Description
When using SET unmapped_fields="NULLIFY" in combination with KQL() and an EVAL that references a field not mapped in the matched indices, ES|QL returns a verification_exception:
[KQL] function cannot be used after WHERE
The KQL() function is correctly placed in the first WHERE directly after FROM.
Steps to reproduce
The following query fails; duration is not mapped in traces-apm.rum* indices:
SET unmapped_fields="NULLIFY"; FROM traces-apm.rum*
| WHERE KQL("service.name:*")
| WHERE TO_STRING(processor.event) == "transaction" OR processor.event IS NULL
| EVAL duration_ms_otel = ROUND(duration) / 1000 / 1000
| STATS AVG(duration_ms_otel) BY BUCKET(@timestamp, 100, ?_tstart, ?_tend)
Replacing duration with span.duration.us (which IS mapped in the same indices) makes it work:
SET unmapped_fields="NULLIFY"; FROM traces-apm.rum*
| WHERE KQL("service.name:*")
| WHERE TO_STRING(processor.event) == "transaction" OR processor.event IS NULL
| EVAL duration_ms_ecs = ROUND(span.duration.us) / 1000 / 1000
| STATS AVG(duration_ms_ecs) BY BUCKET(@timestamp, 100, ?_tstart, ?_tend)
Expected behavior
Both queries should execute successfully. SET unmapped_fields="NULLIFY" should resolve the unmapped field as null in EVAL without affecting the validation of KQL() placement.