Hi Team
Reaching out to understand if there is any functionality available in ES|QL which could handle the case where a field doesn't exist. Currently, if a field has never been indexed, we don't have the field name in the index mapping, and then it gives an Unknown Column verification exception.
In query DSL we have something called exists; I am looking for any functionality which achieves the same in ES|QL.
The reason I am looking for this is that we currently have an index which in future will have logs from a different application, with a field called event.type which is not part of the existing index. Before the data is indexed I wanted to build a search query, but it fails once I use the given field in my ES|QL query.
Any pointers by which I can handle this... please let me know. I have tried is not null, which again gives the same error.
I am using Elasticsearch version 8.17.
Hello @ashit_pupu
Welcome back.
GET kibana_sample_data_logs/_search
{
  "query": {
    "exists": {
      "field": "event.type"
    }
  }
}
Output:
{
  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}
I have checked and see that ES|QL does not have a direct equivalent to the exists query, as it returns the message below:
Unexpected error from Elasticsearch: verification_exception - Found 1 problem line 3:30: Unknown column [event.type]
Thanks!!
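A defensive pre-check, added here as an example and not taken from the thread or from Elastic's own code: read the index mapping first (what GET index/_mapping returns) and only put the field into the ES|QL WHERE clause when at least one of the queried indices maps it, so the query never hits the Unknown column verification exception. The mapping JSON below is a constructed stand-in for a real mapping response, modelled on the test1/test2 indices used later in this thread.

```python
import json

# Constructed sample of a GET test1,test2/_mapping response; not output from a real cluster.
SAMPLE_MAPPING = json.loads("""
{
  "test1": {"mappings": {"properties": {
      "foo": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
      "size": {"type": "long"}}}},
  "test2": {"mappings": {"properties": {"size": {"type": "long"}}}}
}
""")


def has_field(properties: dict, dotted: str) -> bool:
    """Walk a mapping's 'properties' tree for a dotted path such as event.type.

    Handles nested object mappings (event -> properties -> type) and
    multi-fields (foo.keyword lives under the parent's 'fields').
    """
    parts = dotted.split(".")
    node = {"properties": properties}
    for i, part in enumerate(parts):
        children = node.get("properties", {})
        if part in children:
            node = children[part]
            continue
        # Last segment may be a multi-field of the parent (e.g. foo.keyword).
        if i == len(parts) - 1 and part in node.get("fields", {}):
            return True
        return False
    return True


def indices_with_field(mapping_response: dict, dotted: str) -> list:
    """Names of the indices in the mapping response that map the given field."""
    return [name for name, body in mapping_response.items()
            if has_field(body["mappings"].get("properties", {}), dotted)]


def build_esql(indices: list, mapping_response: dict, field: str, value: str) -> str:
    """Build the ES|QL query; the WHERE on `field` is only emitted when at least
    one of the queried indices maps it, since ES|QL rejects unknown columns."""
    known = set(indices_with_field(mapping_response, field))
    lines = [f"FROM {', '.join(indices)}"]
    if known & set(indices):
        lines.append(f'| WHERE {field} == "{value}"')
    lines.append("| LIMIT 10")
    return "\n".join(lines)
```

Querying test1 and test2 together keeps the WHERE clause, because the union of their mappings contains foo; querying test2 alone drops it instead of failing.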
I tried this:
DELETE test1,test2
POST test1/_doc
{
  "foo": "bar",
  "size": 1
}
POST test2/_doc
{
  "size": 1
}
POST _query?format=txt
{
  "query": """
  FROM test1, test2
  | WHERE foo == "bar"
  | LIMIT 10
  """
}
And this gives:
      foo      |  foo.keyword  |     size
---------------+---------------+---------------
bar            |bar            |1
So no failure here.
But indeed, if you query the exact index name, it will fail:
POST _query?format=txt
{
  "query": """
  FROM test2
  | WHERE foo == "bar"
  | LIMIT 10
  """
}
What is the query you would like to run?