We saw the following as a suppressed error.
It seems to be a combination of TS functions and eval expressions that is not supported but not correctly validated.
org.elasticsearch.xpack.esql.core.QlIllegalArgumentException: Unsupported expression [last_over_time(metrics.x509_cert_not_after{f}#71423, @timestamp{f}#71389)]
at org.elasticsearch.xpack.esql.evaluator.EvalMapper.toEvaluator(EvalMapper.java:92)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planEval(LocalExecutionPlanner.java:528)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:266)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planFieldExtractNode(LocalExecutionPlanner.java:401)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:260)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planAggregation(LocalExecutionPlanner.java:371)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:258)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planFieldExtractNode(LocalExecutionPlanner.java:401)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:260)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planEval(LocalExecutionPlanner.java:525)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:266)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planProject(LocalExecutionPlanner.java:841)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:272)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planExchangeSink(LocalExecutionPlanner.java:449)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:313)
at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:233)
at org.elasticsearch.xpack.esql.plugin.ComputeService.runCompute(ComputeService.java:641)
Trying to reproduce, I got a similar problem (but not exactly the same)
(with CSV dataset)
TS k8s | STATS last_over_time(network.bytes_in) + 1
{
"error": {
"root_cause": [
{
"type": "esql_illegal_argument_exception",
"reason": "no operator factory"
}
],
"type": "esql_illegal_argument_exception",
"reason": "no operator factory"
},
"status": 500
}
We should add better validation at planning time for these situations.
We saw the following as a suppressed error.
It seems to be a combination of TS functions and eval expressions that is not supported but not correctly validated.
Trying to reproduce, I got a similar problem (but not exactly the same)
(with CSV dataset)
We should add better validation at planning time for these situations.