What is the bug?
The Explore editor shows no error highlighting when the user writes an invalid <name>=<name> form as the source field of grok, parse, patterns, or spath (e.g. grok field=body "...", grok foo=bar "..."). The grammar bundle served by /_plugins/_ppl/_grammar accepts these as valid because the source-field slot uses the broad expression rule, and <name>=<name> matches the compareExpr alternative.
The documented form is positional: grok <field> <pattern>.
How can one reproduce the bug?
-
Open Explore with PPL on a >= 3.6 cluster (which uses the runtime grammar bundle).
-
Type any of these — all are accepted with no error highlighting:
source=myindex | grok field=body '%{COMMONAPACHELOG}'
source=myindex | grok foo=bar '%{WORD}'
source=myindex | parse max_match=raw '(?<x>\w+)'
source=myindex | spath input=a=b
-
Expected: red squiggle showing the source field is invalid (field=body, foo=bar, etc.).
-
Actual: no highlighting — the grammar accepts it as a comparison expression.
What is the expected behavior?
The editor should flag <name>=<name> source fields as syntax errors. The valid positional forms like grok body '%{COMMONAPACHELOG}' and grok log.message '%{WORD}' should continue to show no error.
What is your host/environment?
Any cluster >= 3.6 with the Explore editor using the runtime grammar bundle.
Do you have any additional context?
The root cause is that grokCommand/parseCommand/patternsCommand use expression for source_field and spathParameter uses expression for input=/output=. The compareExpr alternative of expression matches any <name>=<name>.
What is the bug?
The Explore editor shows no error highlighting when the user writes an invalid
<name>=<name>form as the source field ofgrok,parse,patterns, orspath(e.g.grok field=body "...",grok foo=bar "..."). The grammar bundle served by/_plugins/_ppl/_grammaraccepts these as valid because the source-field slot uses the broadexpressionrule, and<name>=<name>matches thecompareExpralternative.The documented form is positional:
grok <field> <pattern>.How can one reproduce the bug?
Open Explore with PPL on a >= 3.6 cluster (which uses the runtime grammar bundle).
Type any of these — all are accepted with no error highlighting:
Expected: red squiggle showing the source field is invalid (
field=body,foo=bar, etc.).Actual: no highlighting — the grammar accepts it as a comparison expression.
What is the expected behavior?
The editor should flag
<name>=<name>source fields as syntax errors. The valid positional forms likegrok body '%{COMMONAPACHELOG}'andgrok log.message '%{WORD}'should continue to show no error.What is your host/environment?
Any cluster >= 3.6 with the Explore editor using the runtime grammar bundle.
Do you have any additional context?
The root cause is that
grokCommand/parseCommand/patternsCommanduseexpressionforsource_fieldandspathParameterusesexpressionforinput=/output=. ThecompareExpralternative ofexpressionmatches any<name>=<name>.