ECL is a simple query language intended for use with data sources that generate tabulated data. It allows you to query data from these sources and do some limited manipulation. It supports conditional statements, loops, variables and comments. There are almost certainly bugs. Pls report!
ECL is based on bash's shell syntax. You'll find similar ideas here:
- Comments (
# HACK). - Variables (bools, ints, floats, strings, arrays).
- String concatentation (
"app"'le'). - Output redirection via
>and|. - Control flow (
ifandfor). And some other stuff I'm forgetting.
The authoritative source for syntax questions is the grammar. For a gentler introduction, try checking out the examples below.
set type="access_log"; # Define the type we want to query
es:logstash type:$type > res_a; # Query ES for data and store the results into a variable
if `count(res_a) > 0` { # If we got results...
# Load up our results and use it in a follow up query.
# Look for any info_log documents that match any of the `request_uaid`s in our first result set.
load res_a | es:logstash type:info_log request_uaid:$_.request_uaid;
}
set list=["one","two","three"];
for list {
es:logstash a:$_.value;
}
# This is a comment
set VAR=VALUE
The set statement allows you to assign a primitive value to a variable. Has no return value.
VAR: The name of the variable.
VALUE: The value to set the variable to. Supports bools, ints, floats, strings and arrays.
Example: set num=10
if `COND` {
BRANCH_A
}
if `COND` {
BRANCH_A
} else {
BRANCH_B
}
The if statement allows you to branch execution. It accepts an ECL expression which allows you to access any global variables. Returns the value of the winning branch.
COND: An SEL expression.
BRANCH_A: The truthy branch.
BRANCH_B: The falsey branch.
Example: if true { es:logstash url:"/" } else { es:logstash -url:"/" }
for VAR {
CODE
}
The loop statement allows you to loop over a result. Each iteration of the loop body sets the _ variable. Returns the value of the loop body.
VAR: The result to iterate over.
CODE: The code block to execute.
Example: for res { count }
AAA
AAA | BBB | ...
AAA | BBB | > VAR_A | CCC | DDD > VAR_B
The CommandList is a pipeline of Commands to execute. Output from each Command flows to the next one until it reaches the end. You can copy the output for almost all Commands into a varible. Returns the output from the final Command iff it is not redirected into a variable.
AAA,BBB,CCC,DDD: Commands
count
Returns the result count for the result set.
filter `EXPR`
Filters the result set with the provided expression.
EXPR: An SEL expression.
Example: filter _['level'] == 'info'``
head NUM
Returns the first n results.
NUM: The max number of results to return.
Example: head 5
tail NUM
Returns the last n results.
NUM: The max number of results to return.
Example: tail 5
join:TYPE RES=FIELD+FIELD+...
Performs an inner join on two result sets.
TYPE: The type of join (inner, left, right).
RES: The result set to join with.
FIELD: The field to join on.
Example: join res_a=request_uaid
map -FIELD
map AAA+BBB=CCC
map FIELD=`EXPR`
Map field names and values in the results. You can specify multiple clauses in a single Command and they'll be executed in order.
Example: map count=_ + 3 _type=type -_type
es:SRC QUERY
es:SRC OPTS QUERY | agg:ATYPE AFIELD AOPTS
Returns data from ES.
SRC: The source (usually logstash).
OPTS: Search options.
QUERY: A query.
ATYPE: Aggregation type.
AOPTS: Aggregation options.
Supports most standard ES syntax with a few extras:
Example: es:logstash type:info_log | agg:terms ip_addr
sort FIELD,ORD ...
Returns the results, sorted.
FIELD: The field name to sort on.
ORD: asc or desc.
Example: sort request_time,asc
load AAA
load AAA,BBB,...
Load a result set.
AAA,BBB: Variables.