Skip to content

ESQL: fix FROM *_logs index name validation#149395

Open
GalLalouche wants to merge 5 commits into
elastic:mainfrom
GalLalouche:fix/star_underscore
Open

ESQL: fix FROM *_logs index name validation#149395
GalLalouche wants to merge 5 commits into
elastic:mainfrom
GalLalouche:fix/star_underscore

Conversation

@GalLalouche
Copy link
Copy Markdown
Contributor

@GalLalouche GalLalouche commented May 19, 2026

Patterns like *_logs were rejected with "Invalid index name [_logs], must not start with '_', '-', or '+'". The parser strips wildcards and validates the remainder as a literal index name, but the "must not start with" rule only restricts literal names; it does not restrict patterns whose wildcard can match any prefix.

Closes #146073

@GalLalouche
ESQL: fix FROM *_logs index name validation
7582889 
Patterns like *_logs were rejected with "Invalid index name [_logs],
must not start with '_', '-', or '+'". The parser strips wildcards
and validates the remainder as a literal index name, but the
"must not start with" rule only restricts literal names; it does
not restrict patterns whose wildcard can match any prefix.

Track whether the current pattern contained a wildcard, and skip
the "must not start with" check in that case. Other validations
(forbidden characters, length, dot-only) still apply.

Closes elastic#146073
@GalLalouche GalLalouche added >bug Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) :Analytics/ES|QL AKA ESQL labels May 19, 2026
@elasticsearchmachine
Copy link
Copy Markdown
Collaborator

elasticsearchmachine commented May 19, 2026

Hi @GalLalouche, I've created a changelog YAML for you.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 19, 2026
edited
Loading

🔍 Preview links for changed docs

⏳ Building and deploying preview... View progress

This comment will be updated with preview links when the build is complete.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 19, 2026

ℹ️ Important: Docs version tagging

👋 Thanks for updating the docs! Just a friendly reminder that our docs are now cumulative. This means all 9.x versions are documented on the same page and published off of the main branch, instead of creating separate pages for each minor version.

We use applies_to tags to mark version-specific features and changes.

Expand for a quick overview

When to use applies_to tags:

✅ At the page level to indicate which products/deployments the content applies to (mandatory)
✅ When features change state (e.g. preview, ga) in a specific version
✅ When availability differs across deployments and environments

What NOT to do:

❌ Don't remove or replace information that applies to an older version
❌ Don't add new information that applies to a specific version without an applies_to tag
❌ Don't forget that applies_to tags can be used at the page, section, and inline level

🤔 Need help?

@GalLalouche GalLalouche force-pushed the fix/star_underscore branch from 316fba7 to dddf656 Compare May 19, 2026 15:37
@GalLalouche
ESQL: tighten *_logs fix to leading-wildcard only
b10df27 
The previous commit relaxed the "must not start with '_', '-', or
'+'" check for any pattern containing a wildcard. That accepted
sterile patterns like "_logs*" and "_*log" too: real indices can't
start with those characters, so such patterns can never match.

Tighten the relaxation to only patterns whose first character is
'*' (the wildcard absorbs any legal prefix). Patterns that start
with a reserved character literally are still rejected.

Update the tests to pin down the boundary: "*_logs", "*+logs",
"**_logs", "foo*_logs", "cluster:*_logs" still pass; "_logs*",
"_*log", "+logs*" now fail with the original error.
@GalLalouche GalLalouche force-pushed the fix/star_underscore branch from dddf656 to b10df27 Compare May 19, 2026 15:39
GalLalouche
GalLalouche commented May 19, 2026
View reviewed changes
Comment thread x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/parser/StatementParserTests.java
}

String lineNumber = command.equals("FROM") ? "line 1:6: " : "line 1:4: ";
expectError(command + " _logs*", lineNumber + "Invalid index name [_logs], must not start with '_', '-', or '+'");
Copy link
Copy Markdown
Contributor Author

@GalLalouche GalLalouche May 19, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These error messages are a bit confusing (since the user typed _*log, not _log), but it's an artifact of how we validate the patterns (we strip the * and then validate the underlying pattern), and I didn't want to change that in this PR.

@GalLalouche GalLalouche marked this pull request as ready for review May 19, 2026 16:00
@elasticsearchmachine
Copy link
Copy Markdown
Collaborator

elasticsearchmachine commented May 19, 2026

Pinging @elastic/es-analytical-engine (Team:Analytics)

@GalLalouche GalLalouche enabled auto-merge (squash) May 19, 2026 16:25
@GalLalouche GalLalouche added auto-backport Automatically create backport pull requests when merged v9.3.5 v8.19.16 v9.4.2 labels May 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MattAlp MattAlp MattAlp approved these changes

Assignees

No one assigned

Labels

:Analytics/ES|QL AKA ESQL auto-backport Automatically create backport pull requests when merged >bug Team:Analytics Meta label for analytical engine team (ESQL/Aggs/Geo) v8.19.16 v9.3.5 v9.4.2 v9.5.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ESQL: FROM *_logs gives "Invalid index name [_logs], must not start with '_', '-', or '+'"

3 participants

@GalLalouche @elasticsearchmachine @MattAlp