Support for unmapped fields

[GalLalouche]

Work plan

• Support for a single INSIST parameter, without casting or conflict resolution (ESQL: Initial support for unmapped fields #119886).
• Support for multiple INSIST parameters, still without casting (ESQL: Initial support for unmapped fields #119886).
• Support for multiple INSIST clauses, one on top of the other (ESQL: Initial support for unmapped fields #119886).
• Support for type resolution using an explicit EVAL.
• Support for casting, which will be desugar to an EVAL on top of the INSIST.
• Support for "float" INSIST clauses, i.e., not directly on top of a FROM.
• Optimization: remove INSIST clauses when all indices are mapped. Note that we currently do not maintain this information during index retrieval, so it isn't as trivial as one might assume (ESQL: Initial support for unmapped fields #119886).

ES|QL Field Loading for LogsAI

We'd like to enable the LogsAI folks to build a sort of "tree" of data streams with many fields left unmapped at index time and loaded at query time. ES|QL is capable of loading fields from source today, but only if they are mapped. Let's make this smooth for LogsAI users.

The Pretty Way

We expect to make some pretty syntax "insist" that a field exists which is a noop if the field exists and is mapped correctly, but otherwise will "force" the field to exist, either loading it from _source, or loading from an existing mapped field and casting its values on the fly. Imagine a syntax like:

FROM logs | INSIST field::LONG | WHERE field == 200

• If field is mapped as a long then we push the WHERE clause to the index.
• If field is unmapped we load it from _source, parse it to a long, and compare it for each document.
• If field is mapped as a keyword then its like a normal keyword and parsed to a long and the comparison is done on the fly.

Note that the INSIST syntax is almost certainly not what we want in the end. But we want some syntax for this behavior that's short.

The hard way or: How we get there from here

The most natural way for ES|QL to support unmapped fields is to create a function to load from source. Something like:

FROM logs
| EVAL field = EXTRACT_FROM_SOURCE("field")

This is close already! If we just build EXTRACT_FROM_SOURCE we could really unblock some folks. The trouble is that ES|QL will always 'EXTRACT_FROM_SOURCE', even if field is mapped. And with the "tree" shaped mapping, we expect it to sometime be mapped.

But ES|QL is a whole language, so if we made an IS_MAPPED function we could load from _source if the field isn't mapped. Something like:

FROM logs
| EVAL field = CASE(IS_MAPPED("field"), field, EXTRACT_FROM_SOURCE("field"))

This doesn't handle the case where the field is mapped, but we already support that with conversion functions and union types. That'd just look like:

FROM logs
| EVAL field = CASE(IS_MAPPED("field"), field, EXTRACT_FROM_SOURCE("field"))::LONG

This is nice because ES|QL already has constant folding. So:

• If field is mapped as a long, the query is rewritten to FROM logs.
• If field is mapped as a keyword, the query is rewritten to FROM logs | EVAL field = field::long.
• If field is not mapped, the query is rewritten to: FROM logs | EVAL field = EXTRACT_FROM_SOURCE("field")::long.

Those are pretty much exactly what we want! We get them by implementing two functions and a bunch of tests and maybe a rewrite rule.

The bow

No one is going to want to write out all that stuff for every field. I propose we make the syntax we decided on in the "The pretty way" section syntactic sugar for this CASE sequence. So

FROM logs | INSIST field::LONG | WHERE field == 200

Becomes

FROM logs
| EVAL field = CASE(IS_MAPPED("field"), field, EXTRACT_FROM_SOURCE("field"))::LONG
| WHERE field == 200

Performance considerations

Parsing _source is expensive! We should make sure we parse it as few times as we can manage.

First and foremost, you don't want to parse _source once per field you extract from it. We did that in very very old versions of ES|QL, long before GA. It was devastating to performance. We've since built a row-wise loading mechanism for extracting fields from source. We should figure out a way to piggy-back on that when running EXTRACT_FROM_SOURCE.

The point of this "tree" shape of data streams is to separate data that's very different from one another. If field exists in only a handful of documents it's going to be super inefficient to load and parse _source to figure that out. Maybe Elasticsearch could make a field that lists all of the unmapped field included in _source. It wouldn't be that expensive. There's a lot of neat things we could do with it, I think.

[elasticsearchmachine]

Pinging @elastic/es-analytical-engine (Team:Analytics)

[flash1293]

Syntax quibbles about how exactly INSIST works and whether it's a part of FROM or a standalone command aside (I have a lot of ideas!) - the biggest question mark for me is the behavior on "mixed" fields in a single index.

If I understand correctly, the current proposal and what's implemented in #119886 is that it will make a decision per index on where to load a field from (_source, doc values or something else). This works fine when we assume that over the lifetime of an index, its mapping stays fixed.

However, with unmapped-by-default it will be a common occurrence to map fields after the fact once users notice to consistently use a field and they don't want to wait for queries to load. The streams interface makes it easy to add additional fields to a mapping. If it's possible to do so, it will patch the mapping of the write index (e.g. adding a new field). If the field type is incompatible (e.g. going from long to keyword), it will roll over the data stream.

Let's take the following case:

• Field myfield is not mapped, but exists in source data
• User uses it happy via | INSIST myfield::LONG
• User notices queries get slow with larger volume and maps myfield as long - the change is added to the current write index
• The values of myfield suddenly have a gap in all queries, from the beginning of the write index to the point where the mapping was made:
  • When executing | INSIST myfield::LONG, the engine checks the mapping and sees myfield is mapped as long, so it directly accesses the doc values - however, for a lot of docs in the current write index the doc values are not set (the value is only in _source), because they were ingested before the mapping change occured.

I'm not sure whether this even is something that should be fixed in ESQL, but it would be one way to do things. Some options/thoughts:

• Somehow make the execution engine to check each doc to make a decision on where to load the value from - this will probably be really slow for sparse fields as _source has to be checked a lot just to turn out empty
• Allow to mark a field in a single index as "mixed" - this could be part of an index setting. If this setting is set on a field, INSIST will always fetch the value from _source, even if there are faster options available. The streams API layer knows that the problem could arise and adds the setting to the current write index. This means that queries are a little slower than necessary, but only for this one index, so it's not a big problem
• Always roll over on mapping changes - this would avoid the issue completely, but will probably result in a lot of indices (and we already have problems with too many indices)
• ¯\(ツ)/¯ - Just live with it. Maybe it's OK and users will understand. I doubt it though - if they map a field they are interested in it, and when they go back to check, some values are gone? Not a good look
• Make the experience good by telling the user what's going to happen and provide a nice flow for re-indexing existing data - didn't think too much about reindexing flows to know whether this even makes sense, but I guess there are a lot of cases where this just isn't feasible from a performance standpoint.

[nik9000]

However, with unmapped-by-default it will be a common occurrence to map fields after the fact once users notice to consistently use a field and they don't want to wait for queries to load. The streams interface makes it easy to add additional fields to a mapping. If it's possible to do so, it will patch the mapping of the write index (e.g. adding a new field). If the field type is incompatible (e.g. going from long to keyword), it will roll over the data stream.

I must have missed this. I'm honestly not really sure how to deal with the mapping change. Someone's going to have to figure that bit out.

I think ESQL could use some kind of "this field might not be indexed" thing to change our behavior. We'd have to do something interesting for _search though.

[nik9000]

FWIW, if you "always roll over" _search and esql will "do the right thing"

[flash1293]

I think ESQL could use some kind of "this field might not be indexed" thing to change our behavior. We'd have to do something interesting for _search though.

This sounds like the Allow to mark a field in a single index as "mixed" - this could be part of an index setting option I mention above. I'm leaning towards this option tbh. For our use case it would be OK for this to be manual/user-initiated. I'm not sure whether we need something for regular search as well - so far we mostly thought about ESQL. Of course it would be great to have an INSIST equivalent for _search as well, but that can be a follow-up IMHO.