Store any data
Securely store, analyze, and scale all data types: structured, unstructured, time-series, logs, events, geospatial, vectors, and more. No need to move data to a central location or refactor data to fit.
POST /my-index/_doc/1
{
  "timestamp": "2025-02-19T14:30:00Z",
  "log_level": "ERROR",
  "message": "Unauthorized access attempt detected",
  "event_id": "abc123xyz",
  "user": {
    "id": "user_456",
    "username": "jdoe",
    "ip_address": "192.168.1.100"
  },
  "geo": {
    "lat": 39.7392,
    "lon": -104.9903,
    "city": "Denver",
    "region": "Colorado",
    "country": "US"
  },
  "http": {
    "method": "POST",
    "url": "/admin/login",
    "status_code": 401,
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
  },
  "security": {
    "alert_type": "Failed Login",
    "severity": "high",
    "action_taken": "Blocked IP",
    "detection_engine": "SIEM"
  },
  "server": {
    "hostname": "webserver-01",
    "environment": "production"
  }
}
Semantic search
Keyword-based search falls short when users need results based on meaning, not just exact matches. Elasticsearch enables semantic search with dense and sparse vectors, hybrid retrieval, and advanced relevance tuning, powering AI-driven applications that understand intent and context for more accurate results.
FROM search-movies
| EVAL len = length(semantic_title)
| EVAL semantic_title = to_upper(semantic_title)
| KEEP semantic_title, len
| SORT len DESC
Rerank search
Returning relevant results isn't just about matching terms; it's about ranking what matters most. Elasticsearch enhances search quality with reranking techniques, using vector search, hybrid retrieval, and machine learning to refine and prioritize the best results for each query.
FROM my-index*
| EVAL distance = ST_DISTANCE(TO_GEOPOINT(location), city_location)
| KEEP timestamp, user.username, location, distance, city_location
| SORT distance ASC
Geospatial search & analytics
Scaling geospatial search is challenging with large datasets and real-time location updates. Elasticsearch enables fast geospatial search, mapping, and geo-hex analytics while optimizing query performance at scale.
FROM security-logs
| LOOKUP JOIN envs_lkp ON clientip
| WHERE environment IS NOT NULL
| KEEP @timestamp, clientip, environment
| EVAL env = CONCAT(environment, " Environment")
| LOOKUP JOIN blocked_lkp ON clientip
| LOOKUP JOIN emp_lkp ON clientip
| WHERE ST_INTERSECTS(
    "POLYGON((109.4 18.1, 109.6 18.1, 109.6 18.3, 109.4 18.3, 109.4 18.1))"::geo_shape,
    client_location
  )
| STATS COUNT(action) BY emp_no, first_name
Time series analysis
Monitoring modern applications and infrastructure requires real-time insights across signals, telemetry, logs, metrics, and traces. Elasticsearch powers observability solutions with scalable data ingestion, fast search, and advanced analytics, helping teams detect issues, troubleshoot performance, and optimize system health efficiently.
FROM my-index*
| WHERE http.status_code >= 500
| STATS failure_count = COUNT(*) BY server.hostname
| SORT failure_count DESC
| KEEP server.hostname, failure_count
Threat hunting
Detecting and investigating security threats requires analyzing massive volumes of logs in real time. Elasticsearch powers SIEM solutions with high-speed log ingestion, scalable AI threat detection, and fast search across structured and unstructured security data so teams can identify anomalies and respond to threats faster.
FROM my-index*
| WHERE log_level == "ERROR" OR security.severity == "high"
| SORT timestamp DESC
| KEEP timestamp, user.username, message, security.alert_type, security.severity, http.status_code
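The query above only lists individual high-severity events. The following ES|QL query is an added example, not part of the original page, showing the aggregation step a hunter would run next over events shaped like the failed-login document indexed earlier: it groups 401 responses to the admin login endpoint by source IP and 5-minute window and keeps only sources that exceed a threshold, which surfaces brute-force or password-spray activity that no single event reveals. The field names come from that document; the `my-index*` pattern, the 5-minute window and the threshold of 10 attempts are assumptions to tune for your environment.

```esql
FROM my-index*
| WHERE http.url == "/admin/login" AND http.status_code == 401
| STATS failed_logins = COUNT(*),
        distinct_users = COUNT_DISTINCT(user.username)
    BY user.ip_address, window = BUCKET(timestamp, 5 minutes)
| WHERE failed_logins >= 10
| SORT window DESC, failed_logins DESC
| KEEP window, user.ip_address, failed_logins, distinct_users
```

Each result row is one source IP in one window; a high `distinct_users` count alongside `failed_logins` points to spraying across accounts rather than a single-account brute force. Grouping on `user.ip_address` requires that field to be mapped as `ip` or `keyword` (dynamic mapping of the sample document would give it a `text` type with a `.keyword` subfield, in which case group on `user.ip_address.keyword`), and an `ip` mapping additionally lets `WHERE CIDR_MATCH(user.ip_address, "192.168.0.0/16")` exclude internal ranges.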