Additional ES|QL commands | Voters

Additional ES|QL commands

in progress

John Ermolowich

Support for additional commands like SORT, STATS, and COUNT. These are part of the ES|QL documentation and will allow us to create queries such as failed login count by IP address or username.

August 22, 2025

Nate O'Brien

marked this post as

in progress

We now support the stats COUNT and COUNT DISTINCT operators. SORT will becoming in the near future. Please see the documentation here: https://support.huntress.io/hc/en-us/articles/30113222043155-Huntress-Managed-SIEM-Log-Search-Guide

Autopilot

Merged in a post:

ESQL Stats

Kurt Woods

We are building saved queries, but are seeing more data than we want to. ESQL has a Stats command that could allow us to set thresholds for queries. For example, it would allow us to build a saved search that only shows us hostnames that have 5 or more failed logins for the past 24 hours. I'd love to see the Stats be available for use

January 3, 2026