Description
In order to execute an EQL query, the syntax must be valid. The following are common errors you may see.
Error:
Found 1 problem line -1:-1: Unknown index [*,-*]
Explanation:
Elasticsearch is unable to resolve any of the provided index patterns to concrete indexes. Because EQL requires fields to function, this is an error for an EQL query.
Note: Related issue: elastic/elasticsearch#63529
Error:
verification_exception: Found 1 problem line 1:1: Cannot use field [event.category] due to ambiguities being mapped as [2] incompatible types: [text] in [index-1], [keyword] in [index-2, index-3]
Explanation:
There is a mapping conflict between the index patterns provided to the query. In this particular example, event.category is incorrectly mapped as a text field in index-1, and correctly mapped as a keyword field elsewhere. Because EQL requires event.category to function, this is an error for an EQL query. Note: one may also see a similar error for conflicts on the @timestamp field, or on any overridden field.
Error:
Found 1 problem line -1:-1: Unknown column [@timestamp]
Explanation:
The indexes provided are missing a field required by EQL. In this example, the default time field, @timestamp, is not found, and no override was provided.
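As an added example (not part of this issue or of any Elastic code), a small Python parser that turns the three error shapes described above into structured records, so rule-validation failures can be triaged in bulk; for a mapping conflict it also points out the indexes carrying the minority type, which are the likely mis-mapped ones. The sample messages are constructed from the ones quoted above, and the names `EqlProblem`, `classify_eql_error` and `minority_indexes` are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages, modelled on the three error shapes described above.
SAMPLE_ERRORS = [
    "Found 1 problem line -1:-1: Unknown index [*,-*]",
    "verification_exception: Found 1 problem line 1:1: Cannot use field [event.category] "
    "due to ambiguities being mapped as [2] incompatible types: [text] in [index-1], "
    "[keyword] in [index-2, index-3]",
    "Found 1 problem line -1:-1: Unknown column [@timestamp]",
]

@dataclass
class EqlProblem:
    kind: str                                  # unknown_index | mapping_conflict | unknown_field | other
    subject: str                               # index pattern or field named in the message
    types: dict = field(default_factory=dict)  # mapping_conflict only: type -> [indexes]

_UNKNOWN_INDEX = re.compile(r"Unknown index \[(?P<subject>[^\]]*)\]")
_UNKNOWN_COLUMN = re.compile(r"Unknown column \[(?P<subject>[^\]]*)\]")
_CONFLICT = re.compile(r"Cannot use field \[(?P<subject>[^\]]*)\] due to ambiguities "
                       r"being mapped as \[\d+\] incompatible types: (?P<rest>.*)")
_TYPE_IN = re.compile(r"\[(?P<type>[^\]]+)\] in \[(?P<indexes>[^\]]+)\]")

def classify_eql_error(message: str) -> EqlProblem:
    """Turn one raw EQL verification error into a structured record."""
    m = _UNKNOWN_INDEX.search(message)
    if m:
        return EqlProblem("unknown_index", m["subject"])
    m = _CONFLICT.search(message)
    if m:
        # Each "[type] in [idx, idx]" clause lists the indexes sharing one mapping.
        types = {t["type"]: [i.strip() for i in t["indexes"].split(",")]
                 for t in _TYPE_IN.finditer(m["rest"])}
        return EqlProblem("mapping_conflict", m["subject"], types)
    m = _UNKNOWN_COLUMN.search(message)
    if m:
        return EqlProblem("unknown_field", m["subject"])
    return EqlProblem("other", message.strip())

def minority_indexes(problem: EqlProblem) -> list:
    """For a mapping conflict, return the indexes using the least common type:
    the ones most likely mis-mapped (index-1 in the example above)."""
    if problem.kind != "mapping_conflict" or not problem.types:
        return []
    rarest = min(problem.types, key=lambda t: len(problem.types[t]))
    return problem.types[rarest]

if __name__ == "__main__":
    for msg in SAMPLE_ERRORS:
        p = classify_eql_error(msg)
        print(p.kind, p.subject, minority_indexes(p))
```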