.Field)
MEDIAN_ABSOLUTE_DEVIATION EsqlFunctions.MedianAbsoluteDeviation(g, x => x.Field)
MIN g.Min(x => x.Field)
PERCENTILE EsqlFunctions.Percentile(g, x => x.Field, 99)
PRESENT EsqlFunctions.Present(g, x => x.Field)
SAMPLE EsqlFunctions.Sample(g, x => x.Field)
STD_DEV EsqlFunctions.StdDev(g, x => x.Field)
SUM g.Sum(x => x.Field)
TOP EsqlFunctions.Top(g, x => x.Field, n, "asc")
VALUES EsqlFunctions.Values(g, x => x.Field)
VARIANCE EsqlFunctions.Variance(g, x => x.Field)
WEIGHTED_AVG EsqlFunctions.WeightedAvg(g, x => x.Val, x => x.Weight)

Not yet supported: ST_CENTROID_AGG, ST_EXTENT_AGG.

Conditional logic in projections. The ternary operator maps to CASE WHEN.

.Select(l => new { Status = l.StatusCode >= 500 ? "error" : "ok" })
// EVAL status = CASE WHEN statusCode >= 500 THEN "error" ELSE "ok" END
ES|QL EsqlFunctions C# native
CASE condition ? trueVal : falseVal
CLAMP EsqlFunctions.Clamp(n, min, max) Math.Clamp(n, min, max)
COALESCE EsqlFunctions.Coalesce(a, b)
GREATEST Math.Max(a, b)
LEAST Math.Min(a, b)

DateTime properties translate to DATE_EXTRACT. Arithmetic methods like .AddDays() produce date math expressions.

.Where(l => l.Timestamp > DateTime.UtcNow.AddHours(-1) && l.Timestamp.Year == 2025)
// WHERE (@timestamp > (NOW() + -1 hours) AND DATE_EXTRACT("year", @timestamp) == 2025)
ES|QL EsqlFunctions C# native
DATE_DIFF EsqlFunctions.DateDiff(unit, start, end)
DATE_EXTRACT .Year, .Month, .Day, .Hour, .Minute, .Second, .DayOfWeek, .DayOfYear
DATE_FORMAT EsqlFunctions.DateFormat(field, pattern)
DATE_PARSE EsqlFunctions.DateParse(pattern, str)
DATE_TRUNC EsqlFunctions.DateTrunc(unit, field) DateTime.Today
DAY_NAME EsqlFunctions.DayName(date)
MONTH_NAME EsqlFunctions.MonthName(date)
NOW EsqlFunctions.Now() DateTime.Now, DateTime.UtcNow
TRANGE EsqlFunctions.TRange(start, end)
Date arithmetic .AddDays(n), .AddHours(n), .AddMinutes(n), .AddSeconds(n), .AddMilliseconds(n)
Time intervals TimeSpan.FromDays(n), .FromHours(n), .FromMinutes(n), .FromSeconds(n)

Grouping uses standard LINQ .GroupBy(). ES|QL-specific grouping functions are available through EsqlFunctions. See STATS...BY aggregation for the full GroupBy pattern.

.GroupBy(l => EsqlFunctions.Bucket(l.Duration, 10))
.Select(g => new { Bucket = g.Key, Count = g.Count() })
// STATS count = COUNT(*) BY bucket = BUCKET(duration, 10)
ES|QL EsqlFunctions C# native
BUCKET EsqlFunctions.Bucket(field, n) or EsqlFunctions.Bucket(field, span)
CATEGORIZE EsqlFunctions.Categorize(field)
TBUCKET EsqlFunctions.TBucket(field, span) 
using static Elastic.Esql.Functions.EsqlFunctions;
.Where(l => CidrMatch(l.ClientIp, "10.0.0.0/8"))
// WHERE CIDR_MATCH(client_ip, "10.0.0.0/8")
ES|QL EsqlFunctions C# native
CIDR_MATCH EsqlFunctions.CidrMatch(ip, cidr)
IP_PREFIX EsqlFunctions.IpPrefix(ip, prefixLen, ipVer)

Standard Math.* methods translate to their ES|QL equivalents in both Where and Select. EsqlFunctions methods also work in both contexts.

.Select(l => new { Abs = Math.Abs(l.Delta), Root = Math.Sqrt(l.Value) })
// EVAL abs = ABS(delta), root = SQRT(value)
ES|QL EsqlFunctions C# native
ABS EsqlFunctions.Abs(n) Math.Abs(n)
ACOS EsqlFunctions.Acos(n) Math.Acos(n)
ASIN EsqlFunctions.Asin(n) Math.Asin(n)
ATAN EsqlFunctions.Atan(n) Math.Atan(n)
ATAN2 EsqlFunctions.Atan2(y, x) Math.Atan2(y, x)
CBRT EsqlFunctions.Cbrt(n) Math.Cbrt(n)
CEIL EsqlFunctions.Ceil(n) Math.Ceiling(n)
COPY_SIGN EsqlFunctions.CopySign(mag, sign) Math.CopySign(mag, sign)
COS EsqlFunctions.Cos(n) Math.Cos(n)
COSH EsqlFunctions.Cosh(n) Math.Cosh(n)
E EsqlFunctions.E()
EXP EsqlFunctions.Exp(n) Math.Exp(n)
FLOOR EsqlFunctions.Floor(n) Math.Floor(n)
HYPOT EsqlFunctions.Hypot(a, b)
LOG Math.Log(n)
LOG10 Math.Log10(n)
PI EsqlFunctions.Pi()
POW Math.Pow(base, exp)
ROUND EsqlFunctions.Round(n, decimals) Math.Round(n)
ROUND_TO EsqlFunctions.RoundTo(n, dp)
SCALB EsqlFunctions.ScaleB(n, exp) Math.ScaleB(n, exp)
SIGNUM EsqlFunctions.Signum(n) Math.Sign(n)
SIN EsqlFunctions.Sin(n) Math.Sin(n)
SINH EsqlFunctions.Sinh(n) Math.Sinh(n)
SQRT Math.Sqrt(n)
TAN EsqlFunctions.Tan(n) Math.Tan(n)
TANH EsqlFunctions.Tanh(n) Math.Tanh(n)
TAU EsqlFunctions.Tau()

Note: Math.E, Math.PI, and Math.Tau are const fields that the C# compiler inlines as numeric literals. Use EsqlFunctions.E(), .Pi(), .Tau() instead to generate the ES|QL function calls.

Full-text search and pattern matching functions available through EsqlFunctions.

using static Elastic.Esql.Functions.EsqlFunctions;
.Where(l => Match(l.Message, "connection error"))
// WHERE MATCH(message, "connection error")
ES|QL EsqlFunctions C# native
DECAY EsqlFunctions.Decay(func, field, origin, scale)
KQL EsqlFunctions.Kql(query)
MATCH EsqlFunctions.Match(field, query)
MATCH_PHRASE EsqlFunctions.MatchPhrase(field, phrase)
QSTR EsqlFunctions.Qstr(query)
SCORE EsqlFunctions.Score()
TOP_SNIPPETS EsqlFunctions.TopSnippets(field, n)

C# string methods translate to ES|QL string functions. Contains, StartsWith, and EndsWith map to LIKE patterns.

.Where(l => l.Host.StartsWith("prod-") && l.Message.ToLower().Contains("timeout"))
// WHERE host LIKE "prod-*" AND TO_LOWER(message) LIKE "*timeout*"
ES|QL EsqlFunctions C# native
BIT_LENGTH EsqlFunctions.BitLength(s)
BYTE_LENGTH EsqlFunctions.ByteLength(s)
CHUNK EsqlFunctions.Chunk(s, size)
CONCAT EsqlFunctions.Concat(a, b)
ENDS_WITH s.EndsWith("suffix") (via LIKE)
FROM_BASE64 EsqlFunctions.FromBase64(s)
HASH EsqlFunctions.Hash(algo, s)
LEFT EsqlFunctions.Left(s, n)
LENGTH EsqlFunctions.Length(s) s.Length
LOCATE EsqlFunctions.Locate(s, substr) s.IndexOf(substr)
LTRIM EsqlFunctions.Ltrim(s) s.TrimStart()
MD5 EsqlFunctions.Md5(s)
REPEAT EsqlFunctions.Repeat(s, n)
REPLACE EsqlFunctions.Replace(s, old, new) s.Replace(old, new)
REVERSE EsqlFunctions.Reverse(s)
RIGHT EsqlFunctions.Right(s, n)
RTRIM EsqlFunctions.Rtrim(s) s.TrimEnd()
SHA1 EsqlFunctions.Sha1(s)
SHA256 EsqlFunctions.Sha256(s)
SPACE EsqlFunctions.Space(n)
SPLIT EsqlFunctions.Split(s, delim) s.Split(delim)
STARTS_WITH s.StartsWith("prefix") (via LIKE)
SUBSTRING EsqlFunctions.Substring(s, start, len) s.Substring(start, len) or s[index]
TO_BASE64 EsqlFunctions.ToBase64(s)
TO_LOWER EsqlFunctions.ToLower(s) s.ToLower() or s.ToLowerInvariant()
TO_UPPER EsqlFunctions.ToUpper(s) s.ToUpper() or s.ToUpperInvariant()
TRIM EsqlFunctions.Trim(s) s.Trim()
URL_DECODE EsqlFunctions.UrlDecode(s)
URL_ENCODE EsqlFunctions.UrlEncode(s)
URL_ENCODE_COMPONENT EsqlFunctions.UrlEncodeComponent(s)
LIKE pattern s.Contains("text")
Null/empty checks string.IsNullOrEmpty(s), string.IsNullOrWhiteSpace(s)

All comparison, arithmetic, logical, and pattern-matching operators are fully supported.

ES|QL C#
== ==
!= !=
< <
<= <=
> >
>= >=
ES|QL C#
+ +
- -
* *
/ /
% %
ES|QL C#
AND &&
OR \|\|
NOT ! 
using static Elastic.Esql.Functions.EsqlFunctions;

.Where(l => Like(l.Path, "/api/v?/users"))     // path LIKE "/api/v?/users"
.Where(l => Rlike(l.Path, "/api/v[0-9]+/.*"))  // path RLIKE "/api/v[0-9]+/.*"
.Where(l => levels.Contains(l.Level))           // log.level IN ("a", "b")
ES|QL EsqlFunctions C# native
LIKE EsqlFunctions.Like(field, pattern)
RLIKE EsqlFunctions.Rlike(field, pattern)
IN list.Contains(field)
IS NULL EsqlFunctions.IsNull(field) field == null
IS NOT NULL EsqlFunctions.IsNotNull(field) field != null
MATCH EsqlFunctions.Match(field, query)

Cast operator (::)

.Select(l => new { IntDuration = EsqlFunctions.CastToInteger(l.Duration) })
// EVAL intDuration = duration::integer
ES|QL EsqlFunctions C# native
field::integer EsqlFunctions.CastToInteger(field)
field::long EsqlFunctions.CastToLong(field)
field::double EsqlFunctions.CastToDouble(field)
field::boolean EsqlFunctions.CastToBoolean(field)
field::keyword EsqlFunctions.CastToKeyword(field)
field::datetime EsqlFunctions.CastToDatetime(field)
field::ip EsqlFunctions.CastToIp(field)

The following ES|QL function categories have no Elastic.Esql equivalents yet:

Spatial functions: ST_CONTAINS, ST_DISTANCE, ST_DISJOINT, ST_ENVELOPE, ST_INTERSECTS, ST_NPOINTS, ST_SIMPLIFY, ST_WITHIN, ST_X, ST_XMAX, ST_XMIN, ST_Y, ST_YMAX, ST_YMIN, ST_GEOTILE, ST_GEOHEX, ST_GEOHASH.

Multivalue functions: MV_APPEND, MV_AVG, MV_CONCAT, MV_CONTAINS, MV_COUNT, MV_DEDUPE, MV_FIRST, MV_INTERSECTION, MV_INTERSECTS, MV_LAST, MV_MAX, MV_MEDIAN, MV_MEDIAN_ABSOLUTE_DEVIATION, MV_MIN, MV_PERCENTILE, MV_PSERIES_WEIGHTED_SUM, MV_SLICE, MV_SORT, MV_SUM, MV_UNION, MV_ZIP.

Type conversion functions: TO_BOOLEAN, TO_CARTESIANPOINT, TO_CARTESIANSHAPE, TO_DATEPERIOD, TO_DATETIME, TO_DATE_NANOS, TO_DEGREES, TO_DENSE_VECTOR, TO_DOUBLE, TO_GEOHASH, TO_GEOHEX, TO_GEOPOINT, TO_GEOSHAPE, TO_GEOTILE, TO_INTEGER, TO_IP, TO_LONG, TO_RADIANS, TO_STRING, TO_TIMEDURATION, TO_UNSIGNED_LONG, TO_VERSION, TO_AGGREGATE_METRIC_DOUBLE.

Dense vector functions: KNN, TEXT_EMBEDDING, V_COSINE, V_DOT_PRODUCT, V_HAMMING, V_L1_NORM, V_L2_NORM.

Time series aggregation functions: ABSENT_OVER_TIME, AVG_OVER_TIME, COUNT_OVER_TIME, COUNT_DISTINCT_OVER_TIME, DELTA, DERIV, FIRST_OVER_TIME, IDELTA, INCREASE, IRATE, LAST_OVER_TIME, MAX_OVER_TIME, MIN_OVER_TIME, PERCENTILE_OVER_TIME, PRESENT_OVER_TIME, RATE, STDDEV_OVER_TIME, VARIANCE_OVER_TIME, SUM_OVER_TIME.