The Open Distro project is archived. Open Distro development has moved to OpenSearch. The Open Distro plugins will continue to work with legacy versions of Elasticsearch OSS, but we recommend upgrading to OpenSearch to take advantage of the latest features and improvements.
Piped Processing Language
Piped Processing Language (PPL) is a query language that lets you use pipe (|
) syntax to explore, discover, and query data stored in Elasticsearch.
To quickly get up and running with PPL, use Query Workbench in Kibana. To learn more, see Workbench.
The PPL syntax consists of commands delimited by the pipe character (|
) where data flows from left to right through each pipeline.
search command | command 1 | command 2 ...
You can only use read-only commands like search
, where
, fields
, rename
, dedup
, stats
, sort
, eval
, head
, top
, and rare
.
Quick start
To get started with PPL, choose Dev Tools in Kibana and use the bulk
operation to index some sample data:
PUT accounts/_bulk?refresh
{"index":{"_id":"1"}}
{"account_number":1,"balance":39225,"firstname":"Amber","lastname":"Duke","age":32,"gender":"M","address":"880 Holmes Lane","employer":"Pyrami","email":"amberduke@pyrami.com","city":"Brogan","state":"IL"}
{"index":{"_id":"6"}}
{"account_number":6,"balance":5686,"firstname":"Hattie","lastname":"Bond","age":36,"gender":"M","address":"671 Bristol Street","employer":"Netagy","email":"hattiebond@netagy.com","city":"Dante","state":"TN"}
{"index":{"_id":"13"}}
{"account_number":13,"balance":32838,"firstname":"Nanette","lastname":"Bates","age":28,"gender":"F","address":"789 Madison Street","employer":"Quility","city":"Nogal","state":"VA"}
{"index":{"_id":"18"}}
{"account_number":18,"balance":4180,"firstname":"Dale","lastname":"Adams","age":33,"gender":"M","address":"467 Hutchinson Court","email":"daleadams@boink.com","city":"Orick","state":"MD"}
Go to Query Workbench and select PPL.
The following example returns firstname
and lastname
fields for documents in an accounts
index with age
greater than 18:
search source=accounts
| where age > 18
| fields firstname, lastname
Sample Response
id | firstname | lastname |
---|---|---|
0 | Amber | Duke |
1 | Hattie | Bond |
2 | Nanette | Bates |
3 | Dale | Adams |