Skip to content

Support ES|QL #221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jsvd opened this issue Jan 28, 2025 · 1 comment · May be fixed by #233
Open

Support ES|QL #221

jsvd opened this issue Jan 28, 2025 · 1 comment · May be fixed by #233
Assignees
@mashhurs
Labels
meta

Comments

@jsvd
Copy link
Member

jsvd commented Jan 28, 2025
edited by mashhurs
Loading

Description

Support executing ES|QL queries with the plugin.

Design note: https://docs.google.com/document/d/1jPtz3IeYx8LyoIyJua3RgjVsW4bC9hvWNw3CYhrHUIY

Upgrade elasticsearch-ruby

  • needs upgrading elasticsearch-ruby client to 8.x to support ES|QL, ES|QL introduced in 8.11
  • logstash core currently locks it at 7.x
  • the manticore adapter has been moved to the "elastic-transport" gem and the namespace changed to Elastic:: instead of Elasticsearch:: (same with the requires)

this would be an alternative to the search or aggregations type of query.

Following issues and PR addressed the es-ruby client upgrades:
@mashhurs
Copy link
Contributor

mashhurs commented Mar 10, 2025
edited
Loading

High level thoughts

  • to support ES|QL
    For the ES|QL, we can use either ES-ruby client helper or directly utilize the client.esql.
    ESQL capabilities were added in elasticsearch-v8.11 version, so we need at least 8.11 version to run ES|QL queries (add s.add_runtime_dependency 'elasticsearch', '>= 8.11.0' to plugin gemspec file)
  def query(client, query, params = {}, parser: {})
        response = client.esql.query({ body: { query: query }, format: 'json' }.merge(params))

        columns = response['columns']
        response['values'].map do |value|
          (value.length - 1).downto(0).map do |index|
            key = columns[index]['name']
            value[index] = parser[key].call(value[index]) if value[index] && parser[key]
            { key => value[index] }
          end.reduce({}, :merge)
        end
  end

and call it with defined parser

    parser = {
      '@timestamp' => Proc.new { |t| DateTime.parse(t) },
      'client.ip' => Proc.new { |i| IPAddr.new(i) },
      'event.duration' => Proc.new { |d| d.to_s }
    }
    @client = Elasticsearch::Client.new(@client_options)
    query = "FROM example-index"
    response = query(@client, query, parser: parser)
  • Currently, the plugin bases ES-DSL search, we probably need to define a mode (query_mode => es-dsl | es-ql)

What would be the best practise to handle limitations?

Documentation

  • document changed params for added ES|QL functionality
  • add multiple examples (including how plugin behaves on the limitations)
  • add a separate section for ES|QL and forward to ES|QL getting started and limitations pages

@robbavey robbavey added meta and removed discuss labels Mar 26, 2025
@mashhurs mashhurs linked a pull request Apr 4, 2025 that will close this issue
Esql support #233
Open
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mashhurs mashhurs

Labels
meta
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Esql support mashhurs/logstash-input-elasticsearch
4 participants
@jsvd @robbavey @mashhurs @flexitrev