QL: EQL and ESQL to use only the necessary fields in the internal fie…

…ld_caps calls (#98987) * Use only the necessary fields in field_caps calls from QL
elastic · Aug 30, 2023 · 291ecc5 · 291ecc5
1 parent 8ea41dd
commit 291ecc5
Show file tree

Hide file tree

Showing 12 changed files with 1,800 additions and 33 deletions.
diff --git a/docs/changelog/98987.yaml b/docs/changelog/98987.yaml
@@ -0,0 +1,6 @@
+pr: 98987
+summary: EQL and ESQL to use only the necessary fields in the internal `field_caps`
+  calls
+area: EQL
+type: enhancement
+issues: []
diff --git a/x-pack/plugin/eql/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/eql/10_basic.yml b/x-pack/plugin/eql/qa/rest/src/yamlRestTest/resources/rest-api-spec/test/eql/10_basic.yml
@@ -454,3 +454,27 @@ setup:
         body:
           query: 'sequence with maxspan=10d [network where user == "ADMIN"] ![network where user == "SYSTEM"] [network where user == "ADMIN"]'
   - match: {hits.total.value: 0}
+
+---
+"Error message missing column - no suggestion":
+
+  - do:
+      catch: "bad_request"
+      eql.search:
+        index: eql_test
+        body:
+          query: 'sequence with maxspan=10d [network where used == "ADMIN"] [network where id == 123]'
+  - match: { error.root_cause.0.type: "verification_exception" }
+  - match: { error.root_cause.0.reason: "Found 1 problem\nline 1:42: Unknown column [used]" }
+
+---
+"Error message missing column - did you mean functionality":
+
+  - do:
+      catch: "bad_request"
+      eql.search:
+        index: eql_test
+        body:
+          query: 'sequence with maxspan=10d [network where user == "ADMIN"] ![network where used == "SYSTEM"]'
+  - match: { error.root_cause.0.type: "verification_exception" }
+  - match: { error.root_cause.0.reason: "Found 1 problem\nline 1:75: Unknown column [used], did you mean [user]?" }
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/session/EqlSession.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/session/EqlSession.java
@@ -22,11 +22,16 @@
 import org.elasticsearch.xpack.eql.parser.ParserParams;
 import org.elasticsearch.xpack.eql.plan.physical.PhysicalPlan;
 import org.elasticsearch.xpack.eql.planner.Planner;
+import org.elasticsearch.xpack.ql.expression.UnresolvedAttribute;
 import org.elasticsearch.xpack.ql.expression.function.FunctionRegistry;
 import org.elasticsearch.xpack.ql.index.IndexResolver;
 import org.elasticsearch.xpack.ql.plan.logical.LogicalPlan;
 
+import java.util.LinkedHashSet;
+import java.util.Set;
+
 import static org.elasticsearch.xpack.ql.util.ActionListeners.map;
+import static org.elasticsearch.xpack.ql.util.StringUtils.WILDCARD;
 
 public class EqlSession {
 
@@ -116,14 +121,27 @@ private <T> void preAnalyze(LogicalPlan parsed, ActionListener<LogicalPlan> list
             listener.onFailure(new TaskCancelledException("cancelled"));
             return;
         }
+        Set<String> fieldNames = fieldNames(parsed);
         indexResolver.resolveAsMergedMapping(
             indexWildcard,
+            fieldNames,
             configuration.indicesOptions(),
             configuration.runtimeMappings(),
             map(listener, r -> preAnalyzer.preAnalyze(parsed, r))
         );
     }
 
+    static Set<String> fieldNames(LogicalPlan parsed) {
+        Set<String> fieldNames = new LinkedHashSet<>();
+        parsed.forEachExpressionDown(UnresolvedAttribute.class, ua -> {
+            fieldNames.add(ua.name());
+            if (ua.name().endsWith(WILDCARD) == false) {
+                fieldNames.add(ua.name() + ".*");
+            }
+        });
+        return fieldNames.isEmpty() ? IndexResolver.ALL_FIELDS : fieldNames;
+    }
+
     private LogicalPlan postAnalyze(LogicalPlan verified) {
         return postAnalyzer.postAnalyze(verified, configuration);
     }