Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DOCS] ES|QL: Adding a tip to the WHERE documentation #114050

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[DOCS] ES|QL: Adding a tip to the WHERE documentation #114050

wants to merge 1 commit into from
+5 −0

Conversation

KyleOnK8s
Copy link

The WHERE clause in ES|QL will exclude null results when using a != operator. Examples provided in screenshots. This is the opposite behavior from other query languages supported in Elastic. I tested KQL, Query DSL, and Lucene. I did not test any scripting languages.

This can result in users accidentally excluding data they do not want to. This is especially concerning in Security applications where customers are building their rules to span multiple source types and those source types have mapping conflicts or other field disparity.

There is currently no information on this behavior in the ES|QL support docs. This PR is to address documentation.

No filters (for reference)
No Filters

KQL
KQL

Lucene
Lucene

Query DSL
Query DSL

ES|QL without filters (for reference)
ES|QL No Filters

ES|QL with NOT filter only (excludes the null result)
ES|QL with NOT filter

ES|QL with NOT or IS NULL filter (includes the null result)
ES|QL with NOT or IS NULL filter

@KyleOnK8s KyleOnK8s added the >docs General docs changes label Oct 3, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 3, 2024

Documentation preview:

@elasticsearchmachine
Copy link
Collaborator

@KyleOnK8s please enable the option "Allow edits and access to secrets by maintainers" on your PR. For more information, see the documentation.

@elasticsearchmachine elasticsearchmachine added v9.0.0 Team:Docs Meta label for docs team external-contributor Pull request authored by a developer outside the Elasticsearch team labels Oct 3, 2024
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-docs (Team:Docs)

@KyleOnK8s
Copy link
Author

@KyleOnK8s please enable the option "Allow edits and access to secrets by maintainers" on your PR. For more information, see the documentation.

This option does not appear to exist for me. Docs team, please let me know if you need me to do something differently.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
>docs General docs changes external-contributor Pull request authored by a developer outside the Elasticsearch team Team:Docs Meta label for docs team v9.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@KyleOnK8s @elasticsearchmachine