ES|QL "Unknown column [process.name]" after upgrading to 8.17

After upgrading our Elastic stack to 8.17, we have begun having issues with our ES|QL queries. When searching for process.name or process.command_line in all logs, we receive the error "Unknown column [process.name]" even though this key is present and populated in several documents. When switching to FROM logs-*powershell*, the key can be queried; however, process.name is always empty, when it previously had been powershell.exe.
What is broken?

Hi @isugg

The first example is
process.command_line
The 2nd is
process.name

Can you try the ESQL with process.command_line

Also are you sure they are there in the time range?

Also try using the same logs selector

Also did you upgrade the agent or beats?

What version did you upgrade from?

What are you using to collect the logs?

Validate the same in Discover.

Hello Stephen,

I am having issues with process.command_line and process.name being missing or un-queryable in multiple different index-matching patterns, including the most generic, logs-*, although I am able to query these fields in certain indices. These indices do not match a similar collection pattern like endpoint or system security logs; the matching indices are from random UIDs representing different data collection points. We upgraded the Elastic stack and Kibana version from 8.11 to 8.17; the agents are various versions of 8.x. I am having these issues in Discover when using ES|QL in Kibana. When getting the metadata of each document and switching to KQL in Discover to find these documents, the data is matching, i.e. process.name is there in KQL when it is available in ES|QL, and not there in KQL when it is not available in ES|QL. Thank you!

Hi @isugg

I am not sure what the issue is.

What I suggest is to go to Discover and do a very strict query on a specific index and field... you can find the index in the document.

Example

_index: .ds-metrics-system.process-default-2025.01.10-001243 and process.name : *

Then replicate that in ESQL ...

FROM .ds-metrics-system.process-default-2025.01.10-001243
| WHERE process.name IS NOT NULL

Let me know if that works...

I suspect perhaps there are conflicts in your data views that are causing the issue.

It is possible there is a bug... If so you will need to provide a repeatable case so that an Issue can be drafted...
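An added diagnostic query, not part of the original thread: before narrowing down to a single backing index as suggested above, it helps to see which backing indices under the wildcard actually hold a mapped, non-null process.name. This uses ES|QL's METADATA _index option so the per-index counts come back in one result set. The logs-* pattern and the field name are taken from the thread; everything else is assumed.

```esql
FROM logs-* METADATA _index
| WHERE process.name IS NOT NULL
| STATS docs = COUNT(*) BY _index
| SORT docs DESC
```

Caveat: if process.name is not mapped in any index matched by the pattern, this query fails with the same "Unknown column" error, which is itself the answer. In that case check the mappings directly with the field capabilities API in Dev Tools (`GET logs-*/_field_caps?fields=process.name,process.command_line`): it lists, per field, which indices map it and with which types, so a type conflict between backing indices (for example keyword in one data stream and text or object in another) shows up immediately, and the indices that do map it can be compared against the ones the wildcard query is hitting.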

Hello @stephenb I appreciate the follow up, and recommendation. We have a ticket open with Elastic support and I will try to update with the resolution/issue if able. Thank you!
