SQL and PPL support in AWS Elasticsearch (Open Distro for ES)

AWS Elasticsearch now supports standard SQL syntax. For system admins, it also supports PPL (Piped Processing Language). Here is the same query in both: it selects S3 object-write events (PutObject, UploadPart, UploadPartCopy) against buckets whose name starts with "web" and returns userAgent and eventID. The SQL version:

select userAgent, eventID from newcwl where requestParameters.bucketName.keyword like 'web%' and (eventName.keyword like 'PutObject%' OR eventName.keyword like 'UploadPartCopy%' OR eventName.keyword like 'UploadPart%');

And this is PPL syntax:

search source=newcwl eventSource.keyword='s3.amazonaws.com' | where eventName.keyword like 'PutObject%' or eventName.keyword like 'UploadPart%' or eventName.keyword like 'UploadPartCopy%' | where requestParameters.bucketName.keyword like 'web%' | fields userAgent, eventID
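As an added example (not part of the post), the Python below replays the filter from the two queries above locally over a handful of constructed events shaped like CloudTrail S3 data events (an assumption about what the newcwl index holds), and shows the request shape the Open Distro SQL plugin expects for each query. The endpoint paths `_opendistro/_sql` and `_opendistro/_ppl` are the plugin's; the sample events, `like` helper and function names are constructed here. It also goes slightly beyond the page by showing that the `UploadPart%` clause already covers `UploadPartCopy`.

```python
"""Local replay of the page's SQL/PPL filter over constructed events, plus the
request shape the Open Distro SQL plugin expects (added example, not the post's code)."""
from fnmatch import fnmatchcase

# The page's two queries, written with straight quotes as the parser expects.
SQL_QUERY = ("select userAgent, eventID from newcwl "
             "where requestParameters.bucketName.keyword like 'web%' "
             "and (eventName.keyword like 'PutObject%' "
             "or eventName.keyword like 'UploadPartCopy%' or eventName.keyword like 'UploadPart%')")
PPL_QUERY = ("search source=newcwl eventSource.keyword='s3.amazonaws.com' "
             "| where eventName.keyword like 'PutObject%' or eventName.keyword like 'UploadPart%' "
             "| where requestParameters.bucketName.keyword like 'web%' | fields userAgent, eventID")

def request_for(query):
    """Return (endpoint path, request body as a dict) for the plugin: PPL statements
    start with 'search' and go to _opendistro/_ppl, everything else to _opendistro/_sql."""
    path = "_opendistro/_ppl" if query.lstrip().startswith("search ") else "_opendistro/_sql"
    return path, {"query": query}

def like(value, pattern):
    """SQL LIKE against a .keyword subfield (stored value, no analysis): % = any run, _ = one char."""
    return fnmatchcase(value, pattern.replace("%", "*").replace("_", "?"))

# 'UploadPart%' already matches UploadPartCopy, so the page's third clause is redundant.
WRITE_PATTERNS = ("PutObject%", "UploadPart%")

def s3_writes_to_web_buckets(events):
    """Mirror the WHERE clause: S3 write events against buckets whose name starts with 'web'."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        bucket = ev.get("requestParameters", {}).get("bucketName", "")
        if like(bucket, "web%") and any(like(ev.get("eventName", ""), p) for p in WRITE_PATTERNS):
            hits.append((ev.get("userAgent"), ev["eventID"]))  # the select / fields list
    return hits

# Constructed sample events (not real CloudTrail output); only the fields the query touches.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userAgent": "aws-cli/2.0", "requestParameters": {"bucketName": "web-assets"}},
    {"eventID": "e2", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userAgent": "curl/7.68", "requestParameters": {"bucketName": "web-assets"}},
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "UploadPartCopy",
     "userAgent": "aws-sdk-go/1.40", "requestParameters": {"bucketName": "webroot"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userAgent": "aws-cli/2.0", "requestParameters": {"bucketName": "backups"}},
]

if __name__ == "__main__":
    print(request_for(PPL_QUERY)[0], s3_writes_to_web_buckets(SAMPLE_EVENTS))
```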

This is really a great feature. I was looking for something like this for years!

