KQL and scripted fields

thomasv95 · May 6, 2021, 9:03am

Hello, I've been having issues with KQL queries using scripted fields. Specifically, queries on numerical fields using operators such as "<=" or ">" throw the following error when using a Lens : [lens_merge_tables] > [esaggs] > EsError

It looks like I get a more detailed error using an Aggregation (see attached screenshot).
Capture d’écran 2021-05-06 à 09.32.42

Interestingly enough, the KQL operator ":" works just fine.

All I am doing in the scripted field is multiplying a numerical field by 2, and there are no missing values.

I am at a complete loss since the Kibana documentation clearly states that all KQL operators are compatible with scripted fields.

I absolutely need to use KQL filtering since I'm using a Filter Ratio in the TSVB tool.

Your support would be much appreciated. Thank you

Marius_Dragomir · May 6, 2021, 12:15pm

hello,

This seems like a bug indeed. If you're using ES > 7.11 you can solve this issue by changing from scripted fields to runtime fields.
For example, if you had a scripted field like this:
doc['FlightDelayMin'].value * 2

you can change it to a runtime field from the Dev Tools

PUT kibana_sample_data_flights/_mapping
{
    "runtime": {
      "minz": {
        "type": "long",
        "script": {
          "source": "emit(doc['FlightDelayMin'].value * 2)"
        }
      }
    }
}

where kibana_sample_data_flights is to be replaced with your index pattern name and minz with your field name.

Marius_Dragomir · May 6, 2021, 12:19pm

And this is the issue for the scripted fields error: [kql] Creating filters with numeric scripted fields sends incorrect type · Issue #98761 · elastic/kibana · GitHub

thomasv95 · May 7, 2021, 7:46am

Hi Marius,

Thank you for your detailed response, using runtime fields did indeed provide a quick fix to my problem. I just saw this morning that a PR was made to solve this bug in Kibana (if I'm not mistaken). My team and I hope that it can be resolved ASAP as we are scheduled to deliver our prototype in the upcoming weeks to be used by non-technical end users who would prefer using scripted fields rather than runtime fields.

Thank you again for your time and support.

Marius_Dragomir · May 8, 2021, 7:08pm

Just to manage the expectations, that PR is set to go in 7.14.0 which is still some time away. Right now 7.13.0 is close to being released in a couple weeks and that fix won't get in it due to code freeze. I wouldn't expect 7.14.0 until mid summer

thomasv95 · May 11, 2021, 8:15am

Ok, thanks for letting me know, I will pass the message on to my team.

system · June 8, 2021, 8:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Double Scripted Field gets fetched as string when filtering in a Dashboard Kibana	2	242	September 14, 2021
Scripted fields issue Kibana	2	483	January 4, 2018
Error in scripted field, working with arrays of objects Kibana	2	217	April 2, 2021
Filter with scripted field Kibana	3	618	April 17, 2021
Unable to filter data when using a scripted-field Kibana	2	2379	June 11, 2018

KQL and scripted fields

Related topics