Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EQL: Divergent ignore_unavailable behavior #63295

Closed
rylnd opened this issue Oct 6, 2020 · 2 comments
Closed

EQL: Divergent ignore_unavailable behavior #63295

rylnd opened this issue Oct 6, 2020 · 2 comments
Labels
:Analytics/EQL EQL querying >bug Team:QL (Deprecated) Meta label for query languages team

Comments

@rylnd
Copy link

rylnd commented Oct 6, 2020
edited
Loading

EQL queries appear to have differing behavior for the ignore_unavailable option as compared to a standard query.

While a user can perform a regular search across unavailable indexes:

# SETUP: indexes match the auditbeat-* pattern, while none matches foo*

GET auditbeat-*,foo*/_search
// success

GET auditbeat-*,foo*/_eql/search
// index_not_found_exception: no such index [foo*]

This only appears to be an issue with wildcard indexes, since passing a concrete (unavailable) index works as expected:

GET auditbeat-*,foo*/_eql/search
// index_not_found_exception: no such index [foo*]

GET auditbeat-*,foo/_eql/search
// success

Update: one more data point: allow_no_indices can be used to bypass this behavior:

GET auditbeat-*,foo*/_eql/search
// index_not_found_exception: no such index [foo*]

GET auditbeat-*,foo*/_eql/search?allow_no_indices=true
// success

Note: this is a followup to this issue, particularly: this comment.
@rylnd rylnd added >bug :Analytics/EQL EQL querying Team:QL (Deprecated) Meta label for query languages team needs:triage Requires assignment of a team area label labels Oct 6, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-ql (:Query Languages/EQL)

This was referenced Oct 12, 2020
Closed
Merged
@danielmitterdorfer danielmitterdorfer removed the needs:triage Requires assignment of a team area label label Oct 13, 2020
@costin
Copy link
Member

costin commented Nov 13, 2020

This has been solved through #63561 and #63529

@costin costin closed this as completed Nov 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
:Analytics/EQL EQL querying >bug Team:QL (Deprecated) Meta label for query languages team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@costin @rylnd @danielmitterdorfer @elasticmachine