Kibana 7.4.0 and SQL Queries :: Can Index Name Have "." Character?

Hi Kibana Grandmasters,

I recently upgraded to Elasticsearch and Kibana 7.4.0 on Docker, because I want to use the new SQL query-like feature. I watched the training video by Arthur Gimpel, plus read through the online Kibana documentation on how to use Dev Tools to run SQL-like queries. But I’m hitting a syntax error right off the bat.

I have only one index in ES at the moment, called “myindex2019.10.09”. I picked that name when I set up Logstash and Elasticsearch, and I didn’t put a lot of thought into which characters to use or not to use. But now that “myindex2019.10.09” is populated with data and I want to SQL query it, I get this on Dev Tools:

My query is:

GET _sql?format=txt
{
  "query": "SELECT * FROM myindex2019.10.09"
}

Dev Tools complains:

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "line 1:27: mismatched input '.10' expecting {<EOF>, ',', 'ANALYZE', 'ANALYZED', 'AS', 'CATALOGS', 'COLUMNS', 'CURRENT_DATE', 'CURRENT_TIME', 'CURRENT_TIMESTAMP', 'DAY', 'DEBUG', 'EXECUTABLE', 'EXPLAIN', 'FIRST', 'FORMAT', 'FULL', 'FUNCTIONS', 'GRAPHVIZ', 'GROUP', 'HAVING', 'HOUR', 'INNER', 'INTERVAL', 'JOIN', 'LAST', 'LEFT', 'LIMIT', 'MAPPED', 'MINUTE', 'MONTH', 'NATURAL', 'OPTIMIZED', 'ORDER', 'PARSED', 'PHYSICAL', 'PLAN', 'RIGHT', 'RLIKE', 'QUERY', 'SCHEMAS', 'SECOND', 'SHOW', 'SYS', 'TABLES', 'TEXT', 'TYPE', 'TYPES', 'VERIFY', 'WHERE', 'YEAR', '{LIMIT', IDENTIFIER, DIGIT_IDENTIFIER, QUOTED_IDENTIFIER, BACKQUOTED_IDENTIFIER}"
      }
    ],
    "type": "parsing_exception",
    "reason": "line 1:27: mismatched input '.10' expecting {<EOF>, ',', 'ANALYZE', 'ANALYZED', 'AS', 'CATALOGS', 'COLUMNS', 'CURRENT_DATE', 'CURRENT_TIME', 'CURRENT_TIMESTAMP', 'DAY', 'DEBUG', 'EXECUTABLE', 'EXPLAIN', 'FIRST', 'FORMAT', 'FULL', 'FUNCTIONS', 'GRAPHVIZ', 'GROUP', 'HAVING', 'HOUR', 'INNER', 'INTERVAL', 'JOIN', 'LAST', 'LEFT', 'LIMIT', 'MAPPED', 'MINUTE', 'MONTH', 'NATURAL', 'OPTIMIZED', 'ORDER', 'PARSED', 'PHYSICAL', 'PLAN', 'RIGHT', 'RLIKE', 'QUERY', 'SCHEMAS', 'SECOND', 'SHOW', 'SYS', 'TABLES', 'TEXT', 'TYPE', 'TYPES', 'VERIFY', 'WHERE', 'YEAR', '{LIMIT', IDENTIFIER, DIGIT_IDENTIFIER, QUOTED_IDENTIFIER, BACKQUOTED_IDENTIFIER}",
    "caused_by": {
      "type": "input_mismatch_exception",
      "reason": null
    }
  },
  "status": 400
}

So clearly it doesn’t like that my index name uses the “.” character. I’ve tried enclosing the index name in single quotes, and that doesn’t help either.

My question to the forum is: Is my index name incompatible with the SQL parser because I used the “.” character? Is there a workaround? Or am I doing something else wrong? Thanks!

@redapplesonly you need to escape the index name because . (dot) has a special meaning: "query": "SELECT * FROM \"myindex2019.10.09\"".

Yes! Absolutely right! Thank you!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.