elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[ES|QL] "Quick Fix" Autocomplete for Field Type Conflicts #185045

Open ninoslavmiskovic opened 4 months ago

ninoslavmiskovic commented 4 months ago

Describe the feature:

Users often encounter errors when querying across multiple indices that contain fields with the same name but different types. This commonly happens with fields like message, which might be a keyword in some indices and text in others. The current behavior results in a verification_exception error from Elasticsearch. This feature request aims to provide a "quick fix" in the autocomplete functionality of the query builder to resolve such conflicts.

Example of a query:

from logs-*
| keep message, @timestamp

Example of error:

[esql] > Unexpected error from Elasticsearch: verification_exception - Found 1 problem line 2:8: Cannot use field [message] due to ambiguities being mapped as [2] incompatible types: [keyword] in [logs-aws_s3, logs-custom_multiplex, logs-k8_container], [text] in [.ds-logs-elastic_agent-default-2024.06.04-000001, .ds-logs-elastic_agent.filebeat-default-2024.06.04-000001, .ds-logs-elastic_agent.metricbeat-default-2024.06.04-000001, .ds-logs-enterprise_search.api-default-2024.06.04-000001, .ds-logs-enterprise_search.audit-default-2024.06.04-000001, logs-apache_access, logs-apache_error, logs-docker_container, logs-nginx_application_logs, logs-nginx_error, logs-system_error, logs-windows]

Proposed Solution:

1. Automatic Detection and Notification:

2. Quick Fix Options:

Example:

TO_KEYWORD(message) or TO_TEXT(message)

Example:

EVAL message = TO_KEYWORD(message)

3. UI/UX Enhancements:

Example of Fixed Query:

FROM logs-* METADATA _index
| EVAL message = TO_TEXT(message)
| KEEP _index, @timestamp, message
| SORT _index ASC, @timestamp DESC

References:
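
The error quoted in the issue has a regular shape, so the detection step the proposal asks for can start by parsing it into the field name and the indices behind each conflicting type. This is an added example, not part of the original issue or Kibana's code; `parseTypeConflict` is a hypothetical helper name and the sample message is abbreviated from the error above.

```javascript
// Added example: turn an ES|QL type-conflict verification_exception into
// structured data. parseTypeConflict is a hypothetical name, not a Kibana API.
const HEAD = /line (\d+):(\d+): Cannot use field \[([^\]]+)\] due to ambiguities being mapped as \[(\d+)\] incompatible types: /;

function parseTypeConflict(errorText) {
  const head = HEAD.exec(errorText);
  if (!head) return null; // not a field type conflict

  // Only look at the remainder of the line that reported this problem.
  const rest = errorText.slice(head.index + head[0].length).split('\n')[0];

  // Each conflict is rendered as "[type] in [index, index, ...]".
  const types = {};
  const pair = /\[([^\]]+)\] in \[([^\]]*)\]/g;
  let m;
  while ((m = pair.exec(rest)) !== null) {
    types[m[1]] = m[2].split(',').map((s) => s.trim()).filter(Boolean);
  }

  const declared = Number(head[4]);
  return {
    line: Number(head[1]),
    column: Number(head[2]),
    field: head[3],
    types,
    // False when the message was truncated and some types were lost.
    consistent: Object.keys(types).length === declared,
  };
}

// Constructed sample: the issue's error with the index lists shortened.
const SAMPLE =
  'verification_exception - Found 1 problem line 2:8: Cannot use field ' +
  '[message] due to ambiguities being mapped as [2] incompatible types: ' +
  '[keyword] in [logs-aws_s3, logs-k8_container], ' +
  '[text] in [logs-apache_access, logs-windows]';

const conflict = parseTypeConflict(SAMPLE);
for (const [type, indices] of Object.entries(conflict.types)) {
  console.log(`${conflict.field} is ${type} in ${indices.length} indices: ${indices.join(', ')}`);
}
```

The per-type index lists also show which data streams would need a mapping change if the conflict is fixed at the source rather than in each query.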

elasticmachine commented 4 months ago

Pinging @elastic/kibana-esql (Team:ESQL)