```
FROM logs-* | STATS count=count(user_agent.name) BY user_agent.name
```

yields this error:

```
class org.elasticsearch.compute.data.ConstantNullBlock cannot be cast to
class org.elasticsearch.compute.data.BytesRefBlock
(org.elasticsearch.compute.data.ConstantNullBlock and org.elasticsearch.compute.data.BytesRefBlock are in unnamed module of loader java.net.FactoryURLClassLoader @15a8cebd)
```

The server logs claim the exception is thrown on line 56 of `BytesRefBlockHash.java`.

Data

The data used for this is the `elastic/logs` track in benchmarks, where many benchmark queries look at all indices, using `GET /logs-*/_search`, so I expect ESQL queries on `logs-*` should also work.

Further investigation of the data:

- Omitting the group by `FROM logs-* | STATS count=count(user_agent.name)` works and returns a count of `55494`, which matches the number of non-null user agent names (a bit over 10%, see below)
- Omitting the aggregating function `FROM logs-* | STATS by user_agent.name` returns a different error `ValuesSources are mismatched` hinting that the issue might relate to different mappings in the different indices.
- Searching for values of `user_agent.name` that are not null `from logs-* | keep user_agent.name | WHERE user_agent.name IS NOT NULL | LIMIT 20` yields many values like `Chrome`, `Go-http-client`, etc.
- Doing the stats with a non-null predicate also works

```
FROM logs-*
| WHERE user_agent.name IS NOT NULL
| STATS count=count(user_agent.name) BY user_agent.name
| SORT count DESC
```
craigtaverner changed the title from "ESQL: ClassCastException in stats group by field that is null in some indices" to "ESQL: ClassCastException in stats group by field that is missing in some indices" on Oct 3, 2023
We should remove the ConstantNullBlock implementation, but it will take
some time to do so. This PR ensures that BlockHash handles cases where
all keys are null.
Closes #100186
Counting how many are NULL vs NOT NULL:

- `FROM logs-* | WHERE user_agent.name IS NOT NULL | STATS count(@timestamp)` -> `406506`
- `FROM logs-* | WHERE user_agent.name IS NULL | STATS count(@timestamp)` -> `55494`

While of course, trying the same with a group by fails:

- `FROM logs-* | STATS count(@timestamp) BY user_agent.name` -> `ValuesSources are mismatched`
Index mappings

Finally, looking at the mappings files, there are 13 index mappings defined in `elastic/logs`:

- `user_agent` mapping at all
- `user_agent` mappings (I’ve never seen this before!)
- `user_agent` with sub-field `name` as `keyword`

The correctly mapped files contain the `name` like this:

The empty `user_agent` mapping looks like this:
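One way to see which indices behind `logs-*` fall into each of the three mapping groups described in the issue, as an added example (not code from the issue or from Elasticsearch). It assumes input shaped like a `GET /logs-*/_mapping` response; the index names and mappings are constructed, and the `{"type": "object"}` form of the empty mapping is an assumption because the issue's own snippet is not shown.

```python
# Added example: classify how each index maps a dotted field such as user_agent.name.
# SAMPLE is constructed data, not the real elastic/logs track mappings.

def classify_field(mapping, path):
    """Return 'missing', 'empty-parent', or the mapped type for a dotted field path."""
    node = mapping.get("mappings", mapping)  # accept wrapped or bare mappings
    for depth, part in enumerate(path.split(".")):
        props = node.get("properties")
        if not props:
            # A parent object that is mapped but declares no sub-fields at all.
            return "empty-parent" if depth > 0 else "missing"
        if part not in props:
            return "missing"
        node = props[part]
    # Object fields may omit "type"; leaf fields always carry one.
    return node.get("type", "object")

def group_by_field_mapping(index_mappings, path):
    """Group index names by how they map `path`."""
    groups = {}
    for index, mapping in sorted(index_mappings.items()):
        groups.setdefault(classify_field(mapping, path), []).append(index)
    return groups

def is_consistent(groups):
    """True only when every index maps the field to one and the same type."""
    return len(groups) == 1 and not (groups.keys() & {"missing", "empty-parent"})

# Constructed sample, one index per group named in the issue.
SAMPLE = {
    "logs-constructed-a": {"mappings": {"properties": {
        "@timestamp": {"type": "date"}}}},                      # no user_agent at all
    "logs-constructed-b": {"mappings": {"properties": {
        "user_agent": {"type": "object"}}}},                    # empty user_agent (assumed form)
    "logs-constructed-c": {"mappings": {"properties": {
        "user_agent": {"properties": {"name": {"type": "keyword"}}}}}},
}

if __name__ == "__main__":
    groups = group_by_field_mapping(SAMPLE, "user_agent.name")
    for kind, indices in groups.items():
        print(f"{kind}: {', '.join(indices)}")
    print("consistent across indices:", is_consistent(groups))
```

Indices reported as `missing` or `empty-parent` are the ones where the grouping key has no values at all.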