From b14649659dc7ee206069ae13c82614d40ee034d2 Mon Sep 17 00:00:00 2001 From: Luigi Dell'Aquila Date: Thu, 10 Jul 2025 11:33:57 +0200 Subject: [PATCH 1/2] ES|QL: Add Known Issues note about STATS #130644 --- docs/reference/release-notes/8.16.0.asciidoc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/reference/release-notes/8.16.0.asciidoc b/docs/reference/release-notes/8.16.0.asciidoc index 767ae30b50b8a..0d57fef105f3c 100644 --- a/docs/reference/release-notes/8.16.0.asciidoc +++ b/docs/reference/release-notes/8.16.0.asciidoc @@ -517,3 +517,12 @@ Snapshot/Restore:: {esql}:: * Some valid queries using an `ENRICH` command can fail when a match field is used that is absent from some indices or shards, either with a 500 status code due to `NullPointerException` or `ClassCastException` or with a 400 status code and `IllegalArgumentException`. This is fixed in {es-pull}126187[#126187]. + +* A bug in STATS command may lead to wrong results. The bug only happens in a very specific case, ie. with `STATS ... BY keyword1, keyword2`: +exactly two grouping fields, both keywords, where the first field has high cardinality (more than 65k distinct values). + + The issue is described in detail in [this issue](https://github.com/elastic/elasticsearch/issues/130644). + + Possible work-arounds are: + * switching the order of the grouping keys (eg. `STATS ... BY keyword2, keyword1`, if the `keyword2` has a lower cardinality) + * reducing the grouping key cardinality, filtering out values before STATS. From 28e0d0f7d1ba873d3eeae501bef8b76baa48cf85 Mon Sep 17 00:00:00 2001 From: Luigi Dell'Aquila Date: Fri, 11 Jul 2025 15:25:48 +0200 Subject: [PATCH 2/2] Add section in ESQL limitations --- docs/reference/esql/esql-limitations.asciidoc | 14 ++++++++++++++ docs/reference/release-notes/8.16.0.asciidoc | 11 ++++++----- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/docs/reference/esql/esql-limitations.asciidoc b/docs/reference/esql/esql-limitations.asciidoc index c61e0c118755b..4aa550d53b20c 100644 --- a/docs/reference/esql/esql-limitations.asciidoc +++ b/docs/reference/esql/esql-limitations.asciidoc @@ -302,3 +302,17 @@ the <>. === Kibana limitations include::esql-kibana.asciidoc[tag=limitations] + +[discrete] +[[esql-known-issues]] +== Known issues + +A bug in the ES|QL STATS command may yield incorrect results. The bug only happens in very specific cases that follow this pattern: `STATS ... BY keyword1, keyword2`, i.e. the command must have exactly two grouping fields, both keywords, where the first field has high cardinality (more than 65k distinct values). + +The bug is described in detail in [this issue](https://github.com/elastic/elasticsearch/issues/130644). +The problem was introduced in 8.16.0 and [fixed](https://github.com/elastic/elasticsearch/pull/130705) in 8.17.9, 8.18.7. + +Possible workarounds include: + * switching the order of the grouping keys (eg. `STATS ... BY keyword2, keyword1`, if the `keyword2` has a lower cardinality) + * reducing the grouping key cardinality, by filtering out values before STATS + diff --git a/docs/reference/release-notes/8.16.0.asciidoc b/docs/reference/release-notes/8.16.0.asciidoc index 0d57fef105f3c..ff6c028534606 100644 --- a/docs/reference/release-notes/8.16.0.asciidoc +++ b/docs/reference/release-notes/8.16.0.asciidoc @@ -518,11 +518,12 @@ Snapshot/Restore:: * Some valid queries using an `ENRICH` command can fail when a match field is used that is absent from some indices or shards, either with a 500 status code due to `NullPointerException` or `ClassCastException` or with a 400 status code and `IllegalArgumentException`. This is fixed in {es-pull}126187[#126187]. -* A bug in STATS command may lead to wrong results. The bug only happens in a very specific case, ie. with `STATS ... BY keyword1, keyword2`: -exactly two grouping fields, both keywords, where the first field has high cardinality (more than 65k distinct values). +* A bug in the ES|QL STATS command may yield incorrect results. The bug only happens in very specific cases that follow this pattern: `STATS ... BY keyword1, keyword2`, i.e. the command must have exactly two grouping fields, both keywords, where the first field has high cardinality (more than 65k distinct values). - The issue is described in detail in [this issue](https://github.com/elastic/elasticsearch/issues/130644). + The bug is described in detail in [this issue](https://github.com/elastic/elasticsearch/issues/130644). + The problem was introduced in 8.16.0 and [fixed](https://github.com/elastic/elasticsearch/pull/130705) in 8.17.9, 8.18.7. - Possible work-arounds are: + Possible workarounds include: * switching the order of the grouping keys (eg. `STATS ... BY keyword2, keyword1`, if the `keyword2` has a lower cardinality) - * reducing the grouping key cardinality, filtering out values before STATS. + * reducing the grouping key cardinality, by filtering out values before STATS +