PPL syntax

Every PPL query starts with the search command. It specifies the index to search and retrieve documents from. Subsequent commands can follow in any order.

Note: Currently, PPL supports only one search command, which can be omitted to simplify the query.

Syntax

```sql
search source=<index> [boolean-expression]
source=<index> [boolean-expression]
```

| Field | Description | Required |
| :--- | :--- | :--- |
| search | Specifies search keywords. | Yes |
| index | Specifies which index to query from. | No |
| bool-expression | Specifies an expression that evaluates to a Boolean value. | No |

Examples

Example 1: Search through accounts index

In the following example, the search command refers to the accounts index as the source and pipes the result through the where and fields commands to apply the conditions:

```sql
search source=accounts
| where age > 18
| fields firstname, lastname
```

In the following examples, angle brackets < > enclose required arguments and square brackets [ ] enclose optional arguments.

Example 2: Get all documents

To get all documents from the accounts index, specify it as the source:

```sql
search source=accounts;
```

| account_number | firstname | address | balance | gender | city | employer | state | age | email | lastname |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| 1 | Amber | 880 Holmes Lane | 39225 | M | Brogan | Pyrami | IL | 32 | amberduke@pyrami.com | Duke |
| 6 | Hattie | 671 Bristol Street | 5686 | M | Dante | Netagy | TN | 36 | hattiebond@netagy.com | Bond |
| 13 | Nanette | 789 Madison Street | 32838 | F | Nogal | Quility | VA | 28 | null | Bates |
| 18 | Dale | 467 Hutchinson Court | 4180 | M | Orick | null | MD | 33 | daleadams@boink.com | Adams |

Example 3: Get documents that match a condition

To get all documents from the accounts index that either have account_number equal to 1 or have gender as F, use the following query:

```sql
search source=accounts account_number=1 or gender="F";
```

| account_number | firstname | address | balance | gender | city | employer | state | age | email | lastname |
| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
| 1 | Amber | 880 Holmes Lane | 39225 | M | Brogan | Pyrami | IL | 32 | amberduke@pyrami.com | Duke |
| 13 | Nanette | 789 Madison Street | 32838 | F | Nogal | Quility | VA | 28 | null | Bates |
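The following is an added example, not code from the OpenSearch documentation or project: a small Python parser that applies the syntax above (optional search keyword, mandatory source=<index>, optional boolean expression, then piped commands) and a hypothetical allow-list gate that a service could run before forwarding a user-supplied query to the cluster. It assumes pipes are split on `|` outside double-quoted string literals; the index_allowed function and its allow-list are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class PPLQuery:
    index: str                       # value of source=<index>
    condition: Optional[str]         # optional boolean expression on the search command
    commands: List[Tuple[str, str]]  # piped commands as (name, arguments)

# Search command head: the "search" keyword is optional, source=<index> is not,
# and whatever follows on that stage is the optional boolean expression.
_HEAD = re.compile(r"^(?:search\s+)?source\s*=\s*(?P<index>[\w.*-]+)\s*(?P<cond>.*)$", re.S)

def split_pipes(text: str) -> List[str]:
    """Split on '|' but not inside double-quoted string literals (e.g. where name="a|b")."""
    stages, buf, in_str = [], [], False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        if ch == "|" and not in_str:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return stages

def parse_ppl(query: str) -> PPLQuery:
    """Break a PPL query into source index, optional condition and piped commands."""
    stages = split_pipes(query.strip().rstrip(";").strip())
    head = _HEAD.match(stages[0])
    if head is None:
        raise ValueError("PPL query must begin with [search] source=<index>")
    commands = []
    for stage in stages[1:]:
        name, _, args = stage.partition(" ")
        if not name:
            raise ValueError("empty piped command")
        commands.append((name, args.strip()))
    return PPLQuery(head.group("index"), head.group("cond").strip() or None, commands)

def index_allowed(query: str, allowed: set) -> bool:
    """Hypothetical gate: accept the query only if its source index is on the allow-list."""
    return parse_ppl(query).index in allowed
```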