search

elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch
Other
1.16k stars 24.84k forks source link

ESQL: Referncing children of nested fields doesn't always fail #115685

Open nik9000 opened 2 weeks ago

nik9000 commented 2 weeks ago

Elasticsearch Version

8.16

Installed Plugins

No response

Java Version

bundled

OS Version

cloud

Problem Description

ESQL isn't always making an error when referring to a nested field.

Steps to Reproduce

Make an index with a mapping like:

"process": {
              "type": "nested",
              "properties": {
                "entity_id": {
                  "type": "text"
                },
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "pid": {
                  "type": "long"
                }
              }
            },

Then write a query like FROM foo* | WHERE process.name = "bar". That fails like it should - we don't know what the process.name field is because we don't understand nested. But if you write

FROM foo*
| EVAL s = CASE(process.name RLIKE ".*adfadsfdaf", 1, 0)
| WHERE s == 1
| STATS COUNT(*) BY process.name

that doesn't fail. Or didn't in an example I'm looking at. Neither does this:

FROM foo* | STATS COUNT(*) BY process.name

Now this could have something to do with foo* matching an index with the nested mapping and one without - but I'm not sure.

Logs (if relevant)

No response

elasticsearchmachine commented 1 week ago

Pinging @elastic/es-analytical-engine (Team:Analytics)