Supported OpenSearch SQL commands and functions
The following reference tables show which SQL commands are supported in OpenSearch Discover for querying data in Amazon S3, Security Lake, or CloudWatch Logs, and which SQL commands are supported in CloudWatch Logs Insights. The SQL syntax supported in CloudWatch Logs Insights and that supported in OpenSearch Discover for querying CloudWatch Logs are the same, and referenced as CloudWatch Logs in the following tables.
Note
OpenSearch also has SQL support for querying data that is ingested in OpenSearch
and stored in indexes. This SQL dialect is different than the SQL used in direct
query and is referred to as OpenSearch SQL on indexes
Topics
Commands
Note
In the example commands column, replace
<tableName/logGroup>
-
Example command:
SELECT Body , Operation FROM <tableName/logGroup> -
If you're querying Amazon S3 or Security Lake, use:
SELECT Body , Operation FROM table_name -
If you're querying CloudWatch Logs, use:
SELECT Body , Operation FROM `LogGroupA`
| Command | Description | CloudWatch Logs | Amazon S3 | Security Lake | Example command |
|---|---|---|---|---|---|
|
Displays projected values. |
|
||||
| WHERE clause |
Filters log events based on the provided field criteria. |
|
|||
| GROUP BY clause |
Groups log events based on category and finds the average based on stats. |
|
|||
| HAVING clause |
Filters the results based on grouping conditions. |
|
|||
| ORDER BY clause |
Orders the results based on fields in the order clause. You can sort in either descending or ascending order. |
|
|||
|
( |
Joins the results for two tables based on common fields. |
|
|
||
| LIMIT clause |
Restricts the results to first N rows. |
|
|||
| CASE clause | Evaluates conditions and returns a value when the first condition is met. |
|
|||
| Common table expression | Creates a named temporary result set within a SELECT, INSERT, UPDATE, DELETE, or MERGE statement. |
|
|||
| EXPLAIN | Displays the execution plan of a SQL statement without actually executing it. |
|
|||
| LATERAL SUBQUERY clause | Allows a subquery in the FROM clause to reference columns from preceding items in the same FROM clause. |
|
|||
| LATERAL VIEW clause | Generates a virtual table by applying a table-generating function to each row of a base table. |
|
|||
| LIKE predicate | Matches a string against a pattern using wildcard characters. |
|
|||
| OFFSET | Specifies the number of rows to skip before starting to return rows from the query. | LIMIT clause in a query. For example:
|
|
||
| PIVOT clause | Transforms rows into columns, rotating data from a row-based format to a column-based format. |
|
|||
| Set operators | Combines the results of two or more SELECT statements (e.g., UNION, INTERSECT, EXCEPT). |
|
|||
| SORT BY clause | Specifies the order in which to return the query results. |
|
|||
| UNPIVOT | Transforms columns into rows, rotating data from a column-based format to a row-based format. |
|
Functions
Note
In the example commands column, replace
<tableName/logGroup>
-
Example command:
SELECT Body , Operation FROM <tableName/logGroup> -
If you're querying Amazon S3 or Security Lake, use:
SELECT Body , Operation FROM table_name -
If you're querying CloudWatch Logs, use:
SELECT Body , Operation FROM `LogGroupA`
| Available SQL Grammar | Description | CloudWatch Logs | Amazon S3 | Security Lake | Example command |
|---|---|---|---|---|---|
| String functions |
Built-in functions that can manipulate and transform string and text data within SQL queries. For example, converting case, combining strings, extracting parts, and cleaning text. |
|
|||
| Date and time functions |
Built-in functions for handling and transforming date and timestamp data in queries. For example, date_add, date_format, datediff, and current_date. |
|
|||
| Aggregate functions |
Built-in functions that perform calculations on multiple rows to produce a single summarized value. For example, sum, count, avg, max, and min. |
|
|
||
| Conditional functions |
Built-in functions that perform actions based on specified conditions, or that evaluate expressions conditionally. For example, CASE and IF. |
|
|||
| JSON functions |
Built-in functions for parsing, extracting, modifying, and querying JSON-formatted data within SQL queries (e.g., from_json, to_json, get_json_object, json_tuple) allowing manipulation of JSON structures in datasets. |
|
|||
| Array functions |
Built-in functions for working with array-type columns in SQL queries, allowing operations like accessing, modifying, and analyzing array data (e.g., size, explode, array_contains). |
|
|||
| Window functions | Built-in functions that perform calculations across a specified set of rows related to the current row (window), enabling operations like ranking, running totals, and moving averages (e.g., ROW_NUMBER, RANK, LAG, LEAD) |
|
|||
| Conversion functions |
Built-in functions for converting data from one type to another within SQL queries, enabling data type transformations and format conversions (e.g., CAST, TO_DATE, TO_TIMESTAMP, BINARY) |
|
|||
| Predicate functions |
Built-in functions that evaluate conditions and return boolean values (true/false) based on specified criteria or patterns (e.g., IN, LIKE, BETWEEN, IS NULL, EXISTS) |
|
|||
| Map functions | Applies a specified function to each element in a collection, transforming the data into a new set of values. |
|
|||
| Mathematical functions | Performs mathematical operations on numeric data, such as calculating averages, sums, or trigonometric values. |
|
|||
| Multi-log group functions |
Enables users to specify multiple log groups in a SQL SELECT statement |
Not applicable | Not applicable |
|
|
| Generator functions | Creates an iterator object that yields a sequence of values, allowing for efficient memory usage in large data sets. |
|
General SQL restrictions
The following restrictions apply when using OpenSearch SQL with CloudWatch Logs, Amazon S3, and Security Lake.
-
You can only use one JOIN operation in a SELECT statement.
-
Only one level of nested subqueries is supported.
-
Multiple statement queries separated by semi-colons aren't supported.
-
Queries containing field names that are identical but differ only in case (such as field1 and FIELD1) are not supported.
For example, the following queries are not supported:
Select AWSAccountId, awsaccountid from LogGroupHowever, the following query is because the field name (@logStream) is identical in both log groups:
Select a.`@logStream`, b.`@logStream` from Table A INNER Join Table B on a.id = b.id -
Functions and expressions must operate on field names and be part of a SELECT statement with a log group specified in the FROM clause.
For example, this query is not supported:
SELECT cos(10) FROM LogGroupThis query is supported:
SELECT cos(field1) FROM LogGroup
Additional information for CloudWatch Logs Insights users using OpenSearch SQL
If you're a CloudWatch Logs user, you can use OpenSearch SQL in the Logs Insights console, API or CLI. Most of the OpenSearch SQL commands such as SELECT, FROM, WHERE, GROUP BY, HAVING, JOINS, and nested queries are supported, including JSON, mathematics, string, conditional, and other functions. However, some commands and functions which aren't supported when querying CloudWatch Logs. For example, queries involving DDL and DML statements aren't supported because CloudWatch Logs only allows read operations. For a detailed list of query commands and functions supported in CloudWatch Logs, see the CloudWatch Logs columns in the above tables.
Multi-log group functions
CloudWatch Logs Insights supports the ability to query multiple log groups. To address
this use case in SQL, you can use the logGroups command. This
command is specific to querying data in CloudWatch Logs Insights involving one or more log
groups. Using this syntax, you can query multiple log groups easily by
specifying them in the command, instead of writing a query for each of the log
groups and combining them with a UNION command.
Syntax:
`logGroups( logGroupIdentifier: ['LogGroup1','LogGroup2', ...'LogGroupn'] )
In this syntax, you can specify up to 50 log groups in the
logGroupIndentifier parameter. To reference log groups in a
monitoring account, use ARNs instead of LogGroup names.
Example query:
SELECT LG1.Column1, LG1.Column2 from `logGroups( logGroupIdentifier: ['LogGroup1', 'LogGroup2'] )` as LG1 WHERE LG1.Column1 = 'ABC'
The following syntax involving multiple log groups after the FROM
statement is not supported when querying CloudWatch Logs:
SELECT Column1, Column2 FROM 'LogGroup1', 'LogGroup2', ...'LogGroupn' WHERE Column1 = 'ABC'
Restrictions
When using SQL or PPL commands, enclose certain fields in backticks to
successfully query them. Backticks are needed for fields with special
characters (non-alphabetic and non-numeric). For example, enclose
@message, Operation.Export, and
Test::Field in backticks. You don't need to enclose
columns with purely alphabetic names in backticks.
Example query with simple fields:
SELECT SessionToken, Operation, StartTime FROM `LogGroup-A` LIMIT 1000;
Same query with backticks appended:
SELECT `SessionToken`, `Operation`, `StartTime` FROM `LogGroup-A` LIMIT 1000;
For additional general restrictions that aren't specific to CloudWatch Logs, see General SQL restrictions.
Sample queries and quotas
Note
The following applies to both CloudWatch Logs Insights users and OpenSearch users querying CloudWatch data.
For sample SQL queries that you can use in CloudWatch Logs, see Saved and sample queries in the Amazon CloudWatch Logs Insights console for examples.
For information about the limits that apply when querying CloudWatch Logs from OpenSearch Service, see CloudWatch Logs quotas in the Amazon CloudWatch Logs User Guide. Limits involve the number of CloudWatch Log groups you can query, the maximum concurrent queries that you can execute, the maximum query execution time, and the maximum number of rows returned in results. The limits are the same regardless of which language you use for querying CloudWatch Logs (namely, OpenSearch PPL, SQL, and Logs Insights).
