diff --git a/muted-tests.yml b/muted-tests.yml index 8f6b22673a6cb..c770fb065ea3d 100644 --- a/muted-tests.yml +++ b/muted-tests.yml @@ -534,6 +534,9 @@ tests: - class: org.elasticsearch.xpack.esql.ccq.MultiClusterSpecIT method: test {csv-spec:fork.ForkWithMixOfCommands} issue: https://github.com/elastic/elasticsearch/issues/134135 +- class: org.elasticsearch.xpack.esql.qa.single_node.GenerativeForkIT + method: test {csv-spec:inlinestats.MultiIndexInlinestatsOfMultiTypedField} + issue: https://github.com/elastic/elasticsearch/issues/133973 # Examples: # diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/inlinestats.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/inlinestats.csv-spec index f226ed5fd36ae..ae0eba15fed64 100644 --- a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/inlinestats.csv-spec +++ b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/inlinestats.csv-spec @@ -2480,3 +2480,1285 @@ from employees 10002 |0 |0 10003 |0 |0 ; + +//////////////////////////////// +// Union types tests +//////////////////////////////// + +singleIndexIpInlinestats +required_capability: inlinestats_v11 + +FROM sample_data +| EVAL client_ip = client_ip::ip +| INLINESTATS count=count(*) BY client_ip +| SORT count DESC, client_ip ASC +| KEEP count, client_ip +; + +count:long | client_ip:ip +4 |172.21.3.15 +4 |172.21.3.15 +4 |172.21.3.15 +4 |172.21.3.15 +1 |172.21.0.5 +1 |172.21.2.113 +1 |172.21.2.162 +; + +singleIndexIpStringInlinestats +required_capability: inlinestats_v11 + +FROM sample_data_str +| EVAL client_ip = client_ip::ip +| INLINESTATS count=count(*) BY client_ip +| SORT count DESC, client_ip ASC +| KEEP count, client_ip +; + +count:long | client_ip:ip +4 |172.21.3.15 +4 |172.21.3.15 +4 |172.21.3.15 +4 |172.21.3.15 +1 |172.21.0.5 +1 |172.21.2.113 +1 |172.21.2.162 +; + +singleIndexIpStringInlinestats Inline +required_capability: inlinestats_v11 + +FROM sample_data_str +| INLINESTATS count=count(*) BY client_ip::ip +| INLINESTATS mc=count(count) BY count +| SORT mc DESC, count ASC +| KEEP mc, count +; + +mc:l | count:l +4 |4 +4 |4 +4 |4 +4 |4 +3 |1 +3 |1 +3 |1 +; + +singleIndexIpStringInlinestatsInline_SecondStats +// same as above but the second agg is a STATS one +required_capability: inlinestats_v11 + +FROM sample_data_str +| INLINESTATS count=count(*) BY client_ip::ip +| STATS mc=count(count) BY count +| SORT mc DESC, count ASC +| KEEP mc, count +; + +mc:l | count:l +4 |4 +3 |1 +; + +multiIndexIpStringInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL client_ip = client_ip::ip +| INLINESTATS count=count(*) BY client_ip +| SORT count DESC, client_ip ASC +| KEEP count, client_ip +; + +count:long | client_ip:ip +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +2 |172.21.0.5 +2 |172.21.0.5 +2 |172.21.2.113 +2 |172.21.2.113 +2 |172.21.2.162 +2 |172.21.2.162 +; + +multiIndexIpStringRenameInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL host_ip = client_ip::ip +| INLINESTATS count=count(*) BY host_ip +| SORT count DESC, host_ip ASC +| KEEP count, host_ip +; + +count:long | host_ip:ip +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +2 |172.21.0.5 +2 |172.21.0.5 +2 |172.21.2.113 +2 |172.21.2.113 +2 |172.21.2.162 +2 |172.21.2.162 +; + +multiIndexIpStringRenameToStringInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL host_ip = TO_STRING(TO_IP(client_ip)) +| INLINESTATS count=count(*) BY host_ip +| SORT count DESC, host_ip ASC +| KEEP count, host_ip +; + +count:long | host_ip:keyword +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +2 |172.21.0.5 +2 |172.21.0.5 +2 |172.21.2.113 +2 |172.21.2.113 +2 |172.21.2.162 +2 |172.21.2.162 +; + +multiIndexIpStringInlinestats Drop +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| INLINESTATS count=count(*) BY client_ip::ip +| KEEP count +| SORT count DESC +; + +count:long +8 +8 +8 +8 +8 +8 +8 +8 +2 +2 +2 +2 +2 +2 +; + +multiIndexIpStringInlinestats Inline +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| INLINESTATS count=count(*) BY client_ip = TO_IP(client_ip) +| SORT count DESC, client_ip ASC +| KEEP count, client_ip +; + +count:long | client_ip:ip +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +2 |172.21.0.5 +2 |172.21.0.5 +2 |172.21.2.113 +2 |172.21.2.113 +2 |172.21.2.162 +2 |172.21.2.162 +; + +statsUnionAggInline +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| INLINESTATS count = COUNT(CIDR_MATCH(TO_IP(client_ip), "172.21.0.0/24") OR NULL) + BY + @timestamp = DATE_TRUNC(10 minutes, @timestamp) +| SORT count DESC, @timestamp ASC, event_duration +| LIMIT 8 +; + +client_ip:unsupported |event_duration:long| message:keyword | count:long | @timestamp:date +null |1232382 |Disconnected |2 |2023-10-23T13:30:00.000Z +null |1232382 |Disconnected |2 |2023-10-23T13:30:00.000Z +null |3450233 |Connected to 10.1.0.3|0 |2023-10-23T12:10:00.000Z +null |3450233 |Connected to 10.1.0.3|0 |2023-10-23T12:10:00.000Z +null |2764889 |Connected to 10.1.0.2|0 |2023-10-23T12:20:00.000Z +null |2764889 |Connected to 10.1.0.2|0 |2023-10-23T12:20:00.000Z +null |725448 |Connection error |0 |2023-10-23T13:50:00.000Z +null |725448 |Connection error |0 |2023-10-23T13:50:00.000Z +; + +multiIndexIpInlinestats_NonPushableCount +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| INLINESTATS count=count(client_ip::ip) +| SORT event_duration DESC +| LIMIT 2 +; + + @timestamp:date |client_ip:unsupported|event_duration:long|message:keyword |count:long +2023-10-23T13:52:55.015Z|null |8268153 |Connection error|14 +2023-10-23T13:52:55.015Z|null |8268153 |Connection error|14 +; + +multiIndexIpInlinestats_NonPushableCountEval +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL client_ip = client_ip::ip +| INLINESTATS count=count(client_ip) +| SORT event_duration DESC +| LIMIT 2 +; + + @timestamp:date |event_duration:long|message:keyword |client_ip:ip |count:long +2023-10-23T13:52:55.015Z|8268153 |Connection error|172.21.3.15 |14 +2023-10-23T13:52:55.015Z|8268153 |Connection error|172.21.3.15 |14 +; + +multiIndexIpInlinestats_NonPushableCountWithFilter +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| INLINESTATS count_matching=count(@timestamp::long) WHERE @timestamp::long >= 1698069301543, + total_count=count(@timestamp::long) +| SORT client_ip +| LIMIT 4 +; + +@timestamp:unsupported| client_ip:ip|event_duration:long | message:keyword |count_matching:long | total_count:long +null |172.21.0.5 |1232382 |Disconnected |2 |14 +null |172.21.0.5 |1232382 |Disconnected |2 |14 +null |172.21.2.113 |2764889 |Connected to 10.1.0.2|2 |14 +null |172.21.2.113 |2764889 |Connected to 10.1.0.2|2 |14 +; + +multiIndexIpInlinestats_PushableCount +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| INLINESTATS count=count(@timestamp::long) +| KEEP count +| LIMIT 2 +; + +count:long +14 +14 +; + +multiIndexIpInlinestats_PushableCountEval +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| EVAL @timestamp = @timestamp::long +| INLINESTATS count=count(@timestamp) +| KEEP count +| LIMIT 2 +; + +count:long +14 +14 +; + +multiIndexIpStringInlinestats_Inline2 +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| INLINESTATS count=count(*) BY client_ip::ip +| SORT count DESC, `client_ip::ip` ASC +| KEEP count, `client_ip::ip` +; + +count:long | client_ip::ip:ip +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +8 |172.21.3.15 +2 |172.21.0.5 +2 |172.21.0.5 +2 |172.21.2.113 +2 |172.21.2.113 +2 |172.21.2.162 +2 |172.21.2.162 +; + +multiIndexIpStringInlinestats_Inline3 +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| INLINESTATS count=count(*) BY client_ip::ip +| INLINESTATS mc=count(count) BY count +| SORT mc DESC, count ASC, event_duration +| KEEP mc, count, event_duration +; + +mc:l | count:l | event_duration:l +8 |8 |725448 +8 |8 |725448 +8 |8 |1756467 +8 |8 |1756467 +8 |8 |5033755 +8 |8 |5033755 +8 |8 |8268153 +8 |8 |8268153 +6 |2 |1232382 +6 |2 |1232382 +6 |2 |2764889 +6 |2 |2764889 +6 |2 |3450233 +6 |2 |3450233 +; + +multiIndexIpStringInlinestats_Inline4 +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| SORT @timestamp +| LIMIT 1000 +| INLINESTATS count=count(*) BY client_ip::ip +| LIMIT 5 +| INLINESTATS mc=count(count) BY count +| SORT mc DESC, count ASC, event_duration +| KEEP mc, count, event_duration +; + +mc:l | count:l | event_duration:l +5 |2 |1232382 +5 |2 |2764889 +5 |2 |2764889 +5 |2 |3450233 +5 |2 |3450233 +; + +multiIndexWhereIpStringInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| WHERE STARTS_WITH(TO_STRING(client_ip), "172.21.2") +| INLINESTATS count=count(*) BY message +| SORT count DESC, message ASC +| KEEP count, message +; + +count:long | message:keyword +2 |Connected to 10.1.0.2 +2 |Connected to 10.1.0.2 +2 |Connected to 10.1.0.3 +2 |Connected to 10.1.0.3 +; + +multiIndexTsLongInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| EVAL @timestamp = DATE_TRUNC(1 hour, TO_DATETIME(@timestamp)) +| INLINESTATS count=count(*) BY @timestamp +| SORT count DESC, @timestamp ASC +| KEEP count, @timestamp +; + +count:long | @timestamp:date +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +4 |2023-10-23T12:00:00.000Z +4 |2023-10-23T12:00:00.000Z +4 |2023-10-23T12:00:00.000Z +4 |2023-10-23T12:00:00.000Z +; + +multiIndexTsNanosToDatetimeInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_nanos +| EVAL @timestamp = DATE_TRUNC(1 hour, TO_DATETIME(@timestamp)) +| INLINESTATS count=count(*) BY @timestamp +| KEEP count, @timestamp +| STATS count=count(*) BY @timestamp +| SORT count DESC, @timestamp ASC +; + +count:long | @timestamp:date +10 | 2023-10-23T13:00:00.000Z +4 | 2023-10-23T12:00:00.000Z +; + +multiIndexMillisToNanosStats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_nanos +| EVAL @timestamp = DATE_TRUNC(1 hour, TO_DATE_NANOS(@timestamp)) +| INLINESTATS count=count(*) BY @timestamp +| KEEP count, @timestamp +| STATS count=count(*) BY @timestamp +| SORT count DESC, @timestamp ASC +; + +count:long | @timestamp:date_nanos +10 | 2023-10-23T13:00:00.000Z +4 | 2023-10-23T12:00:00.000Z +; + + +multiIndexTsLongInlinestatsDrop +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long, sample_data_ts_nanos +| INLINESTATS count=count(*) BY @timestamp::datetime +| KEEP count +| LIMIT 2 +; + +count:long +3 +3 +; + +multiIndexTsLongInlinestatsInline2 +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long, sample_data_ts_nanos +| INLINESTATS count=count(*) BY @timestamp::datetime +| SORT `@timestamp::datetime` DESC, event_duration +| LIMIT 6 +; + +@timestamp:unsupported| client_ip:ip|event_duration:long| message:keyword | count:long| @timestamp::datetime:datetime +null |172.21.3.15 |1756467 |Connected to 10.1.0.1|3 |2023-10-23T13:55:01.543Z +null |172.21.3.15 |1756467 |Connected to 10.1.0.1|3 |2023-10-23T13:55:01.543Z +null |172.21.3.15 |1756467 |Connected to 10.1.0.1|3 |2023-10-23T13:55:01.543Z +null |172.21.3.15 |5033755 |Connection error |3 |2023-10-23T13:53:55.832Z +null |172.21.3.15 |5033755 |Connection error |3 |2023-10-23T13:53:55.832Z +null |172.21.3.15 |5033755 |Connection error |3 |2023-10-23T13:53:55.832Z +; + +multiIndexTsLongInlinestatsInline3 +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| INLINESTATS count=count(*) BY @timestamp::datetime +| INLINESTATS mc=count(count) BY count +| SORT client_ip DESC +| LIMIT 1 +| KEEP mc, count +; + +mc:l | count:l +14 | 2 +; + +multiIndexTsLongInlinestatsInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| EVAL ts = TO_STRING(@timestamp) +| INLINESTATS count = COUNT(*) BY ts +| INLINESTATS mc = COUNT(count) BY count +| SORT ts +| LIMIT 1 +; + +@timestamp:unsupported| client_ip:ip|event_duration:long| message:keyword | ts:keyword| mc:long | count:long +null |172.21.2.162 |3450233 |Connected to 10.1.0.3|1698063303360 |14 |1 +; + +multiIndexTsLongRenameInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| EVAL hour = DATE_TRUNC(1 hour, TO_DATETIME(@timestamp)) +| INLINESTATS count=count(*) BY hour +| SORT count DESC, hour ASC +| KEEP count, hour +; + +count:long | hour:date +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +10 |2023-10-23T13:00:00.000Z +4 |2023-10-23T12:00:00.000Z +4 |2023-10-23T12:00:00.000Z +4 |2023-10-23T12:00:00.000Z +4 |2023-10-23T12:00:00.000Z +; + +multiIndexTsLongRenameToDatetimeToStringInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| EVAL hour = LEFT(TO_STRING(TO_DATETIME(@timestamp)), 13) +| INLINESTATS count=count(*) BY hour +| STATS count_distinct(count) BY count, hour +| SORT count DESC, hour ASC +| KEEP count, hour +; + +count:long | hour:keyword +10 | 2023-10-23T13 +4 | 2023-10-23T12 +; + +multiIndexTsLongRenameToStringInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| EVAL mess = LEFT(TO_STRING(@timestamp), 7) +| INLINESTATS count=count(*) BY mess +| SORT count DESC, mess DESC +| KEEP count, mess +; + +count:long | mess:keyword +7 |2023-10 +7 |2023-10 +7 |2023-10 +7 |2023-10 +7 |2023-10 +7 |2023-10 +7 |2023-10 +4 |1698069 +4 |1698069 +4 |1698069 +4 |1698069 +1 |1698068 +1 |1698064 +1 |1698063 +; + +multiIndexTsLongInlinestatsInline +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| INLINESTATS count=COUNT(*), max=MAX(TO_DATETIME(@timestamp)) +| KEEP count, max +| LIMIT 3 +; + +count:long | max:date +14 | 2023-10-23T13:55:01.543Z +14 | 2023-10-23T13:55:01.543Z +14 | 2023-10-23T13:55:01.543Z +; + +multiIndexTsLongInlinestatsInlineDropped +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| INLINESTATS count=COUNT(*), max=MAX(TO_DATETIME(@timestamp)) +| KEEP count +| LIMIT 2 +; + +count:long +14 +14 +; + +multiIndexWhereTsLongInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| WHERE TO_LONG(@timestamp) < 1698068014937 +| INLINESTATS count=count(*) BY message +| SORT count DESC, message ASC +| KEEP count, message +; + +count:long | message:keyword +2 | Connected to 10.1.0.2 +2 | Connected to 10.1.0.2 +2 | Connected to 10.1.0.3 +2 | Connected to 10.1.0.3 +; + +multiIndexWhereIpStringTsLongInlinestats +required_capability: inlinestats_v11 + +FROM sample_data* +| WHERE TO_LONG(@timestamp) < 1698068014937 AND TO_STRING(client_ip) == "172.21.2.162" +| INLINESTATS count=count(*) BY message +| SORT count DESC, message ASC +| KEEP count, message +; + +count:long | message:keyword +3 | Connected to 10.1.0.3 +3 | Connected to 10.1.0.3 +3 | Connected to 10.1.0.3 +; + +multiIndexWhereIpStringLikeTsLongInlinestats +required_capability: inlinestats_v11 + +FROM sample_data* +| WHERE TO_LONG(@timestamp) < 1698068014937 AND TO_STRING(client_ip) LIKE "172.21.2.16?" +| INLINESTATS count=count(*) BY message +| SORT count DESC, message ASC +| KEEP count, message +; + +count:long | message:keyword +3 | Connected to 10.1.0.3 +3 | Connected to 10.1.0.3 +3 | Connected to 10.1.0.3 +; + +multiIndexInlinestatsOfMultiTypedField +required_capability: inlinestats_v11 +// https://github.com/elastic/elasticsearch/issues/133973 +FROM apps, apps_short +| INLINESTATS s = sum(id::integer) +| SORT name, version +| LIMIT 5 +; + + id:unsupported| name:keyword |version:version| s:long +null |aaaaa |1 |210 +null |aaaaa |1 |210 +null |aaaaa |1.2.3.4 |210 +null |aaaaa |1.2.3.4 |210 +null |bbbbb |2.1 |210 +; + +inlineStatsUnionGroup +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| INLINESTATS count = COUNT(*) + BY @timestamp = SUBSTRING(TO_STRING(@timestamp), 0, 7) +| SORT client_ip ASC, @timestamp ASC +| LIMIT 4 +; + +client_ip:ip | event_duration:long | message:keyword | count:long| @timestamp:keyword + 172.21.0.5 | 1232382 | Disconnected | 1 | 1698068 + 172.21.0.5 | 1232382 | Disconnected | 7 | 2023-10 +172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 1 | 1698064 +172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 7 | 2023-10 +; + +inlineStatsUnionGroupWithEval +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| EVAL @timestamp = SUBSTRING(TO_STRING(@timestamp), 0, 7) +| INLINESTATS count = COUNT(*) BY @timestamp +| SORT client_ip ASC, @timestamp ASC +| LIMIT 4 +; + +client_ip:ip | event_duration:long | message:keyword | count:long| @timestamp:keyword + 172.21.0.5 | 1232382 | Disconnected | 1 | 1698068 + 172.21.0.5 | 1232382 | Disconnected | 7 | 2023-10 +172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 1 | 1698064 +172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 7 | 2023-10 +; + +inlineStatsUnionGroupTogether +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| INLINESTATS count = COUNT(*) + BY @timestamp = TO_STRING(TO_DATETIME(@timestamp)) +| SORT client_ip ASC, @timestamp ASC +| LIMIT 4 +; + +client_ip:ip | event_duration:long | message:keyword |count:long| @timestamp:keyword + 172.21.0.5 | 1232382 | Disconnected |2 | 2023-10-23T13:33:34.937Z + 172.21.0.5 | 1232382 | Disconnected |2 | 2023-10-23T13:33:34.937Z +172.21.2.113 | 2764889 | Connected to 10.1.0.2 |2 | 2023-10-23T12:27:28.948Z +172.21.2.113 | 2764889 | Connected to 10.1.0.2 |2 | 2023-10-23T12:27:28.948Z +; + +multiIndexIndirectUseOfUnionTypesInInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| INLINESTATS foo = max(event_duration) BY client_ip +| RENAME event_duration AS e +| SORT client_ip ASC, e +| LIMIT 8 +; + +@timestamp:unsupported| e:long | message:keyword | foo:long| client_ip:ip +null |1232382 |Disconnected |1232382 |172.21.0.5 +null |1232382 |Disconnected |1232382 |172.21.0.5 +null |2764889 |Connected to 10.1.0.2|2764889 |172.21.2.113 +null |2764889 |Connected to 10.1.0.2|2764889 |172.21.2.113 +null |3450233 |Connected to 10.1.0.3|3450233 |172.21.2.162 +null |3450233 |Connected to 10.1.0.3|3450233 |172.21.2.162 +null |725448 |Connection error |8268153 |172.21.3.15 +null |725448 |Connection error |8268153 |172.21.3.15 +; + + +multiIndexIndirectUseOfUnionTypesInInlineStats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_ts_long +| INLINESTATS foo = max(event_duration) +| SORT client_ip ASC, event_duration +| LIMIT 1 +; + +@timestamp:unsupported | client_ip:ip | event_duration:long | message:keyword | foo:long + null | 172.21.0.5 | 1232382 | Disconnected | 8268153 +; + +shortIntegerWideningInlinestats +required_capability: inlinestats_v11 + +FROM apps, apps_short +| EVAL id = id::integer +| INLINESTATS count=count() BY name, id +| KEEP id, name, count +| SORT id ASC, name ASC +| LIMIT 5 +; + +id:integer | name:keyword | count:long +1 |aaaaa |2 +1 |aaaaa |2 +2 |bbbbb |2 +2 |bbbbb |2 +3 |ccccc |2 +; + +ImplicitCastingMultiTypedFieldsInlinestats_ByNumeric +required_capability: inlinestats_v11 + +FROM employees, employees_incompatible +| INLINESTATS x=max(hire_date), y = min(hire_date) BY languages = languages::integer +| SORT languages +| KEEP emp_no, languages, x, y +| LIMIT 3 +; + +emp_no:unsupported|languages:integer| x:date_nanos | y:date_nanos +null |1 |1999-04-30T00:00:00.000Z|1985-02-18T00:00:00.000Z +null |1 |1999-04-30T00:00:00.000Z|1985-02-18T00:00:00.000Z +null |1 |1999-04-30T00:00:00.000Z|1985-02-18T00:00:00.000Z +; + +ImplicitCastingMultiTypedFieldsInlinestats_ByNumericWithFilter +required_capability: inlinestats_v11 + +FROM employees, employees_incompatible +| INLINESTATS x=max(hire_date) where hire_date < "1993-08-03", y = min(hire_date) where hire_date >= "1993-08-03" BY languages = languages::integer +| SORT languages +| LIMIT 3 +| KEEP emp_no, languages, x, y +; + +emp_no:unsupported|languages:integer| x:date_nanos | y:date_nanos +null |1 |1990-10-20T00:00:00.000Z|1994-05-21T00:00:00.000Z +null |1 |1990-10-20T00:00:00.000Z|1994-05-21T00:00:00.000Z +null |1 |1990-10-20T00:00:00.000Z|1994-05-21T00:00:00.000Z +; + +ImplicitCastingMultiTypedFieldsInlinestats_ByDateNanos +required_capability: inlinestats_v11 + +FROM employees, employees_incompatible +| INLINESTATS x=count(emp_no::long), y=avg(salary_change::double), z=max(height::double) BY hire_date +| EVAL y = round(y, 1), z = round(z, 1) +| KEEP x, y, z, hire_date +| SORT hire_date +| LIMIT 12 +; + + x:long | y:double | z:double | hire_date:date_nanos +2 |null |1.9 |1985-02-18T00:00:00.000Z +2 |null |1.9 |1985-02-18T00:00:00.000Z +2 |null |2.0 |1985-02-24T00:00:00.000Z +2 |null |2.0 |1985-02-24T00:00:00.000Z +2 |3.3 |2.0 |1985-05-13T00:00:00.000Z +2 |3.3 |2.0 |1985-05-13T00:00:00.000Z +2 |0.2 |1.8 |1985-07-09T00:00:00.000Z +2 |0.2 |1.8 |1985-07-09T00:00:00.000Z +2 |3.6 |1.5 |1985-09-17T00:00:00.000Z +2 |3.6 |1.5 |1985-09-17T00:00:00.000Z +2 |-5.9 |1.8 |1985-10-14T00:00:00.000Z +2 |-5.9 |1.8 |1985-10-14T00:00:00.000Z +; + +ImplicitCastingMultiTypedFieldsInlinestats_ByDateNanosWithFilter +required_capability: inlinestats_v11 + +FROM employees, employees_incompatible +| INLINESTATS x=count(emp_no::long) where hire_date > "1985-05-01", y=avg(salary_change::double) where hire_date > "1985-05-01", z=max(height::double) where hire_date > "1985-05-01" BY hire_date +| EVAL y = round(y, 1), z = round(z, 1) +| KEEP x, y, z, hire_date +| SORT hire_date +| LIMIT 10 +; + + x:long | y:double | z:double | hire_date:date_nanos +0 |null |null |1985-02-18T00:00:00.000Z +0 |null |null |1985-02-18T00:00:00.000Z +0 |null |null |1985-02-24T00:00:00.000Z +0 |null |null |1985-02-24T00:00:00.000Z +2 |3.3 |2.0 |1985-05-13T00:00:00.000Z +2 |3.3 |2.0 |1985-05-13T00:00:00.000Z +2 |0.2 |1.8 |1985-07-09T00:00:00.000Z +2 |0.2 |1.8 |1985-07-09T00:00:00.000Z +2 |3.6 |1.5 |1985-09-17T00:00:00.000Z +2 |3.6 |1.5 |1985-09-17T00:00:00.000Z +; + +ImplicitCastingMultiTypedMVFieldsInlinestats_MaxMin +required_capability: inlinestats_v11 + +FROM date_nanos, date_nanos_union_types +| INLINESTATS max = MAX(millis), min = MIN(nanos) +| SORT millis DESC +| LIMIT 5 +; + +warningRegex:evaluation of \[FROM .*date_nanos.*date_nanos_union_types.*\] failed, treating result as null. Only first 20 failures recorded. +warningRegex:java.lang.IllegalArgumentException: milliSeconds \[-1457696696640\] are before the epoch in 1970 and cannot be converted to nanoseconds + + millis:date_nanos | nanos:date_nanos | num:long | max:date_nanos | min:date_nanos +2023-10-23T13:55:01.543123456Z|2023-10-23T13:55:01.543Z |1698069301543123456|2023-10-23T13:55:01.543123456Z|2023-01-23T13:55:01.543Z +2023-10-23T13:55:01.543123456Z|2023-10-23T13:55:01.543Z |1698069301543123456|2023-10-23T13:55:01.543123456Z|2023-01-23T13:55:01.543Z +2023-10-23T13:55:01.543Z |2023-10-23T13:55:01.543123456Z|1698069301543123456|2023-10-23T13:55:01.543123456Z|2023-01-23T13:55:01.543Z +2023-10-23T13:53:55.832987654Z|2023-10-23T13:53:55.832Z |1698069235832987654|2023-10-23T13:55:01.543123456Z|2023-01-23T13:55:01.543Z +2023-10-23T13:53:55.832Z |2023-10-23T13:53:55.832987654Z|1698069235832987654|2023-10-23T13:55:01.543123456Z|2023-01-23T13:55:01.543Z +; + +ImplicitCastingMultiTypedMVFieldsInlinestats_Values +required_capability: inlinestats_v11 + +FROM date_nanos, date_nanos_union_types +| INLINESTATS c = MV_COUNT(VALUES(nanos)) +| SORT millis DESC +| LIMIT 5 +; + +warningRegex:evaluation of \[FROM .*date_nanos.*date_nanos_union_types.*\] failed, treating result as null. Only first 20 failures recorded. +warningRegex:java.lang.IllegalArgumentException: milliSeconds \[-1457696696640\] are before the epoch in 1970 and cannot be converted to nanoseconds + + millis:date_nanos | nanos:date_nanos | num:long | c:integer +2023-10-23T13:55:01.543123456Z|2023-10-23T13:55:01.543Z |1698069301543123456|19 +2023-10-23T13:55:01.543123456Z|2023-10-23T13:55:01.543Z |1698069301543123456|19 +2023-10-23T13:55:01.543Z |2023-10-23T13:55:01.543123456Z|1698069301543123456|19 +2023-10-23T13:53:55.832987654Z|2023-10-23T13:53:55.832Z |1698069235832987654|19 +2023-10-23T13:53:55.832Z |2023-10-23T13:53:55.832987654Z|1698069235832987654|19 +; + +ImplicitCastingMultiTypedDateTruncInlinestats_By-Ignore +required_capability: inlinestats_v11 +// https://github.com/elastic/elasticsearch/issues/133973 +// optimized incorrectly due to missing references [$$emp_no$converted_to$long{f$}# + +FROM employees, employees_incompatible +| KEEP emp_no, hire_date +| INLINESTATS c = count(emp_no::long) BY yr = DATE_TRUNC(1 year, hire_date) +| SORT yr DESC +| LIMIT 5 +; + +c:long | yr:date_nanos +2 | 1999-01-01T00:00:00.000Z +2 | 1997-01-01T00:00:00.000Z +2 | 1996-01-01T00:00:00.000Z +10 | 1995-01-01T00:00:00.000Z +8 | 1994-01-01T00:00:00.000Z +; + +ImplicitCastingMultiTypedDateTruncInlinestats_ByWithFilter-Ignore +required_capability: inlinestats_v11 +// https://github.com/elastic/elasticsearch/issues/133973 +// optimized incorrectly due to missing references [$$emp_no$converted_to$long{f$}# + +FROM employees, employees_incompatible +| KEEP emp_no, hire_date +| INLINESTATS c = count(emp_no::long) where hire_date > "1996-01-01" BY yr = DATE_TRUNC(1 year, hire_date) +| SORT yr DESC +| LIMIT 5 +; + +c:long | yr:date_nanos +2 | 1999-01-01T00:00:00.000Z +2 | 1997-01-01T00:00:00.000Z +2 | 1996-01-01T00:00:00.000Z +0 | 1995-01-01T00:00:00.000Z +0 | 1994-01-01T00:00:00.000Z +; + +ImplicitCastingMultiTypedDateTruncInlinestats_ByWithEval-Ignore +required_capability: inlinestats_v11 +// https://github.com/elastic/elasticsearch/issues/133973 +// optimized incorrectly due to missing references [$$emp_no$converted_to$long{f$}# + +FROM employees, employees_incompatible +| KEEP emp_no, hire_date +| EVAL yr = DATE_TRUNC(1 year, hire_date) +| INLINESTATS c = count(emp_no::long) BY yr +| SORT yr DESC +| LIMIT 5 +; + +c:long | yr:date_nanos +2 | 1999-01-01T00:00:00.000Z +2 | 1997-01-01T00:00:00.000Z +2 | 1996-01-01T00:00:00.000Z +10 | 1995-01-01T00:00:00.000Z +8 | 1994-01-01T00:00:00.000Z +; + +ImplicitCastingMultiTypedDateTruncInlinestats_ByWithEvalWithFilter-Ignore +required_capability: inlinestats_v11 +// https://github.com/elastic/elasticsearch/issues/133973 +// optimized incorrectly due to missing references [$$emp_no$converted_to$long{f$}# + +FROM employees, employees_incompatible +| KEEP emp_no, hire_date +| EVAL yr = DATE_TRUNC(1 year, hire_date) +| INLINESTATS c = count(emp_no::long) where hire_date > "1991-01-01" BY yr +| SORT yr DESC +| LIMIT 5 +; + +c:long | yr:date_nanos +2 | 1999-01-01T00:00:00.000Z +2 | 1997-01-01T00:00:00.000Z +2 | 1996-01-01T00:00:00.000Z +10 | 1995-01-01T00:00:00.000Z +8 | 1994-01-01T00:00:00.000Z +; + +ImplicitCastingMultiTypedBucketDateNanosByYear +required_capability: inlinestats_v11 + +FROM employees, employees_incompatible +| KEEP emp_no, hire_date, gender +| INLINESTATS c = count(*) BY yr = BUCKET(hire_date, 1 year) +| SORT yr DESC, c, hire_date +| LIMIT 10 +; + +emp_no:unsupported| hire_date:date_nanos |gender:unsupported| c:long | yr:date_nanos +null |1999-04-30T00:00:00.000Z|null |2 |1999-01-01T00:00:00.000Z +null |1999-04-30T00:00:00.000Z|null |2 |1999-01-01T00:00:00.000Z +null |1997-05-19T00:00:00.000Z|null |2 |1997-01-01T00:00:00.000Z +null |1997-05-19T00:00:00.000Z|null |2 |1997-01-01T00:00:00.000Z +null |1996-11-05T00:00:00.000Z|null |2 |1996-01-01T00:00:00.000Z +null |1996-11-05T00:00:00.000Z|null |2 |1996-01-01T00:00:00.000Z +null |1995-01-27T00:00:00.000Z|null |10 |1995-01-01T00:00:00.000Z +null |1995-01-27T00:00:00.000Z|null |10 |1995-01-01T00:00:00.000Z +null |1995-03-13T00:00:00.000Z|null |10 |1995-01-01T00:00:00.000Z +null |1995-03-13T00:00:00.000Z|null |10 |1995-01-01T00:00:00.000Z +; + +ImplicitCastingMultiTypedBucketDateNanosByYearWithFilter +required_capability: inlinestats_v11 + +FROM employees, employees_incompatible +| KEEP emp_no, hire_date, gender +| INLINESTATS c = count(*) where hire_date > "1995-02-01" BY yr = BUCKET(hire_date, 1 year) +| SORT yr DESC, c, hire_date +| LIMIT 10 +; + +emp_no:unsupported| hire_date:date_nanos |gender:unsupported| c:long | yr:date_nanos +null |1999-04-30T00:00:00.000Z|null |2 |1999-01-01T00:00:00.000Z +null |1999-04-30T00:00:00.000Z|null |2 |1999-01-01T00:00:00.000Z +null |1997-05-19T00:00:00.000Z|null |2 |1997-01-01T00:00:00.000Z +null |1997-05-19T00:00:00.000Z|null |2 |1997-01-01T00:00:00.000Z +null |1996-11-05T00:00:00.000Z|null |2 |1996-01-01T00:00:00.000Z +null |1996-11-05T00:00:00.000Z|null |2 |1996-01-01T00:00:00.000Z +null |1995-01-27T00:00:00.000Z|null |8 |1995-01-01T00:00:00.000Z +null |1995-01-27T00:00:00.000Z|null |8 |1995-01-01T00:00:00.000Z +null |1995-03-13T00:00:00.000Z|null |8 |1995-01-01T00:00:00.000Z +null |1995-03-13T00:00:00.000Z|null |8 |1995-01-01T00:00:00.000Z +; + +ImplicitCastingMultiTypedBucketDateNanosByMonth +required_capability: inlinestats_v11 + +FROM employees, employees_incompatible +| INLINESTATS c = count(*) BY mo = BUCKET(hire_date, 20, "1986-01-01", "1999-12-31") +| KEEP emp_no, hire_date, c, mo +| SORT mo DESC, c, hire_date +| LIMIT 10 +; + +emp_no:unsupported| hire_date:date_nanos | c:long | mo:date_nanos +null |1999-04-30T00:00:00.000Z|2 |1999-01-01T00:00:00.000Z +null |1999-04-30T00:00:00.000Z|2 |1999-01-01T00:00:00.000Z +null |1997-05-19T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z +null |1997-05-19T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z +null |1996-11-05T00:00:00.000Z|2 |1996-01-01T00:00:00.000Z +null |1996-11-05T00:00:00.000Z|2 |1996-01-01T00:00:00.000Z +null |1995-01-27T00:00:00.000Z|10 |1995-01-01T00:00:00.000Z +null |1995-01-27T00:00:00.000Z|10 |1995-01-01T00:00:00.000Z +null |1995-03-13T00:00:00.000Z|10 |1995-01-01T00:00:00.000Z +null |1995-03-13T00:00:00.000Z|10 |1995-01-01T00:00:00.000Z +; + +ImplicitCastingMultiTypedBucketDateNanos_In_BothInlinestats_AndBy +required_capability: inlinestats_v11 + +FROM employees, employees_incompatible +| INLINESTATS c = count(*), b = BUCKET(hire_date, 1 year) + 1 year BY yr = BUCKET(hire_date, 1 year) +| SORT yr DESC, c, hire_date +| KEEP emp_no, hire_date, c, b, yr +| LIMIT 10 +; + +emp_no:unsupported| hire_date:date_nanos | c:long | b:date_nanos | yr:date_nanos +null |1999-04-30T00:00:00.000Z|2 |2000-01-01T00:00:00.000Z|1999-01-01T00:00:00.000Z +null |1999-04-30T00:00:00.000Z|2 |2000-01-01T00:00:00.000Z|1999-01-01T00:00:00.000Z +null |1997-05-19T00:00:00.000Z|2 |1998-01-01T00:00:00.000Z|1997-01-01T00:00:00.000Z +null |1997-05-19T00:00:00.000Z|2 |1998-01-01T00:00:00.000Z|1997-01-01T00:00:00.000Z +null |1996-11-05T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z|1996-01-01T00:00:00.000Z +null |1996-11-05T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z|1996-01-01T00:00:00.000Z +null |1995-01-27T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z +null |1995-01-27T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z +null |1995-03-13T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z +null |1995-03-13T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z +; + +ImplicitCastingMultiTypedBucketDateNanos_In_BothInlinestats_AndByWithAlias +required_capability: inlinestats_v11 + +FROM employees, employees_incompatible +| KEEP emp_no, hire_date +| INLINESTATS c = count(*), b = yr + 1 year BY yr = BUCKET(hire_date, 1 year) +| SORT hire_date DESC +| LIMIT 10 +; + +emp_no:unsupported| hire_date:date_nanos | c:long | b:date_nanos | yr:date_nanos +null |1999-04-30T00:00:00.000Z|2 |2000-01-01T00:00:00.000Z|1999-01-01T00:00:00.000Z +null |1999-04-30T00:00:00.000Z|2 |2000-01-01T00:00:00.000Z|1999-01-01T00:00:00.000Z +null |1997-05-19T00:00:00.000Z|2 |1998-01-01T00:00:00.000Z|1997-01-01T00:00:00.000Z +null |1997-05-19T00:00:00.000Z|2 |1998-01-01T00:00:00.000Z|1997-01-01T00:00:00.000Z +null |1996-11-05T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z|1996-01-01T00:00:00.000Z +null |1996-11-05T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z|1996-01-01T00:00:00.000Z +null |1995-12-15T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z +null |1995-12-15T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z +null |1995-08-22T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z +null |1995-08-22T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z +; + +multiInlinestatsWithUnionTypes1 +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL one_ip = client_ip::ip +| INLINESTATS count1=count(client_ip::ip), count2=count(one_ip), max(one_ip), min(client_ip::ip) +| SORT @timestamp +| LIMIT 3 +; + + @timestamp:date |client_ip:unsupported|event_duration:long| message:keyword | one_ip:ip | count1:long| count2:long|max(one_ip):ip |min(client_ip::ip):ip +2023-10-23T12:15:03.360Z|null |3450233 |Connected to 10.1.0.3|172.21.2.162 |14 |14 |172.21.3.15 |172.21.0.5 +2023-10-23T12:15:03.360Z|null |3450233 |Connected to 10.1.0.3|172.21.2.162 |14 |14 |172.21.3.15 |172.21.0.5 +2023-10-23T12:27:28.948Z|null |2764889 |Connected to 10.1.0.2|172.21.2.113 |14 |14 |172.21.3.15 |172.21.0.5 +; + +multiInlinestatsWithUnionTypes2 +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL one_ip = client_ip::ip +| INLINESTATS count1=count(client_ip::ip), count2=count(one_ip), max=max(one_ip), min=min(client_ip::ip) +| RENAME one_ip AS client_ip +| INLINESTATS max(event_duration) BY client_ip +| SORT @timestamp +| LIMIT 5 +; + +@timestamp:date | event_duration:long | message:keyword | count1:long | count2:long | max:ip | min:ip | max(event_duration):long| client_ip:ip +2023-10-23T12:15:03.360Z| 3450233 | Connected to 10.1.0.3 | 14 | 14 | 172.21.3.15 | 172.21.0.5 | 3450233 | 172.21.2.162 +2023-10-23T12:15:03.360Z| 3450233 | Connected to 10.1.0.3 | 14 | 14 | 172.21.3.15 | 172.21.0.5 | 3450233 | 172.21.2.162 +2023-10-23T12:27:28.948Z| 2764889 | Connected to 10.1.0.2 | 14 | 14 | 172.21.3.15 | 172.21.0.5 | 2764889 | 172.21.2.113 +2023-10-23T12:27:28.948Z| 2764889 | Connected to 10.1.0.2 | 14 | 14 | 172.21.3.15 | 172.21.0.5 | 2764889 | 172.21.2.113 +2023-10-23T13:33:34.937Z| 1232382 | Disconnected | 14 | 14 | 172.21.3.15 | 172.21.0.5 | 1232382 | 172.21.0.5 +; + +multiInlinestatsWithUnionTypes3 +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL one_ip = client_ip::ip +| INLINESTATS avg_duration = AVG(event_duration) BY one_ip +| RENAME one_ip AS client_ip +| WHERE CIDR_MATCH(client_ip, "172.21.2.0/24") +| INLINESTATS count1=count(client_ip::ip), count2=count(client_ip), max=max(client_ip), min=min(client_ip::ip) +| INLINESTATS avg_total_duration = AVG(event_duration) +| SORT @timestamp +; + +@timestamp:date | event_duration:long| message:keyword | avg_duration:double| client_ip:ip | count1:long | count2:long | max:ip | min:ip | avg_total_duration:double +2023-10-23T12:15:03.360Z | 3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162 | 4 | 4 | 172.21.2.162 | 172.21.2.113 | 3107561.0 +2023-10-23T12:15:03.360Z | 3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162 | 4 | 4 | 172.21.2.162 | 172.21.2.113 | 3107561.0 +2023-10-23T12:27:28.948Z | 2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113 | 4 | 4 | 172.21.2.162 | 172.21.2.113 | 3107561.0 +2023-10-23T12:27:28.948Z | 2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113 | 4 | 4 | 172.21.2.162 | 172.21.2.113 | 3107561.0 +; + +unionTypeDroppedBeforeInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL one_ip = client_ip::ip +| DROP one_ip +| INLINESTATS avg(event_duration) BY client_ip::ip +| SORT @timestamp +; + +@timestamp:date | client_ip:unsupported | event_duration:long| message:keyword | avg(event_duration):double| client_ip::ip:ip +2023-10-23T12:15:03.360Z | null | 3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162 +2023-10-23T12:15:03.360Z | null | 3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162 +2023-10-23T12:27:28.948Z | null | 2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113 +2023-10-23T12:27:28.948Z | null | 2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113 +2023-10-23T13:33:34.937Z | null | 1232382 | Disconnected | 1232382.0 | 172.21.0.5 +2023-10-23T13:33:34.937Z | null | 1232382 | Disconnected | 1232382.0 | 172.21.0.5 +2023-10-23T13:51:54.732Z | null | 725448 | Connection error | 3945955.75 | 172.21.3.15 +2023-10-23T13:51:54.732Z | null | 725448 | Connection error | 3945955.75 | 172.21.3.15 +2023-10-23T13:52:55.015Z | null | 8268153 | Connection error | 3945955.75 | 172.21.3.15 +2023-10-23T13:52:55.015Z | null | 8268153 | Connection error | 3945955.75 | 172.21.3.15 +2023-10-23T13:53:55.832Z | null | 5033755 | Connection error | 3945955.75 | 172.21.3.15 +2023-10-23T13:53:55.832Z | null | 5033755 | Connection error | 3945955.75 | 172.21.3.15 +2023-10-23T13:55:01.543Z | null | 1756467 | Connected to 10.1.0.1 | 3945955.75 | 172.21.3.15 +2023-10-23T13:55:01.543Z | null | 1756467 | Connected to 10.1.0.1 | 3945955.75 | 172.21.3.15 +; + +inlinestatsWithUnionTypesAs_InlinestatsCondition +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL temp_ip = client_ip::ip +| EVAL ip1 = CIDR_MATCH(temp_ip, "172.21.2.0/24"), ip2 = CIDR_MATCH(temp_ip, "172.21.0.0/24"), ip3 = CIDR_MATCH(temp_ip, "172.21.3.0/24") +| EVAL client_ip = temp_ip +| INLINESTATS avg_ip1 = avg(event_duration) WHERE ip1 +| DROP client_ip +| INLINESTATS avg_ip2 = avg(event_duration) WHERE ip2, avg_ip3 = avg(event_duration) WHERE ip3 +| SORT @timestamp +| DROP @timestamp +; + +event_duration:long | message:keyword | temp_ip:ip | ip1:boolean | ip2:boolean | ip3:boolean | avg_ip1:double | avg_ip2:double | avg_ip3:double +3450233 | Connected to 10.1.0.3 | 172.21.2.162 | true | false | false | 3107561.0 | 1232382.0 | 3945955.75 +3450233 | Connected to 10.1.0.3 | 172.21.2.162 | true | false | false | 3107561.0 | 1232382.0 | 3945955.75 +2764889 | Connected to 10.1.0.2 | 172.21.2.113 | true | false | false | 3107561.0 | 1232382.0 | 3945955.75 +2764889 | Connected to 10.1.0.2 | 172.21.2.113 | true | false | false | 3107561.0 | 1232382.0 | 3945955.75 +1232382 | Disconnected | 172.21.0.5 | false | true | false | 3107561.0 | 1232382.0 | 3945955.75 +1232382 | Disconnected | 172.21.0.5 | false | true | false | 3107561.0 | 1232382.0 | 3945955.75 +725448 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75 +725448 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75 +8268153 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75 +8268153 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75 +5033755 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75 +5033755 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75 +1756467 | Connected to 10.1.0.1 | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75 +1756467 | Connected to 10.1.0.1 | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75 +; + +inlinestatsWithOverwrittenUnionType +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL client_ip = client_ip::ip +| EVAL client_ip = 123 +| INLINESTATS a = avg(event_duration) BY client_ip::integer +| SORT @timestamp +; + +@timestamp:date | event_duration:long | message:keyword | client_ip:integer | a:double | client_ip::integer:integer +2023-10-23T12:15:03.360Z | 3450233 | Connected to 10.1.0.3 | 123 | 3318761.0 | 123 +2023-10-23T12:15:03.360Z | 3450233 | Connected to 10.1.0.3 | 123 | 3318761.0 | 123 +2023-10-23T12:27:28.948Z | 2764889 | Connected to 10.1.0.2 | 123 | 3318761.0 | 123 +2023-10-23T12:27:28.948Z | 2764889 | Connected to 10.1.0.2 | 123 | 3318761.0 | 123 +2023-10-23T13:33:34.937Z | 1232382 | Disconnected | 123 | 3318761.0 | 123 +2023-10-23T13:33:34.937Z | 1232382 | Disconnected | 123 | 3318761.0 | 123 +2023-10-23T13:51:54.732Z | 725448 | Connection error | 123 | 3318761.0 | 123 +2023-10-23T13:51:54.732Z | 725448 | Connection error | 123 | 3318761.0 | 123 +2023-10-23T13:52:55.015Z | 8268153 | Connection error | 123 | 3318761.0 | 123 +2023-10-23T13:52:55.015Z | 8268153 | Connection error | 123 | 3318761.0 | 123 +2023-10-23T13:53:55.832Z | 5033755 | Connection error | 123 | 3318761.0 | 123 +2023-10-23T13:53:55.832Z | 5033755 | Connection error | 123 | 3318761.0 | 123 +2023-10-23T13:55:01.543Z | 1756467 | Connected to 10.1.0.1 | 123 | 3318761.0 | 123 +2023-10-23T13:55:01.543Z | 1756467 | Connected to 10.1.0.1 | 123 | 3318761.0 | 123 +; + +overwriteAndDropUnionTypeBeforeInlinestats +required_capability: inlinestats_v11 + +FROM sample_data, sample_data_str +| EVAL temp = client_ip::string +| EVAL client_ip = temp +| DROP temp +| INLINESTATS avg(event_duration) BY client_ip +| SORT @timestamp +| DROP @timestamp +; + +event_duration:long| message:keyword | avg(event_duration):double| client_ip:string +3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162 +3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162 +2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113 +2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113 +1232382 | Disconnected | 1232382.0 | 172.21.0.5 +1232382 | Disconnected | 1232382.0 | 172.21.0.5 +725448 | Connection error | 3945955.75 | 172.21.3.15 +725448 | Connection error | 3945955.75 | 172.21.3.15 +8268153 | Connection error | 3945955.75 | 172.21.3.15 +8268153 | Connection error | 3945955.75 | 172.21.3.15 +5033755 | Connection error | 3945955.75 | 172.21.3.15 +5033755 | Connection error | 3945955.75 | 172.21.3.15 +1756467 | Connected to 10.1.0.1 | 3945955.75 | 172.21.3.15 +1756467 | Connected to 10.1.0.1 | 3945955.75 | 172.21.3.15 +; diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/union_types.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/union_types.csv-spec index f87a96f65fd26..70109916e813d 100644 --- a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/union_types.csv-spec +++ b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/union_types.csv-spec @@ -1398,62 +1398,6 @@ event_duration:long | _index:keyword | ts:date | ts_str: ; -inlineStatsUnionGroup-Ignore -required_capability: union_types -required_capability: inlinestats - -FROM sample_data, sample_data_ts_long -| INLINESTATS count = COUNT(*) - BY @timestamp = SUBSTRING(TO_STRING(@timestamp), 0, 7) -| SORT client_ip ASC, @timestamp ASC -| LIMIT 4 -; - -client_ip:ip | event_duration:long | message:keyword | @timestamp:keyword | count:long - 172.21.0.5 | 1232382 | Disconnected | 1698068 | 1 - 172.21.0.5 | 1232382 | Disconnected | 2023-10 | 7 -172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 1698064 | 1 -172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 2023-10 | 7 -; - -inlineStatsUnionGroupWithEval-Ignore -required_capability: union_types -required_capability: inlinestats - -FROM sample_data, sample_data_ts_long -| EVAL @timestamp = SUBSTRING(TO_STRING(@timestamp), 0, 7) -| INLINESTATS count = COUNT(*) BY @timestamp -| SORT client_ip ASC, @timestamp ASC -| LIMIT 4 -; - -client_ip:ip | event_duration:long | message:keyword | @timestamp:keyword | count:long - 172.21.0.5 | 1232382 | Disconnected | 1698068 | 1 - 172.21.0.5 | 1232382 | Disconnected | 2023-10 | 7 -172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 1698064 | 1 -172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 2023-10 | 7 -; - -inlineStatsUnionGroupTogether-Ignore -required_capability: union_types -required_capability: inlinestats - -FROM sample_data, sample_data_ts_long -| INLINESTATS count = COUNT(*) - BY @timestamp = TO_STRING(TO_DATETIME(@timestamp)) -| SORT client_ip ASC, @timestamp ASC -| LIMIT 4 -; - -client_ip:ip | event_duration:long | message:keyword | @timestamp:keyword | count:long - 172.21.0.5 | 1232382 | Disconnected | 2023-10-23T13:33:34.937Z | 2 - 172.21.0.5 | 1232382 | Disconnected | 2023-10-23T13:33:34.937Z | 2 -172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 2023-10-23T12:27:28.948Z | 2 -172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 2023-10-23T12:27:28.948Z | 2 -; - -# Once INLINESTATS supports expressions in agg functions and groups, convert the group in the inlinestats - multiIndexIndirectUseOfUnionTypesInSort required_capability: union_types FROM sample_data, sample_data_ts_long @@ -1628,18 +1572,6 @@ foo:long | client_ip:ip 8268153 | 172.21.3.15 ; -multiIndexIndirectUseOfUnionTypesInInlineStats-Ignore -required_capability: union_types -required_capability: inlinestats -FROM sample_data, sample_data_ts_long -| INLINESTATS foo = max(event_duration) -| SORT client_ip ASC -| LIMIT 1 -; - -@timestamp:unsupported | client_ip:ip | event_duration:long | message:keyword | foo:long - null | 172.21.0.5 | 1232382 | Disconnected | 8268153 -; multiIndexIndirectUseOfUnionTypesInLookup-Ignore required_capability: union_types