Skip to content

ES|QL: missing columns for wildcard drop after lookup join  #129561

New issue
New issue
Closed
#130448
Closed
ES|QL: missing columns for wildcard drop after lookup join #129561
#130448
Assignees
alex-spies
Labels
:Analytics/ES|QLAKA ESQL>bugTeam:AnalyticsMeta label for analytical engine team (ESQL/Aggs/Geo)
@luigidellaquila

Description

@luigidellaquila
luigidellaquila
opened on Jun 17, 2025
from sample_data_str,app_logs,fi* 
| sort service_id, client_ip DESC, destination.IP NULLS FIRST 
| eval  xJRwHRezpds = -1299206307, ZuPpUkXhu = -1360937430036226416, `source.IP` = \"IizPcFyV\" | keep xJRwHRezpds, `source.IP`
| rename `source.IP` AS `dVxoyvSH`| rename dVxoyvSH as message 
| lookup join message_types_lookup on message 
| drop xJRwHRezpds, *Rezpds 
| mv_expand message 
| dissect message \"%{RQZzvsuaWfI}\" 
| rename RQZzvsuaWfI AS `message`, `message` AS FJaUmggBPj 
| dissect FJaUmggBPj \"%{FJaUmggBPj} %{FJaUmggBPj}\" | rename FJaUmggBPj AS `FvgUVtLZjcGv` 
| grok FvgUVtLZjcGv \"%{WORD:FvgUVtLZjcGv}\" 
| eval DRfKHTdnx = 1146940792054680116, FvgUVtLZjcGv = null 
| keep *

...
"columns": [
        {
            "name": "type",
            "type": "keyword"
        },
        {
            "name": "DRfKHTdnx",
            "type": "long"
        },
        {
            "name": "FvgUVtLZjcGv",
            "type": "null"
        }
    ],
...

Same query, but without KEEP *

from sample_data_str,app_logs,fi* 
| sort service_id, client_ip DESC, destination.IP NULLS FIRST 
| eval  xJRwHRezpds = -1299206307, ZuPpUkXhu = -1360937430036226416, `source.IP` = \"IizPcFyV\" | keep xJRwHRezpds, `source.IP`
| rename `source.IP` AS `dVxoyvSH`| rename dVxoyvSH as message 
| lookup join message_types_lookup on message 
| drop xJRwHRezpds, *Rezpds 
| mv_expand message 
| dissect message \"%{RQZzvsuaWfI}\" 
| rename RQZzvsuaWfI AS `message`, `message` AS FJaUmggBPj 
| dissect FJaUmggBPj \"%{FJaUmggBPj} %{FJaUmggBPj}\" | rename FJaUmggBPj AS `FvgUVtLZjcGv` 
| grok FvgUVtLZjcGv \"%{WORD:FvgUVtLZjcGv}\" 
| eval DRfKHTdnx = 1146940792054680116, FvgUVtLZjcGv = null 

...
"columns": [
        {
            "name": "DRfKHTdnx",
            "type": "long"
        },
        {
            "name": "FvgUVtLZjcGv",
            "type": "null"
        }
    ],
...

A KEEP * shouldn't change the columns returned.

Metadata

Metadata

Assignees

Labels

:Analytics/ES|QLAKA ESQL>bugTeam:AnalyticsMeta label for analytical engine team (ESQL/Aggs/Geo)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions