All Classes and Interfaces
Class
Description
The function that checks for the absence of a field in the output result.
Similar to
Absent, but it is used to check the absence of values over a time series in the given field.Base class for functions that converts a field into a function-specific type.
AbstractLookupService performs a LEFT JOIN for a given input
page against another index that must have only a single
shard.AbstractLookupService uses this to power the queries and field loading that
it needs to perform to actually do the lookup.Create a
AbstractLookupService.LookupShardContext for a locally allocated ShardId.Base class for functions that reduce multivalued fields into single valued fields.
Base evaluator that can handle both nulls- and no-nulls-containing blocks.
Base evaluator that can handle evaluator-checked exceptions; i.e.
Inverse cosine trigonometric function.
Inverse hyperbolic cosine function.
Represents a PromQL aggregate function call that operates across multiple time series.
Adaptive distribution strategy for external sources.
A type of
Function that takes multiple values and extracts a single value out of them.Static class used to convert aggregate expressions to the named expressions that represent their intermediate state.
Marker interface to say that an aggregate funciton supports aggregate_metric_double natively
i.e.
SPI for declaring that a format can compute aggregates from file-level statistics.
Specification for a single aggregate to be computed from file-level statistics.
An
Alias is a NamedExpression that gets renamed to something else through the Alias.This class is part of the planner.
Values for cluster level settings used during query analysis.
This class computes approximate results for certain classes of ES|QL queries.
The approximation plan, that is substituted during logical plan optimization
in the rule
SubstituteApproximationPlan.A placeholder expression in the main approximation plan, that is replaced
by the actual value after subplan execution.
Settings for query approximation.
Arithmetic operation using the type widening rules of the JLS 5.6.2 namely
widen to double or float or long or int in this order.
Inverse cosine trigonometric function.
Inverse hyperbolic sine function.
Single-split source operator factory that executes a connector query on a background thread
and feeds pages into an
AsyncExternalSourceBuffer for the driver to consume.Thread-safe buffer for async external source data.
Source operator that retrieves data from external sources (Iceberg tables, Parquet files, etc.).
Dual-mode async factory for creating source operators that read from external storage.
Service for managing ESQL requests
Inverse cosine trigonometric function.
Inverse cosine trigonometric function.
Inverse hyperbolic tangent function.
Expressions that can be materialized and describe properties of the derived table.A wrapper class where equality of the contained attribute ignores the
NamedExpression.id().Dedicated map for checking
Attribute equality.Set variant of
AttributeMap - please see that class Javadoc.Matches
BytesRefs against automata.Utility class for analyzing Lucene Automaton patterns to extract optimization opportunities.
Represents a pattern fragment that can be optimized.
Similar to
Avg, but it is used to calculate the average value over a time series of values from the given field.A
QueryList that generates a query for a binary comparison.Operator is a specialized binary predicate where both sides have the compatible types
(it's up to the analyzer to do any conversion if needed).
Binary operator.
Spatial functions that take two arguments that must both be spatial types can inherit from this class.
For most spatial functions we only need to know if the CRS is geo or cartesian, not whether the type is point or shape.
Expression that can be "pushed" into value loading.Expression "fused" to the block loader.
This rule must always be placed after
LiteralsOnTheRight
since it looks at TRUE/FALSE literals' existence on the right hand-side of the Equals/NotEquals expressions.Evaluator for the three-valued boolean expressions.
Query representing boolean AND or boolean OR.
Splits dates and numbers into a given number of buckets.
This class supports case-insensitive lexing by wrapping an existing
CharStream and forcing the lexer to see lowercase characters
Grammar literals should then be lower case such as begin.Categorizes text messages.
Round a number up to the nearest integer.
Plan that detects change points in a list of values.
Utility class used for checking various conditions at runtime, with minimum amount of code.
A fun Easter egg function that wraps text in ASCII art of a chicken saying something,
similar to the classic "cowsay" command.
Collection of chicken ASCII art styles with builder functionality.
This function takes a first parameter of type IP, followed by one or more parameters evaluated to a CIDR specification:
a string literal;
a field of type keyword;
a function outputting a keyword.
Clamps the values of all samples to have a lower limit of min and an upper limit of max.
Clamps the input values to have an upper limit of max.
Clamps input values to have a lower limit of min.
Function returning the first non-null value.
A composite split that groups multiple child splits into a single scheduling
unit.
A "column" from a
table provided in the request.Converts columnar primitive arrays to ESQL
Blocks, avoiding the per-element overhead
of Block.Builder when the source data is already in columnar form.Combine disjunctive Equals, In or CIDRMatch expressions on the same field into an In or CIDRMatch expression.
Combine multiple Evals into one in order to reduce the number of nodes in a plan.
Combines a Limit immediately followed by a TopN into a single TopN.
Comparison utilities.
COMPLETION function generates text completions from a prompt using an inference endpoint.
CompletionOperator is an InferenceOperator that performs inference using prompt-based model (e.g., text completion).Factory for creating
CompletionOperator instances.Base class for logical plan nodes that make a single evaluation on a single input expression and produce multiple output columns.
Abstract base class for physical plans that produce compound outputs from a single input.
The base evaluator that extracts compound output.
The base class for output fields collectors.
A
Block.Builder holder that is being set before each row evaluation.Once query is parsed and validated it is scheduled for execution by
org.elasticsearch.xpack.esql.plugin.ComputeService#execute
This method is responsible for splitting physical plan into coordinator and data node plans.Join strings.
This function is used internally by
Approximation, and is not exposed
to users via the EsqlFunctionRegistry.Interface for plan nodes that require the Configuration at parsing time.
Marker interface indicating that a function needs a Configuration object as its last parameter.
A live connection to an external data source.
Factory for creating connectors to external data sources.
Contains function, given a string 'a' and a substring 'b', returns true if the substring 'b' is in 'a'.
Utility for parsing HTTP Content-Range headers (RFC 7233).
A function that converts from one type to another.
Always executes external sources on the coordinator — no distribution.
A
LocalSupplier that allways creates a new copy of the Page initially provided at creation time.ES|QL function that mimics the behavior of
Math.copySign(double magnitude, double sign).Cosine trigonometric function.
Cosine hyperbolic function.
Used exclusively in the query approximation plan.
Similar to
CountDistinct, but it is used to calculate the distinct count of values over a time series from the given field.Similar to
Count, but it is used to calculate the count of values over a time series from the given field.Aggregated capability declarations from all registered
DataSourcePlugin instances.represents a data source in the physical plan, such as an ES index or an external data source.
Module that collects all data source implementations from plugins.
Extension point for data source implementations.
This enum represents data types the ES|QL query processing layer is able to
interact with in some way.
Conversion utility from one Elasticsearch data type to another Elasticsearch data types.
Reference to a data type conversion that can be serialized.
Subtract the second argument from the third argument and return their difference
in multiples of the unit specified in the first argument.
Represents units that can be used for DATE_DIFF function and how the difference
between 2 dates is calculated
Information about a field in an ES index with the
date typeDecay a numeric, spatial or date type value based on the distance of it to an origin.
SPI for decompression codecs.
Registry for
DecompressionCodec implementations, keyed by extension.This rule handles duplicate aggregate functions to avoid duplicate compute
stats a = min(x), b = min(x), c = count(*), d = count() by g
becomes
stats a = min(x), c = count(*) by g | eval b = a, d = c | keep a, b, c, d, g
An implicit default time-series aggregation function that delegates to the appropriate
time-series aggregation function based on the field's data type.
Slowdown function - for debug purposes only.
Adds support for dense_vector data types.
Set of arithmetic (quad) functions for dense_vectors.
Calculates the derivative over time of a numeric field using linear regression.
A specialization of
Values for collecting dimension fields in time-series queries.Function that emits constants, like Euler’s number.
Function that emits Euler’s number.
Marker for optional attributes.
When a spatial distance predicate can be pushed down to lucene, this is done by capturing the distance within the same function.
EnrichLookupService performs enrich lookup for a given input page.Resolves enrich policies across clusters in several steps:
1.
Holds the resolution results of the enrich polices.
Represent a key-value pair.
ExpressionEvaluator implementation for comparing dense_vector equality.Configures how format readers handle malformed or unparseable rows.
Determines what happens to a row (or field) that fails to parse.
Information about a field in an ES index.
Fields in a TSDB can be either dimensions or metrics.
Context of each shard we're operating against.
Arithmetic (quad) function.
This class provides an empty implementation of
EsqlBaseParserListener,
which can be extended to create a listener which only needs to handle a subset
of the available methods.This class provides an empty implementation of
EsqlBaseParserVisitor,
which can be extended to create a visitor which only needs to handle a subset
of the available methods.This interface defines a complete listener for a parse tree produced by
EsqlBaseParser.This interface defines a complete generic visitor for a parse tree produced
by
EsqlBaseParser.Implementation of
ConfigurationFunction.Holds execution metadata about ES|QL queries for cross-cluster searches in order to display
this information in ES|QL JSON responses.
Represents the search metadata about a particular cluster involved in a cross-cluster search.
Since the Cluster object is immutable, use this Builder class to create
a new Cluster object using the "copyFrom" Cluster passed in and set only
changed values.
Marks the status of a Cluster search involved in a Cross-Cluster search.
NodeFeatures declared by ESQL.Class holding all the flags that can be used to change behavior for certain features in ESQL.
Tracks profiling for the planning phase
A fork of the field-caps API for ES|QL.
View over the response, that supports the xpack core transport API.
Listens for a single
EsqlQueryResponse, builds a corresponding RestResponse and sends it.A
ScalarFunction is a Function that makes one output value per
input row.A fork of the search shards API for ES|QL.
Combines all components necessary for the coordinating node to plan and execute an ESQL query,
including (pre-)analyzing, optimizing and running the physical plan.
Interface for running the underlying plan.
Request to gather usage statistics
Source representing an Elasticsearch index.
Specialized query class for retrieving statistics about the underlying data and not the actual documents.
Evaluation context for a PromQL selector, including the evaluation time and any offset to apply.
Expressions that have a mapping to an
ExpressionEvaluator.An example of using a function that is rendered in the docs.
An example of using a function that is rendered in the docs.
Mark nodes that execute only in a specific way, either on the coordinator or on a remote node.
Executes on the coordinator only.
Executes on the remote nodes only (note that may include coordinator, but not on the aggregation stage).
Returns the value of e raised to the power of tbe number specified as parameter
Transforms a physical plan for EXPLAIN mode by replacing data source nodes
with empty local sources.
In a SQL statement, an Expression is whatever a user specifies inside an
action, so for instance:
SELECT a, b, ABS(c) FROM i
a, b, ABS(c), and i are all Expressions, with ABS(c) being a Function
(which is a type of expression) with a single child, c.Implements an Expression query, which matches documents based on a given expression.
Implements an Expression query builder, which matches documents based on a given expression.
A
LookupEnrichQueryGenerator that combines multiple conditions into a single query list.Maps expressions that have a mapping to an
ScoreOperator.ExpressionScorer.Context provided to an
ExternalDistributionStrategy so it can decide
how (or whether) to distribute external-source splits across data nodes.The result of an
ExternalDistributionStrategy decision: whether to distribute
and, if so, which splits go to which node.Decides whether an external source query should be distributed across data nodes
or executed locally on the coordinator.
Logical plan node for external data source relations (e.g., Iceberg table, Parquet file).
Thread-safe queue of
ExternalSplit instances for parallel external source execution.Utility for draining pages from a
CloseableIterator into an AsyncExternalSourceBuffer
with backpressure.Generic physical plan node for reading from external data sources (e.g., Iceberg tables, Parquet files).
Common interface for complete external data source factories.
Extended interface for external data source metadata.
Factory for creating source operators that read from external storage using
the StorageProvider and FormatReader abstractions.
Holds the result of external source resolution (Iceberg/Parquet metadata).
Resolver for external data sources (Iceberg tables, Parquet files, etc.).
Cluster settings for controlling ESQL external source cloud API rate limiting.
A serializable, parallelizable unit of work for an external data source.
Extract a per-function expression filter applied to all the aggs as a query
Filter, when no groups are provided.A rule that moves `VALUES(dimension-field)` aggregations in time-series aggregations
to execute after the aggregation, reading the dimension fields once each group.
Extracts a
HistogramBlock.Component from a histogram (either exponential histogram or TDigest).Glorified set for managing
Failures.ESQL "features" returned by the usage API.
Attribute for an ES field.
A field name, as found in the mapping.
Represents a set of files resolved from a glob pattern or comma-separated path list.
Represents a byte range within a file for a file-based external source.
Default
SplitProvider for file-based sources.A
Filter is a type of Plan that performs filtering of results.Basic wrapper for expressions declared with a nested filter (typically in stats).
Registry for filter pushdown support implementations.
SPI interface for filter pushdown support in external data sources.
Indicates whether an expression can be pushed to the data source.
Result of attempting to push filters to a data source.
Internal aggregation function that collects the first seen docId per group.
Round a number down to the nearest integer.
A utility class to validate the type resolution of expressions before and after logical planning.
Base class for functions that converts a constant into an interval type - DATE_PERIOD or TIME_DURATION.
Context passed to
Expression.fold(org.elasticsearch.xpack.esql.core.expression.FoldContext).Pre-optimizer rule that performs constant folding for inference functions in logical plans.
A Fork is a n-ary
Plan where each child is a sub plan, e.g.Immutable context for a single
FormatReader.read(org.elasticsearch.xpack.esql.datasources.spi.StorageObject, org.elasticsearch.xpack.esql.datasources.spi.FormatReadContext) or FormatReader.readAsync(org.elasticsearch.xpack.esql.datasources.spi.StorageObject, org.elasticsearch.xpack.esql.datasources.spi.FormatReadContext, java.util.concurrent.Executor, org.elasticsearch.action.ActionListener<org.elasticsearch.compute.operator.CloseableIterator<org.elasticsearch.compute.data.Page>>) call.Unified interface for reading data formats.
Strategy for resolving schemas across multiple files in a glob/multi-file query.
Factory for creating
FormatReader instances.Registry for FormatReader implementations, keyed by format name and file extension.
Describes a file format this plugin provides: a logical format name and the
file extensions that select it.
Index of independently decompressible frames within a compressed file.
Base class for full-text functions that use ES queries to match documents.
Any ESQL function; generally this is translated into a computation to be evaluated on arguments, including scalar functions (e.g.
Converts an
UnresolvedFunction into a proper Function.EsField that represents a function being applied to a field on extraction.
Describes functions.
Strategy indicating the type of resolution to apply for resolving the actual function definition in a pluggable way.
The position the function can appear in the language.
Classifies PromQL functions by their input vector type and aggregation behavior.
A class that checks if a hexagon intersects with a bounding box.
Returns the maximum value of multiple columns.
This is a class of grouping functions that can be evaluated independently within an EVAL operator, independent of the aggregation
they're used by.
This is a class of grouping functions that cannot be evaluated outside the context of an aggregation.
Utility class for generating H3 spherical objects.
Merges multiple histograms into a single histogram.
Currently just a surrogate for applying
HistogramMerge per series.Extracts a percentile value from a single histogram value.
Pulls "up" an
OrderBy node that is not preceded by a "sort breaker" (like LIMIT), but is preceded by an InlineJoin.Locate any LIMIT that is "visible" under remote ENRICH, and make a copy of it above the ENRICH.
Locate any TopN that is "visible" under remote ENRICH, and make a copy of it above the ENRICH,
while making a copy of the original fields.
Simply utility class used for setting a state, typically
for closures (which require outside variables to be final).
Returns the hypotenuse of the numbers given as parameters.
NOTE: THIS RULE IS INTENDED TO BE RUN ONLY ONCE.
A
LocalSupplier that contains already filled Blocks.The
IN operator.ExpressionEvaluator implementation for In.ExpressionEvaluator implementation for In.The
increase() function calculates the absolute increase of a counter field in a time window.Extension of
DecompressionCodec for codecs that support index-based
random access to independently compressed frames.Contains an index pattern together with its
Source.Information for resolving a field.
ExpressionEvaluator implementation for In.Base class for ESQL functions that use inference endpoints (e.g., TEXT_EMBEDDING).
Evaluator for inference functions that performs constant folding by executing inference operations
at optimization time and replacing them with their computed results.
Factory for creating
InferenceFunctionEvaluator instances.An abstract asynchronous operator that performs throttled bulk inference execution.
Manages the execution of inference requests for a single input page.
Represents a single inference request with metadata for result building.
Builder for constructing position value counts arrays dynamically.
Factory interface for creating
InferenceOperator.BulkInferenceOperation instances from input pages.Represents a completed inference response with metadata for result building.
Represents the result of a bulk inference operation for a single input page.
Collects and resolves inference deployments inference IDs from ES|QL logical plans.
Settings for inference features such as completion and rerank.
Simplify IsNotNull targets by resolving the underlying expression to its root fields.
The vast majority of aggs ignore null entries - this rule adds a pushable filter, as it is cheap
to execute, to filter these entries out to begin with.
ExpressionEvaluator implementation for In.Specialized type of join where the source of the left and right plans are the same.
Enriches the stream of data with the results of running a
STATS.ExpressionEvaluator implementation for In.ExpressionEvaluator implementation for In.ExpressionEvaluator implementation for In.Helper class that reads text strings from a
BytesRefBlock.Ensures that
TypedAttributes used inside a TimeSeriesAggregate are wrapped in a
TimeSeriesAggregateFunction.Materialize the concrete fields that need to be extracted from the storage until the last possible moment.
Represents a PromQL instant vector selector.
Representation of field mapped differently across indices; or being potentially unmapped in some, in which case it is treated as
DataType.KEYWORD in the indices where it is unmapped.Truncates an IP value to a given prefix length.
Configuration of a join operation.
Utility class defining the concrete types of joins supported by ESQL.
Extracts a value from a JSON string using a
JsonPath subset.Information about a field in an ES index with the
keyword type.Full text function that performs a
KqlQuery .PromQL label matcher between a label name, a value pattern and match type (=, !=, =~, !~).
Immutable collection of label matchers for a PromQL selector.
Concrete aggregate shape produced by apply().
Maintains the mapping from attribute ids to channels (block index).
Builder class for Layout.
Returns the minimum value of multiple columns.
{code left(foo, len)} is an alias to {code substring(foo, 0, len)}
Base class for hooking versioning information into the ANTLR parser.
Retains at most N rows per group defined by one or more grouping key expressions.
Physical plan node for
LIMIT N BY expr1, expr2, ....Literal or constant.
Represents a PromQL literal scalar value wrapped as a vector selector.
The local execution planner takes a plan (represented as PlanNode tree / digraph) as input and creates the corresponding
drivers that are used to execute the given plan.
Plan representation that is geared towards execution on a single node
Context object used while generating a local plan.
Immutable physical operation.
This class is part of the planner.
Maps a (local) logical plan into a (local) physical plan.
This class is
public for testing.Manages field extraction and pushing parts of the query into Lucene.
Local aggregation can only produce intermediate state that get wired into the global agg.
Supplies fixed
Blocks for things calculated at plan time.Locate function, given a string 'a' and a substring 'b', it returns the index of the first occurrence of the substring 'b' in 'a'.
A LogicalPlan is what (not the "how") a user told us they want to do.
Order is important in the enum; any values should be added at the end.
Translates what we get back from Antlr into the data structures the rest of the planner steps will act on.
Container for PromQL command parameters:
time for instant queries
start/end and one of step or buckets for range queries
scrape_interval for implicit range selector windows
These can be specified in the PROMQL command like so:
This class is part of the planner
The class is responsible for invoking any steps that need to be applied to the logical plan,
before this is being optimized.
A rule that can be applied to an analyzed logical plan before it is optimized.
Context passed to logical pre-optimizer rules.
Looks up values from the associated
tables.Plans the execution of a lookup physical plan
Converts PhysicalPlan nodes into PhysicalOperation with operator factories
Also converts PhysicalOperation into actual Operators
Functional interface for creating a
LookupEnrichQueryGenerator from plan data.LookupFromIndexService performs lookup against a Lookup index for
a given input page.Lookup join - specialized LEFT (OUTER) JOIN between the main left side and a lookup index (index_mode = lookup) on the right.
Logical plan optimizer for the lookup node.
Physical plan optimizer for the lookup node.
Lookup-specific variant of
PruneFilters.Removes leading whitespaces from a string.
This utilities class provides access to protected methods in Lucene using alternative APIs.
When deciding if a filter or topN can be pushed down to Lucene, we need to check a few things on the field.
Functional interface for evaluating the scalar value of the underlying float array.
Represent a collect of key-value pairs.
Describes a function map argument represented by
MapExpression.This class is part of the planner
Class for sharing code across Mappers.
Full text function that performs a
MatchQuery .Configuration for a field used in the join condition of a LOOKUP JOIN or ENRICH operation.
This class performs a
MatchQuery using an operator.Full text function that performs a
MatchPhraseQuery .Similar to
Max, but it is used to calculate the maximum value over a time series of values from the given field.Class encapsulating the metrics collected for ESQL
A
MetricsInfo is a plan node that returns one row per metric with metadata.Physical plan node for METRICS_INFO command.
Execution mode, mirroring the three-phase pattern used by aggregations.
Similar to
Min, but it is used to calculate the minimum value over a time series of values from the given field.Logical plan for the MMR command.
Physical plan for the MMR command.
During IndexResolution it can occur that the same field is mapped to different types in different indices.
Appends values to a multi-value
Reduce a multivalued field to a single valued field containing the average value.
Reduce a multivalued string field to a single valued field by concatenating all values.
Function that takes two multivalued expressions and checks if values of one expression(subset) are
all present(equals) in the other (superset).
Reduce a multivalued field to a single valued field containing the count of values.
Removes duplicate values from a multivalued field.
Reduce a multivalued field to a single valued field containing the minimum value.
Adds a function to return a result set with multivalued items that are contained in the input sets.
Function that takes two multivalued expressions and checks if any values of one expression(subset) are
present(equals) in the other (superset).
Reduce a multivalued field to a single valued field containing the minimum value.
Reduce a multivalued field to a single valued field containing the maximum value.
Reduce a multivalued field to a single valued field containing the median of the values.
Reduce a multivalued field to a single valued field containing the median absolute deviation of the values.
Reduce a multivalued field to a single valued field containing the minimum value.
Reduce a multivalued field to a single valued field containing the weighted sum of all element applying the P series function.
Base class for multi-value set operations.
Returns a subset of the multivalued field using the start and end index values.
Sorts a multivalued field in lexicographical order.
Reduce a multivalued field to a single valued field containing the sum of all values.
Returns the union of values from two multi-valued fields (all unique values from both inputs).
Combines the values from two multivalued fields with a delimiter that joins them together.
An expression that has a name.
A
Subquery that carries the view name it was resolved from.Unique identifier for a named expression.
Negation function (@{code -x}).
Returns the direction type (inbound, outbound, internal, external) given
a source IP address, destination IP address, and a list of internal networks.
Sentinel exception indicating that logical planning could not find any clusters to search
when, for a remote-only cross-cluster search, all clusters have been marked as SKIPPED.
Immutable tree structure.
Determines which nodes are eligible to execute external-source splits.
All the information about a
Node that is needed to recreate or modify it.ExpressionEvaluator implementation for comparing dense_vector inequality.Query that inverts the set of matched documents.
Aggregate function that receives a numeric, signed field, and returns a single double value.
Marker for
Expressions that can only be evaluated by SurrogateExpression.surrogate()ing
on the coordinating node.Registry for source operator factories.
This rule should only be applied on the coordinator plan, not for a local plan.
Rule that has a different implementation when applied to a local plan.
Marker interface indicating that a function accepts one optional argument (typically the last one).
An internal convert function that packs dimension values into a single BytesRef
Coordinates parallel parsing of a single file by splitting it into byte-range
segments and dispatching each segment to a parser thread.
Describes function parameters.
Logical plan node representing a parameterized lookup query source.
Physical plan node representing a lookup source operation.
Fast IP parsing suitable for embedding in an
ExpressionEvaluator
because they don't allocate memory on every run.Parses the
tables request body parameter.Fold the arms of
CASE statements.Configuration for partition detection strategy, parsed from WITH clause parameters.
Pluggable strategy for detecting partition columns from file paths.
Walks an unresolved logical plan extracting simple filter predicates from
Filter nodes
above UnresolvedExternalRelation nodes.Holds partition information detected from file paths.
Similar to
Percentile, but it is used to calculate the percentile value over a time series of values from the given field.A PhysicalPlan is "how" a LogicalPlan (the "what") actually gets translated into one or more queries.
This class is part of the planner.
Physical plan verifier.
Function that emits pi.
A
LogicalPlan that cannot be run only on the data nodes, resp.Marker node used inside PromQL as the children of all selectors.
SPI provider interface for supplying additional ESQL plan checks to be performed during verification.
Calculates the maximum number of nodes that should be queried concurrently for the given data node plan.
A factory that takes a
LogicalPlan and returns another LogicalPlan.Values for cluster level settings used in physical planning.
Result of local plan optimization containing both physical and logical plans.
The plan here is used as a fallback if the reduce driver cannot be planned in a way that avoids field extraction after TopN.
A customized stream input used to deserialize ESQL physical plan fragments.
A Mapper of stream named id, represented as a primitive long value, to NameId instance.
A customized stream output used to serialize ESQL physical plan fragments.
This class is responsible for collecting metrics related to ES|QL planning.
This class is responsible for publishing metrics related to ES|QL planning.
Interface implemented by expressions or plans that require validation after query plan analysis,
when the indices and references have been resolved, but before the plan is transformed further by optimizations.
Interface implemented by expressions or plans that require validation after query plan analysis,
when the indices and references have been resolved, but before the plan is transformed further by optimizations.
Verifies the plan after optimization.
Interface implemented by expressions that require validation post logical optimization,
when the plan and references have been not just resolved but also replaced.
Interface implemented by expressions that require validation post logical optimization,
when the plan and references have been not just resolved but also replaced.
Marker interface for verifiers that should only be run on Coordinator
Interface implemented by expressions that require validation post physical optimization.
This class is used as a marker for fields that may be unmapped, where an unmapped field is a field which exists in the _source but is not
mapped in the index.
This class is part of the planner.
The class is responsible for invoking any premapping steps that need to be applied to the logical plan,
before this is being mapped to a physical one.
An
EsqlQueryRequest backed by a pre-built EsqlStatement, bypassing ES|QL string
parsing.The function that checks for the presence of a field in the output result.
Similar to
Present, but it is used to check the presence of values over a time series in the given field.Remove, duplicate or rename columns.
Adds an explicit project to minimize the amount of attributes sent from the local plan to the coordinator.
This class provides an empty implementation of
PromqlBaseParserListener,
which can be extended to create a listener which only needs to handle a subset
of the available methods.This class provides an empty implementation of
PromqlBaseParserVisitor,
which can be extended to create a visitor which only needs to handle a subset
of the available methods.This interface defines a complete listener for a parse tree produced by
PromqlBaseParser.This interface defines a complete generic visitor for a parse tree produced
by
PromqlBaseParser.Container plan for embedded PromQL queries.
PromQL data types representing the possible return types of PromQL queries.
Utility class for evaluating scalar arithmetic operations at parse time.
Represents a PromQL function call in the logical plan.
A registry for PromQL functions that maps function names to their respective definitions.
Represents the parameter count constraints for a PromQL function.
Function definition record for registration and metadata.
Marker interface for PromQL-specific logical plan nodes.
Propagate Equals to eliminate conjuncted Ranges or BinaryComparisons.
Replace any reference attribute with its source, if it does not affect the result.
Replace any evaluation from the inlined aggregation side (right side) to the left side (source) to perform the matching.
Merges unmapped fields into the output of the ES relation.
Remove unused columns created in the plan, in fields inside eval or aggregations inside stats.
STATS with no aggregates and no groupings can be replaced with a single, empty row.
Removes FORK branches or subqueries from UnionAll that only contain an empty LocalRelation.
The rule checks if the join's performed on a field which is aliased to null (in type or value); if that's the case, it prunes the join,
replacing it with an Eval - returning aliases to null for all the fields added in by the right side of the Join - plus a Project on top
of it.
Prune foldable groupings from
LIMIT BY.SORT cannot be executed without a LIMIT, as ES|QL doesn't support unbounded sort (yet).
Uses the standard index mode if the special index mode is not required in the query.
Replaces
AggregateExec → ExternalSourceExec with LocalSourceExec
when ungrouped aggregates (COUNT(*), MIN, MAX) can be computed from file-level statistics.Pushes count aggregations on top of query and tags to source.
Push-down and combine rules specific to
LimitBy (LIMIT N BY groupings).Pushes down the SAMPLE operator.
Rewrites an expression tree to push down conjunctions in the prefilter of
Knn functions.Push down filters that can be evaluated by the
UnionAll branch to each branch, and below Subquery,
so that the filters can be pushed down further to the data source when possible.Pushes down any SORT + LIMIT (TopN) that appear immediately after a FORK, into the FORK branches that have no pipeline breaker.
Shared structural validation for predicate pushdown across file formats (ORC, Parquet, etc.).
Replaces
Expressions that can be pushed to field loading with a field attribute
that calculates the expression during value loading.Pushes a LIMIT into
ExternalSourceExec so the source can stop reading early.Traverses the logical plan and pushes down the limit to the KNN function(s) in filter expressions, so KNN can use
it to set k if not specified.
Pushes ungrouped aggregate functions (COUNT, MIN, MAX) to external sources when the
required statistics are available in the file metadata.
Looks for the case where certain stats exist right before the query and thus can be pushed down.
We handle two main scenarios here:
Queries like `FROM index | SORT field` will be pushed to the source if the field is an indexed field.
Utilities for Elasticsearch queries.
Intermediate representation of queries that is rewritten to fetch
otherwise unreferenced nested fields and then used to build
Elasticsearch
QueryBuilders.Some
RewriteableAware implementations such as Match
will be translated to a QueryBuilder that require a rewrite phase on the coordinator.Extracts
@timestamp bounds from Query DSL filters.Represents the
@timestamp lower and upper bounds extracted from a query DSL filter.Represent a strongly typed parameter value
There are two main types of plans,
LogicalPlan and PhysicalPlanHolds the pragmas for an ESQL query.
Describes a query to execute against a connector.
Definition of a query setting.
Full text function that performs a
QueryStringQuery .This function is used internally by
Approximation, and is not exposed
to users via the EsqlFunctionRegistry.Extension of
FormatReader for columnar formats (Parquet, ORC) that support
row-group-level split parallelism.Represents a PromQL range vector selector.
This class is
public for testing.Attribute based on a reference to an expression.
The logical plan for the
REGISTERED_DOMAIN command.Physical plan for the REGISTERED_DOMAIN command.
A bridge for the function that extracts registered domain parts from an FQDN string.
Removes
Aggregate overrides in grouping, aggregates and across them inside.This is to fix possible wrong orderings of Limit, Project and Order or LimitBy, Project and OrderBy.
Replace nested expressions over aggregates with synthetic eval post the aggregation
stats a = sum(a) + min(b) by x
becomes
stats a1 = sum(a), a2 = min(b) by x | eval a = a1 + a2 | keep a, x
The rule also considers expressions applied over groups:
STATS a = x + 1 BY x becomes STATS BY x | EVAL a = x + 1 | KEEP a, x
And to combine the two:
stats a = x + count(*) by x
becomes
stats a1 = count(*) by x | eval a = x + a1 | keep a1, x
Since the logic is very similar, this rule also handles duplicate aggregate functions to avoid duplicate compute
stats a = min(x), b = min(x), c = count(*), d = count() by g
becomes
stats a = min(x), c = count(*) by g | eval b = a, d = c | keep a, b, c, d, gReplace nested expressions inside a
Aggregate with synthetic eval.Replace aliasing evals (eval x=a) with a projection which can be further combined / simplified.
Look for any fields used in the plan that are missing and replaces them with null or look for fields that are constant.
ReplaceRoundToWithQueryAndTags builds a list of ranges and associated tags base on the rounding points defined in a
RoundTo function.If the original aggregate wrapped by the sampled aggregate can be
pushed down to Lucene (so that it will execute exact and fast), sampling
should be skipped and the original aggregate should be executed.
If the original aggregate wrapped by the sampled aggregate cannot be
pushed down to Lucene (which would execute exact and fast), sampling
should be used to speed up the aggregation.
Strips source leaf nodes down to their minimal output attributes so that
InsertFieldExtraction
can later add only the fields that the rest of the plan actually needs.Replaces a
SPARKLINE aggregate into a three-phase execution pipeline that
collects per-bucket values, sorts them chronologically, and fills in zero values for
any empty time buckets.Replaces an aggregation function with an EVAL node under 2 conditions.
Break TopN back into Limit + OrderBy to allow the order rules to kick in.
Replace type converting eval with aliasing eval when type change does not occur.
RerankOperator is an InferenceOperator that computes relevance scores for rows using a reranking model.Factory for creating
RerankOperator instances.Converts any Analyzer-specific
ResolvingProject into an Project equivalent.The rule handles fields that don't show up in the index mapping, but are used within the query.
This version of
Project saves part of its state for computing its projections based on its child's output.Collection of static utility methods for helping transform response data between pages and values.
Results from running a chunk of ESQL.
Streaming cursor over query results from a connector.
Function that reverses a string.
Defines objects that need to go through the rewrite phase.
{code right(foo, len)} is an alias to {code substring(foo, foo.length-len, len)}
Distributes external splits evenly across eligible data nodes in round-robin order.
Round down to one of a list of values.
Removes trailing whitespaces from a string.
Rules that apply transformation to a tree.
Aggregate, which upon execution is either:
sampled with the
sampleProbability for fast execution; or
replaced by an exact aggregate if the originalAggregates can be pushed down to Lucene.Aggregate, which is either:
sampled with the
sampleProbability for fast execution; or
replaced by an exact aggregate if the originalAggregates can be pushed down to Lucene.Returns the sample value if there is exactly one element, otherwise returns NaN.
Represents the
scalar(v instant-vector) PromQL function call that converts a vector to a scalar.A
ScalarFunction is a Function that takes values from some
operation and converts each to another value.Represents a PromQL function call that produces a scalar value and has no arguments.
Schema reconciliation algorithms for multi-file external sources.
Maps unified schema column positions to file-local column positions.
Supported widening cast targets.
Per-file schema information collected during reconciliation.
Result of schema reconciliation during planning.
A function to be used to score specific portions of an ES|QL query e.g., in conjunction with
an
Eval.Maps an expression tree into ExpressionScorer.Factory, so scores can be evaluated for an expression tree.
This class provides
SearchStats from a list of SearchExecutionContext's.Interface for determining information about fields in the index.
When there are no search stats available, for example when there are no search contexts, we have static results.
A default implementat that throws
UnsupportedOperationException on all methods.Extension of
FormatReader for line-oriented text formats (CSV, NDJSON)
that support intra-file parallel parsing.Base class representing a PromQL vector selector.
Simple immutable implementation of SourceMetadata.
Builder for SimpleSourceMetadata.
Simplifies arithmetic expressions with BinaryComparisons and fixed point fields, such as: (int + 2) / 3 > 4 => int > 10
Sine trigonometric function.
Base class for full-text functions that operate on a single field.
Lucene query that wraps another query and only selects documents that match
the wrapped query and have a single field value.
Builds a
bool query combining the "next" query and a SingleValueMatchQuery.Builds a query matching either ignored values OR the union of
next query
and SingleValueMatchQuery.Builds a
bool query ANDing the "next" query, a SingleValueMatchQuery,
and a TermQuery making sure we didn't ignore any values.Sine hyperbolic function.
This interface is intended to check redundancy of a previous SORT.
This is a marker interface for commands that maintain the sort order of their input.
Contains all varieties of source commands (FROM, TS, PROMQL, ...) and their associated index mode.
Unified metadata output type returned by all schema discovery mechanisms.
Context for creating source operator factories.
Functional interface for creating source operator factories.
Statistics about a data source for query planning and optimization.
Statistics for an individual column.
Serializes and deserializes
SourceStatistics to/from a flat Map<String, Object>
using well-known keys.All spatial aggregate functions extend this class to enable the planning of reading from doc values for higher performance.
Calculate spatial centroid of all geo_point, cartesian_point, geo_shape, or cartesian_shape values of a field in matching documents.
This is the primary class for supporting the function ST_CONTAINS.
We override the normal behaviour for CONTAINS because we need to test each component separately.
This is the primary class for supporting the function ST_DISJOINT.
This rule is responsible for marking spatial fields to be extracted from doc-values instead of source values.
Spatial functions that can take doc values as an argument can inherit from this class.
These functions provide support for extracting multi-value spatial envelope results into various result builders
for ST_ENVELOPE, ST_XMAX, ST_XMIN, ST_YMAX and ST_YMIN.
The factory is used in the toEvaluator method so that new instances can be created for each thread.
A functional interface for consuming results that need access to the spatial coordinate type.
Calculate spatial extent of all values of a field in matching documents.
Spatial functions that take one spatial argument, one parameter and one optional bounds can inherit from this class.
Public for use in integration tests
This is the primary class for supporting the function ST_INTERSECTS.
This rule is responsible for marking spatial shape fields whose centroid or extent can be extracted from doc-values.
A base class for spatial functions that operate on a single geometry input and produce a geometry output,
and can receive the incoming geometries from doc-values.
This is the primary class for supporting the function ST_WITHIN.
Represents a unit of work for a connector to execute.
Splits a string on some delimiter into a multivalued string field.
Groups many small
ExternalSplits into CoalescedSplits to
reduce scheduling overhead.Context passed to
SplitProvider.discoverSplits(org.elasticsearch.xpack.esql.datasources.spi.SplitDiscoveryContext) containing all information
needed to enumerate and optionally prune splits for an external source.Walks the physical plan tree, discovers splits for each
ExternalSourceExec,
and replaces them with split-enriched copies via ExternalSourceExec.withSplits(java.util.List<org.elasticsearch.xpack.esql.datasources.spi.ExternalSplit>).3 in (field, 4, 5) --> 3 in (field) or 3 in (4, 5)
Discovers parallelizable splits for an external data source.
Extension of
DecompressionCodec for codecs that support splitting compressed
files into independently decompressible ranges aligned to compressed block boundaries.Similar to
StdDev, but it is used to calculate the standard deviation over a time series of values from the given field.Returns the topological dimension of the geometry.
Computes the distance between two points.
This class is a CRS specific interface for generalizing distance calculations for the various possible ways
that the geometries can be provided, from source, from evals, from literals and from doc values.
Determines the minimum bounding rectangle of a geometry.
Calculates the geohash of geo_point geometries.
When checking grid cells with bounds, we need to check if the cell is valid (intersects with the bounds).
Calculates the geohex of geo_point geometries.
When checking grid cells with bounds, we need to check if the cell is valid (intersects with the bounds).
Returns the geometry type of the given geometry as a string.
Calculates the geotile of geo_point geometries.
When checking tiles with bounds, we need to check if the tile is valid (intersects with the bounds).
Returns true if the given geometry is empty.
Counts the number of points in the geometry
Alternatively, it is well described in PostGIS documentation at PostGIS:ST_NPoints.
Metadata about an object returned from directory listing.
Iterator over objects in a directory.
Format-agnostic manager for creating StorageObject instances from paths.
Unified interface for storage object access.
Represents a location in a storage system.
Abstraction for accessing objects in external storage systems.
Factory for creating
StorageProvider instances.Registry for StorageProvider implementations, keyed by URI scheme.
This interface marks commands which do not add or remove rows and aren't sensitive to the exact order of the rows.
Streaming version of LookupFromIndexOperator.
Status for StreamingLookupFromIndexOperator.
Synthetic
LogicalPlan used by the planner that the child plan is referred elsewhere.Extracts the x-coordinate from a point geometry.
Determines the maximum value of the x-coordinate from a geometry.
Determines the minimum value of the x-coordinate from a geometry.
Extracts the y-coordinate from a point geometry.
Determines the maximum value of the y-coordinate from a geometry.
Determines the minimum value of the y-coordinate from a geometry.
Physical plan representing a subquery, meaning a section of the plan that needs to be executed independently.
If query approximation is enabled, this rule substitutes the original plan
with an approximation plan.
This rule should not be needed - the substitute infrastructure should be enough.
Replace
SurrogateExpressions with their surrogates.Sum all values of a field in matching documents.
Specifies the summation algorithm to use for aggregating floating point values.
Similar to
Sum, but it is used to calculate the sum of values over a time series from the given field.Interface signaling to the planner that the declaring expression
has to be replaced by a different form.
Interface signaling to the planner that the declaring plan should be replaced with the surrogate plan.
Connects to table catalog systems like Iceberg, Delta Lake, or Hudi.
Factory for creating TableCatalog instances.
Tangent trigonometric function.
Tangent hyperbolic function.
Function that emits tau, also known as 2 * pi.
Splits dates into buckets based on the
@timestamp field.Interface for plan nodes that need to be accounted in the statistics
Attribute for referencing the TSDB metric temporality.
Utility class for generating temporary and unique names for query expressions.
Generates names with a monotonically increasing numeric suffix.
Term query.
TEXT_EMBEDDING function converts text to dense vector embeddings using an inference endpoint.
TextEmbeddingOperator is an InferenceOperator that performs text embedding inference.Factory for creating
TextEmbeddingOperator instances.Information about a field in an es index with the
text type.Templating class for displaying ESQL responses in text formats.
Formats
EsqlQueryResponse for the textual representation.An extension of
Aggregate to perform time-series aggregation per time-series, such as rate or _over_time.An extension of
Aggregate to perform time-series aggregation per time-series, such as rate or _over_time.This rule implements the "group by all" logic for time series aggregations.
Field attribute for
_timeseries fieldGrouping function that keeps time-series grouping generic while excluding the specified dimensions.
THis class is used to capture a duration of some process, including start and stop point int time.
Marker interface to identify classes of functions that operate on the {code @timestamp} field of an index.
Marker interface for nodes (expressions or plans) that require
@timestamp bounds derived from the query DSL filter.Sub-interface for
Expression nodes that require timestamp bounds.Sub-interface for
LogicalPlan nodes that require timestamp bounds.Expressions that have a mapping to an
AggregatorFunctionSupplier.Converts a multi-valued input of numbers, or a hexadecimal string, to a dense_vector.
In a single-parameter mode, the function converts the first parameter to an integer.
Converts strings to IPs.
In a single-parameter mode, the function converts the first parameter to a long.
An internal aggregate function that always emits intermediate (or partial) output regardless
of the aggregate mode.
Logical plan node for
SORT order1, order2 | LIMIT N BY grouping1, grouping2, ....Physical plan node for
SORT order1, order2 | LIMIT N BY grouping1, grouping2, ....In a single-parameter mode, the function always uses the current time as the end of the range.
Translates PromQL logical plan into ESQL plan.
Time-series aggregation is special because it must be computed per time series, regardless of the grouping keys.
Lowers
TimeSeriesWithout into the _timeseries metadata attribute expected by
the time-series aggregation pipeline.Expressions implementing this interface are asked provide an
Elasticsearch/Lucene query as part of the data node optimizations.
Subinterface for expressions that can only process single values (and null out on MVs).
How is this expression translatable?
Expressions that store their own
QueryBuilder and implement
TranslationAware can use TranslationAwareExpressionQuery
to wrap their QueryBuilder, instead of using the other existing Query implementations.Handler used during query translation.
This action will stop running async request and collect the results.
Performs the stats operation.
Removes leading and trailing whitespaces from a string.
A
TsInfo is a plan node that returns one row per time series with metadata.Physical plan node for the TS_INFO command.
Execution mode, mirroring the three-phase pattern used by aggregations.
Marker interface indicating that a function accepts two optional arguments (the last two).
A fully resolved attribute - we know its type.
A
UnaryPlan is a LogicalPlan with exactly one child, for example, WHERE x in a
SQL statement is an UnaryPlan.This is an unmapped-fields strategy discriminator.
An internal convert function that unpacks dimension values were packed by
PackDimensionAn unresolved attribute.
Thrown when we accidentally attempt to resolve something on on an unresolved entity.
Represents an unresolved external data source reference (Iceberg table or Parquet file).
An unresolved function call.
Unresolved expression for encapsulating a pattern:
KEEP `a*`, b*, `c*`*`d*`
a* is an actual name (UnresolvedAttribute)
b* is a name pattern (this class)
`c*`*`d*` is a name pattern
When a
KEEP or a DROP receives a wildcard pattern, this is provided to them as an UnresolvedNamePattern.Unsupported attribute that has been found yet cannot be used except in special conditions (currently only in projections to allow it to
flow through the engine).
Information about a field in an ES index that cannot be supported by ESQL.
The logical plan for the
URI_PARTS command.Physical plan for the URI_PARTS command.
A bridge for the function that extracts parts from a URI string.
The logical plan for the
USER_AGENT command.Physical plan for the USER_AGENT command.
Bridge for the USER_AGENT command that parses user-agent strings into structured fields.
Represents a PromQL function call that performs element-wise transformations on an instant vector.
Similar to
Variance, but it is used to calculate the variance over a time series of values from the given field.Underlying binary operation (e.g.
Represents the
vector(s scalar) PromQL function call that creates a vector from a scalar.Marker interface for vector functions.
Base class for vector similarity functions, which compute a similarity score between two dense vectors
Defines the named writables for vector functions in ESQL.
This class is part of the planner.
ESQL sometimes can only create query plans in a certain way if all nodes in the cluster (and participating remotes)
are at a certain minimum transport version.
Result of view resolution containing both the rewritten plan and the view queries.
A
UnionAll produced by view resolution, as opposed to user-written subqueries.Warns when a SORT or TopN is followed by a LOOKUP JOIN which does not preserve order,
and there is no subsequent SORT to restore the order.
Distributes external splits across data nodes using a Longest Processing Time (LPT)
algorithm that considers
ExternalSplit.estimatedSizeInBytes() for load balancing.Similar to basic regex, supporting '?' wildcard for single character (same as regex ".")
and '*' wildcard for multiple characters (same as regex ".*")
A list of wildcard patterns.
Represents a PromQL aggregate function call that operates on range vectors.