ESQL: KQL OR condition behavior causing query_shard_exception #132366

Reported by @getkub

Description

Elasticsearch Version

9.1.0

Installed Plugins

No response

Java Version

bundled

OS Version

unix-like

Problem Description

We’ve found a bug with KQL (Kibana Query Language) while querying Fortinet logs.

Here’s the query we tried:

```esql
FROM fortinet-logs
| WHERE KQL("destination.geo.country_name:(United OR India)")
```

This query returns the following error:

```
[esql] > Unexpected error from Elasticsearch: query_shard_exception - Failed to parse KQL query [destination.geo.country_name:(United OR India)]
```

Interestingly, the equivalent QSTR query works fine:

```esql
FROM fortinet-logs
| WHERE QSTR("destination.geo.country_name:(United OR India)")
```

It seems KQL does not handle the OR operator inside parentheses in this context correctly, while QSTR does.

Steps to Reproduce

For instance, this works perfectly with QSTR, but KQL would have been better. KQL works if we chain the commands, but that is not ideal:

```esql
FROM fortinet-logs
| WHERE QSTR("destination.geo.country_name:(United OR India)")
| WHERE KQL("destination.geo.country_name:(United)") OR KQL("destination.geo.country_name:(India)")
```

Logs (if relevant)

No response
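The workaround in the report (one `KQL()` call per value, joined with ES|QL `OR`) can be generated rather than typed by hand when an analyst has many values. The helper below is an added example written for this issue page; it is not Elasticsearch or Kibana code. It assumes the KQL input has the shape `field:(v1 OR v2 OR ...)`, that quoted phrases should be kept intact, and that ES|QL string literals accept backslash-escaped double quotes (an assumption; verify against the ES|QL string-literal documentation for your version). Escaping the values before embedding them in the string literal matters because the values often come from a user-facing filter box, and an unescaped quote would otherwise change the meaning of the generated query.

```python
import re

# Matches `field:(...)` with the parenthesised body captured. Field names are
# limited to the characters ECS-style dotted fields use (assumption).
_FIELD_OR_GROUP = re.compile(r'^\s*([A-Za-z0-9_.@-]+)\s*:\s*\(\s*(.+?)\s*\)\s*$')


def split_or_terms(body: str) -> list[str]:
    """Split the inside of `(...)` on a bare OR, keeping "quoted phrases" whole."""
    terms: list[str] = []
    current: list[str] = []
    # Tokenise into quoted phrases or whitespace-separated words.
    for token in re.findall(r'"[^"]*"|\S+', body):
        if token.upper() == "OR":
            if current:
                terms.append(" ".join(current))
                current = []
        else:
            current.append(token)
    if current:
        terms.append(" ".join(current))
    return terms


def esql_string(value: str) -> str:
    """Quote a value as an ES|QL string literal, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def rewrite_kql_or(index: str, kql: str) -> str:
    """Turn `field:(a OR b)` into `KQL("field:(a)") OR KQL("field:(b)")`.

    This reproduces the chained form from the issue, one KQL() call per value,
    so the OR is evaluated by ES|QL instead of inside the KQL parser.
    """
    match = _FIELD_OR_GROUP.match(kql)
    if not match:
        raise ValueError(f"expected 'field:(v1 OR v2 ...)', got: {kql!r}")
    field, body = match.groups()
    terms = split_or_terms(body)
    if not terms:
        raise ValueError("no values inside the parentheses")
    clauses = [f"KQL({esql_string(f'{field}:({term})')})" for term in terms]
    return f"FROM {index}\n| WHERE " + " OR ".join(clauses)


if __name__ == "__main__":
    # Constructed input matching the query from the issue.
    print(rewrite_kql_or("fortinet-logs",
                         "destination.geo.country_name:(United OR India)"))
```

Running the block prints the two-clause `WHERE` line from the report; a value such as `"United States"` is passed through as a single quoted phrase rather than split on its space.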

Labels

- :Search Relevance/ES|QL (Search functionality in ES|QL)
- >bug
- Team:Search Relevance (Meta label for the Search Relevance team in Elasticsearch)
- priority:normal (A label for assessing bug priority to be used by ES engineers)
