`FROM`

Stack Serverless

The FROM source command returns a table with data from a data stream, index, or alias.

Syntax

FROM index_pattern [METADATA fields]

Parameters

index_pattern: A list of indices, data streams or aliases. Supports wildcards and date math.
fields: A comma-separated list of metadata fields to retrieve.

Description

The FROM source command returns a table with data from a data stream, index, or alias. Each row in the resulting table represents a document. Each column corresponds to a field, and can be accessed by the name of that field.

Note

By default, an ES|QL query without an explicit LIMIT uses an implicit limit of 1000. This applies to FROM too. A FROM command without LIMIT:

FROM employees

is executed as:

		FROM employees
| LIMIT 1000

Examples

FROM employees

You can use date math to refer to indices, aliases and data streams. This can be useful for time series data, for example to access today’s index:

FROM <logs-{now/d}>

Use comma-separated lists or wildcards to query multiple data streams, indices, or aliases:

FROM employees-00001,other-employees-*

Use the format <remote_cluster_name>:<target> to query data streams and indices on remote clusters:

FROM cluster_one:employees-00001,cluster_two:other-employees-*

Use the optional METADATA directive to enable metadata fields:

FROM employees METADATA _id

Use enclosing double quotes (") or three enclosing double quotes (""") to escape index names that contain special characters:

FROM "this=that", """this[that"""