
ESQL: Avoid regex extract attributes removal #127563


Open
wants to merge 7 commits into
base: main

kanoshiou
Contributor

The inputs required by Grok or Dissect might be removed later, so we need to add them separately to the referencesBuilder afterward.

Closes #127468

@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label external-contributor Pull request authored by a developer outside the Elasticsearch team v9.1.0 labels Apr 30, 2025
@PeteGillinElastic PeteGillinElastic added :Analytics/ES|QL AKA ESQL and removed needs:triage Requires assignment of a team area label labels May 1, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) label May 1, 2025
@elasticsearchmachine
Collaborator

Pinging @elastic/es-analytical-engine (Team:Analytics)

@astefan
Contributor

astefan commented May 5, 2025

buildkite test this

@kanoshiou
Contributor Author

I'm really confused. I can get a result of 4325287503714500000 when I run the query on my local machine, but the test says it should be 4325287503714500302. It seems the test result is right, so I will update the branch.

Contributor

@astefan astefan left a comment


@kanoshiou I really appreciate that you provided this PR and tried to understand where the fix needs to go.

Unfortunately, this is a trivial fix that doesn't quite catch the true reason for the initial failure.

The essence of the failure is the fact that `lookup join` can override the `type` user-provided field with its own `type` field. The `type` from `eval` is of type `integer` while the `type` that comes from the `lookup join` is of type `keyword`. Because the list of field names didn't contain `type`, the Analyzer couldn't learn about that `type` that exists in `message_types_lookup` and the only thing it knew about its type is that it comes from `eval`.

`lookup join` (like `enrich` and maybe `inlinestats`) are special in the sense that they add some columns to the result, so some of the rules we have in `EsqlSession.fieldNames` need to be adjusted to account for these special characteristics. Because `lookup join` can add a field of the same name as `type` coming from an `eval` before the said `lookup join` command, we have a special check in `fieldNames` that forbids the removal of those `Alias`es.

Your proposed solution does this:

  • places the input references of grok in a new variable, instead of the referenceBuilder that was used before
  • the special check above for lookup join is not applied to referenceBuilder for grok because the input reference is not there anymore
  • you add to referenceBuilder the content of the grok-special variable

This is a bypass of the lookup join special removal check.

Instead, leave the grok references in referenceBuilder where they are and don't let the special lookup join check remove it. The issue is with the lookup join check, not with grok, so adjust that one. I have the feeling that check is applicable in other cases, only that we didn't catch those yet.

Labels
:Analytics/ES|QL AKA ESQL >bug external-contributor Pull request authored by a developer outside the Elasticsearch team Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) v9.1.0
Development

Successfully merging this pull request may close these issues.

ES|QL: Grok only supports KEYWORD or TEXT values, found expression [type] type [INTEGER]
4 participants