|
|
@@ -2480,3 +2480,1285 @@ from employees
|
|
|
10002 |0 |0
|
|
|
10003 |0 |0
|
|
|
;
|
|
|
+
|
|
|
+////////////////////////////////
|
|
|
+// Union types tests
|
|
|
+////////////////////////////////
|
|
|
+
|
|
|
+singleIndexIpInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data
|
|
|
+| EVAL client_ip = client_ip::ip
|
|
|
+| INLINESTATS count=count(*) BY client_ip
|
|
|
+| SORT count DESC, client_ip ASC
|
|
|
+| KEEP count, client_ip
|
|
|
+;
|
|
|
+
|
|
|
+count:long | client_ip:ip
|
|
|
+4 |172.21.3.15
|
|
|
+4 |172.21.3.15
|
|
|
+4 |172.21.3.15
|
|
|
+4 |172.21.3.15
|
|
|
+1 |172.21.0.5
|
|
|
+1 |172.21.2.113
|
|
|
+1 |172.21.2.162
|
|
|
+;
|
|
|
+
|
|
|
+singleIndexIpStringInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data_str
|
|
|
+| EVAL client_ip = client_ip::ip
|
|
|
+| INLINESTATS count=count(*) BY client_ip
|
|
|
+| SORT count DESC, client_ip ASC
|
|
|
+| KEEP count, client_ip
|
|
|
+;
|
|
|
+
|
|
|
+count:long | client_ip:ip
|
|
|
+4 |172.21.3.15
|
|
|
+4 |172.21.3.15
|
|
|
+4 |172.21.3.15
|
|
|
+4 |172.21.3.15
|
|
|
+1 |172.21.0.5
|
|
|
+1 |172.21.2.113
|
|
|
+1 |172.21.2.162
|
|
|
+;
|
|
|
+
|
|
|
+singleIndexIpStringInlinestats Inline
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data_str
|
|
|
+| INLINESTATS count=count(*) BY client_ip::ip
|
|
|
+| INLINESTATS mc=count(count) BY count
|
|
|
+| SORT mc DESC, count ASC
|
|
|
+| KEEP mc, count
|
|
|
+;
|
|
|
+
|
|
|
+mc:l | count:l
|
|
|
+4 |4
|
|
|
+4 |4
|
|
|
+4 |4
|
|
|
+4 |4
|
|
|
+3 |1
|
|
|
+3 |1
|
|
|
+3 |1
|
|
|
+;
|
|
|
+
|
|
|
+singleIndexIpStringInlinestatsInline_SecondStats
|
|
|
+// same as above but the second agg is a STATS one
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data_str
|
|
|
+| INLINESTATS count=count(*) BY client_ip::ip
|
|
|
+| STATS mc=count(count) BY count
|
|
|
+| SORT mc DESC, count ASC
|
|
|
+| KEEP mc, count
|
|
|
+;
|
|
|
+
|
|
|
+mc:l | count:l
|
|
|
+4 |4
|
|
|
+3 |1
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpStringInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL client_ip = client_ip::ip
|
|
|
+| INLINESTATS count=count(*) BY client_ip
|
|
|
+| SORT count DESC, client_ip ASC
|
|
|
+| KEEP count, client_ip
|
|
|
+;
|
|
|
+
|
|
|
+count:long | client_ip:ip
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+2 |172.21.0.5
|
|
|
+2 |172.21.0.5
|
|
|
+2 |172.21.2.113
|
|
|
+2 |172.21.2.113
|
|
|
+2 |172.21.2.162
|
|
|
+2 |172.21.2.162
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpStringRenameInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL host_ip = client_ip::ip
|
|
|
+| INLINESTATS count=count(*) BY host_ip
|
|
|
+| SORT count DESC, host_ip ASC
|
|
|
+| KEEP count, host_ip
|
|
|
+;
|
|
|
+
|
|
|
+count:long | host_ip:ip
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+2 |172.21.0.5
|
|
|
+2 |172.21.0.5
|
|
|
+2 |172.21.2.113
|
|
|
+2 |172.21.2.113
|
|
|
+2 |172.21.2.162
|
|
|
+2 |172.21.2.162
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpStringRenameToStringInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL host_ip = TO_STRING(TO_IP(client_ip))
|
|
|
+| INLINESTATS count=count(*) BY host_ip
|
|
|
+| SORT count DESC, host_ip ASC
|
|
|
+| KEEP count, host_ip
|
|
|
+;
|
|
|
+
|
|
|
+count:long | host_ip:keyword
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+2 |172.21.0.5
|
|
|
+2 |172.21.0.5
|
|
|
+2 |172.21.2.113
|
|
|
+2 |172.21.2.113
|
|
|
+2 |172.21.2.162
|
|
|
+2 |172.21.2.162
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpStringInlinestats Drop
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| INLINESTATS count=count(*) BY client_ip::ip
|
|
|
+| KEEP count
|
|
|
+| SORT count DESC
|
|
|
+;
|
|
|
+
|
|
|
+count:long
|
|
|
+8
|
|
|
+8
|
|
|
+8
|
|
|
+8
|
|
|
+8
|
|
|
+8
|
|
|
+8
|
|
|
+8
|
|
|
+2
|
|
|
+2
|
|
|
+2
|
|
|
+2
|
|
|
+2
|
|
|
+2
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpStringInlinestats Inline
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| INLINESTATS count=count(*) BY client_ip = TO_IP(client_ip)
|
|
|
+| SORT count DESC, client_ip ASC
|
|
|
+| KEEP count, client_ip
|
|
|
+;
|
|
|
+
|
|
|
+count:long | client_ip:ip
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+2 |172.21.0.5
|
|
|
+2 |172.21.0.5
|
|
|
+2 |172.21.2.113
|
|
|
+2 |172.21.2.113
|
|
|
+2 |172.21.2.162
|
|
|
+2 |172.21.2.162
|
|
|
+;
|
|
|
+
|
|
|
+statsUnionAggInline
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| INLINESTATS count = COUNT(CIDR_MATCH(TO_IP(client_ip), "172.21.0.0/24") OR NULL)
|
|
|
+ BY
|
|
|
+ @timestamp = DATE_TRUNC(10 minutes, @timestamp)
|
|
|
+| SORT count DESC, @timestamp ASC, event_duration
|
|
|
+| LIMIT 8
|
|
|
+;
|
|
|
+
|
|
|
+client_ip:unsupported |event_duration:long| message:keyword | count:long | @timestamp:date
|
|
|
+null |1232382 |Disconnected |2 |2023-10-23T13:30:00.000Z
|
|
|
+null |1232382 |Disconnected |2 |2023-10-23T13:30:00.000Z
|
|
|
+null |3450233 |Connected to 10.1.0.3|0 |2023-10-23T12:10:00.000Z
|
|
|
+null |3450233 |Connected to 10.1.0.3|0 |2023-10-23T12:10:00.000Z
|
|
|
+null |2764889 |Connected to 10.1.0.2|0 |2023-10-23T12:20:00.000Z
|
|
|
+null |2764889 |Connected to 10.1.0.2|0 |2023-10-23T12:20:00.000Z
|
|
|
+null |725448 |Connection error |0 |2023-10-23T13:50:00.000Z
|
|
|
+null |725448 |Connection error |0 |2023-10-23T13:50:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpInlinestats_NonPushableCount
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| INLINESTATS count=count(client_ip::ip)
|
|
|
+| SORT event_duration DESC
|
|
|
+| LIMIT 2
|
|
|
+;
|
|
|
+
|
|
|
+ @timestamp:date |client_ip:unsupported|event_duration:long|message:keyword |count:long
|
|
|
+2023-10-23T13:52:55.015Z|null |8268153 |Connection error|14
|
|
|
+2023-10-23T13:52:55.015Z|null |8268153 |Connection error|14
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpInlinestats_NonPushableCountEval
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL client_ip = client_ip::ip
|
|
|
+| INLINESTATS count=count(client_ip)
|
|
|
+| SORT event_duration DESC
|
|
|
+| LIMIT 2
|
|
|
+;
|
|
|
+
|
|
|
+ @timestamp:date |event_duration:long|message:keyword |client_ip:ip |count:long
|
|
|
+2023-10-23T13:52:55.015Z|8268153 |Connection error|172.21.3.15 |14
|
|
|
+2023-10-23T13:52:55.015Z|8268153 |Connection error|172.21.3.15 |14
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpInlinestats_NonPushableCountWithFilter
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| INLINESTATS count_matching=count(@timestamp::long) WHERE @timestamp::long >= 1698069301543,
|
|
|
+ total_count=count(@timestamp::long)
|
|
|
+| SORT client_ip
|
|
|
+| LIMIT 4
|
|
|
+;
|
|
|
+
|
|
|
+@timestamp:unsupported| client_ip:ip|event_duration:long | message:keyword |count_matching:long | total_count:long
|
|
|
+null |172.21.0.5 |1232382 |Disconnected |2 |14
|
|
|
+null |172.21.0.5 |1232382 |Disconnected |2 |14
|
|
|
+null |172.21.2.113 |2764889 |Connected to 10.1.0.2|2 |14
|
|
|
+null |172.21.2.113 |2764889 |Connected to 10.1.0.2|2 |14
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpInlinestats_PushableCount
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| INLINESTATS count=count(@timestamp::long)
|
|
|
+| KEEP count
|
|
|
+| LIMIT 2
|
|
|
+;
|
|
|
+
|
|
|
+count:long
|
|
|
+14
|
|
|
+14
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpInlinestats_PushableCountEval
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| EVAL @timestamp = @timestamp::long
|
|
|
+| INLINESTATS count=count(@timestamp)
|
|
|
+| KEEP count
|
|
|
+| LIMIT 2
|
|
|
+;
|
|
|
+
|
|
|
+count:long
|
|
|
+14
|
|
|
+14
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpStringInlinestats_Inline2
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| INLINESTATS count=count(*) BY client_ip::ip
|
|
|
+| SORT count DESC, `client_ip::ip` ASC
|
|
|
+| KEEP count, `client_ip::ip`
|
|
|
+;
|
|
|
+
|
|
|
+count:long | client_ip::ip:ip
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+8 |172.21.3.15
|
|
|
+2 |172.21.0.5
|
|
|
+2 |172.21.0.5
|
|
|
+2 |172.21.2.113
|
|
|
+2 |172.21.2.113
|
|
|
+2 |172.21.2.162
|
|
|
+2 |172.21.2.162
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpStringInlinestats_Inline3
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| INLINESTATS count=count(*) BY client_ip::ip
|
|
|
+| INLINESTATS mc=count(count) BY count
|
|
|
+| SORT mc DESC, count ASC, event_duration
|
|
|
+| KEEP mc, count, event_duration
|
|
|
+;
|
|
|
+
|
|
|
+mc:l | count:l | event_duration:l
|
|
|
+8 |8 |725448
|
|
|
+8 |8 |725448
|
|
|
+8 |8 |1756467
|
|
|
+8 |8 |1756467
|
|
|
+8 |8 |5033755
|
|
|
+8 |8 |5033755
|
|
|
+8 |8 |8268153
|
|
|
+8 |8 |8268153
|
|
|
+6 |2 |1232382
|
|
|
+6 |2 |1232382
|
|
|
+6 |2 |2764889
|
|
|
+6 |2 |2764889
|
|
|
+6 |2 |3450233
|
|
|
+6 |2 |3450233
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIpStringInlinestats_Inline4
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| SORT @timestamp
|
|
|
+| LIMIT 1000
|
|
|
+| INLINESTATS count=count(*) BY client_ip::ip
|
|
|
+| LIMIT 5
|
|
|
+| INLINESTATS mc=count(count) BY count
|
|
|
+| SORT mc DESC, count ASC, event_duration
|
|
|
+| KEEP mc, count, event_duration
|
|
|
+;
|
|
|
+
|
|
|
+mc:l | count:l | event_duration:l
|
|
|
+5 |2 |1232382
|
|
|
+5 |2 |2764889
|
|
|
+5 |2 |2764889
|
|
|
+5 |2 |3450233
|
|
|
+5 |2 |3450233
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexWhereIpStringInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| WHERE STARTS_WITH(TO_STRING(client_ip), "172.21.2")
|
|
|
+| INLINESTATS count=count(*) BY message
|
|
|
+| SORT count DESC, message ASC
|
|
|
+| KEEP count, message
|
|
|
+;
|
|
|
+
|
|
|
+count:long | message:keyword
|
|
|
+2 |Connected to 10.1.0.2
|
|
|
+2 |Connected to 10.1.0.2
|
|
|
+2 |Connected to 10.1.0.3
|
|
|
+2 |Connected to 10.1.0.3
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexTsLongInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| EVAL @timestamp = DATE_TRUNC(1 hour, TO_DATETIME(@timestamp))
|
|
|
+| INLINESTATS count=count(*) BY @timestamp
|
|
|
+| SORT count DESC, @timestamp ASC
|
|
|
+| KEEP count, @timestamp
|
|
|
+;
|
|
|
+
|
|
|
+count:long | @timestamp:date
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+4 |2023-10-23T12:00:00.000Z
|
|
|
+4 |2023-10-23T12:00:00.000Z
|
|
|
+4 |2023-10-23T12:00:00.000Z
|
|
|
+4 |2023-10-23T12:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexTsNanosToDatetimeInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_nanos
|
|
|
+| EVAL @timestamp = DATE_TRUNC(1 hour, TO_DATETIME(@timestamp))
|
|
|
+| INLINESTATS count=count(*) BY @timestamp
|
|
|
+| KEEP count, @timestamp
|
|
|
+| STATS count=count(*) BY @timestamp
|
|
|
+| SORT count DESC, @timestamp ASC
|
|
|
+;
|
|
|
+
|
|
|
+count:long | @timestamp:date
|
|
|
+10 | 2023-10-23T13:00:00.000Z
|
|
|
+4 | 2023-10-23T12:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexMillisToNanosStats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_nanos
|
|
|
+| EVAL @timestamp = DATE_TRUNC(1 hour, TO_DATE_NANOS(@timestamp))
|
|
|
+| INLINESTATS count=count(*) BY @timestamp
|
|
|
+| KEEP count, @timestamp
|
|
|
+| STATS count=count(*) BY @timestamp
|
|
|
+| SORT count DESC, @timestamp ASC
|
|
|
+;
|
|
|
+
|
|
|
+count:long | @timestamp:date_nanos
|
|
|
+10 | 2023-10-23T13:00:00.000Z
|
|
|
+4 | 2023-10-23T12:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+
|
|
|
+multiIndexTsLongInlinestatsDrop
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long, sample_data_ts_nanos
|
|
|
+| INLINESTATS count=count(*) BY @timestamp::datetime
|
|
|
+| KEEP count
|
|
|
+| LIMIT 2
|
|
|
+;
|
|
|
+
|
|
|
+count:long
|
|
|
+3
|
|
|
+3
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexTsLongInlinestatsInline2
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long, sample_data_ts_nanos
|
|
|
+| INLINESTATS count=count(*) BY @timestamp::datetime
|
|
|
+| SORT `@timestamp::datetime` DESC, event_duration
|
|
|
+| LIMIT 6
|
|
|
+;
|
|
|
+
|
|
|
+@timestamp:unsupported| client_ip:ip|event_duration:long| message:keyword | count:long| @timestamp::datetime:datetime
|
|
|
+null |172.21.3.15 |1756467 |Connected to 10.1.0.1|3 |2023-10-23T13:55:01.543Z
|
|
|
+null |172.21.3.15 |1756467 |Connected to 10.1.0.1|3 |2023-10-23T13:55:01.543Z
|
|
|
+null |172.21.3.15 |1756467 |Connected to 10.1.0.1|3 |2023-10-23T13:55:01.543Z
|
|
|
+null |172.21.3.15 |5033755 |Connection error |3 |2023-10-23T13:53:55.832Z
|
|
|
+null |172.21.3.15 |5033755 |Connection error |3 |2023-10-23T13:53:55.832Z
|
|
|
+null |172.21.3.15 |5033755 |Connection error |3 |2023-10-23T13:53:55.832Z
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexTsLongInlinestatsInline3
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| INLINESTATS count=count(*) BY @timestamp::datetime
|
|
|
+| INLINESTATS mc=count(count) BY count
|
|
|
+| SORT client_ip DESC
|
|
|
+| LIMIT 1
|
|
|
+| KEEP mc, count
|
|
|
+;
|
|
|
+
|
|
|
+mc:l | count:l
|
|
|
+14 | 2
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexTsLongInlinestatsInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| EVAL ts = TO_STRING(@timestamp)
|
|
|
+| INLINESTATS count = COUNT(*) BY ts
|
|
|
+| INLINESTATS mc = COUNT(count) BY count
|
|
|
+| SORT ts
|
|
|
+| LIMIT 1
|
|
|
+;
|
|
|
+
|
|
|
+@timestamp:unsupported| client_ip:ip|event_duration:long| message:keyword | ts:keyword| mc:long | count:long
|
|
|
+null |172.21.2.162 |3450233 |Connected to 10.1.0.3|1698063303360 |14 |1
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexTsLongRenameInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| EVAL hour = DATE_TRUNC(1 hour, TO_DATETIME(@timestamp))
|
|
|
+| INLINESTATS count=count(*) BY hour
|
|
|
+| SORT count DESC, hour ASC
|
|
|
+| KEEP count, hour
|
|
|
+;
|
|
|
+
|
|
|
+count:long | hour:date
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+10 |2023-10-23T13:00:00.000Z
|
|
|
+4 |2023-10-23T12:00:00.000Z
|
|
|
+4 |2023-10-23T12:00:00.000Z
|
|
|
+4 |2023-10-23T12:00:00.000Z
|
|
|
+4 |2023-10-23T12:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexTsLongRenameToDatetimeToStringInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| EVAL hour = LEFT(TO_STRING(TO_DATETIME(@timestamp)), 13)
|
|
|
+| INLINESTATS count=count(*) BY hour
|
|
|
+| STATS count_distinct(count) BY count, hour
|
|
|
+| SORT count DESC, hour ASC
|
|
|
+| KEEP count, hour
|
|
|
+;
|
|
|
+
|
|
|
+count:long | hour:keyword
|
|
|
+10 | 2023-10-23T13
|
|
|
+4 | 2023-10-23T12
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexTsLongRenameToStringInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| EVAL mess = LEFT(TO_STRING(@timestamp), 7)
|
|
|
+| INLINESTATS count=count(*) BY mess
|
|
|
+| SORT count DESC, mess DESC
|
|
|
+| KEEP count, mess
|
|
|
+;
|
|
|
+
|
|
|
+count:long | mess:keyword
|
|
|
+7 |2023-10
|
|
|
+7 |2023-10
|
|
|
+7 |2023-10
|
|
|
+7 |2023-10
|
|
|
+7 |2023-10
|
|
|
+7 |2023-10
|
|
|
+7 |2023-10
|
|
|
+4 |1698069
|
|
|
+4 |1698069
|
|
|
+4 |1698069
|
|
|
+4 |1698069
|
|
|
+1 |1698068
|
|
|
+1 |1698064
|
|
|
+1 |1698063
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexTsLongInlinestatsInline
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| INLINESTATS count=COUNT(*), max=MAX(TO_DATETIME(@timestamp))
|
|
|
+| KEEP count, max
|
|
|
+| LIMIT 3
|
|
|
+;
|
|
|
+
|
|
|
+count:long | max:date
|
|
|
+14 | 2023-10-23T13:55:01.543Z
|
|
|
+14 | 2023-10-23T13:55:01.543Z
|
|
|
+14 | 2023-10-23T13:55:01.543Z
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexTsLongInlinestatsInlineDropped
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| INLINESTATS count=COUNT(*), max=MAX(TO_DATETIME(@timestamp))
|
|
|
+| KEEP count
|
|
|
+| LIMIT 2
|
|
|
+;
|
|
|
+
|
|
|
+count:long
|
|
|
+14
|
|
|
+14
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexWhereTsLongInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| WHERE TO_LONG(@timestamp) < 1698068014937
|
|
|
+| INLINESTATS count=count(*) BY message
|
|
|
+| SORT count DESC, message ASC
|
|
|
+| KEEP count, message
|
|
|
+;
|
|
|
+
|
|
|
+count:long | message:keyword
|
|
|
+2 | Connected to 10.1.0.2
|
|
|
+2 | Connected to 10.1.0.2
|
|
|
+2 | Connected to 10.1.0.3
|
|
|
+2 | Connected to 10.1.0.3
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexWhereIpStringTsLongInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data*
|
|
|
+| WHERE TO_LONG(@timestamp) < 1698068014937 AND TO_STRING(client_ip) == "172.21.2.162"
|
|
|
+| INLINESTATS count=count(*) BY message
|
|
|
+| SORT count DESC, message ASC
|
|
|
+| KEEP count, message
|
|
|
+;
|
|
|
+
|
|
|
+count:long | message:keyword
|
|
|
+3 | Connected to 10.1.0.3
|
|
|
+3 | Connected to 10.1.0.3
|
|
|
+3 | Connected to 10.1.0.3
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexWhereIpStringLikeTsLongInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data*
|
|
|
+| WHERE TO_LONG(@timestamp) < 1698068014937 AND TO_STRING(client_ip) LIKE "172.21.2.16?"
|
|
|
+| INLINESTATS count=count(*) BY message
|
|
|
+| SORT count DESC, message ASC
|
|
|
+| KEEP count, message
|
|
|
+;
|
|
|
+
|
|
|
+count:long | message:keyword
|
|
|
+3 | Connected to 10.1.0.3
|
|
|
+3 | Connected to 10.1.0.3
|
|
|
+3 | Connected to 10.1.0.3
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexInlinestatsOfMultiTypedField
|
|
|
+required_capability: inlinestats_v11
|
|
|
+// https://github.com/elastic/elasticsearch/issues/133973
|
|
|
+FROM apps, apps_short
|
|
|
+| INLINESTATS s = sum(id::integer)
|
|
|
+| SORT name, version
|
|
|
+| LIMIT 5
|
|
|
+;
|
|
|
+
|
|
|
+ id:unsupported| name:keyword |version:version| s:long
|
|
|
+null |aaaaa |1 |210
|
|
|
+null |aaaaa |1 |210
|
|
|
+null |aaaaa |1.2.3.4 |210
|
|
|
+null |aaaaa |1.2.3.4 |210
|
|
|
+null |bbbbb |2.1 |210
|
|
|
+;
|
|
|
+
|
|
|
+inlineStatsUnionGroup
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| INLINESTATS count = COUNT(*)
|
|
|
+ BY @timestamp = SUBSTRING(TO_STRING(@timestamp), 0, 7)
|
|
|
+| SORT client_ip ASC, @timestamp ASC
|
|
|
+| LIMIT 4
|
|
|
+;
|
|
|
+
|
|
|
+client_ip:ip | event_duration:long | message:keyword | count:long| @timestamp:keyword
|
|
|
+ 172.21.0.5 | 1232382 | Disconnected | 1 | 1698068
|
|
|
+ 172.21.0.5 | 1232382 | Disconnected | 7 | 2023-10
|
|
|
+172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 1 | 1698064
|
|
|
+172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 7 | 2023-10
|
|
|
+;
|
|
|
+
|
|
|
+inlineStatsUnionGroupWithEval
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| EVAL @timestamp = SUBSTRING(TO_STRING(@timestamp), 0, 7)
|
|
|
+| INLINESTATS count = COUNT(*) BY @timestamp
|
|
|
+| SORT client_ip ASC, @timestamp ASC
|
|
|
+| LIMIT 4
|
|
|
+;
|
|
|
+
|
|
|
+client_ip:ip | event_duration:long | message:keyword | count:long| @timestamp:keyword
|
|
|
+ 172.21.0.5 | 1232382 | Disconnected | 1 | 1698068
|
|
|
+ 172.21.0.5 | 1232382 | Disconnected | 7 | 2023-10
|
|
|
+172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 1 | 1698064
|
|
|
+172.21.2.113 | 2764889 | Connected to 10.1.0.2 | 7 | 2023-10
|
|
|
+;
|
|
|
+
|
|
|
+inlineStatsUnionGroupTogether
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| INLINESTATS count = COUNT(*)
|
|
|
+ BY @timestamp = TO_STRING(TO_DATETIME(@timestamp))
|
|
|
+| SORT client_ip ASC, @timestamp ASC
|
|
|
+| LIMIT 4
|
|
|
+;
|
|
|
+
|
|
|
+client_ip:ip | event_duration:long | message:keyword |count:long| @timestamp:keyword
|
|
|
+ 172.21.0.5 | 1232382 | Disconnected |2 | 2023-10-23T13:33:34.937Z
|
|
|
+ 172.21.0.5 | 1232382 | Disconnected |2 | 2023-10-23T13:33:34.937Z
|
|
|
+172.21.2.113 | 2764889 | Connected to 10.1.0.2 |2 | 2023-10-23T12:27:28.948Z
|
|
|
+172.21.2.113 | 2764889 | Connected to 10.1.0.2 |2 | 2023-10-23T12:27:28.948Z
|
|
|
+;
|
|
|
+
|
|
|
+multiIndexIndirectUseOfUnionTypesInInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| INLINESTATS foo = max(event_duration) BY client_ip
|
|
|
+| RENAME event_duration AS e
|
|
|
+| SORT client_ip ASC, e
|
|
|
+| LIMIT 8
|
|
|
+;
|
|
|
+
|
|
|
+@timestamp:unsupported| e:long | message:keyword | foo:long| client_ip:ip
|
|
|
+null |1232382 |Disconnected |1232382 |172.21.0.5
|
|
|
+null |1232382 |Disconnected |1232382 |172.21.0.5
|
|
|
+null |2764889 |Connected to 10.1.0.2|2764889 |172.21.2.113
|
|
|
+null |2764889 |Connected to 10.1.0.2|2764889 |172.21.2.113
|
|
|
+null |3450233 |Connected to 10.1.0.3|3450233 |172.21.2.162
|
|
|
+null |3450233 |Connected to 10.1.0.3|3450233 |172.21.2.162
|
|
|
+null |725448 |Connection error |8268153 |172.21.3.15
|
|
|
+null |725448 |Connection error |8268153 |172.21.3.15
|
|
|
+;
|
|
|
+
|
|
|
+
|
|
|
+multiIndexIndirectUseOfUnionTypesInInlineStats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_ts_long
|
|
|
+| INLINESTATS foo = max(event_duration)
|
|
|
+| SORT client_ip ASC, event_duration
|
|
|
+| LIMIT 1
|
|
|
+;
|
|
|
+
|
|
|
+@timestamp:unsupported | client_ip:ip | event_duration:long | message:keyword | foo:long
|
|
|
+ null | 172.21.0.5 | 1232382 | Disconnected | 8268153
|
|
|
+;
|
|
|
+
|
|
|
+shortIntegerWideningInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM apps, apps_short
|
|
|
+| EVAL id = id::integer
|
|
|
+| INLINESTATS count=count() BY name, id
|
|
|
+| KEEP id, name, count
|
|
|
+| SORT id ASC, name ASC
|
|
|
+| LIMIT 5
|
|
|
+;
|
|
|
+
|
|
|
+id:integer | name:keyword | count:long
|
|
|
+1 |aaaaa |2
|
|
|
+1 |aaaaa |2
|
|
|
+2 |bbbbb |2
|
|
|
+2 |bbbbb |2
|
|
|
+3 |ccccc |2
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedFieldsInlinestats_ByNumeric
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| INLINESTATS x=max(hire_date), y = min(hire_date) BY languages = languages::integer
|
|
|
+| SORT languages
|
|
|
+| KEEP emp_no, languages, x, y
|
|
|
+| LIMIT 3
|
|
|
+;
|
|
|
+
|
|
|
+emp_no:unsupported|languages:integer| x:date_nanos | y:date_nanos
|
|
|
+null |1 |1999-04-30T00:00:00.000Z|1985-02-18T00:00:00.000Z
|
|
|
+null |1 |1999-04-30T00:00:00.000Z|1985-02-18T00:00:00.000Z
|
|
|
+null |1 |1999-04-30T00:00:00.000Z|1985-02-18T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedFieldsInlinestats_ByNumericWithFilter
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| INLINESTATS x=max(hire_date) where hire_date < "1993-08-03", y = min(hire_date) where hire_date >= "1993-08-03" BY languages = languages::integer
|
|
|
+| SORT languages
|
|
|
+| LIMIT 3
|
|
|
+| KEEP emp_no, languages, x, y
|
|
|
+;
|
|
|
+
|
|
|
+emp_no:unsupported|languages:integer| x:date_nanos | y:date_nanos
|
|
|
+null |1 |1990-10-20T00:00:00.000Z|1994-05-21T00:00:00.000Z
|
|
|
+null |1 |1990-10-20T00:00:00.000Z|1994-05-21T00:00:00.000Z
|
|
|
+null |1 |1990-10-20T00:00:00.000Z|1994-05-21T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedFieldsInlinestats_ByDateNanos
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| INLINESTATS x=count(emp_no::long), y=avg(salary_change::double), z=max(height::double) BY hire_date
|
|
|
+| EVAL y = round(y, 1), z = round(z, 1)
|
|
|
+| KEEP x, y, z, hire_date
|
|
|
+| SORT hire_date
|
|
|
+| LIMIT 12
|
|
|
+;
|
|
|
+
|
|
|
+ x:long | y:double | z:double | hire_date:date_nanos
|
|
|
+2 |null |1.9 |1985-02-18T00:00:00.000Z
|
|
|
+2 |null |1.9 |1985-02-18T00:00:00.000Z
|
|
|
+2 |null |2.0 |1985-02-24T00:00:00.000Z
|
|
|
+2 |null |2.0 |1985-02-24T00:00:00.000Z
|
|
|
+2 |3.3 |2.0 |1985-05-13T00:00:00.000Z
|
|
|
+2 |3.3 |2.0 |1985-05-13T00:00:00.000Z
|
|
|
+2 |0.2 |1.8 |1985-07-09T00:00:00.000Z
|
|
|
+2 |0.2 |1.8 |1985-07-09T00:00:00.000Z
|
|
|
+2 |3.6 |1.5 |1985-09-17T00:00:00.000Z
|
|
|
+2 |3.6 |1.5 |1985-09-17T00:00:00.000Z
|
|
|
+2 |-5.9 |1.8 |1985-10-14T00:00:00.000Z
|
|
|
+2 |-5.9 |1.8 |1985-10-14T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedFieldsInlinestats_ByDateNanosWithFilter
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| INLINESTATS x=count(emp_no::long) where hire_date > "1985-05-01", y=avg(salary_change::double) where hire_date > "1985-05-01", z=max(height::double) where hire_date > "1985-05-01" BY hire_date
|
|
|
+| EVAL y = round(y, 1), z = round(z, 1)
|
|
|
+| KEEP x, y, z, hire_date
|
|
|
+| SORT hire_date
|
|
|
+| LIMIT 10
|
|
|
+;
|
|
|
+
|
|
|
+ x:long | y:double | z:double | hire_date:date_nanos
|
|
|
+0 |null |null |1985-02-18T00:00:00.000Z
|
|
|
+0 |null |null |1985-02-18T00:00:00.000Z
|
|
|
+0 |null |null |1985-02-24T00:00:00.000Z
|
|
|
+0 |null |null |1985-02-24T00:00:00.000Z
|
|
|
+2 |3.3 |2.0 |1985-05-13T00:00:00.000Z
|
|
|
+2 |3.3 |2.0 |1985-05-13T00:00:00.000Z
|
|
|
+2 |0.2 |1.8 |1985-07-09T00:00:00.000Z
|
|
|
+2 |0.2 |1.8 |1985-07-09T00:00:00.000Z
|
|
|
+2 |3.6 |1.5 |1985-09-17T00:00:00.000Z
|
|
|
+2 |3.6 |1.5 |1985-09-17T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedMVFieldsInlinestats_MaxMin
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM date_nanos, date_nanos_union_types
|
|
|
+| INLINESTATS max = MAX(millis), min = MIN(nanos)
|
|
|
+| SORT millis DESC
|
|
|
+| LIMIT 5
|
|
|
+;
|
|
|
+
|
|
|
+warningRegex:evaluation of \[FROM .*date_nanos.*date_nanos_union_types.*\] failed, treating result as null. Only first 20 failures recorded.
|
|
|
+warningRegex:java.lang.IllegalArgumentException: milliSeconds \[-1457696696640\] are before the epoch in 1970 and cannot be converted to nanoseconds
|
|
|
+
|
|
|
+ millis:date_nanos | nanos:date_nanos | num:long | max:date_nanos | min:date_nanos
|
|
|
+2023-10-23T13:55:01.543123456Z|2023-10-23T13:55:01.543Z |1698069301543123456|2023-10-23T13:55:01.543123456Z|2023-01-23T13:55:01.543Z
|
|
|
+2023-10-23T13:55:01.543123456Z|2023-10-23T13:55:01.543Z |1698069301543123456|2023-10-23T13:55:01.543123456Z|2023-01-23T13:55:01.543Z
|
|
|
+2023-10-23T13:55:01.543Z |2023-10-23T13:55:01.543123456Z|1698069301543123456|2023-10-23T13:55:01.543123456Z|2023-01-23T13:55:01.543Z
|
|
|
+2023-10-23T13:53:55.832987654Z|2023-10-23T13:53:55.832Z |1698069235832987654|2023-10-23T13:55:01.543123456Z|2023-01-23T13:55:01.543Z
|
|
|
+2023-10-23T13:53:55.832Z |2023-10-23T13:53:55.832987654Z|1698069235832987654|2023-10-23T13:55:01.543123456Z|2023-01-23T13:55:01.543Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedMVFieldsInlinestats_Values
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM date_nanos, date_nanos_union_types
|
|
|
+| INLINESTATS c = MV_COUNT(VALUES(nanos))
|
|
|
+| SORT millis DESC
|
|
|
+| LIMIT 5
|
|
|
+;
|
|
|
+
|
|
|
+warningRegex:evaluation of \[FROM .*date_nanos.*date_nanos_union_types.*\] failed, treating result as null. Only first 20 failures recorded.
|
|
|
+warningRegex:java.lang.IllegalArgumentException: milliSeconds \[-1457696696640\] are before the epoch in 1970 and cannot be converted to nanoseconds
|
|
|
+
|
|
|
+ millis:date_nanos | nanos:date_nanos | num:long | c:integer
|
|
|
+2023-10-23T13:55:01.543123456Z|2023-10-23T13:55:01.543Z |1698069301543123456|19
|
|
|
+2023-10-23T13:55:01.543123456Z|2023-10-23T13:55:01.543Z |1698069301543123456|19
|
|
|
+2023-10-23T13:55:01.543Z |2023-10-23T13:55:01.543123456Z|1698069301543123456|19
|
|
|
+2023-10-23T13:53:55.832987654Z|2023-10-23T13:53:55.832Z |1698069235832987654|19
|
|
|
+2023-10-23T13:53:55.832Z |2023-10-23T13:53:55.832987654Z|1698069235832987654|19
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedDateTruncInlinestats_By-Ignore
|
|
|
+required_capability: inlinestats_v11
|
|
|
+// https://github.com/elastic/elasticsearch/issues/133973
|
|
|
+// optimized incorrectly due to missing references [$$emp_no$converted_to$long{f$}#
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| KEEP emp_no, hire_date
|
|
|
+| INLINESTATS c = count(emp_no::long) BY yr = DATE_TRUNC(1 year, hire_date)
|
|
|
+| SORT yr DESC
|
|
|
+| LIMIT 5
|
|
|
+;
|
|
|
+
|
|
|
+c:long | yr:date_nanos
|
|
|
+2 | 1999-01-01T00:00:00.000Z
|
|
|
+2 | 1997-01-01T00:00:00.000Z
|
|
|
+2 | 1996-01-01T00:00:00.000Z
|
|
|
+10 | 1995-01-01T00:00:00.000Z
|
|
|
+8 | 1994-01-01T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedDateTruncInlinestats_ByWithFilter-Ignore
|
|
|
+required_capability: inlinestats_v11
|
|
|
+// https://github.com/elastic/elasticsearch/issues/133973
|
|
|
+// optimized incorrectly due to missing references [$$emp_no$converted_to$long{f$}#
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| KEEP emp_no, hire_date
|
|
|
+| INLINESTATS c = count(emp_no::long) where hire_date > "1996-01-01" BY yr = DATE_TRUNC(1 year, hire_date)
|
|
|
+| SORT yr DESC
|
|
|
+| LIMIT 5
|
|
|
+;
|
|
|
+
|
|
|
+c:long | yr:date_nanos
|
|
|
+2 | 1999-01-01T00:00:00.000Z
|
|
|
+2 | 1997-01-01T00:00:00.000Z
|
|
|
+2 | 1996-01-01T00:00:00.000Z
|
|
|
+0 | 1995-01-01T00:00:00.000Z
|
|
|
+0 | 1994-01-01T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedDateTruncInlinestats_ByWithEval-Ignore
|
|
|
+required_capability: inlinestats_v11
|
|
|
+// https://github.com/elastic/elasticsearch/issues/133973
|
|
|
+// optimized incorrectly due to missing references [$$emp_no$converted_to$long{f$}#
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| KEEP emp_no, hire_date
|
|
|
+| EVAL yr = DATE_TRUNC(1 year, hire_date)
|
|
|
+| INLINESTATS c = count(emp_no::long) BY yr
|
|
|
+| SORT yr DESC
|
|
|
+| LIMIT 5
|
|
|
+;
|
|
|
+
|
|
|
+c:long | yr:date_nanos
|
|
|
+2 | 1999-01-01T00:00:00.000Z
|
|
|
+2 | 1997-01-01T00:00:00.000Z
|
|
|
+2 | 1996-01-01T00:00:00.000Z
|
|
|
+10 | 1995-01-01T00:00:00.000Z
|
|
|
+8 | 1994-01-01T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedDateTruncInlinestats_ByWithEvalWithFilter-Ignore
|
|
|
+required_capability: inlinestats_v11
|
|
|
+// https://github.com/elastic/elasticsearch/issues/133973
|
|
|
+// optimized incorrectly due to missing references [$$emp_no$converted_to$long{f$}#
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| KEEP emp_no, hire_date
|
|
|
+| EVAL yr = DATE_TRUNC(1 year, hire_date)
|
|
|
+| INLINESTATS c = count(emp_no::long) where hire_date > "1991-01-01" BY yr
|
|
|
+| SORT yr DESC
|
|
|
+| LIMIT 5
|
|
|
+;
|
|
|
+
|
|
|
+c:long | yr:date_nanos
|
|
|
+2 | 1999-01-01T00:00:00.000Z
|
|
|
+2 | 1997-01-01T00:00:00.000Z
|
|
|
+2 | 1996-01-01T00:00:00.000Z
|
|
|
+10 | 1995-01-01T00:00:00.000Z
|
|
|
+8 | 1994-01-01T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedBucketDateNanosByYear
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| KEEP emp_no, hire_date, gender
|
|
|
+| INLINESTATS c = count(*) BY yr = BUCKET(hire_date, 1 year)
|
|
|
+| SORT yr DESC, c, hire_date
|
|
|
+| LIMIT 10
|
|
|
+;
|
|
|
+
|
|
|
+emp_no:unsupported| hire_date:date_nanos |gender:unsupported| c:long | yr:date_nanos
|
|
|
+null |1999-04-30T00:00:00.000Z|null |2 |1999-01-01T00:00:00.000Z
|
|
|
+null |1999-04-30T00:00:00.000Z|null |2 |1999-01-01T00:00:00.000Z
|
|
|
+null |1997-05-19T00:00:00.000Z|null |2 |1997-01-01T00:00:00.000Z
|
|
|
+null |1997-05-19T00:00:00.000Z|null |2 |1997-01-01T00:00:00.000Z
|
|
|
+null |1996-11-05T00:00:00.000Z|null |2 |1996-01-01T00:00:00.000Z
|
|
|
+null |1996-11-05T00:00:00.000Z|null |2 |1996-01-01T00:00:00.000Z
|
|
|
+null |1995-01-27T00:00:00.000Z|null |10 |1995-01-01T00:00:00.000Z
|
|
|
+null |1995-01-27T00:00:00.000Z|null |10 |1995-01-01T00:00:00.000Z
|
|
|
+null |1995-03-13T00:00:00.000Z|null |10 |1995-01-01T00:00:00.000Z
|
|
|
+null |1995-03-13T00:00:00.000Z|null |10 |1995-01-01T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedBucketDateNanosByYearWithFilter
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| KEEP emp_no, hire_date, gender
|
|
|
+| INLINESTATS c = count(*) where hire_date > "1995-02-01" BY yr = BUCKET(hire_date, 1 year)
|
|
|
+| SORT yr DESC, c, hire_date
|
|
|
+| LIMIT 10
|
|
|
+;
|
|
|
+
|
|
|
+emp_no:unsupported| hire_date:date_nanos |gender:unsupported| c:long | yr:date_nanos
|
|
|
+null |1999-04-30T00:00:00.000Z|null |2 |1999-01-01T00:00:00.000Z
|
|
|
+null |1999-04-30T00:00:00.000Z|null |2 |1999-01-01T00:00:00.000Z
|
|
|
+null |1997-05-19T00:00:00.000Z|null |2 |1997-01-01T00:00:00.000Z
|
|
|
+null |1997-05-19T00:00:00.000Z|null |2 |1997-01-01T00:00:00.000Z
|
|
|
+null |1996-11-05T00:00:00.000Z|null |2 |1996-01-01T00:00:00.000Z
|
|
|
+null |1996-11-05T00:00:00.000Z|null |2 |1996-01-01T00:00:00.000Z
|
|
|
+null |1995-01-27T00:00:00.000Z|null |8 |1995-01-01T00:00:00.000Z
|
|
|
+null |1995-01-27T00:00:00.000Z|null |8 |1995-01-01T00:00:00.000Z
|
|
|
+null |1995-03-13T00:00:00.000Z|null |8 |1995-01-01T00:00:00.000Z
|
|
|
+null |1995-03-13T00:00:00.000Z|null |8 |1995-01-01T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedBucketDateNanosByMonth
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| INLINESTATS c = count(*) BY mo = BUCKET(hire_date, 20, "1986-01-01", "1999-12-31")
|
|
|
+| KEEP emp_no, hire_date, c, mo
|
|
|
+| SORT mo DESC, c, hire_date
|
|
|
+| LIMIT 10
|
|
|
+;
|
|
|
+
|
|
|
+emp_no:unsupported| hire_date:date_nanos | c:long | mo:date_nanos
|
|
|
+null |1999-04-30T00:00:00.000Z|2 |1999-01-01T00:00:00.000Z
|
|
|
+null |1999-04-30T00:00:00.000Z|2 |1999-01-01T00:00:00.000Z
|
|
|
+null |1997-05-19T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z
|
|
|
+null |1997-05-19T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z
|
|
|
+null |1996-11-05T00:00:00.000Z|2 |1996-01-01T00:00:00.000Z
|
|
|
+null |1996-11-05T00:00:00.000Z|2 |1996-01-01T00:00:00.000Z
|
|
|
+null |1995-01-27T00:00:00.000Z|10 |1995-01-01T00:00:00.000Z
|
|
|
+null |1995-01-27T00:00:00.000Z|10 |1995-01-01T00:00:00.000Z
|
|
|
+null |1995-03-13T00:00:00.000Z|10 |1995-01-01T00:00:00.000Z
|
|
|
+null |1995-03-13T00:00:00.000Z|10 |1995-01-01T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedBucketDateNanos_In_BothInlinestats_AndBy
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| INLINESTATS c = count(*), b = BUCKET(hire_date, 1 year) + 1 year BY yr = BUCKET(hire_date, 1 year)
|
|
|
+| SORT yr DESC, c, hire_date
|
|
|
+| KEEP emp_no, hire_date, c, b, yr
|
|
|
+| LIMIT 10
|
|
|
+;
|
|
|
+
|
|
|
+emp_no:unsupported| hire_date:date_nanos | c:long | b:date_nanos | yr:date_nanos
|
|
|
+null |1999-04-30T00:00:00.000Z|2 |2000-01-01T00:00:00.000Z|1999-01-01T00:00:00.000Z
|
|
|
+null |1999-04-30T00:00:00.000Z|2 |2000-01-01T00:00:00.000Z|1999-01-01T00:00:00.000Z
|
|
|
+null |1997-05-19T00:00:00.000Z|2 |1998-01-01T00:00:00.000Z|1997-01-01T00:00:00.000Z
|
|
|
+null |1997-05-19T00:00:00.000Z|2 |1998-01-01T00:00:00.000Z|1997-01-01T00:00:00.000Z
|
|
|
+null |1996-11-05T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z|1996-01-01T00:00:00.000Z
|
|
|
+null |1996-11-05T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z|1996-01-01T00:00:00.000Z
|
|
|
+null |1995-01-27T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z
|
|
|
+null |1995-01-27T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z
|
|
|
+null |1995-03-13T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z
|
|
|
+null |1995-03-13T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+ImplicitCastingMultiTypedBucketDateNanos_In_BothInlinestats_AndByWithAlias
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM employees, employees_incompatible
|
|
|
+| KEEP emp_no, hire_date
|
|
|
+| INLINESTATS c = count(*), b = yr + 1 year BY yr = BUCKET(hire_date, 1 year)
|
|
|
+| SORT hire_date DESC
|
|
|
+| LIMIT 10
|
|
|
+;
|
|
|
+
|
|
|
+emp_no:unsupported| hire_date:date_nanos | c:long | b:date_nanos | yr:date_nanos
|
|
|
+null |1999-04-30T00:00:00.000Z|2 |2000-01-01T00:00:00.000Z|1999-01-01T00:00:00.000Z
|
|
|
+null |1999-04-30T00:00:00.000Z|2 |2000-01-01T00:00:00.000Z|1999-01-01T00:00:00.000Z
|
|
|
+null |1997-05-19T00:00:00.000Z|2 |1998-01-01T00:00:00.000Z|1997-01-01T00:00:00.000Z
|
|
|
+null |1997-05-19T00:00:00.000Z|2 |1998-01-01T00:00:00.000Z|1997-01-01T00:00:00.000Z
|
|
|
+null |1996-11-05T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z|1996-01-01T00:00:00.000Z
|
|
|
+null |1996-11-05T00:00:00.000Z|2 |1997-01-01T00:00:00.000Z|1996-01-01T00:00:00.000Z
|
|
|
+null |1995-12-15T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z
|
|
|
+null |1995-12-15T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z
|
|
|
+null |1995-08-22T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z
|
|
|
+null |1995-08-22T00:00:00.000Z|10 |1996-01-01T00:00:00.000Z|1995-01-01T00:00:00.000Z
|
|
|
+;
|
|
|
+
|
|
|
+multiInlinestatsWithUnionTypes1
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL one_ip = client_ip::ip
|
|
|
+| INLINESTATS count1=count(client_ip::ip), count2=count(one_ip), max(one_ip), min(client_ip::ip)
|
|
|
+| SORT @timestamp
|
|
|
+| LIMIT 3
|
|
|
+;
|
|
|
+
|
|
|
+ @timestamp:date |client_ip:unsupported|event_duration:long| message:keyword | one_ip:ip | count1:long| count2:long|max(one_ip):ip |min(client_ip::ip):ip
|
|
|
+2023-10-23T12:15:03.360Z|null |3450233 |Connected to 10.1.0.3|172.21.2.162 |14 |14 |172.21.3.15 |172.21.0.5
|
|
|
+2023-10-23T12:15:03.360Z|null |3450233 |Connected to 10.1.0.3|172.21.2.162 |14 |14 |172.21.3.15 |172.21.0.5
|
|
|
+2023-10-23T12:27:28.948Z|null |2764889 |Connected to 10.1.0.2|172.21.2.113 |14 |14 |172.21.3.15 |172.21.0.5
|
|
|
+;
|
|
|
+
|
|
|
+multiInlinestatsWithUnionTypes2
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL one_ip = client_ip::ip
|
|
|
+| INLINESTATS count1=count(client_ip::ip), count2=count(one_ip), max=max(one_ip), min=min(client_ip::ip)
|
|
|
+| RENAME one_ip AS client_ip
|
|
|
+| INLINESTATS max(event_duration) BY client_ip
|
|
|
+| SORT @timestamp
|
|
|
+| LIMIT 5
|
|
|
+;
|
|
|
+
|
|
|
+@timestamp:date | event_duration:long | message:keyword | count1:long | count2:long | max:ip | min:ip | max(event_duration):long| client_ip:ip
|
|
|
+2023-10-23T12:15:03.360Z| 3450233 | Connected to 10.1.0.3 | 14 | 14 | 172.21.3.15 | 172.21.0.5 | 3450233 | 172.21.2.162
|
|
|
+2023-10-23T12:15:03.360Z| 3450233 | Connected to 10.1.0.3 | 14 | 14 | 172.21.3.15 | 172.21.0.5 | 3450233 | 172.21.2.162
|
|
|
+2023-10-23T12:27:28.948Z| 2764889 | Connected to 10.1.0.2 | 14 | 14 | 172.21.3.15 | 172.21.0.5 | 2764889 | 172.21.2.113
|
|
|
+2023-10-23T12:27:28.948Z| 2764889 | Connected to 10.1.0.2 | 14 | 14 | 172.21.3.15 | 172.21.0.5 | 2764889 | 172.21.2.113
|
|
|
+2023-10-23T13:33:34.937Z| 1232382 | Disconnected | 14 | 14 | 172.21.3.15 | 172.21.0.5 | 1232382 | 172.21.0.5
|
|
|
+;
|
|
|
+
|
|
|
+multiInlinestatsWithUnionTypes3
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL one_ip = client_ip::ip
|
|
|
+| INLINESTATS avg_duration = AVG(event_duration) BY one_ip
|
|
|
+| RENAME one_ip AS client_ip
|
|
|
+| WHERE CIDR_MATCH(client_ip, "172.21.2.0/24")
|
|
|
+| INLINESTATS count1=count(client_ip::ip), count2=count(client_ip), max=max(client_ip), min=min(client_ip::ip)
|
|
|
+| INLINESTATS avg_total_duration = AVG(event_duration)
|
|
|
+| SORT @timestamp
|
|
|
+;
|
|
|
+
|
|
|
+@timestamp:date | event_duration:long| message:keyword | avg_duration:double| client_ip:ip | count1:long | count2:long | max:ip | min:ip | avg_total_duration:double
|
|
|
+2023-10-23T12:15:03.360Z | 3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162 | 4 | 4 | 172.21.2.162 | 172.21.2.113 | 3107561.0
|
|
|
+2023-10-23T12:15:03.360Z | 3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162 | 4 | 4 | 172.21.2.162 | 172.21.2.113 | 3107561.0
|
|
|
+2023-10-23T12:27:28.948Z | 2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113 | 4 | 4 | 172.21.2.162 | 172.21.2.113 | 3107561.0
|
|
|
+2023-10-23T12:27:28.948Z | 2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113 | 4 | 4 | 172.21.2.162 | 172.21.2.113 | 3107561.0
|
|
|
+;
|
|
|
+
|
|
|
+unionTypeDroppedBeforeInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL one_ip = client_ip::ip
|
|
|
+| DROP one_ip
|
|
|
+| INLINESTATS avg(event_duration) BY client_ip::ip
|
|
|
+| SORT @timestamp
|
|
|
+;
|
|
|
+
|
|
|
+@timestamp:date | client_ip:unsupported | event_duration:long| message:keyword | avg(event_duration):double| client_ip::ip:ip
|
|
|
+2023-10-23T12:15:03.360Z | null | 3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162
|
|
|
+2023-10-23T12:15:03.360Z | null | 3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162
|
|
|
+2023-10-23T12:27:28.948Z | null | 2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113
|
|
|
+2023-10-23T12:27:28.948Z | null | 2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113
|
|
|
+2023-10-23T13:33:34.937Z | null | 1232382 | Disconnected | 1232382.0 | 172.21.0.5
|
|
|
+2023-10-23T13:33:34.937Z | null | 1232382 | Disconnected | 1232382.0 | 172.21.0.5
|
|
|
+2023-10-23T13:51:54.732Z | null | 725448 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+2023-10-23T13:51:54.732Z | null | 725448 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+2023-10-23T13:52:55.015Z | null | 8268153 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+2023-10-23T13:52:55.015Z | null | 8268153 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+2023-10-23T13:53:55.832Z | null | 5033755 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+2023-10-23T13:53:55.832Z | null | 5033755 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+2023-10-23T13:55:01.543Z | null | 1756467 | Connected to 10.1.0.1 | 3945955.75 | 172.21.3.15
|
|
|
+2023-10-23T13:55:01.543Z | null | 1756467 | Connected to 10.1.0.1 | 3945955.75 | 172.21.3.15
|
|
|
+;
|
|
|
+
|
|
|
+inlinestatsWithUnionTypesAs_InlinestatsCondition
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL temp_ip = client_ip::ip
|
|
|
+| EVAL ip1 = CIDR_MATCH(temp_ip, "172.21.2.0/24"), ip2 = CIDR_MATCH(temp_ip, "172.21.0.0/24"), ip3 = CIDR_MATCH(temp_ip, "172.21.3.0/24")
|
|
|
+| EVAL client_ip = temp_ip
|
|
|
+| INLINESTATS avg_ip1 = avg(event_duration) WHERE ip1
|
|
|
+| DROP client_ip
|
|
|
+| INLINESTATS avg_ip2 = avg(event_duration) WHERE ip2, avg_ip3 = avg(event_duration) WHERE ip3
|
|
|
+| SORT @timestamp
|
|
|
+| DROP @timestamp
|
|
|
+;
|
|
|
+
|
|
|
+event_duration:long | message:keyword | temp_ip:ip | ip1:boolean | ip2:boolean | ip3:boolean | avg_ip1:double | avg_ip2:double | avg_ip3:double
|
|
|
+3450233 | Connected to 10.1.0.3 | 172.21.2.162 | true | false | false | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+3450233 | Connected to 10.1.0.3 | 172.21.2.162 | true | false | false | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+2764889 | Connected to 10.1.0.2 | 172.21.2.113 | true | false | false | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+2764889 | Connected to 10.1.0.2 | 172.21.2.113 | true | false | false | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+1232382 | Disconnected | 172.21.0.5 | false | true | false | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+1232382 | Disconnected | 172.21.0.5 | false | true | false | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+725448 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+725448 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+8268153 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+8268153 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+5033755 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+5033755 | Connection error | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+1756467 | Connected to 10.1.0.1 | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+1756467 | Connected to 10.1.0.1 | 172.21.3.15 | false | false | true | 3107561.0 | 1232382.0 | 3945955.75
|
|
|
+;
|
|
|
+
|
|
|
+inlinestatsWithOverwrittenUnionType
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL client_ip = client_ip::ip
|
|
|
+| EVAL client_ip = 123
|
|
|
+| INLINESTATS a = avg(event_duration) BY client_ip::integer
|
|
|
+| SORT @timestamp
|
|
|
+;
|
|
|
+
|
|
|
+@timestamp:date | event_duration:long | message:keyword | client_ip:integer | a:double | client_ip::integer:integer
|
|
|
+2023-10-23T12:15:03.360Z | 3450233 | Connected to 10.1.0.3 | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T12:15:03.360Z | 3450233 | Connected to 10.1.0.3 | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T12:27:28.948Z | 2764889 | Connected to 10.1.0.2 | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T12:27:28.948Z | 2764889 | Connected to 10.1.0.2 | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T13:33:34.937Z | 1232382 | Disconnected | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T13:33:34.937Z | 1232382 | Disconnected | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T13:51:54.732Z | 725448 | Connection error | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T13:51:54.732Z | 725448 | Connection error | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T13:52:55.015Z | 8268153 | Connection error | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T13:52:55.015Z | 8268153 | Connection error | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T13:53:55.832Z | 5033755 | Connection error | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T13:53:55.832Z | 5033755 | Connection error | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T13:55:01.543Z | 1756467 | Connected to 10.1.0.1 | 123 | 3318761.0 | 123
|
|
|
+2023-10-23T13:55:01.543Z | 1756467 | Connected to 10.1.0.1 | 123 | 3318761.0 | 123
|
|
|
+;
|
|
|
+
|
|
|
+overwriteAndDropUnionTypeBeforeInlinestats
|
|
|
+required_capability: inlinestats_v11
|
|
|
+
|
|
|
+FROM sample_data, sample_data_str
|
|
|
+| EVAL temp = client_ip::string
|
|
|
+| EVAL client_ip = temp
|
|
|
+| DROP temp
|
|
|
+| INLINESTATS avg(event_duration) BY client_ip
|
|
|
+| SORT @timestamp
|
|
|
+| DROP @timestamp
|
|
|
+;
|
|
|
+
|
|
|
+event_duration:long| message:keyword | avg(event_duration):double| client_ip:string
|
|
|
+3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162
|
|
|
+3450233 | Connected to 10.1.0.3 | 3450233.0 | 172.21.2.162
|
|
|
+2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113
|
|
|
+2764889 | Connected to 10.1.0.2 | 2764889.0 | 172.21.2.113
|
|
|
+1232382 | Disconnected | 1232382.0 | 172.21.0.5
|
|
|
+1232382 | Disconnected | 1232382.0 | 172.21.0.5
|
|
|
+725448 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+725448 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+8268153 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+8268153 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+5033755 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+5033755 | Connection error | 3945955.75 | 172.21.3.15
|
|
|
+1756467 | Connected to 10.1.0.1 | 3945955.75 | 172.21.3.15
|
|
|
+1756467 | Connected to 10.1.0.1 | 3945955.75 | 172.21.3.15
|
|
|
+;
|
Andrei Stefan