Forbidding metrics used in aggregations for timeseries (#135223)

* Forbidding metrics used in aggregations for timeseries

* comments

* [CI] Update transport version definitions

* fixup

---------

Co-authored-by: elasticsearchmachine <[email protected]>

Author: pabloem

x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-avg-over-time.csv-spec

@@ -236,12 +236,13 @@ sum:double        | pod:keyword | time_bucket:datetime
 
 avg_over_time_nested_expression_in_grouping_with_alias
 required_capability: ts_command_v0
-TS k8s | STATS min = min(avg_over_time(network.bytes_in)) by rx = (network.eth0.rx + 2000), time_bucket = bucket(@timestamp, 1minute) | SORT rx desc, time_bucket  | LIMIT 5;
-
-min:double | rx:long | time_bucket:datetime
-557.0      | 3398    | 2024-05-10T00:21:00.000Z
-206.0      | 3398    | 2024-05-10T00:22:00.000Z
-557.0      | 3300    | 2024-05-10T00:21:00.000Z
-312.0      | 3262    | 2024-05-10T00:18:00.000Z
-312.0      | 3206    | 2024-05-10T00:18:00.000Z
+TS k8s | STATS min = min(avg_over_time(network.bytes_in)) by time_bucket = bucket(date_trunc(2 minutes, @timestamp), 5 minutes) | SORT time_bucket  | LIMIT 5;
+
+min:double        | time_bucket:datetime
+382.0416666666667 | 2024-05-10T00:00:00.000Z
+382.0416666666667 | 2024-05-10T00:05:00.000Z
+382.0416666666667 | 2024-05-10T00:10:00.000Z
+382.0416666666667 | 2024-05-10T00:15:00.000Z
+382.0416666666667 | 2024-05-10T00:20:00.000Z
+
 ;

x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-sum-over-time.csv-spec

@@ -220,17 +220,13 @@ sum:long | pod:keyword | time_bucket:datetime
 
 sum_over_time_nested_expression_in_grouping_with_alias
 required_capability: ts_command_v0
-TS k8s | STATS min = min(sum_over_time(network.bytes_in)) by rx = (network.eth0.rx + 2000), time_bucket = bucket(@timestamp, 1minute) | SORT rx desc, time_bucket  | LIMIT 10;
-
-min:long | rx:long | time_bucket:datetime
-1114     | 3398    | 2024-05-10T00:21:00.000Z
-206      | 3398    | 2024-05-10T00:22:00.000Z
-1114     | 3300    | 2024-05-10T00:21:00.000Z
-936      | 3262    | 2024-05-10T00:18:00.000Z
-936      | 3206    | 2024-05-10T00:18:00.000Z
-936      | 3205    | 2024-05-10T00:18:00.000Z
-1583     | 3167    | 2024-05-10T00:17:00.000Z
-913      | 3141    | 2024-05-10T00:20:00.000Z
-72       | 3122    | 2024-05-10T00:22:00.000Z
-1583     | 3120    | 2024-05-10T00:17:00.000Z
+TS k8s | STATS min = min(sum_over_time(network.bytes_in)) by time_bucket = bucket(date_trunc(2 minutes, @timestamp), 5 minutes) | SORT time_bucket  | LIMIT 10;
+
+
+min:long | time_bucket:datetime
+6160     | 2024-05-10T00:00:00.000Z
+6160     | 2024-05-10T00:05:00.000Z
+6160     | 2024-05-10T00:10:00.000Z
+6160     | 2024-05-10T00:15:00.000Z
+6160     | 2024-05-10T00:20:00.000Z
 ;

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/plan/logical/TimeSeriesAggregate.java

@@ -13,6 +13,7 @@
 import org.elasticsearch.xpack.esql.common.Failures;
 import org.elasticsearch.xpack.esql.core.expression.Alias;
 import org.elasticsearch.xpack.esql.core.expression.Expression;
+import org.elasticsearch.xpack.esql.core.expression.FieldAttribute;
 import org.elasticsearch.xpack.esql.core.expression.NamedExpression;
 import org.elasticsearch.xpack.esql.core.tree.NodeInfo;
 import org.elasticsearch.xpack.esql.core.tree.Source;
@@ -118,6 +119,19 @@ public boolean equals(Object obj) {
     @Override
     public void postAnalysisVerification(Failures failures) {
         super.postAnalysisVerification(failures);
+        groupings().forEach(g -> g.forEachDown(e -> {
+            if (e instanceof FieldAttribute fieldAttr && fieldAttr.isMetric()) {
+                failures.add(
+                    fail(
+                        fieldAttr,
+                        "cannot group by a metric field [{}] in a time-series aggregation. "
+                            + "If you want to group by a metric field, use the FROM "
+                            + "command instead of the TS command.",
+                        fieldAttr.sourceText()
+                    )
+                );
+            }
+        }));
         child().forEachDown(p -> {
             // reject `TS metrics | SORT BY ... | STATS ...`
             if (p instanceof OrderBy orderBy) {

x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/analysis/VerifierTests.java

@@ -2683,6 +2683,27 @@ public void testFuse() {
         );
     }
 
+    public void testNoMetricInStatsByClause() {
+        assertThat(
+            error("TS test | STATS avg(rate(network.bytes_in)) BY bucket(@timestamp, 1 minute), host, round(network.connections)", tsdb),
+            equalTo(
+                "1:90: cannot group by a metric field [network.connections] in a time-series aggregation. "
+                    + "If you want to group by a metric field, use the FROM command instead of the TS command."
+            )
+        );
+        assertThat(
+            error("TS test | STATS avg(rate(network.bytes_in)) BY bucket(@timestamp, 1 minute), host, network.bytes_in", tsdb),
+            equalTo("1:84: cannot group by on [counter_long] type for grouping [network.bytes_in]")
+        );
+        assertThat(
+            error("TS test | STATS avg(rate(network.bytes_in)) BY bucket(@timestamp, 1 minute), host, to_long(network.bytes_in)", tsdb),
+            equalTo(
+                "1:92: cannot group by a metric field [network.bytes_in] in a time-series aggregation. "
+                    + "If you want to group by a metric field, use the FROM command instead of the TS command."
+            )
+        );
+    }
+
     public void testSortInTimeSeries() {
         assertThat(
             error("TS test | SORT host | STATS avg(last_over_time(network.connections))", tsdb),