|
|
@@ -3,3 +3,13 @@ summary: Ban Limit + `MvExpand` before remote Enrich
|
|
|
area: ES|QL
|
|
|
type: bug
|
|
|
issues: []
|
|
|
+highlight:
|
|
|
+ title: Prevent LIMIT + MV_EXPAND before remote ENRICH
|
|
|
+ body: |-
|
|
|
+ Queries using LIMIT followed by MV_EXPAND before a remote ENRICH can produce incorrect results due to distributed execution semantics.
|
|
|
+ These queries are now unsupported and produce an error. Example:
|
|
|
+ [source,yaml]
|
|
|
+ ----------------------------
|
|
|
+ FROM *:events | SORT @timestamp | LIMIT 2 | MV_EXPAND ip | ENRICH _remote:clientip_policy ON ip
|
|
|
+ ----------------------------
|
|
|
+ To avoid this error, reorder your query, for example by moving ENRICH earlier in the pipeline.
|
Stanislav Malyshev