Get hands-on with Elasticsearch: Dive into our sample notebooks, start a free cloud trial, or try Elastic on your local machine now.
The Elasticsearch Query Language (ES|QL), generally available since 8.14, introduces a purpose-built query language and engine designed for search, observability, and security investigations. Unlike OpenSearch’s Piped Processing Language (PPL), which borrows heavily from existing piped languages, ES|QL was built from the ground up to focus on polish, usability, and seamless integration across the Kibana platform.
In this blog, we will explore the developer experience of the ES|QL Editor in Elasticsearch 9.1 by comparing it to PPL in the Event Analyzer (PPL for short) in OpenSearch 3.2.
The differences quickly become clear: the ES|QL Editor delivers intelligent autocomplete, contextual help, Recommended Queries, and cross-cluster query support that empower not just beginner users, but expert-level users as well. The thoughtful design for ES|QL authoring is further seen in integrated query inspection and holistic integration through Kibana workflows, for example, with Recent Queries.
PPL, by contrast, lacks comparable support for autocomplete, contextual guidance, and distributed queries, creating a steeper learning curve and more trial-and-error.
Making ES|QL easier to learn and use
Getting started with a new query language can often feel overwhelming. The ES|QL Editor, built directly into Kibana Discover, is designed to ease that process by supporting not only query creation and debugging, but also by accelerating how quickly you become familiar and comfortable with the language. As the editor helps reduce friction in everyday tasks, you can shift your focus from syntax and trial-and-error to solutioning. You can read more about these principles and how we’ve integrated them into the editor here.
This editor experience is not confined to Discover; it's a reusable code module that we are working on integrating into other parts of Kibana, such as Dashboards, Kibana alerts, and Kibana maps.
Intelligent autocomplete: accelerating your query creation
The autocomplete in ES|QL Editor is comprehensive, offering suggestions for compatible functions, arguments, literals, and even nested functions, a capability notably lacking in PPL. In fact, it has been rebuilt from the ground up, as outlined here.
The validation runs as the user types, as outlined here, and will suggest fields and also notify the user of errors. This reduces the users’ mental burden and helps prevent errors early in the query creation process.
Example: Fields and compatible functions are suggested in this nesting:
Something which PPL does not support:
Even with intelligent autocomplete guiding you through compatible functions, arguments, and nested functions, you might still want a deeper understanding of the available options. This is precisely where ES|QL Editor's contextual help becomes invaluable, offering immediate, in-editor assistance to clarify and enhance your query development.
Contextual help at your fingertips
Additional information about a command generated by autocomplete is a Ctrl-Space click away. A panel immediately appears with details about the function, argument, or field in question. This lightweight interaction keeps developers in flow, providing just-in-time guidance without forcing them to leave the editor or search external documentation. This reduces time wasted on syntax lookups and helps prevent common mistakes before they occur.
Here’s how it looks in action:
PPL lacks this level of embedded guidance, leaving users to rely on external docs or trial-and-error. That absence is not just a missing feature; it highlights a broader disparity in design philosophy. ES|QL prioritizes a thoughtful, context-aware experience that adapts to the user’s data and workflow. This difference becomes more pronounced as queries grow in complexity, making ES|QL Editor a more efficient and reliable environment for both learning and production use.
Recommended Queries that are data context aware
The ES|QL Editor provides Recommended Queries that are automatically tailored to the data you are working with, such as logs. Instead of presenting a blank editor, it surfaces the most relevant starting points for common use cases. Selecting a Recommended Query generates a canonical query that is immediately usable and can be further refined as needed. This approach accelerates query development, especially for new users who may not yet know the full syntax.
Here’s an example where a user selects the “Detect Change Point” query:
Compare that to the PPL experience:
By contrast, PPL here offers only basic autocomplete, leaving you to piece together queries without context or structure. This lack of guidance may lead to frustration and trial-and-error.
With ES|QL Editor’s data-aware Recommended Queries, you can avoid starting from scratch or memorizing syntax for routine tasks. The editor reduces cognitive load, helps prevent errors, and lets you focus on problem-solving and broader goals such as running cross-cluster searches rather than wrestling with query construction.
Intuitive cross-cluster querying
ES|QL Editor’s Autocomplete remains superior, even when working with multiple remote clusters with CCS. Here’s why:
ES|QL Editor provides seamless autocomplete even across clusters
Autocomplete in the ES|QL Editor supports not only cluster names but also both local and remote indexes. As covered here, this works thanks to a coordinator node architecture, which helps validate and generate the query plan to send to the local nodes, execute the query and aggregate the results before sending back to the user. Without entering the full remote cluster name, typing “:” starts the autocompletion process for the remote index. And you are not limited to the prefix.
This makes it easy to discover and query across distributed datasets without memorizing naming conventions or switching contexts.
Here is an example where the user types just “clu:g” to locate a remote index:
In stark contrast, the PPL provides only basic completion for local indexes, with suggestions restricted to prefix matches. Remote clusters must be typed manually, which increases the likelihood of errors and slows down query creation.
PPL provides completion only for local indexes and suggestions are restricted to the prefix:
ES|QL goes further by allowing exclusions directly using a negative sign, giving you fine-grained control over which clusters participate in your exploration. This capability is particularly valuable when working with hybrid environments, where you may want to include or omit specific datasets during cross-cluster investigations.
These enhancements reflect Elasticsearch’s broader focus on reducing friction in Cross-Cluster Search. By making distributed queries easier to construct and manage, ES|QL Editor enables analysts and developers to focus on insights rather than syntax, while PPL leaves more of that burden on the user. And just as the ES|QL Editor simplifies the creation of cross-cluster queries, it also provides tools to inspect how those queries execute, ensuring transparency and performance monitoring across multiple clusters.
Using Inspect Tool to analyze Cross-Cluster Search details
The Inspect Tool, accessible from the ES|QL Editor, is designed to provide metadata with explicit information about the query execution across all clusters. This functionality is enabled in Kibana Discover and is accessible directly in the query inspector, allowing you to analyze search progress and details, which is particularly crucial for Cross-Cluster Search (CCS). This capability helps you monitor search progress and understand how queries perform across distributed datasets.
This detailed visibility into query execution, particularly for complex distributed searches, allows you to ensure optimal performance and troubleshooting.
Beyond understanding the mechanics of individual queries, ES|QL Editor further enhances the user journey by deeply embedding essential functionalities across the entire Kibana platform, fostering a seamless and uninterrupted workflow.
Unified Query Experience with ES|QL and Kibana
One of the most common sources of friction in query-driven analysis is context switching. You often need to recall queries you have already written. Each interruption breaks focus and slows investigations. ES|QL Editor addresses this by integrating query history across Kibana.
Recent Queries
The Recent Queries feature in ES|QL Editor helps you stay in flow by making past work instantly accessible. Within the ES|QL Editor in Discover, you can view, re-run, and star your last 20 queries, ensuring that frequently used or complex queries are only a click away. These saved queries also carry across Kibana, integrating with Dashboards, visualizations, alerts, and maps, so you don’t need to leave your current screen or retype commands from scratch. This reduces repetitive work, speeds up investigations, and minimizes the risk of errors.
For example, a user can utilize the Recent Queries in ES|QL Editor in Discover (and star them):
Recent Queries are integrated in Dashboard:
PPL provides no comparable capability, leaving users to rely on manual copy-paste or external notes to reuse queries. The difference is more than convenience; it reflects Elastic’s strategy of building ES|QL as a truly integrated language within the Kibana ecosystem. With features like Recent Queries, ES|QL Editor not only streamlines day-to-day workflows but also lays the foundation for more advanced functionality now in technical preview, ensuring the experience continues to evolve.
Conclusion
ES|QL is more than a syntax; it reflects Elastic’s strategy to improve how users search, explore, and analyze data. With intelligent autocomplete, context-aware Recommended Queries, in-editor guidance, and tools like Inspect, ES|QL Editor accelerates learning, reduces errors, and simplifies complex workflows such as cross-cluster analysis. Integrated across Kibana, it connects queries seamlessly to dashboards, alerts, and visualizations for an uninterrupted workflow.
In summary, ES|QL is not merely another piped language; it is a thoughtfully engineered query engine paired with an intuitive UI that fundamentally redefines how you interact with your data, offering an integrated, intelligent, and continuously evolving experience that contrasts sharply with the often-sequential and less-guided nature of OpenSearch PPL.
What’s Next
This blog only scratches the surface of ES|QL. Future posts will dive deeper into comparisons with OpenSearch PPL and explore geospatial, visualization, and upcoming editor features such as Controls (already available in Dashboards), multi-data exploration tabs, background search, richer query history, and FUSE.
Try out ES|QL today
You can check out ES|QL in fully managed Elasticsearch Serverless projects with a free trial. It’s also available in versions spanning from 8.11, but is best experienced in 8.19 and 9.1.
Get started in minutes on your local environment with a single command:
Related content
Introducing the ES|QL query builder for the Elasticsearch Ruby Client
Learn how to use the recently released ES|QL query builder for the Elasticsearch Ruby Client. A tool to build ES|QL queries more easily with Ruby code.
Introducing the ES|QL query builder for the Python Elasticsearch Client
Learn how to use the ES|QL query builder, a new Python Elasticsearch client feature that makes it easier to construct ES|QL queries using a familiar Python syntax.
Using ES|QL COMPLETION + an LLM to write a Chuck Norris fact generator in 5 minutes
Discover how to use the ES|QL COMPLETION command to turn your Elasticsearch data into creative output using an LLM in just a few lines of code.
July 29, 2025
Introducing a more powerful, resilient, and observable ES|QL in Elasticsearch 8.19 & 9.1
Exploring ES|QL enhancements in Elasticsearch 8.19 & 9.1, including built-in resilience to failures, new monitoring and observability capabilities, and more.
July 29, 2025
Unify your data: Cross-cluster search with ES|QL is now generally available!
Cross-Cluster search with ES|QL is now GA! Query data across multiple clusters with a single, elegant query. Learn about its performance, resilience, and syntax.