diff --git a/docs/reference/query-languages/esql/_snippets/functions/description/delta.md b/docs/reference/query-languages/esql/_snippets/functions/description/delta.md
index 3f671ca39a6b4..f77e8f3b2b0f4 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/description/delta.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/description/delta.md
@@ -4,8 +4,3 @@
 Calculates the absolute change of a gauge field in a time window.
-::::{note}
-Available with the [TS](/reference/query-languages/esql/commands/source-commands.md#esql-ts) command
-::::
-
-
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/absent_over_time.md b/docs/reference/query-languages/esql/_snippets/functions/examples/absent_over_time.md
index 6071f68cee62f..eac7733cbd53e 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/absent_over_time.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/absent_over_time.md
@@ -5,7 +5,7 @@
 ```esql
 TS k8s
 | WHERE cluster == "prod" AND pod == "two"
-| STATS events_received = max(absent_over_time(events_received)) BY pod, time_bucket = tbucket(2 minute)
+| STATS events_received = MAX(ABSENT_OVER_TIME(events_received)) BY pod, time_bucket = TBUCKET(2 minute)
 ```
 | events_received:boolean | pod:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/avg_over_time.md b/docs/reference/query-languages/esql/_snippets/functions/examples/avg_over_time.md
index 7373fba4d0b0b..9eec7c3660568 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/avg_over_time.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/avg_over_time.md
@@ -4,7 +4,7 @@
 ```esql
 TS k8s
-| STATS max_cost=max(avg_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)
+| STATS max_cost=MAX(AVG_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)
 ```
 | max_cost:double | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/count_distinct_over_time.md b/docs/reference/query-languages/esql/_snippets/functions/examples/count_distinct_over_time.md
index e1c04d11d1f2e..92ddb6d7c9ca0 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/count_distinct_over_time.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/count_distinct_over_time.md
@@ -4,9 +4,9 @@
 ```esql
 TS k8s
-| STATS distincts=count_distinct(count_distinct_over_time(network.cost)),
- distincts_imprecise=count_distinct(count_distinct_over_time(network.cost, 100))
- BY cluster, time_bucket = bucket(@timestamp,1minute)
+| STATS distincts=COUNT_DISTINCT(COUNT_DISTINCT_OVER_TIME(network.cost)),
+ distincts_imprecise=COUNT_DISTINCT(COUNT_DISTINCT_OVER_TIME(network.cost, 100))
+ BY cluster, time_bucket = TBUCKET(1minute)
 ```
 | distincts:long | distincts_imprecise:long | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/count_over_time.md b/docs/reference/query-languages/esql/_snippets/functions/examples/count_over_time.md
index 69fec88506723..d6eee7c5ae37a 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/count_over_time.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/count_over_time.md
@@ -4,8 +4,8 @@
 ```esql
 TS k8s
-| STATS count=count(count_over_time(network.cost))
- BY cluster, time_bucket = bucket(@timestamp,1minute)
+| STATS count=COUNT(COUNT_OVER_TIME(network.cost))
+ BY cluster, time_bucket = BUCKET(@timestamp,1minute)
 ```
 | count:long | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/delta.md b/docs/reference/query-languages/esql/_snippets/functions/examples/delta.md
index 2ce7829aa9ea5..dceb6cb844e8e 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/delta.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/delta.md
@@ -5,7 +5,7 @@
 ```esql
 TS k8s
 | WHERE pod == "one"
-| STATS tx = sum(delta(network.bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute)
+| STATS tx = SUM(DELTA(network.bytes_in)) BY cluster, time_bucket = TBUCKET(10minute)
 ```
 | tx:double | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/first_over_time.md b/docs/reference/query-languages/esql/_snippets/functions/examples/first_over_time.md
index d651614647250..5027037714e7e 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/first_over_time.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/first_over_time.md
@@ -4,7 +4,7 @@
 ```esql
 TS k8s
-| STATS max_cost=max(first_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)
+| STATS max_cost=MAX(FIRST_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)
 ```
 | max_cost:double | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/idelta.md b/docs/reference/query-languages/esql/_snippets/functions/examples/idelta.md
index 66de049e6b06b..196967b7a87ec 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/idelta.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/idelta.md
@@ -4,7 +4,7 @@
 ```esql
 TS k8s
-| STATS events = sum(idelta(events_received)) by pod, time_bucket = bucket(@timestamp, 10minute)
+| STATS events = SUM(IDELTA(events_received)) by pod, time_bucket = TBUCKET(10minute)
 ```
 | events:double | pod:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/increase.md b/docs/reference/query-languages/esql/_snippets/functions/examples/increase.md
index 0c2a97f9c9de8..6119b77766a91 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/increase.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/increase.md
@@ -5,7 +5,7 @@
 ```esql
 TS k8s
 | WHERE pod == "one"
-| STATS increase_bytes_in = sum(increase(network.total_bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute)
+| STATS increase_bytes_in = SUM(INCREASE(network.total_bytes_in)) BY cluster, time_bucket = TBUCKET(10minute)
 ```
 | increase_bytes_in:double | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/irate.md b/docs/reference/query-languages/esql/_snippets/functions/examples/irate.md
index 2c119934d61e0..2c039a7e5c2a8 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/irate.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/irate.md
@@ -4,7 +4,7 @@
 ```esql
 TS k8s | WHERE pod == "one"
-| STATS irate_bytes_in = sum(irate(network.total_bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute)
+| STATS irate_bytes_in = SUM(IRATE(network.total_bytes_in)) BY cluster, time_bucket = TBUCKET(10minute)
 ```
 | irate_bytes_in:double | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/last_over_time.md b/docs/reference/query-languages/esql/_snippets/functions/examples/last_over_time.md
index 358b56d97dfa3..566018ea4fa92 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/last_over_time.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/last_over_time.md
@@ -4,7 +4,7 @@
 ```esql
 TS k8s
-| STATS max_cost=max(last_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)
+| STATS max_cost=MAX(LAST_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)
 ```
 | max_cost:double | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/max_over_time.md b/docs/reference/query-languages/esql/_snippets/functions/examples/max_over_time.md
index 99e56c16be205..af3b3747418a2 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/max_over_time.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/max_over_time.md
@@ -4,7 +4,7 @@
 ```esql
 TS k8s
-| STATS cost=sum(max_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)
+| STATS cost=SUM(MAX_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)
 ```
 | cost:double | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/min_over_time.md b/docs/reference/query-languages/esql/_snippets/functions/examples/min_over_time.md
index e75f0417f1e9f..5f051c22cc5fa 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/min_over_time.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/min_over_time.md
@@ -4,7 +4,7 @@
 ```esql
 TS k8s
-| STATS cost=sum(min_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)
+| STATS cost=SUM(MIN_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)
 ```
 | cost:double | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/present_over_time.md b/docs/reference/query-languages/esql/_snippets/functions/examples/present_over_time.md
index 62062133386c8..261f389594ca3 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/present_over_time.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/present_over_time.md
@@ -5,7 +5,7 @@
 ```esql
 TS k8s
 | WHERE cluster == "prod" AND pod == "two"
-| STATS events_received = max(present_over_time(events_received)) BY pod, time_bucket = tbucket(2 minute)
+| STATS events_received = MAX(PRESENT_OVER_TIME(events_received)) BY pod, time_bucket = TBUCKET(2 minute)
 ```
 | events_received:boolean | pod:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/rate.md b/docs/reference/query-languages/esql/_snippets/functions/examples/rate.md
index e1cf5b0fb29c1..adf8979fa1337 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/rate.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/rate.md
@@ -4,10 +4,10 @@
 ```esql
 TS k8s
-| STATS max(rate(network.total_bytes_in)) BY time_bucket = bucket(@timestamp,5minute)
+| STATS max_rate=MAX(RATE(network.total_bytes_in)) BY time_bucket = TBUCKET(5minute)
 ```
-| max(rate(network.total_bytes_in)): double | time_bucket:date |
+| max_rate: double | time_bucket:date |
 | --- | --- |
 | 6.980660660660663 | 2024-05-10T00:20:00.000Z |
 | 23.702205882352942 | 2024-05-10T00:15:00.000Z |
diff --git a/docs/reference/query-languages/esql/_snippets/functions/examples/sum_over_time.md b/docs/reference/query-languages/esql/_snippets/functions/examples/sum_over_time.md
index e68f2c9acaeba..0e5ecbeaba895 100644
--- a/docs/reference/query-languages/esql/_snippets/functions/examples/sum_over_time.md
+++ b/docs/reference/query-languages/esql/_snippets/functions/examples/sum_over_time.md
@@ -4,7 +4,7 @@
 ```esql
 TS k8s
-| STATS sum_cost=sum(sum_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)
+| STATS sum_cost=SUM(SUM_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)
 ```
 | sum_cost:double | cluster:keyword | time_bucket:datetime |
diff --git a/docs/reference/query-languages/esql/_snippets/lists/time-series-aggregation-functions.md b/docs/reference/query-languages/esql/_snippets/lists/time-series-aggregation-functions.md
index 802efda2a8042..e7d60ba0ec007 100644
--- a/docs/reference/query-languages/esql/_snippets/lists/time-series-aggregation-functions.md
+++ b/docs/reference/query-languages/esql/_snippets/lists/time-series-aggregation-functions.md
@@ -2,7 +2,11 @@
 * {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`AVG_OVER_TIME`](../../functions-operators/time-series-aggregation-functions.md#esql-avg_over_time)
 * {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`COUNT_OVER_TIME`](../../functions-operators/time-series-aggregation-functions.md#esql-count_over_time)
 * {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`COUNT_DISTINCT_OVER_TIME`](../../functions-operators/time-series-aggregation-functions.md#esql-count_distinct_over_time)
+* {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`DELTA`](../../functions-operators/time-series-aggregation-functions.md#esql-rate)
 * {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`FIRST_OVER_TIME`](../../functions-operators/time-series-aggregation-functions.md#esql-first_over_time)
+* {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`IDELTA`](../../functions-operators/time-series-aggregation-functions.md#esql-rate)
+* {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`INCREASE`](../../functions-operators/time-series-aggregation-functions.md#esql-rate)
+* {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`IRATE`](../../functions-operators/time-series-aggregation-functions.md#esql-rate)
 * {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`LAST_OVER_TIME`](../../functions-operators/time-series-aggregation-functions.md#esql-last_over_time)
 * {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`MAX_OVER_TIME`](../../functions-operators/time-series-aggregation-functions.md#esql-max_over_time)
 * {applies_to}`stack: preview 9.2` {applies_to}`serverless: preview` [`MIN_OVER_TIME`](../../functions-operators/time-series-aggregation-functions.md#esql-min_over_time)
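Review bot: The four added list entries for `DELTA`, `IDELTA`, `INCREASE` and `IRATE` all link to the `#esql-rate` anchor, so each of them would land on the RATE section instead of its own function. Every unchanged entry in this list uses an anchor that matches its function name (`#esql-first_over_time`, `#esql-last_over_time`), which suggests the new ones should be `#esql-delta`, `#esql-idelta`, `#esql-increase` and `#esql-irate`. The layout snippets that define those anchors are not part of this diff, so confirm the ids there before changing the links.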
diff --git a/docs/reference/query-languages/esql/functions-operators/time-series-aggregation-functions.md b/docs/reference/query-languages/esql/functions-operators/time-series-aggregation-functions.md
index b3c49ff40b0ee..25ad2a62f21a6 100644
--- a/docs/reference/query-languages/esql/functions-operators/time-series-aggregation-functions.md
+++ b/docs/reference/query-languages/esql/functions-operators/time-series-aggregation-functions.md
@@ -25,9 +25,21 @@ supports the following time series aggregation functions:
 :::{include} ../_snippets/functions/layout/count_distinct_over_time.md
 :::
+:::{include} ../_snippets/functions/layout/delta.md
+:::
+
 :::{include} ../_snippets/functions/layout/first_over_time.md
 :::
+:::{include} ../_snippets/functions/layout/idelta.md
+:::
+
+:::{include} ../_snippets/functions/layout/increase.md
+:::
+
+:::{include} ../_snippets/functions/layout/irate.md
+:::
+
 :::{include} ../_snippets/functions/layout/last_over_time.md
 :::
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/absent_over_time.json b/docs/reference/query-languages/esql/kibana/definition/functions/absent_over_time.json
index 688871709a85f..4f580ab9445b8 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/absent_over_time.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/absent_over_time.json
@@ -234,7 +234,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| WHERE cluster == \"prod\" AND pod == \"two\"\n| STATS events_received = max(absent_over_time(events_received)) BY pod, time_bucket = tbucket(2 minute)"
+ "TS k8s\n| WHERE cluster == \"prod\" AND pod == \"two\"\n| STATS events_received = MAX(ABSENT_OVER_TIME(events_received)) BY pod, time_bucket = TBUCKET(2 minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/avg_over_time.json b/docs/reference/query-languages/esql/kibana/definition/functions/avg_over_time.json
index b2ed1adf2b2b8..90b19e1b2b69c 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/avg_over_time.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/avg_over_time.json
@@ -54,7 +54,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| STATS max_cost=max(avg_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)"
+ "TS k8s\n| STATS max_cost=MAX(AVG_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/count_distinct_over_time.json b/docs/reference/query-languages/esql/kibana/definition/functions/count_distinct_over_time.json
index 0d3204f99270b..708d8ce8b4e57 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/count_distinct_over_time.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/count_distinct_over_time.json
@@ -666,7 +666,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| STATS distincts=count_distinct(count_distinct_over_time(network.cost)),\n distincts_imprecise=count_distinct(count_distinct_over_time(network.cost, 100))\n BY cluster, time_bucket = bucket(@timestamp,1minute)"
+ "TS k8s\n| STATS distincts=COUNT_DISTINCT(COUNT_DISTINCT_OVER_TIME(network.cost)),\n distincts_imprecise=COUNT_DISTINCT(COUNT_DISTINCT_OVER_TIME(network.cost, 100))\n BY cluster, time_bucket = TBUCKET(1minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/count_over_time.json b/docs/reference/query-languages/esql/kibana/definition/functions/count_over_time.json
index 57f40e8c6291e..1213eb2e84340 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/count_over_time.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/count_over_time.json
@@ -234,7 +234,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| STATS count=count(count_over_time(network.cost))\n BY cluster, time_bucket = bucket(@timestamp,1minute)"
+ "TS k8s\n| STATS count=COUNT(COUNT_OVER_TIME(network.cost))\n BY cluster, time_bucket = BUCKET(@timestamp,1minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/delta.json b/docs/reference/query-languages/esql/kibana/definition/functions/delta.json
index 257cfd79c92e1..8624245635be5 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/delta.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/delta.json
@@ -3,7 +3,6 @@
 "type" : "time_series_agg",
 "name" : "delta",
 "description" : "Calculates the absolute change of a gauge field in a time window.",
- "note" : "Available with the TS command",
 "signatures" : [
 {
 "params" : [
@@ -43,7 +42,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| WHERE pod == \"one\"\n| STATS tx = sum(delta(network.bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute)"
+ "TS k8s\n| WHERE pod == \"one\"\n| STATS tx = SUM(DELTA(network.bytes_in)) BY cluster, time_bucket = TBUCKET(10minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/first_over_time.json b/docs/reference/query-languages/esql/kibana/definition/functions/first_over_time.json
index 33761fcf1e13a..626af23d0bc2f 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/first_over_time.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/first_over_time.json
@@ -78,7 +78,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| STATS max_cost=max(first_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)"
+ "TS k8s\n| STATS max_cost=MAX(FIRST_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/idelta.json b/docs/reference/query-languages/esql/kibana/definition/functions/idelta.json
index 35e5c0d1b3a2b..58836d122e83e 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/idelta.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/idelta.json
@@ -42,7 +42,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| STATS events = sum(idelta(events_received)) by pod, time_bucket = bucket(@timestamp, 10minute)"
+ "TS k8s\n| STATS events = SUM(IDELTA(events_received)) by pod, time_bucket = TBUCKET(10minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/increase.json b/docs/reference/query-languages/esql/kibana/definition/functions/increase.json
index 392502d89e278..4e174a4c9471a 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/increase.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/increase.json
@@ -42,7 +42,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| WHERE pod == \"one\"\n| STATS increase_bytes_in = sum(increase(network.total_bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute)"
+ "TS k8s\n| WHERE pod == \"one\"\n| STATS increase_bytes_in = SUM(INCREASE(network.total_bytes_in)) BY cluster, time_bucket = TBUCKET(10minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/irate.json b/docs/reference/query-languages/esql/kibana/definition/functions/irate.json
index c164d5a4f2b96..59c7d4ccf83f3 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/irate.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/irate.json
@@ -42,7 +42,7 @@
 }
 ],
 "examples" : [
- "TS k8s | WHERE pod == \"one\"\n| STATS irate_bytes_in = sum(irate(network.total_bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute)"
+ "TS k8s | WHERE pod == \"one\"\n| STATS irate_bytes_in = SUM(IRATE(network.total_bytes_in)) BY cluster, time_bucket = TBUCKET(10minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/last_over_time.json b/docs/reference/query-languages/esql/kibana/definition/functions/last_over_time.json
index 62f2afda7b34d..a79370852adb8 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/last_over_time.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/last_over_time.json
@@ -78,7 +78,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| STATS max_cost=max(last_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)"
+ "TS k8s\n| STATS max_cost=MAX(LAST_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/max_over_time.json b/docs/reference/query-languages/esql/kibana/definition/functions/max_over_time.json
index b6a6eb0eee4b6..c77e666ff1f8e 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/max_over_time.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/max_over_time.json
@@ -150,7 +150,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| STATS cost=sum(max_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)"
+ "TS k8s\n| STATS cost=SUM(MAX_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/min_over_time.json b/docs/reference/query-languages/esql/kibana/definition/functions/min_over_time.json
index c307a859ce4e8..3ce782c9dce76 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/min_over_time.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/min_over_time.json
@@ -150,7 +150,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| STATS cost=sum(min_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)"
+ "TS k8s\n| STATS cost=SUM(MIN_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/present_over_time.json b/docs/reference/query-languages/esql/kibana/definition/functions/present_over_time.json
index 94c28bfc14a73..087a2c2190318 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/present_over_time.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/present_over_time.json
@@ -234,7 +234,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| WHERE cluster == \"prod\" AND pod == \"two\"\n| STATS events_received = max(present_over_time(events_received)) BY pod, time_bucket = tbucket(2 minute)"
+ "TS k8s\n| WHERE cluster == \"prod\" AND pod == \"two\"\n| STATS events_received = MAX(PRESENT_OVER_TIME(events_received)) BY pod, time_bucket = TBUCKET(2 minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/rate.json b/docs/reference/query-languages/esql/kibana/definition/functions/rate.json
index 9468b7f113ec4..a1458e9e57ea3 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/rate.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/rate.json
@@ -42,7 +42,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| STATS max(rate(network.total_bytes_in)) BY time_bucket = bucket(@timestamp,5minute)"
+ "TS k8s\n| STATS max_rate=MAX(RATE(network.total_bytes_in)) BY time_bucket = TBUCKET(5minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/definition/functions/sum_over_time.json b/docs/reference/query-languages/esql/kibana/definition/functions/sum_over_time.json
index 241659ad462df..d0c130cd229af 100644
--- a/docs/reference/query-languages/esql/kibana/definition/functions/sum_over_time.json
+++ b/docs/reference/query-languages/esql/kibana/definition/functions/sum_over_time.json
@@ -54,7 +54,7 @@
 }
 ],
 "examples" : [
- "TS k8s\n| STATS sum_cost=sum(sum_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)"
+ "TS k8s\n| STATS sum_cost=SUM(SUM_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)"
 ],
 "preview" : true,
 "snapshot_only" : false
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/absent_over_time.md b/docs/reference/query-languages/esql/kibana/docs/functions/absent_over_time.md
index 079cae1583906..c94e93ccab84c 100644
--- a/docs/reference/query-languages/esql/kibana/docs/functions/absent_over_time.md
+++ b/docs/reference/query-languages/esql/kibana/docs/functions/absent_over_time.md
@@ -6,5 +6,5 @@ Calculates the absence of a field in the output result over time range.
 ```esql
 TS k8s
 | WHERE cluster == "prod" AND pod == "two"
-| STATS events_received = max(absent_over_time(events_received)) BY pod, time_bucket = tbucket(2 minute)
+| STATS events_received = MAX(ABSENT_OVER_TIME(events_received)) BY pod, time_bucket = TBUCKET(2 minute)
 ```
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/avg_over_time.md b/docs/reference/query-languages/esql/kibana/docs/functions/avg_over_time.md
index 54937b3322eb6..eb9c6c93e3fbb 100644
--- a/docs/reference/query-languages/esql/kibana/docs/functions/avg_over_time.md
+++ b/docs/reference/query-languages/esql/kibana/docs/functions/avg_over_time.md
@@ -5,5 +5,5 @@ Calculates the average over time of a numeric field.
 ```esql
 TS k8s
-| STATS max_cost=max(avg_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute)
+| STATS max_cost=MAX(AVG_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute)
 ```
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/count_distinct_over_time.md b/docs/reference/query-languages/esql/kibana/docs/functions/count_distinct_over_time.md
index 4d7b065a29365..4838fff3187b7 100644
--- a/docs/reference/query-languages/esql/kibana/docs/functions/count_distinct_over_time.md
+++ b/docs/reference/query-languages/esql/kibana/docs/functions/count_distinct_over_time.md
@@ -5,7 +5,7 @@ Calculates the count of distinct values over time for a field.
 ```esql
 TS k8s
-| STATS distincts=count_distinct(count_distinct_over_time(network.cost)),
- distincts_imprecise=count_distinct(count_distinct_over_time(network.cost, 100))
- BY cluster, time_bucket = bucket(@timestamp,1minute)
+| STATS distincts=COUNT_DISTINCT(COUNT_DISTINCT_OVER_TIME(network.cost)),
+ distincts_imprecise=COUNT_DISTINCT(COUNT_DISTINCT_OVER_TIME(network.cost, 100))
+ BY cluster, time_bucket = TBUCKET(1minute)
 ```
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/count_over_time.md b/docs/reference/query-languages/esql/kibana/docs/functions/count_over_time.md
index 2c30528cb9653..f830397a60b12 100644
--- a/docs/reference/query-languages/esql/kibana/docs/functions/count_over_time.md
+++ b/docs/reference/query-languages/esql/kibana/docs/functions/count_over_time.md
@@ -5,6 +5,6 @@ Calculates the count over time value of a field. ```esql TS k8s -| STATS count=count(count_over_time(network.cost)) - BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS count=COUNT(COUNT_OVER_TIME(network.cost)) + BY cluster, time_bucket = BUCKET(@timestamp,1minute) ``` diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/delta.md b/docs/reference/query-languages/esql/kibana/docs/functions/delta.md index ccc36929a2579..fff5a92ebf6c9 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/delta.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/delta.md @@ -3,10 +3,8 @@ ### DELTA Calculates the absolute change of a gauge field in a time window. -Note: Available with the [TS](https://www.elastic.co/docs/reference/query-languages/esql/commands/source-commands#esql-ts) command - ```esql TS k8s | WHERE pod == "one" -| STATS tx = sum(delta(network.bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute) +| STATS tx = SUM(DELTA(network.bytes_in)) BY cluster, time_bucket = TBUCKET(10minute) ``` diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/first_over_time.md b/docs/reference/query-languages/esql/kibana/docs/functions/first_over_time.md index 6dace45bf6ec1..1d4dc5bae87d6 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/first_over_time.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/first_over_time.md @@ -5,5 +5,5 @@ Calculates the earliest value of a field, where recency determined by the `@time ```esql TS k8s -| STATS max_cost=max(first_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS max_cost=MAX(FIRST_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) ``` diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/idelta.md b/docs/reference/query-languages/esql/kibana/docs/functions/idelta.md index 046984e3bf09f..a1f6127c4a906 100644 
--- a/docs/reference/query-languages/esql/kibana/docs/functions/idelta.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/idelta.md @@ -5,5 +5,5 @@ Calculates the idelta of a gauge. idelta is the absolute change between the last ```esql TS k8s -| STATS events = sum(idelta(events_received)) by pod, time_bucket = bucket(@timestamp, 10minute) +| STATS events = SUM(IDELTA(events_received)) by pod, time_bucket = TBUCKET(10minute) ``` diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/increase.md b/docs/reference/query-languages/esql/kibana/docs/functions/increase.md index 9aaa59619d8e2..b4dea78c8042f 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/increase.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/increase.md @@ -6,5 +6,5 @@ Calculates the absolute increase of a counter field in a time window. ```esql TS k8s | WHERE pod == "one" -| STATS increase_bytes_in = sum(increase(network.total_bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute) +| STATS increase_bytes_in = SUM(INCREASE(network.total_bytes_in)) BY cluster, time_bucket = TBUCKET(10minute) ``` diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/irate.md b/docs/reference/query-languages/esql/kibana/docs/functions/irate.md index d80ec203cb999..72ee8099536a1 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/irate.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/irate.md @@ -5,5 +5,5 @@ Calculates the irate of a counter field. irate is the per-second rate of increas ```esql TS k8s | WHERE pod == "one" -| STATS irate_bytes_in = sum(irate(network.total_bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute) +| STATS irate_bytes_in = SUM(IRATE(network.total_bytes_in)) BY cluster, time_bucket = TBUCKET(10minute) ``` 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/last_over_time.md b/docs/reference/query-languages/esql/kibana/docs/functions/last_over_time.md index 7c86922ea729e..ee0d0cefea4e1 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/last_over_time.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/last_over_time.md @@ -5,5 +5,5 @@ Calculates the latest value of a field, where recency determined by the `@timest ```esql TS k8s -| STATS max_cost=max(last_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS max_cost=MAX(LAST_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) ``` diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/max_over_time.md b/docs/reference/query-languages/esql/kibana/docs/functions/max_over_time.md index c36d52de9249d..7fcffdc015388 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/max_over_time.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/max_over_time.md @@ -5,5 +5,5 @@ Calculates the maximum over time value of a field. ```esql TS k8s -| STATS cost=sum(max_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS cost=SUM(MAX_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) ``` diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/min_over_time.md b/docs/reference/query-languages/esql/kibana/docs/functions/min_over_time.md index 544c02e4c78e5..87644f9488525 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/min_over_time.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/min_over_time.md @@ -5,5 +5,5 @@ Calculates the minimum over time value of a field. ```esql TS k8s -| STATS cost=sum(min_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS cost=SUM(MIN_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) ``` 
diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/present_over_time.md b/docs/reference/query-languages/esql/kibana/docs/functions/present_over_time.md index d799da62ba628..089d26e2fcc95 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/present_over_time.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/present_over_time.md @@ -6,5 +6,5 @@ Calculates the presence of a field in the output result over time range. ```esql TS k8s | WHERE cluster == "prod" AND pod == "two" -| STATS events_received = max(present_over_time(events_received)) BY pod, time_bucket = tbucket(2 minute) +| STATS events_received = MAX(PRESENT_OVER_TIME(events_received)) BY pod, time_bucket = TBUCKET(2 minute) ``` diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/rate.md b/docs/reference/query-languages/esql/kibana/docs/functions/rate.md index bf8504018d01b..353b1641b07b7 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/rate.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/rate.md @@ -5,5 +5,5 @@ Calculates the per-second average rate of increase of a [counter](docs-content:/ ```esql TS k8s -| STATS max(rate(network.total_bytes_in)) BY time_bucket = bucket(@timestamp,5minute) +| STATS max_rate=MAX(RATE(network.total_bytes_in)) BY time_bucket = TBUCKET(5minute) ``` diff --git a/docs/reference/query-languages/esql/kibana/docs/functions/sum_over_time.md b/docs/reference/query-languages/esql/kibana/docs/functions/sum_over_time.md index 680ea0140b023..9c42005e212a8 100644 --- a/docs/reference/query-languages/esql/kibana/docs/functions/sum_over_time.md +++ b/docs/reference/query-languages/esql/kibana/docs/functions/sum_over_time.md 
@@ -5,5 +5,5 @@ Calculates the sum over time value of a field. ```esql TS k8s -| STATS sum_cost=sum(sum_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS sum_cost=SUM(SUM_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) ``` diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-delta.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-delta.csv-spec index 75b4ae948a593..1c35639b6334d 100644 --- a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-delta.csv-spec +++ b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-delta.csv-spec @@ -67,7 +67,7 @@ required_capability: delta_ts_agg // tag::delta[] TS k8s | WHERE pod == "one" -| STATS tx = sum(delta(network.bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute) +| STATS tx = SUM(DELTA(network.bytes_in)) BY cluster, time_bucket = TBUCKET(10minute) // end::delta[] | SORT time_bucket, cluster | LIMIT 10; diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-idelta.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-idelta.csv-spec index 069804c92713e..5608ed116e146 100644 --- a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-idelta.csv-spec +++ b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-idelta.csv-spec @@ -152,7 +152,7 @@ idelta_all_value_types required_capability: ts_command_v0 // tag::idelta[] TS k8s -| STATS events = sum(idelta(events_received)) by pod, time_bucket = bucket(@timestamp, 10minute) +| STATS events = SUM(IDELTA(events_received)) by pod, time_bucket = TBUCKET(10minute) // end::idelta[] | SORT events desc, pod, time_bucket | LIMIT 10 ; 
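Review bot: The rewritten STATS line in the idelta example (k8s-timeseries-idelta.csv-spec, hunk at -152) still spells the grouping keyword as lowercase `by`, while every other example touched by this change uses `BY`. The tagged snippet appears to feed the generated function docs, since kibana/docs/functions/idelta.md carries the same line, so the inconsistency ends up in the published example. I would write `| STATS events = SUM(IDELTA(events_received)) BY pod, time_bucket = TBUCKET(10minute)` and regenerate the docs. The test continues past the end tag, and its expected rows are outside the hunk.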
diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-increase.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-increase.csv-spec index 4fbd1f29c9c1f..6a2608d7a2662 100644 --- a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-increase.csv-spec +++ b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-increase.csv-spec @@ -71,7 +71,7 @@ required_capability: ts_command_v0 // tag::increase[] TS k8s | WHERE pod == "one" -| STATS increase_bytes_in = sum(increase(network.total_bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute) +| STATS increase_bytes_in = SUM(INCREASE(network.total_bytes_in)) BY cluster, time_bucket = TBUCKET(10minute) // end::increase[] | SORT time_bucket, cluster | LIMIT 10; diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-irate.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-irate.csv-spec index 697ec29bf888e..caa3caa01f52b 100644 --- a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-irate.csv-spec +++ b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries-irate.csv-spec @@ -67,7 +67,7 @@ irate_with_filtering required_capability: ts_command_v0 // tag::irate[] TS k8s | WHERE pod == "one" -| STATS irate_bytes_in = sum(irate(network.total_bytes_in)) BY cluster, time_bucket = bucket(@timestamp, 10minute) +| STATS irate_bytes_in = SUM(IRATE(network.total_bytes_in)) BY cluster, time_bucket = TBUCKET(10minute) // end::irate[] | SORT time_bucket, cluster | LIMIT 10; diff --git a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries.csv-spec b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries.csv-spec index e9a5bcc8f770a..b2324bb4c8cbb 100644 --- a/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries.csv-spec +++ b/x-pack/plugin/esql/qa/testFixtures/src/main/resources/k8s-timeseries.csv-spec 
@@ -109,14 +109,14 @@ oneRateWithBucket required_capability: ts_command_v0 // tag::rate[] TS k8s -| STATS max(rate(network.total_bytes_in)) BY time_bucket = bucket(@timestamp,5minute) +| STATS max_rate=MAX(RATE(network.total_bytes_in)) BY time_bucket = TBUCKET(5minute) // end::rate[] | SORT time_bucket DESC | LIMIT 2; // tag::rate-result[] -max(rate(network.total_bytes_in)): double | time_bucket:date -6.980660660660663 | 2024-05-10T00:20:00.000Z -23.702205882352942 | 2024-05-10T00:15:00.000Z +max_rate: double | time_bucket:date +6.980660660660663 | 2024-05-10T00:20:00.000Z +23.702205882352942 | 2024-05-10T00:15:00.000Z // end::rate-result[] ; @@ -240,7 +240,7 @@ max_over_time required_capability: ts_command_v0 // tag::max_over_time[] TS k8s -| STATS cost=sum(max_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS cost=SUM(MAX_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) // end::max_over_time[] | SORT cost DESC, time_bucket DESC, cluster | LIMIT 10; @@ -263,7 +263,7 @@ min_over_time required_capability: ts_command_v0 // tag::min_over_time[] TS k8s -| STATS cost=sum(min_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS cost=SUM(MIN_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) // end::min_over_time[] | SORT cost DESC, time_bucket DESC, cluster | LIMIT 10; @@ -286,7 +286,7 @@ max_of_avg_over_time required_capability: ts_command_v0 // tag::avg_over_time[] TS k8s -| STATS max_cost=max(avg_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS max_cost=MAX(AVG_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) // end::avg_over_time[] | SORT max_cost DESC, time_bucket DESC, cluster | LIMIT 10; 
@@ -327,7 +327,7 @@ max_of_last_over_time required_capability: ts_command_v0 // tag::last_over_time[] TS k8s -| STATS max_cost=max(last_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS max_cost=MAX(LAST_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) // end::last_over_time[] | SORT max_cost DESC, time_bucket DESC, cluster | LIMIT 10; @@ -350,7 +350,7 @@ max_of_first_over_time required_capability: ts_command_v0 // tag::first_over_time[] TS k8s -| STATS max_cost=max(first_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS max_cost=MAX(FIRST_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) // end::first_over_time[] | SORT max_cost DESC, time_bucket DESC, cluster | LIMIT 10; @@ -374,7 +374,7 @@ required_capability: ts_command_v0 // tag::sum_over_time[] TS k8s -| STATS sum_cost=sum(sum_over_time(network.cost)) BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS sum_cost=SUM(SUM_OVER_TIME(network.cost)) BY cluster, time_bucket = TBUCKET(1minute) // end::sum_over_time[] | SORT sum_cost DESC, time_bucket DESC, cluster | LIMIT 10; @@ -400,8 +400,8 @@ required_capability: ts_command_v0 // tag::count_over_time[] TS k8s -| STATS count=count(count_over_time(network.cost)) - BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS count=COUNT(COUNT_OVER_TIME(network.cost)) + BY cluster, time_bucket = BUCKET(@timestamp,1minute) // end::count_over_time[] | SORT count DESC, time_bucket DESC, cluster | LIMIT 10; 
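Review bot: The count_over_time example (hunk at -400) is upper-cased but still groups with `BUCKET(@timestamp,1minute)`, whereas every sibling example in this file was moved to `TBUCKET(1minute)`. If that is an oversight, the second line should read `BY cluster, time_bucket = TBUCKET(1minute)`, and the generated count_over_time.md snippets would then match the others. If the explicit form is kept on purpose, to retain one `BUCKET(@timestamp, …)` example, a short comment above the tag such as `// keeps the explicit BUCKET(@timestamp, ...) form on purpose` would stop a later cleanup from changing it. The expected result rows for this test are outside the hunk, so I cannot confirm from here that the two forms produce identical buckets.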
@@ -426,9 +426,9 @@ required_capability: ts_command_v0 // tag::count_distinct_over_time[] TS k8s -| STATS distincts=count_distinct(count_distinct_over_time(network.cost)), - distincts_imprecise=count_distinct(count_distinct_over_time(network.cost, 100)) - BY cluster, time_bucket = bucket(@timestamp,1minute) +| STATS distincts=COUNT_DISTINCT(COUNT_DISTINCT_OVER_TIME(network.cost)), + distincts_imprecise=COUNT_DISTINCT(COUNT_DISTINCT_OVER_TIME(network.cost, 100)) + BY cluster, time_bucket = TBUCKET(1minute) // end::count_distinct_over_time[] | SORT distincts DESC, time_bucket DESC, cluster | LIMIT 10; @@ -468,7 +468,7 @@ required_capability: ts_command_v0 // tag::present_over_time[] TS k8s | WHERE cluster == "prod" AND pod == "two" -| STATS events_received = max(present_over_time(events_received)) BY pod, time_bucket = tbucket(2 minute) +| STATS events_received = MAX(PRESENT_OVER_TIME(events_received)) BY pod, time_bucket = TBUCKET(2 minute) // end::present_over_time[] | SORT time_bucket ; @@ -494,7 +494,7 @@ required_capability: ts_command_v0 // tag::absent_over_time[] TS k8s | WHERE cluster == "prod" AND pod == "two" -| STATS events_received = max(absent_over_time(events_received)) BY pod, time_bucket = tbucket(2 minute) +| STATS events_received = MAX(ABSENT_OVER_TIME(events_received)) BY pod, time_bucket = TBUCKET(2 minute) // end::absent_over_time[] | SORT time_bucket ; diff --git a/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/aggregate/Delta.java b/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/aggregate/Delta.java index 0b0ecda75b61d..f1883499a59cf 100644 --- a/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/aggregate/Delta.java +++ b/x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/aggregate/Delta.java 
@@ -48,8 +48,7 @@ public class Delta extends TimeSeriesAggregateFunction implements OptionalArgume description = "Calculates the absolute change of a gauge field in a time window.", appliesTo = { @FunctionAppliesTo(lifeCycle = FunctionAppliesToLifecycle.PREVIEW, version = "9.2.0") }, preview = true, - examples = { @Example(file = "k8s-timeseries-delta", tag = "delta") }, - note = "Available with the [TS](/reference/query-languages/esql/commands/source-commands.md#esql-ts) command" + examples = { @Example(file = "k8s-timeseries-delta", tag = "delta") } ) public Delta(Source source, @Param(name = "field", type = { "long", "integer", "double" }) Expression field) { this(source, field, new UnresolvedAttribute(source, "@timestamp"));