Problem with SQL Query with special character in field and table name

stef35340 · August 28, 2018, 1:40pm

Hello,

I've an issue when I try to use fields and table names with some special characters.
My indexes are named like the following xxxxxx-prod-2018.08.28 and the fact that there is a "dash" in the index name. As workaround, I searched like the following query: "SELECT * FROM xxxxxx*28 ORDER BY 1". Any trick to use tables with special characters in their name?

Another issue I have and I don't found the solution is when I want to use the @timestamp field: "SELECT @timestamp FROM xxxxxx*28 ORDER BY 1", I obtain the following error:

{
"error": {
"root_cause": [
{
"type": "parsing_exception",
"reason": "line 1:8: mismatched input '@timestamp' expecting {'(', 'ANALYZE', 'ANALYZED', 'CAST', 'CATALOGS', 'COLUMNS', 'DEBUG', 'EXECUTABLE', 'EXISTS', 'EXPLAIN', 'EXTRACT', 'FALSE', 'FORMAT', 'FUNCTIONS', 'GRAPHVIZ', 'LEFT', 'MAPPED', 'MATCH', 'NOT', 'NULL', 'OPTIMIZED', 'PARSED', 'PHYSICAL', 'PLAN', 'RIGHT', 'RLIKE', 'QUERY', 'SCHEMAS', 'SHOW', 'SYS', 'TABLES', 'TEXT', 'TRUE', 'TYPE', 'TYPES', 'VERIFY', '{FN', '{D', '{T', '{TS', '{GUID', '+', '-', '', '?', STRING, INTEGER_VALUE, DECIMAL_VALUE, IDENTIFIER, DIGIT_IDENTIFIER, QUOTED_IDENTIFIER, BACKQUOTED_IDENTIFIER}"
}
],
"type": "parsing_exception",
"reason": "line 1:8: mismatched input '@timestamp' expecting {'(', 'ANALYZE', 'ANALYZED', 'CAST', 'CATALOGS', 'COLUMNS', 'DEBUG', 'EXECUTABLE', 'EXISTS', 'EXPLAIN', 'EXTRACT', 'FALSE', 'FORMAT', 'FUNCTIONS', 'GRAPHVIZ', 'LEFT', 'MAPPED', 'MATCH', 'NOT', 'NULL', 'OPTIMIZED', 'PARSED', 'PHYSICAL', 'PLAN', 'RIGHT', 'RLIKE', 'QUERY', 'SCHEMAS', 'SHOW', 'SYS', 'TABLES', 'TEXT', 'TRUE', 'TYPE', 'TYPES', 'VERIFY', '{FN', '{D', '{T', '{TS', '{GUID', '+', '-', '', '?', STRING, INTEGER_VALUE, DECIMAL_VALUE, IDENTIFIER, DIGIT_IDENTIFIER, QUOTED_IDENTIFIER, BACKQUOTED_IDENTIFIER}",
"caused_by": {
"type": "input_mismatch_exception",
"reason": null
}
},
"status": 400
}

Someone have any trick to use this field in SQL queries?

Thank you for you cooperation!

Stephane

Andrei_Stefan · August 29, 2018, 5:25am

Hi @stef35340,
You simply need to put double-quotes for both the index name with a dash and the field name with @:

select "@timestamp" from "xxx-123"

NerdSec · August 29, 2018, 6:42am

Hi Andrei,

This does not seem to work for me. I have an ELK 6.3.2 setup. Here is the query that I am trying to run on the Dev console.

POST _xpack/sql?format=txt
{
  "query": "select * from my-alarm"
}

The output i get is as follows:

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "line 1:19: mismatched input '-' expecting {<EOF>, ',', 'FULL', 'GROUP', 'HAVING', 'INNER', 'JOIN', 'LEFT', 'LIMIT', 'NATURAL', 'ORDER', 'RIGHT', 'WHERE'}"
      }
    ],
    "type": "parsing_exception",
    "reason": "line 1:19: mismatched input '-' expecting {<EOF>, ',', 'FULL', 'GROUP', 'HAVING', 'INNER', 'JOIN', 'LEFT', 'LIMIT', 'NATURAL', 'ORDER', 'RIGHT', 'WHERE'}",
    "caused_by": {
      "type": "input_mismatch_exception",
      "reason": null
    }
  },
  "status": 400
}

I then tried to escape them using a single quote as escaping a double quote using a double quote simply terminated the query earlier than expected.

Here is the query:

POST _xpack/sql?format=txt
{
  "query": "select * from 'my-alarm'"
}

I received the following error:

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "line 1:15: mismatched input ''my-alarm'' expecting {'(', 'ANALYZE', 'ANALYZED', 'CATALOGS', 'COLUMNS', 'DEBUG', 'EXECUTABLE', 'EXPLAIN', 'FORMAT', 'FUNCTIONS', 'GRAPHVIZ', 'MAPPED', 'OPTIMIZED', 'PARSED', 'PHYSICAL', 'PLAN', 'RLIKE', 'QUERY', 'SCHEMAS', 'SHOW', 'SYS', 'TABLES', 'TEXT', 'TYPE', 'TYPES', 'VERIFY', IDENTIFIER, DIGIT_IDENTIFIER, TABLE_IDENTIFIER, QUOTED_IDENTIFIER, BACKQUOTED_IDENTIFIER}"
      }
    ],
    "type": "parsing_exception",
    "reason": "line 1:15: mismatched input ''my-alarm'' expecting {'(', 'ANALYZE', 'ANALYZED', 'CATALOGS', 'COLUMNS', 'DEBUG', 'EXECUTABLE', 'EXPLAIN', 'FORMAT', 'FUNCTIONS', 'GRAPHVIZ', 'MAPPED', 'OPTIMIZED', 'PARSED', 'PHYSICAL', 'PLAN', 'RLIKE', 'QUERY', 'SCHEMAS', 'SHOW', 'SYS', 'TABLES', 'TEXT', 'TYPE', 'TYPES', 'VERIFY', IDENTIFIER, DIGIT_IDENTIFIER, TABLE_IDENTIFIER, QUOTED_IDENTIFIER, BACKQUOTED_IDENTIFIER}",
    "caused_by": {
      "type": "input_mismatch_exception",
      "reason": null
    }
  },
  "status": 400
}

This is a major issue as we create indices on a daily basis and they all dates are separated by '-'. Is it possible to query indices that have special characters?

Regards,
Nachiket

NerdSec · August 29, 2018, 7:26am

OK. Got it to work. Andrei was right, you will have to escape it. I ran this on the console as follows:

POST _xpack/sql
{
  "query": "select \"@timestamp\" from \"my-alarms-2018.08.28\""
}

Apparently, you had to escape the double quotes.

stef35340 · August 29, 2018, 7:59am

So cool! Thanks NerdSec and Andrei_Stefan! The solution is indeed to to escape double quotes before the name of the table or field with specific characters.

Have a nice day!

system · September 26, 2018, 7:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error when do sql query from table name with special character Elasticsearch	2	3255	August 30, 2019
@timestamp field problem while reading data from elasticsearch using spark-sql Elasticsearch	2	431	June 16, 2021
Kibana 7.4.0 and SQL Queries :: Can Index Name Have "." Character? Kibana elastic-stack-sql	3	1078	November 15, 2019
Unable to fetch exact result at first when searching with special charecters Elasticsearch	2	365	July 13, 2020
Index name error Elasticsearch	2	442	July 18, 2020

Problem with SQL Query with special character in field and table name

Related topics