@@ -31,6 +31,7 @@ An {{esql}} source command produces a table, typically with data from {{es}}. An
3131
3232{{esql}} supports these processing commands:
3333
34+ * [ ` CHANGE_POINT ` ] ( #esql-change-point )
3435* [ ` DISSECT ` ] ( #esql-dissect )
3536* [ ` DROP ` ] ( #esql-drop )
3637* [ ` ENRICH ` ] ( #esql-enrich )
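Review bot: The new list entry at line 34 links to `#esql-change-point`, which must match the heading ID `[esql-change-point]` added further down in this patch; it does, and the entry sits in the right alphabetical position before `DISSECT`, so nothing to change here.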
@@ -191,6 +192,63 @@ SHOW INFO
191192| 8.13.0 | 2024-02-23T10:04:18.123117961Z | 04ba8c8db2507501c88f215e475de7b0798cb3b3 |
192193
193194
195+ ## ` CHANGE_POINT ` [ esql-change-point]
196+
197+ ` CHANGE_POINT ` detects spikes, dips, and change points in a metric.
198+
199+ ** Syntax**
200+
201+ ``` esql
202+ CHANGE_POINT value [ON key] [AS type_name, pvalue_name]
203+ ```
204+
205+ ** Parameters**
206+
207+ ` value `
208+ : The column with the metric in which you want to detect a change point.
209+
210+ ` key `
211+ : The column with the key to order the values by. If not specified, ` @timestamp ` is used.
212+
213+ ` type_name `
214+ : The name of the output column with the change point type. If not specified, ` type ` is used.
215+
216+ ` pvalue_name `
217+ : The name of the output column with the p-value that indicates how extreme the change point is. If not specified, ` pvalue ` is used.
218+
219+ ** Description**
220+
221+ ` CHANGE_POINT ` detects spikes, dips, and change points in a metric. The command adds columns to
222+ the table with the change point type and p-value, that indicates how extreme the change point is
223+ (lower values indicate greater changes).
224+
225+ The possible change point types are:
226+ * ` dip ` : a significant dip occurs at this change point
227+ * ` distribution_change ` : the overall distribution of the values has changed significantly
228+ * ` spike ` : a significant spike occurs at this point
229+ * ` step_change ` : the change indicates a statistically significant step up or down in value distribution
230+ * ` trend_change ` : there is an overall trend change occurring at this point
231+
232+ ::::{note}
233+ There must be at least 22 values for change point detection. Fewer than 1,000 is preferred.
234+ ::::
235+
236+ ** Examples**
237+
238+ The following example shows whether there is a day with a significant change in the number of log messages:
239+
240+ ```
241+ FROM kibana_sample_data_logs
242+ | STATS message_count=COUNT() BY day=BUCKET(@timestamp, 1 DAY)
243+ | CHANGE_POINT message_count ON day
244+ | WHERE type IS NOT NULL
245+ ```
246+
247+ | message_count: long | day: datetime | type: keyword | pvalue: double |
248+ | --------------------| --------------------------| --------------| ------------------------|
249+ | 329 | 2025-05-10T00:00:00.000Z | spike | 7.284562237089151e-198 |
250+
251+
194252## ` DISSECT ` [ esql-dissect]
195253
196254` DISSECT ` enables you to [ extract structured data out of a string] ( /reference/query-languages/esql/esql-process-data-with-dissect-grok.md ) .
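Review bot: The description (lines 221-223) should state that `type` and `pvalue` are null for every row that is not a change point, because the example at line 244 (`| WHERE type IS NOT NULL`) only makes sense to a reader who knows that; as written, the text only says the command "adds columns", and nothing says what those columns hold on the other rows. Related gaps in the same hunk: the `key` parameter (line 211) says `@timestamp` is used when `ON` is omitted, but not what happens when the table has no `@timestamp` column, which is exactly the situation the example is in after `STATS ... BY day=BUCKET(@timestamp, 1 DAY)` and the reason it needs `ON day`; a sentence covering that case would prevent the obvious copy-paste mistake. The note at line 233 ("Fewer than 1,000 is preferred") leaves the reader guessing whether more than 1,000 values degrade accuracy, cost time, or are rejected; please say which. Two smaller points: the example fence at line 240 is untagged while the syntax fence at line 201 uses `esql`, so the example will not be highlighted; and line 222 should read "p-value, which indicates" rather than "p-value, that indicates".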