[FR] ES|QL remote validation support newline split indices #5355

@eric-forte-elastic

Description

Repository Feature

None

Problem Description

Currently, rules with newline-split indices (e.g. #5340) do not have their indices parsed correctly.

For example, given a rule with the following ES|QL from line:

```esql
from
  logs-network_traffic.http-*,
  logs-network_traffic.tls-*,
  logs-nginx.access-*,
  logs-apache.access-*,
  logs-apache_tomcat.access-*,
  logs-iis.access-*
```

get_esql_query_indices will return a sources_list of the following: ['logs-network_traffic.http-*', ''], which includes only the first index and an empty index name.

Desired Solution

No response

Considered Alternatives

The regex definition FROM_SOURCES_REGEX should support multi-line index definitions. E.g. something like:

```python
import re

# Sketch of a multi-line-aware source regex: each iteration of the inner group
# consumes one index name, its optional trailing comma and an optional newline,
# until the next pipe, the METADATA keyword, a line comment or end of line.
FROM_SOURCES_REGEX = re.compile(
    r"^\s*FROM\s+(?P<sources>(?:.+?(?:,\s*)?\n?)+?)\s*(?:\||\bmetadata\b|//|$)",
    re.IGNORECASE | re.MULTILINE
)
```

Additional Context

No response
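The multi-line FROM parsing this issue asks for, as an added example that is not the detection-rules repository's own code: it strips ES|QL comments first, captures the source list with DOTALL (so the lazy match can span line breaks, which a MULTILINE regex anchored on `$` cannot) up to the next pipe or METADATA keyword, then splits on commas. FROM_SOURCES_MULTILINE_REGEX, COMMENT_REGEX, SAMPLE_QUERY and parse_from_sources are names chosen here; the sample query is constructed from the one in the issue.

```python
import re

# Added example, not the repository's FROM_SOURCES_REGEX: DOTALL lets the lazy
# `.*?` run across newlines; the lookahead ends the source list at the next
# pipe, the METADATA keyword, or the end of the query.
FROM_SOURCES_MULTILINE_REGEX = re.compile(
    r"^\s*FROM\s+(?P<sources>.*?)\s*(?=\||\bmetadata\b|\Z)",
    re.IGNORECASE | re.DOTALL,
)
# ES|QL line (//) and block (/* */) comments, removed before parsing so a
# comment sitting between two indices does not truncate the list.
COMMENT_REGEX = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)

# Constructed sample: the newline-split index list from the issue, plus a
# comment and a following pipe to check that neither leaks into the result.
SAMPLE_QUERY = """from
  logs-network_traffic.http-*,
  logs-network_traffic.tls-*, // HTTP and TLS flows
  logs-nginx.access-*,
  logs-apache.access-*,
  logs-apache_tomcat.access-*,
  logs-iis.access-*
| where true
"""


def parse_from_sources(query: str) -> list[str]:
    """Return every index pattern named in the FROM clause, one per entry.

    Per-line entries, trailing commas and double-quoted names are tolerated;
    a query without a FROM clause yields an empty list.
    """
    stripped = COMMENT_REGEX.sub("", query)
    match = FROM_SOURCES_MULTILINE_REGEX.search(stripped)
    if match is None:
        return []
    sources = []
    for part in match.group("sources").split(","):
        name = part.strip().strip('"')
        if name:
            sources.append(name)
    return sources


if __name__ == "__main__":
    print(parse_from_sources(SAMPLE_QUERY))
```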

Labels

Team: TRADE, enhancement (New feature or request), python (Internal python for the repository)