Add max_over_time aggregation for TSDB

x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries.csv-spec

@@ -155,3 +155,21 @@ null                                     | three       | 2024-05-10T00:05:00.000
 null                                     | three       | 2024-05-10T00:02:00.000Z
 null                                     | three       | 2024-05-10T00:01:00.000Z
 ;
+
+
+max_over_time
+required_capability: max_over_time
+TS k8s | STATS cost=sum(max_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) | SORT cost DESC, time_bucket DESC, cluster | LIMIT 10;
+
+cost:double | cluster:keyword | time_bucket:datetime    
+32.75       | qa              | 2024-05-10T00:17:00.000Z
+32.25       | staging         | 2024-05-10T00:09:00.000Z
+31.75       | qa              | 2024-05-10T00:06:00.000Z
+29.0        | prod            | 2024-05-10T00:19:00.000Z
+28.625      | qa              | 2024-05-10T00:09:00.000Z
+24.625      | qa              | 2024-05-10T00:18:00.000Z
+23.25       | qa              | 2024-05-10T00:11:00.000Z
+23.125      | staging         | 2024-05-10T00:08:00.000Z
+22.75       | prod            | 2024-05-10T00:13:00.000Z
+22.75       | qa              | 2024-05-10T00:08:00.000Z
+;

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/action/EsqlCapabilities.java

@@ -959,7 +959,9 @@ public enum Cap {
         /**
          * Listing queries and getting information on a specific query.
          */
-        QUERY_MONITORING;
+        QUERY_MONITORING,
+
+        MAX_OVER_TIME(Build.current().isSnapshot());
 
         private final boolean enabled;
 

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/EsqlFunctionRegistry.java

@@ -20,6 +20,7 @@
 import org.elasticsearch.xpack.esql.expression.function.aggregate.Count;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.CountDistinct;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.Max;
+import org.elasticsearch.xpack.esql.expression.function.aggregate.MaxOverTime;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.Median;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.MedianAbsoluteDeviation;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.Min;
@@ -432,6 +433,7 @@ private static FunctionDefinition[][] snapshotFunctions() {
                 // This is an experimental function and can be removed without notice.
                 def(Delay.class, Delay::new, "delay"),
                 def(Rate.class, Rate::withUnresolvedTimestamp, "rate"),
+                def(MaxOverTime.class, uni(MaxOverTime::new), "max_over_time"),
                 def(Term.class, bi(Term::new), "term") } };
     }
 

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/aggregate/AggregateWritables.java

@@ -30,6 +30,7 @@ public static List<NamedWriteableRegistry.Entry> getNamedWriteables() {
             Sum.ENTRY,
             Top.ENTRY,
             Values.ENTRY,
+            MaxOverTime.ENTRY,
             // internal functions
             ToPartial.ENTRY,
             FromPartial.ENTRY,

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/aggregate/Max.java

@@ -44,7 +44,7 @@
 public class Max extends AggregateFunction implements ToAggregator, SurrogateExpression {
     public static final NamedWriteableRegistry.Entry ENTRY = new NamedWriteableRegistry.Entry(Expression.class, "Max", Max::new);
 
-    private static final Map<DataType, Supplier<AggregatorFunctionSupplier>> SUPPLIERS = Map.ofEntries(
+    static final Map<DataType, Supplier<AggregatorFunctionSupplier>> SUPPLIERS = Map.ofEntries(
         Map.entry(DataType.BOOLEAN, MaxBooleanAggregatorFunctionSupplier::new),
         Map.entry(DataType.LONG, MaxLongAggregatorFunctionSupplier::new),
         Map.entry(DataType.DATETIME, MaxLongAggregatorFunctionSupplier::new),

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/aggregate/MaxOverTime.java

@@ -0,0 +1,105 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.esql.expression.function.aggregate;
+
+import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.xpack.esql.core.expression.Expression;
+import org.elasticsearch.xpack.esql.core.expression.Literal;
+import org.elasticsearch.xpack.esql.core.tree.NodeInfo;
+import org.elasticsearch.xpack.esql.core.tree.Source;
+import org.elasticsearch.xpack.esql.core.type.DataType;
+import org.elasticsearch.xpack.esql.expression.function.FunctionInfo;
+import org.elasticsearch.xpack.esql.expression.function.FunctionType;
+import org.elasticsearch.xpack.esql.expression.function.Param;
+
+import java.io.IOException;
+import java.util.List;
+
+import static java.util.Collections.emptyList;
+
+/**
+ * Similar to {@link Max}, but it is used to calculate the maximum value over a time series of values from the given field.
+ */
+public class MaxOverTime extends TimeSeriesAggregateFunction {
+    public static final NamedWriteableRegistry.Entry ENTRY = new NamedWriteableRegistry.Entry(
+        Expression.class,
+        "MaxOverTime",
+        MaxOverTime::new
+    );
+
+    @FunctionInfo(
+        returnType = { "boolean", "double", "integer", "long", "date", "date_nanos", "ip", "keyword", "long", "version" },
+        description = "The maximum over time value of a field.",
+        type = FunctionType.AGGREGATE
+    )
+    public MaxOverTime(
+        Source source,
+        @Param(
+            name = "field",
+            type = {
+                "aggregate_metric_double",
+                "boolean",
+                "double",
+                "integer",
+                "long",
+                "date",
+                "date_nanos",
+                "ip",
+                "keyword",
+                "text",
+                "long",
+                "version" }
+        ) Expression field
+    ) {
+        this(source, field, Literal.TRUE);
+    }
+
+    public MaxOverTime(Source source, Expression field, Expression filter) {
+        super(source, field, filter, emptyList());
+    }
+
+    private MaxOverTime(StreamInput in) throws IOException {
+        super(in);
+    }
+
+    @Override
+    public String getWriteableName() {
+        return ENTRY.name;
+    }
+
+    @Override
+    public MaxOverTime withFilter(Expression filter) {
+        return new MaxOverTime(source(), field(), filter);
+    }
+
+    @Override
+    protected NodeInfo<MaxOverTime> info() {
+        return NodeInfo.create(this, MaxOverTime::new, field(), filter());
+    }
+
+    @Override
+    public MaxOverTime replaceChildren(List<Expression> newChildren) {
+        return new MaxOverTime(source(), newChildren.get(0), newChildren.get(1));
+    }
+
+    @Override
+    protected TypeResolution resolveType() {
+        return perTimeSeriesAggregation().resolveType();
+    }
+
+    @Override
+    public DataType dataType() {
+        return perTimeSeriesAggregation().dataType();
+    }
+
+    @Override
+    public Max perTimeSeriesAggregation() {
+        return new Max(source(), field(), filter());
+    }
+}

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/aggregate/Rate.java

@@ -29,7 +29,7 @@
 import org.elasticsearch.xpack.esql.expression.function.OptionalArgument;
 import org.elasticsearch.xpack.esql.expression.function.Param;
 import org.elasticsearch.xpack.esql.io.stream.PlanStreamInput;
-import org.elasticsearch.xpack.esql.planner.ToTimeSeriesAggregator;
+import org.elasticsearch.xpack.esql.planner.ToAggregator;
 
 import java.io.IOException;
 import java.time.Duration;
@@ -40,7 +40,7 @@
 import static org.elasticsearch.xpack.esql.core.expression.TypeResolutions.isType;
 import static org.elasticsearch.xpack.esql.core.util.CollectionUtils.nullSafeList;
 
-public class Rate extends AggregateFunction implements OptionalArgument, ToTimeSeriesAggregator {
+public class Rate extends TimeSeriesAggregateFunction implements OptionalArgument, ToAggregator {
     public static final NamedWriteableRegistry.Entry ENTRY = new NamedWriteableRegistry.Entry(Expression.class, "Rate", Rate::new);
     private static final TimeValue DEFAULT_UNIT = TimeValue.timeValueSeconds(1);
 
@@ -180,6 +180,11 @@ public AggregatorFunctionSupplier supplier() {
         };
     }
 
+    @Override
+    public Rate perTimeSeriesAggregation() {
+        return this;
+    }
+
     @Override
     public String toString() {
         if (unit != null) {

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/aggregate/TimeSeriesAggregateFunction.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+package org.elasticsearch.xpack.esql.expression.function.aggregate;
+
+import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.xpack.esql.core.expression.Expression;
+import org.elasticsearch.xpack.esql.core.tree.Source;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * Extends {@link AggregateFunction} to support aggregation per time_series,
+ * such as {@link Rate} or {@link MaxOverTime}.
+ */
+public abstract class TimeSeriesAggregateFunction extends AggregateFunction {
+
+    protected TimeSeriesAggregateFunction(Source source, Expression field, Expression filter, List<? extends Expression> parameters) {
+        super(source, field, filter, parameters);
+    }
+
+    protected TimeSeriesAggregateFunction(StreamInput in) throws IOException {
+        super(in);
+    }
+
+    /**
+     * Returns the aggregation function to be used in the first aggregation stage,
+     * which is grouped by `_tsid` (and `time_bucket`).
+     *
+     * @see org.elasticsearch.xpack.esql.optimizer.rules.logical.TranslateTimeSeriesAggregate
+     */
+    public abstract AggregateFunction perTimeSeriesAggregation();
+}

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/optimizer/rules/logical/SubstituteSurrogates.java

@@ -17,7 +17,7 @@
 import org.elasticsearch.xpack.esql.core.expression.NamedExpression;
 import org.elasticsearch.xpack.esql.expression.SurrogateExpression;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.AggregateFunction;
-import org.elasticsearch.xpack.esql.expression.function.aggregate.Rate;
+import org.elasticsearch.xpack.esql.expression.function.aggregate.TimeSeriesAggregateFunction;
 import org.elasticsearch.xpack.esql.plan.logical.Aggregate;
 import org.elasticsearch.xpack.esql.plan.logical.Eval;
 import org.elasticsearch.xpack.esql.plan.logical.LogicalPlan;
@@ -70,8 +70,7 @@ protected LogicalPlan rule(Aggregate aggregate) {
                 if (s instanceof AggregateFunction == false) {
                     // 1. collect all aggregate functions from the expression
                     var surrogateWithRefs = s.transformUp(AggregateFunction.class, af -> {
-                        // TODO: more generic than this?
-                        if (af instanceof Rate) {
+                        if (af instanceof TimeSeriesAggregateFunction) {
                             return af;
                         }
                         // 2. check if they are already use otherwise add them to the Aggregate with some made-up aliases

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/optimizer/rules/logical/TranslateTimeSeriesAggregate.java

@@ -19,7 +19,7 @@
 import org.elasticsearch.xpack.esql.core.util.Holder;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.AggregateFunction;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.FromPartial;
-import org.elasticsearch.xpack.esql.expression.function.aggregate.Rate;
+import org.elasticsearch.xpack.esql.expression.function.aggregate.TimeSeriesAggregateFunction;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.ToPartial;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.Values;
 import org.elasticsearch.xpack.esql.expression.function.grouping.Bucket;
@@ -34,7 +34,7 @@
 import java.util.Map;
 
 /**
- * Rate aggregation is special because it must be computed per time series, regardless of the grouping keys.
+ * Time-series aggregation is special because it must be computed per time series, regardless of the grouping keys.
  * The keys must be `_tsid` or a pair of `_tsid` and `time_bucket`. To support user-defined grouping keys,
  * we first execute the rate aggregation using the time-series keys, then perform another aggregation with
  * the resulting rate using the user-specific keys.
@@ -113,6 +113,17 @@
  * | STATS rate(request), $p1=to_partial(min(memory_used)), VALUES(pod) BY _tsid, `bucket(@timestamp, 5m)`
  * | STATS sum(`rate(request)`), `min(memory_used)` = from_partial($p1, min($)) BY pod=`VALUES(pod)`, `bucket(@timestamp, 5m)`
  * | KEEP `min(memory_used)`, `sum(rate(request))`, pod, `bucket(@timestamp, 5m)`
+ *
+ * _over_time time-series aggregation will be rewritten in the similar way
+ *
+ * TS k8s | STATS sum(max_over_time(memory_usage)) BY host, bucket(@timestamp, 1minute)
+ *
+ * becomes
+ *
+ * TS k8s
+ * | STATS max(memory_usage), VALUES(host) BY _tsid, bucket(@timestamp, 1minute)
+ * | STATS sum(`max(memory_usage)`) BY host=`VALUES(host)`, `bucket(@timestamp, 1minute)`
+ *
  * </pre>
  */
 public final class TranslateTimeSeriesAggregate extends OptimizerRules.OptimizerRule<Aggregate> {
@@ -131,20 +142,21 @@ protected LogicalPlan rule(Aggregate aggregate) {
     }
 
     LogicalPlan translate(TimeSeriesAggregate aggregate) {
-        Map<Rate, Alias> rateAggs = new HashMap<>();
+        Map<AggregateFunction, Alias> timeSeriesAggs = new HashMap<>();
         List<NamedExpression> firstPassAggs = new ArrayList<>();
         List<NamedExpression> secondPassAggs = new ArrayList<>();
         for (NamedExpression agg : aggregate.aggregates()) {
             if (agg instanceof Alias alias && alias.child() instanceof AggregateFunction af) {
                 Holder<Boolean> changed = new Holder<>(Boolean.FALSE);
-                Expression outerAgg = af.transformDown(Rate.class, rate -> {
+                Expression outerAgg = af.transformDown(TimeSeriesAggregateFunction.class, tsAgg -> {
                     changed.set(Boolean.TRUE);
-                    Alias rateAgg = rateAggs.computeIfAbsent(rate, k -> {
-                        Alias newRateAgg = new Alias(rate.source(), agg.name(), rate);
-                        firstPassAggs.add(newRateAgg);
-                        return newRateAgg;
+                    AggregateFunction firstStageFn = tsAgg.perTimeSeriesAggregation();
+                    Alias newAgg = timeSeriesAggs.computeIfAbsent(firstStageFn, k -> {
+                        Alias firstStageAlias = new Alias(tsAgg.source(), agg.name(), firstStageFn);
+                        firstPassAggs.add(firstStageAlias);
+                        return firstStageAlias;
                     });
-                    return rateAgg.toAttribute();
+                    return newAgg.toAttribute();
                 });
                 if (changed.get()) {
                     secondPassAggs.add(new Alias(alias.source(), alias.name(), outerAgg, agg.id()));
@@ -156,7 +168,7 @@ LogicalPlan translate(TimeSeriesAggregate aggregate) {
                 }
             }
         }
-        if (rateAggs.isEmpty()) {
+        if (timeSeriesAggs.isEmpty()) {
             // no time-series aggregations, run a regular aggregation instead.
             return new Aggregate(aggregate.source(), aggregate.child(), aggregate.groupings(), aggregate.aggregates());
         }

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/plan/logical/Aggregate.java

@@ -28,6 +28,7 @@
 import org.elasticsearch.xpack.esql.expression.function.aggregate.AggregateFunction;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.FilteredExpression;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.Rate;
+import org.elasticsearch.xpack.esql.expression.function.aggregate.TimeSeriesAggregateFunction;
 import org.elasticsearch.xpack.esql.expression.function.grouping.Categorize;
 import org.elasticsearch.xpack.esql.expression.function.grouping.GroupingFunction;
 import org.elasticsearch.xpack.esql.io.stream.PlanStreamInput;
@@ -223,8 +224,8 @@ public void postAnalysisVerification(Failures failures) {
             aggregates.forEach(a -> checkRateAggregates(a, 0, failures));
         } else {
             forEachExpression(
-                Rate.class,
-                r -> failures.add(fail(r, "the rate aggregate[{}] can only be used with the TS command", r.sourceText()))
+                TimeSeriesAggregateFunction.class,
+                r -> failures.add(fail(r, "time_series aggregate[{}] can only be used with the TS command", r.sourceText()))
             );
         }
         checkCategorizeGrouping(failures);
@@ -370,7 +371,7 @@ else if (c instanceof GroupingFunction gf) {
         if (e instanceof AggregateFunction af) {
             af.field().forEachDown(AggregateFunction.class, f -> {
                 // rate aggregate is allowed to be inside another aggregate
-                if (f instanceof Rate == false) {
+                if (f instanceof TimeSeriesAggregateFunction == false) {
                     failures.add(fail(f, "nested aggregations [{}] not allowed inside other aggregations [{}]", f, af));
                 }
             });

x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/analysis/VerifierTests.java

@@ -1136,11 +1136,15 @@ public void testNotAllowRateOutsideMetrics() {
         assumeTrue("requires snapshot builds", Build.current().isSnapshot());
         assertThat(
             error("FROM tests | STATS avg(rate(network.bytes_in))", tsdb),
-            equalTo("1:24: the rate aggregate[rate(network.bytes_in)] can only be used with the TS command")
+            equalTo("1:24: time_series aggregate[rate(network.bytes_in)] can only be used with the TS command")
         );
         assertThat(
             error("FROM tests | STATS rate(network.bytes_in)", tsdb),
-            equalTo("1:20: the rate aggregate[rate(network.bytes_in)] can only be used with the TS command")
+            equalTo("1:20: time_series aggregate[rate(network.bytes_in)] can only be used with the TS command")
+        );
+        assertThat(
+            error("FROM tests | STATS max_over_time(network.connections)", tsdb),
+            equalTo("1:20: time_series aggregate[max_over_time(network.connections)] can only be used with the TS command")
         );
         assertThat(
             error("FROM tests | EVAL r = rate(network.bytes_in)", tsdb),