ES|QL: Allow operations on non-existing fields

[dgieselaar]

Description

As an engineer, I sometimes have to query a set of indices, where I'm not sure if a field exists in those indices, but I also don't care. E.g., I might want to group by service.name and service.environment in logs-*, but the user might only have service.name. I want to signal to the _query endpoint that it's OK if service.environment does not exist. Currently this fails:

FROM logs-* | STATS BY service.name, service.environment

per @not-napoleon's suggestion, we could do something like this:

FROM logs-* | STATS BY service.name, IF_EXISTS(service.environment)

I would like it to work for STATS but also things like WHERE, EVAL, etc.

[elasticsearchmachine]

Pinging @elastic/es-analytical-engine (Team:Analytics)

[nik9000]

I wonder if IF_EXISTS could be a function that's a noop if the field exists and null if it doesn't.

[astefan]

EQL has "optional fields": https://www.elastic.co/guide/en/elasticsearch/reference/current/eql-syntax.html#eql-syntax-optional-fields

[dgieselaar]

@astefan IMHO a syntax like that (I assume this conflicts with params) would be ideal (over a function)

[astefan]

@dgieselaar I was mostly interested in what is your expectation for queries where you specify if_exists(some_field). EQL regards that value as null if the field doesn't exist.

[dgieselaar]

@astefan it's about referencing the field at all, I can't think of a way to write a query that accounts for a field not being in the mapping even if I am ok with the field not existing.