Skip to content

EQL: Disable field extraction for source return #52884

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Feb 28, 2020
Merged

EQL: Disable field extraction for source return #52884

merged 4 commits into from
Feb 28, 2020

Conversation

@costin
Copy link
Member

@costin costin commented Feb 27, 2020

Metric mappings have lots of mappings which, in case of individual field selection, can easily hit the limit of maximum doc value fields or automatons.

As fields are not used in EQL, this commit disables field extraction and returns the entire source instead.

@costin costin added the :Analytics/EQL EQL querying label Feb 27, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Feb 27, 2020

Pinging @elastic/es-search (:Search/EQL)

astefan
astefan approved these changes Feb 28, 2020
View reviewed changes
Copy link
Contributor

@astefan astefan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Left two minor comments.

...k/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/execution/search/SourceGenerator.java

// NB: the sortBuilder takes care of eliminating duplicates
container.fields().forEach(f -> f.v1().collectFields(sortBuilder));
sortBuilder.build(source);
Copy link
Contributor

@astefan astefan Feb 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sortBuilder is still defined above. Needs removal? Also, the two comments above are not needed anymore.

client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java Outdated
String now = DateUtils.nowWithMillisResolution().format(DateTimeFormatter.ISO_DATE_TIME);
StringBuilder sb = new StringBuilder();
sb.append("{");
for (int i = 0; i < 250; i++) {
Copy link
Contributor

@astefan astefan Feb 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add a comment here explaining the reason for 250 value (that value larger than the 100 doc_values limit in ES). Maybe take the default limit in ES and use here a value made of that limit + 100 or something like that?

@costin
Copy link
Member Author

costin commented Feb 28, 2020

@elasticmachine run elasticsearch-ci/bwc

@costin costin merged commit 79ca586 into elastic:master Feb 28, 2020
@costin costin deleted the eql/source-only branch February 28, 2020 11:45
costin added a commit that referenced this pull request Feb 28, 2020
@costin
EQL: Disable field extraction for returned events (#52884)
a674085 
Return the whole source of matching events

(cherry picked from commit 79ca586)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@astefan astefan astefan approved these changes

@rw-access rw-access Awaiting requested review from rw-access

+1 more reviewer

@aleksmaus aleksmaus aleksmaus approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

:Analytics/EQL EQL querying

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@costin @elasticmachine @aleksmaus @astefan