[Bug] [DAC] Auto Gen Schema Fails on Certain Subqueries #5255

@eric-forte-elastic

Describe the Bug

There looks to be something going wrong with the auto add for the schema where there are subqueries. In short, we use the error column position to identify what field to add to the auto-gen schema output, and in the case of subqueries this column position is off by one, so the field that is added is the following:

  "7225791c-5821-46dc-8145-cba32b5b6e4e": {
    "ntegration.Field": "keyword",

Instead of

  "7225791c-5821-46dc-8145-cba32b5b6e4e": {
    "integration.Field": "keyword"

which will fix the issue.

To Reproduce

Queries like this will cause the error:

query = '''
sequence by user.email with maxspan=6h
 [any where integration.Field in~ ("SELECT COUNT() FROM Fake" , "SELECT COUNT() FROM User" , "SELECT COUNT() FROM AnotherFake")]
 [any where integration.Field in~ ("SELECT COUNT() FROM Fake" , "SELECT COUNT() FROM User" , "SELECT COUNT() FROM AnotherFake")]
 [any where integration.Field in~ ("SELECT COUNT() FROM Fake" , "SELECT COUNT() FROM User" , "SELECT COUNT() FROM AnotherFake")]
'''

Expected Behavior

Rule should pass validation and the auto gen schema file should have the proper field name.

Screenshots

No response

Desktop - OS

None

Desktop - Version

No response

Additional Context

No response
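The truncation described in this report, reproduced next to a lookup that tolerates a column landing inside the field name. This is an added example, not the project's own code: `naive_field`, `field_at`, the field-name pattern and the zero-based line and column convention are assumptions, and the query is a constructed sample based on the one above.

```python
import re

# Constructed sample based on the query in the report (one subquery shown).
QUERY = '''
sequence by user.email with maxspan=6h
 [any where integration.Field in~ ("SELECT COUNT() FROM Fake" , "SELECT COUNT() FROM User")]
'''

# Assumed shape of a dotted field name; not taken from the project's grammar.
FIELD_TOKEN = re.compile(r"(?<![\w.])[A-Za-z_@][\w@]*(?:\.[\w@]+)*")
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')


def naive_field(source, line, column):
    """Read from the reported column to the next whitespace (shows the truncation)."""
    rest = source.splitlines()[line][column:].split()
    return rest[0] if rest else None


def field_at(source, line, column):
    """Return the whole field token covering (line, column), or None if there is none."""
    lines = source.splitlines()
    if not 0 <= line < len(lines) or not 0 <= column < len(lines[line]):
        return None
    # Blank out string literals, keeping columns aligned, so that text such as
    # "SELECT COUNT() FROM User" is never mistaken for a field name.
    masked = STRING_LITERAL.sub(lambda m: " " * len(m.group(0)), lines[line])
    for match in FIELD_TOKEN.finditer(masked):
        if match.start() <= column < match.end():
            return match.group(0)
    return None  # caller should fail validation instead of writing a guessed key


if __name__ == "__main__":
    row = 2  # zero-based index of the subquery line in QUERY
    start = QUERY.splitlines()[row].index("integration.Field")
    print(naive_field(QUERY, row, start + 1))  # column one past the field start
    print(field_at(QUERY, row, start + 1))
```

Returning `None` when the column does not fall on a field token lets the caller fail validation instead of writing a malformed key into the generated schema.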
