<examples>
    <example>
        <natural-language>
            What are the 10 latest errors from the logs?
        </natural-language>
        <esql>
            FROM logs
            | WHERE level == "ERROR"
            | SORT @timestamp DESC
            | LIMIT 10
        </esql>
    </example>

    <example>
        <natural-language>
            What are the titles and descriptions of the blog articles published last month?
        </natural-language>
        <esql>
            FROM blogposts
            | WHERE published > NOW() - 1 month
            | KEEP title, description
            | SORT title
            | LIMIT 100
        </esql>
    </example>

    <example>
        <natural-language>
            How many employees are from the Netherlands?
        </natural-language>
        <esql>
            FROM employees
            | WHERE country == "NL"
            | STATS COUNT(*)
        </esql>
    </example>

    <example>
        <natural-language>
            How many orders were placed each month over the last year?
        </natural-language>
        <esql>
            FROM orders
            | WHERE order_date > NOW() - 1 year
            | STATS count = COUNT(*) BY date_bucket = BUCKET(order_date, 1 month)
        </esql>
    </example>

    <example>
        <natural-language>
            Extract the date, message and IP address from the logs using DISSECT
        </natural-language>
        <esql>
            FROM postgres-logs*
            | DISSECT message "%{date} - %{msg} - %{ip}"
            | KEEP date, msg, ip
            | EVAL date = DATE_PARSE("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'", date)
            | LIMIT 100
        </esql>
    </example>

    <example>
        <natural-language>
            Find contributors which first name starts with "b", sort them by number of commits and then returns their first and last names for the top 5
        </natural-language>
        <esql>
            FROM commits
            | WHERE TO_LOWER(first_name) LIKE "b*"
            | STATS doc_count = COUNT(*) by first_name, last_name
            | SORT doc_count DESC
            | KEEP first_name, last_name
            | LIMIT 5
        </esql>
    </example>

    <example>
        <natural-language>
            What is the average salary of employees hired in 1985 split in 20 buckets?
        </natural-language>
        <esql>
            FROM employees
            | WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z"
            | STATS avg_salary = AVG(salary) BY date_bucket = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z")
            | SORT bucket
        </esql>
    </example>

    <example>
        <natural-language>
            How many employees were hired in 1985 and what is their salary distribution?
        </natural-language>
        <esql>
            FROM employees
            | WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z"
            | STATS c = COUNT(1) BY b = BUCKET(salary, 5000.)
            | SORT b
        </esql>
    </example>

    <example>
        <natural-language>
            How many employees were hired after 2023-01-01 and what is the recent hiring rate by country?
        </natural-language>
        <esql>
            FROM employees
            | EVAL is_recent_hire = CASE(hire_date <= "2023-01-01T00:00:00Z", 1, 0)
            | STATS total_recent_hires = SUM(is_recent_hire), total_hires = COUNT(*) BY country
            | EVAL recent_hiring_rate = total_recent_hires / total_hires
        </esql>
    </example>

    <example>
        <natural-language>
            Calculate the failure rate per host over the past 24 hours
        </natural-language>
        <esql>
            FROM logs-*
            | WHERE @timestamp <= NOW() - 24 hours
            | EVAL is_5xx = CASE(http.response.status_code >= 500, 1, 0)
            | STATS total_events = COUNT(*), total_failures = SUM(is_5xx) BY host.hostname, bucket = BUCKET(@timestamp, 1 hour)
            | EVAL failure_rate_per_host = total_failures / total_events
            | DROP total_events, total_failures
        </esql>
    </example>

    <example>
        <natural-language>
            How many logs are there for each log level in the last 24 hours?
        </natural-language>
        <esql>
            FROM logs-*
            | WHERE @timestamp <= NOW() - 24 hours
            | STATS count = COUNT(*) BY log.level
            | SORT count DESC
        </esql>
    </example>

    <example>
        <natural-language>
            What is the min, max and average value of the numbers in the bag?
        </natural-language>
        <esql>
            FROM bag_of_numbers
            | EVAL min = MV_MIN(numbers), max = MV_MAX(numbers), avg = MV_AVG(numbers)
            | KEEP bad_id, min, max, avg
        </esql>
    </example>

    <example>
        <natural-language>
            What messages, that do not contain the word "error", are in the logs?
        </natural-language>
        <esql>
            FROM logs
            | WHERE message NOT LIKE "*error*"
            | KEEP message
            | LIMIT 100
        </esql>
    </example>

    <example>
        <natural-language>
            Find first 10 users with names starting with "A" or "B", sorted by name
        </natural-language>
        <esql>
            FROM users
            | KEEP name
            | WHERE name LIKE "A*" OR name LIKE "B*"
            | SORT name
            | LIMIT 10
        </esql>
    </example>

    <example>
        <natural-language>
            Get user names and birth dates, sorted by birth date
        </natural-language>
        <esql>
            FROM personal_info
            | EVAL birth=DATE_PARSE("yyyy-MM-dd", birth_date)
            | KEEP user_name, birth
            | SORT birth
            | LIMIT 100
        </esql>
    </example>

    <example>
        <natural-language>
            How many unique IP addresses are there from France, Germany and Spain?
        </natural-language>
        <esql>
            FROM users
            | WHERE country IN (France, Germany, Spain)
            | STATS COUNT_DISTINCT(user_ip)
        </esql>
    </example>

    <example>
        <natural-language>
            How many warning logs are there from the US?
        </natural-language>
        <esql>
            FROM logs
            | WHERE message LIKE "*warning*" AND location RLIKE ".*us.*"
            | STATS COUNT(*)
        </esql>
    </example>

    <example>
        <natural-language>
            Find books by authors whose names sound like "Frank Herbert"
        </natural-language>
        <esql>
            FROM library
            | WHERE MATCH(author, "Frank Herbert")
            | KEEP title, author
            | LIMIT 100
        </esql>
    </example>

    <example>
        <natural-language>
            Find the latest articles from the "hr" category, and return their titles and document ids
        </natural-language>
        <esql>
            FROM articles METADATA _id
            | WHERE category == "hr"
            | KEEP _id, title
            | SORT publish_date DESC
            | LIMIT 100
        </esql>
    </example>

    <example>
        <natural-language>
            Find products with a description matching "wireless headphones" and sort them by relevance
        </natural-language>
        <esql>
            FROM products METADATA _score
            | WHERE MATCH(description, "wireless headphones")
            | SORT _score DESC
            | KEEP name, description, _score
            | LIMIT 100
        </esql>
    </example>
</examples>
