Description
Elasticsearch Version
8.18.1
Installed Plugins
No response
Java Version
bundled
OS Version
Linux ussv-es-data-hot-zone1-1 5.14.0-503.34.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Mar 27 06:00:50 EDT 2025 x86_64 x86_64 x86_64 GNU/Linux
Problem Description
Elastic throws an 'unknown index' error when searching against a CCS cluster. Adding a wildcard to the 'unknown index' will make the query work.
If you put users-ad*, the query will work. Additionally, if you put a new document that has a timestamp of the current time, the query will work without a wildcard. It seems to be correlated to the last document timestamp somehow.
Here is a breakdown of the time picker and the results:
Sample query sent out during the ESQL search:
{
  "batch": [
    {
      "request": {
        "params": {
          "query": "FROM users-ad, azure:logs-email* | LIMIT 10",
          "locale": "en",
          "include_ccs_metadata": true,
          "filter": {
            "bool": {
              "must": [],
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "format": "strict_date_optional_time",
                      "gte": "2025-06-03T17:24:11.806Z",
                      "lte": "2025-06-03T17:39:11.806Z"
                    }
                  }
                }
              ],
              "should": [],
              "must_not": []
            }
          },
          "dropNullColumns": true
        }
      },
      "options": {
        "strategy": "esql_async",
        "isSearchStored": false,
        "executionContext": {
          "type": "application",
          "name": "discover",
          "url": "/app/discover",
          "page": "app",
          "id": "new"
        }
      }
    }
  ]
}
Steps to Reproduce
Have two indices, one with documents at the current time and another one (either remote or local) with the last document being several hours behind. Set the time picker to the last 15 minutes and you should get an error until you change the time picker to encompass a larger time window OR you put a new document with a current timestamp in the 'older' index.
Logs (if relevant)
No response