diff --git a/test/functional/apps/dashboard/group2/dashboard_filtering.ts b/test/functional/apps/dashboard/group2/dashboard_filtering.ts index 24f276b831036..92f89280e7f90 100644 --- a/test/functional/apps/dashboard/group2/dashboard_filtering.ts +++ b/test/functional/apps/dashboard/group2/dashboard_filtering.ts @@ -28,7 +28,8 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const dashboardPanelActions = getService('dashboardPanelActions'); const PageObjects = getPageObjects(['common', 'dashboard', 'header', 'visualize', 'timePicker']); - describe('dashboard filtering', function () { + // Failing: See https://github.com/elastic/kibana/issues/160062 + describe.skip('dashboard filtering', function () { const populateDashboard = async () => { await PageObjects.dashboard.clickNewDashboard(); await PageObjects.timePicker.setDefaultDataRange(); diff --git a/x-pack/plugins/observability_solution/dataset_quality/common/api_types.ts b/x-pack/plugins/observability_solution/dataset_quality/common/api_types.ts index 4dac346e2a26a..c953d4589c614 100644 --- a/x-pack/plugins/observability_solution/dataset_quality/common/api_types.ts +++ b/x-pack/plugins/observability_solution/dataset_quality/common/api_types.ts @@ -70,8 +70,9 @@ export const getIntegrationsResponseRt = rt.exact( export const degradedDocsRt = rt.type({ dataset: rt.string, - percentage: rt.number, count: rt.number, + totalDocs: rt.number, + percentage: rt.number, }); export type DegradedDocs = rt.TypeOf; diff --git a/x-pack/plugins/observability_solution/dataset_quality/server/routes/data_streams/get_degraded_docs.ts b/x-pack/plugins/observability_solution/dataset_quality/server/routes/data_streams/get_degraded_docs.ts index fbfb6791abf6c..246d572ec8036 100644 --- a/x-pack/plugins/observability_solution/dataset_quality/server/routes/data_streams/get_degraded_docs.ts +++ b/x-pack/plugins/observability_solution/dataset_quality/server/routes/data_streams/get_degraded_docs.ts @@ -18,17 +18,22 @@ import { } from '../../../common/es_fields'; import { createDatasetQualityESClient, wildcardQuery } from '../../utils'; +interface ResultBucket { + dataset: string; + count: number; +} + export async function getDegradedDocsPaginated(options: { esClient: ElasticsearchClient; type?: DataStreamType; - start?: number; - end?: number; + start: number; + end: number; datasetQuery?: string; after?: { - dataset: string; - namespace: string; + degradedDocs?: { dataset: string; namespace: string }; + totalDocs?: { dataset: string; namespace: string }; }; - prevResults?: DegradedDocs[]; + prevResults?: { degradedDocs: ResultBucket[]; totalDocs: ResultBucket[] }; }): Promise { const { esClient, @@ -37,61 +42,84 @@ export async function getDegradedDocsPaginated(options: { start, end, after, - prevResults = [], + prevResults = { degradedDocs: [], totalDocs: [] }, } = options; const datasetQualityESClient = createDatasetQualityESClient(esClient); - const response = await datasetQualityESClient.search({ - index: '*', - size: 0, - query: { - bool: { - ...(datasetQuery - ? { - should: [ - ...wildcardQuery(DATA_STREAM_DATASET, datasetQuery), - ...wildcardQuery(DATA_STREAM_NAMESPACE, datasetQuery), - ], - minimum_should_match: 1, - } - : {}), - filter: [...rangeQuery(start, end), ...termQuery(DATA_STREAM_TYPE, type)], + const datasetFilter = { + ...(datasetQuery + ? { + should: [ + ...wildcardQuery(DATA_STREAM_DATASET, datasetQuery), + ...wildcardQuery(DATA_STREAM_NAMESPACE, datasetQuery), + ], + minimum_should_match: 1, + } + : {}), + }; + + const otherFilters = [...rangeQuery(start, end), ...termQuery(DATA_STREAM_TYPE, type)]; + + const aggs = (afterKey?: { dataset: string; namespace: string }) => ({ + datasets: { + composite: { + ...(afterKey ? { after: afterKey } : {}), + size: 10000, + sources: [ + { dataset: { terms: { field: 'data_stream.dataset' } } }, + { namespace: { terms: { field: 'data_stream.namespace' } } }, + ], }, }, - aggs: { - datasets: { - composite: { - ...(after ? { after } : {}), - size: 10000, - sources: [ - { dataset: { terms: { field: DATA_STREAM_DATASET } } }, - { namespace: { terms: { field: DATA_STREAM_NAMESPACE } } }, - ], + }); + + const response = await datasetQualityESClient.msearch({ index: `${type}-*` }, [ + // degraded docs per dataset + { + size: 0, + query: { + bool: { + ...datasetFilter, + filter: otherFilters, + must: { exists: { field: _IGNORED } }, }, - aggs: { - degraded: { - filter: { - exists: { - field: _IGNORED, - }, - }, - }, + }, + aggs: aggs(after?.degradedDocs), + }, + // total docs per dataset + { + size: 0, + query: { + bool: { + ...datasetFilter, + filter: otherFilters, }, }, + aggs: aggs(after?.totalDocs), }, - }); + ]); const currDegradedDocs = - response.aggregations?.datasets.buckets.map((bucket) => ({ + response.responses[0].aggregations?.datasets.buckets.map((bucket) => ({ dataset: `${type}-${bucket.key.dataset}-${bucket.key.namespace}`, - percentage: (bucket.degraded.doc_count * 100) / bucket.doc_count, - count: bucket.degraded.doc_count, + count: bucket.doc_count, })) ?? []; - const degradedDocs = [...prevResults, ...currDegradedDocs]; + const degradedDocs = [...prevResults.degradedDocs, ...currDegradedDocs]; + + const currTotalDocs = + response.responses[1].aggregations?.datasets.buckets.map((bucket) => ({ + dataset: `${type}-${bucket.key.dataset}-${bucket.key.namespace}`, + count: bucket.doc_count, + })) ?? []; - if (response.aggregations?.datasets.after_key) { + const totalDocs = [...prevResults.totalDocs, ...currTotalDocs]; + + if ( + response.responses[0].aggregations?.datasets.after_key || + response.responses[1].aggregations?.datasets.after_key + ) { return getDegradedDocsPaginated({ esClient, type, @@ -99,12 +127,37 @@ export async function getDegradedDocsPaginated(options: { end, datasetQuery, after: { - dataset: response.aggregations?.datasets.after_key.dataset as string, - namespace: response.aggregations?.datasets.after_key.namespace as string, + degradedDocs: + (response.responses[0].aggregations?.datasets.after_key as { + dataset: string; + namespace: string; + }) || after?.degradedDocs, + totalDocs: + (response.responses[1].aggregations?.datasets.after_key as { + dataset: string; + namespace: string; + }) || after?.totalDocs, }, - prevResults: degradedDocs, + prevResults: { degradedDocs, totalDocs }, }); } - return degradedDocs; + const degradedDocsMap = degradedDocs.reduce( + (acc, curr) => ({ + ...acc, + [curr.dataset]: curr.count, + }), + {} + ); + + return totalDocs.map((curr) => { + const degradedDocsCount = degradedDocsMap[curr.dataset as keyof typeof degradedDocsMap] || 0; + + return { + ...curr, + totalDocs: curr.count, + count: degradedDocsCount, + percentage: (degradedDocsCount / curr.count) * 100, + }; + }); } diff --git a/x-pack/plugins/observability_solution/dataset_quality/server/routes/data_streams/routes.ts b/x-pack/plugins/observability_solution/dataset_quality/server/routes/data_streams/routes.ts index 6dd8590c91f0b..3ad5a103f4313 100644 --- a/x-pack/plugins/observability_solution/dataset_quality/server/routes/data_streams/routes.ts +++ b/x-pack/plugins/observability_solution/dataset_quality/server/routes/data_streams/routes.ts @@ -66,7 +66,7 @@ const degradedDocsRoute = createDatasetQualityServerRoute({ endpoint: 'GET /internal/dataset_quality/data_streams/degraded_docs', params: t.type({ query: t.intersection([ - t.partial(rangeRt.props), + rangeRt, typeRt, t.partial({ datasetQuery: t.string, diff --git a/x-pack/plugins/observability_solution/dataset_quality/server/utils/create_dataset_quality_es_client.ts b/x-pack/plugins/observability_solution/dataset_quality/server/utils/create_dataset_quality_es_client.ts index 455308a7d91c3..d2c95ebbf0dbf 100644 --- a/x-pack/plugins/observability_solution/dataset_quality/server/utils/create_dataset_quality_es_client.ts +++ b/x-pack/plugins/observability_solution/dataset_quality/server/utils/create_dataset_quality_es_client.ts @@ -7,6 +7,7 @@ import { ESSearchRequest, InferSearchResponseOf } from '@kbn/es-types'; import { ElasticsearchClient } from '@kbn/core/server'; +import { Indices } from '@elastic/elasticsearch/lib/api/types'; type DatasetQualityESSearchParams = ESSearchRequest & { size: number; @@ -21,5 +22,15 @@ export function createDatasetQualityESClient(esClient: ElasticsearchClient) { ): Promise> { return esClient.search(searchParams) as Promise; }, + async msearch( + index = {} as { index?: Indices }, + searches: TParams[] + ): Promise<{ + responses: Array>; + }> { + return esClient.msearch({ + searches: searches.map((search) => [index, search]).flat(), + }) as Promise; + }, }; } diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.test.ts b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.test.ts index dd21e8d082eb9..ffb26e035cf0f 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.test.ts +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.test.ts @@ -25,6 +25,9 @@ describe('correctCommonEsqlMistakes', () => { it('replaces aliasing via the AS keyword with the = operator', () => { expectQuery(`FROM logs-* | STATS COUNT() AS count`, 'FROM logs-*\n| STATS count = COUNT()'); + + expectQuery(`FROM logs-* | STATS COUNT() as count`, 'FROM logs-*\n| STATS count = COUNT()'); + expectQuery( `FROM logs-* | STATS AVG(transaction.duration.histogram) AS avg_request_latency, PERCENTILE(transaction.duration.histogram, 95) AS p95`, `FROM logs-* @@ -42,11 +45,33 @@ describe('correctCommonEsqlMistakes', () => { }); it(`replaces " or ' escaping in FROM statements with backticks`, () => { - expectQuery(`FROM "logs-*" | LIMIT 10`, 'FROM `logs-*`\n| LIMIT 10'); - expectQuery(`FROM 'logs-*' | LIMIT 10`, 'FROM `logs-*`\n| LIMIT 10'); + expectQuery(`FROM "logs-*" | LIMIT 10`, 'FROM logs-*\n| LIMIT 10'); + expectQuery(`FROM 'logs-*' | LIMIT 10`, 'FROM logs-*\n| LIMIT 10'); expectQuery(`FROM logs-* | LIMIT 10`, 'FROM logs-*\n| LIMIT 10'); }); + it('replaces = as equal operator with ==', () => { + expectQuery( + `FROM logs-*\n| WHERE service.name = "foo"`, + `FROM logs-*\n| WHERE service.name == "foo"` + ); + + expectQuery( + `FROM logs-*\n| WHERE service.name = "foo" AND service.environment = "bar"`, + `FROM logs-*\n| WHERE service.name == "foo" AND service.environment == "bar"` + ); + + expectQuery( + `FROM logs-*\n| WHERE (service.name = "foo" AND service.environment = "bar") OR agent.name = "baz"`, + `FROM logs-*\n| WHERE (service.name == "foo" AND service.environment == "bar") OR agent.name == "baz"` + ); + + expectQuery( + `FROM logs-*\n| WHERE \`what=ever\` = "foo=bar"`, + `FROM logs-*\n| WHERE \`what=ever\` == "foo=bar"` + ); + }); + it('replaces single-quote escaped strings with double-quote escaped strings', () => { expectQuery( `FROM nyc_taxis @@ -102,7 +127,7 @@ describe('correctCommonEsqlMistakes', () => { | EVAL "@timestamp" = TO_DATETIME(timestamp) | WHERE statement LIKE 'SELECT%' | STATS avg_duration = AVG(duration)`, - `FROM \`postgres-logs*\` + `FROM postgres-logs* | GROK message "%{TIMESTAMP_ISO8601:timestamp} %{TZ} \[%{NUMBER:process_id}\]: \[%{NUMBER:log_line}\] user=%{USER:user},db=%{USER:database},app=\[%{DATA:application}\],client=%{IP:client_ip} LOG: duration: %{NUMBER:duration:float} ms statement: %{GREEDYDATA:statement}" | EVAL @timestamp = TO_DATETIME(timestamp) | WHERE statement LIKE "SELECT%" diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.ts b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.ts index 01d6e67fe217a..4c20f979a42d7 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.ts +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.ts @@ -62,7 +62,7 @@ function split(value: string, splitToken: string) { return statements; } -function splitIntoCommands(query: string) { +export function splitIntoCommands(query: string) { const commands: string[] = split(query, '|'); return commands.map((command) => { @@ -93,8 +93,8 @@ function removeColumnQuotesAndEscape(column: string) { function replaceAsKeywordWithAssignments(command: string) { return command.replaceAll(/^STATS\s*(.*)/g, (__, statsOperations: string) => { return `STATS ${statsOperations.replaceAll( - /(,\s*)?(.*?)\sAS\s([`a-zA-Z0-9.\-_]+)/g, - '$1$3 = $2' + /(,\s*)?(.*?)\s(AS|as)\s([`a-zA-Z0-9.\-_]+)/g, + '$1$4 = $2' )}`; }); } @@ -196,6 +196,30 @@ function escapeExpressionsInSort(sortCommand: string) { return `SORT ${columnsInSort.join(', ')}`; } +function ensureEqualityOperators(whereCommand: string) { + const body = whereCommand.split(/^WHERE /)[1]; + + const byChar = body.split(''); + + let next = ''; + let isColumnName = false; + byChar.forEach((char, index) => { + next += char; + + if (!isColumnName && char === '=' && byChar[index - 1] === ' ' && byChar[index + 1] === ' ') { + next += '='; + } + + if (!isColumnName && (char === '`' || char.match(/[a-z@]/i))) { + isColumnName = true; + } else if (isColumnName && (char === '`' || !char.match(/[a-z@0-9]/i))) { + isColumnName = false; + } + }); + + return `WHERE ${next}`; +} + export function correctCommonEsqlMistakes(content: string, log: Logger) { return content.replaceAll(/```esql\n(.*?)\n```/gms, (_, query: string) => { const commands = splitIntoCommands(query.trim()); @@ -206,12 +230,14 @@ export function correctCommonEsqlMistakes(content: string, log: Logger) { switch (name) { case 'FROM': formattedCommand = formattedCommand - .replaceAll(/FROM "(.*)"/g, 'FROM `$1`') - .replaceAll(/FROM '(.*)'/g, 'FROM `$1`'); + .replaceAll(/FROM "(.*)"/g, 'FROM $1') + .replaceAll(/FROM '(.*)'/g, 'FROM $1') + .replaceAll(/FROM `(.*)`/g, 'FROM $1'); break; case 'WHERE': formattedCommand = replaceSingleQuotesWithDoubleQuotes(formattedCommand); + formattedCommand = ensureEqualityOperators(formattedCommand); break; case 'EVAL': diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-bucket.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-bucket.txt index f0ed22f2db166..d74334af52ed7 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-bucket.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-bucket.txt @@ -1,7 +1,6 @@ BUCKET Syntax -BUCKET(expression, buckets, from, to) Parameters field Numeric or date expression from which to derive buckets. @@ -11,73 +10,94 @@ from Start of the range. Can be a number or a date expressed as a string. to End of the range. Can be a number or a date expressed as a string. -DescriptionCreates human-friendly buckets and returns a value for each row that corresponds -to the resulting bucket the row falls into.Using a target number of buckets, a start of a range, and an end of a range, -BUCKET picks an appropriate bucket size to generate the target number of -buckets or fewer. For example, asking for at most 20 buckets over a year results -in monthly buckets: +DescriptionCreates groups of values - buckets - out of a datetime or numeric input. The size of the buckets can either be provided directly, or chosen based on a recommended count and values range.Supported types +ExamplesBUCKET can work in two modes: one in which the size of the bucket is computed +based on a buckets count recommendation (four parameters) and a range, and +another in which the bucket size is provided directly (two parameters).Using a target number of buckets, a start of a range, and an end of a range, +BUCKET picks an appropriate bucket size to generate the target number of buckets or fewer. +For example, asking for at most 20 buckets over a year results in monthly buckets: ```esql FROM employees | WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z" -| EVAL month = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z") -| KEEP hire_date, month +| STATS hire_date = MV_SORT(VALUES(hire_date)) BY month = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z") | SORT hire_date ``` -The goal isn’t to provide exactly the target number of buckets, it’s to pick a -range that people are comfortable with that provides at most the target number -of buckets.Combine BUCKET with -STATS ... BY to create a histogram: +The goal isn’t to provide exactly the target number of buckets, +it’s to pick a range that people are comfortable with that provides at most the target number of buckets.Combine BUCKET with an aggregation to create a histogram: ```esql FROM employees | WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z" -| EVAL month = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z") -| STATS hires_per_month = COUNT(*) BY month +| STATS hires_per_month = COUNT(*) BY month = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z") | SORT month ``` BUCKET does not create buckets that don’t match any documents. That’s why this example is missing 1985-03-01 and other dates. -Asking for more buckets can result in a smaller range. For example, asking for -at most 100 buckets in a year results in weekly buckets: +Asking for more buckets can result in a smaller range. +For example, asking for at most 100 buckets in a year results in weekly buckets: ```esql FROM employees | WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z" -| EVAL week = BUCKET(hire_date, 100, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z") -| STATS hires_per_week = COUNT(*) BY week +| STATS hires_per_week = COUNT(*) BY week = BUCKET(hire_date, 100, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z") | SORT week ``` -BUCKET does not filter any rows. It only uses the provided range to -pick a good bucket size. For rows with a value outside of the range, it returns -a bucket value that corresponds to a bucket outside the range. Combine -BUCKET with WHERE to filter rows. -BUCKET can also operate on numeric fields. For example, to create a -salary histogram: +BUCKET does not filter any rows. It only uses the provided range to pick a good bucket size. +For rows with a value outside of the range, it returns a bucket value that corresponds to a bucket outside the range. +Combine`BUCKET` with WHERE to filter rows. +If the desired bucket size is known in advance, simply provide it as the second +argument, leaving the range out: ```esql FROM employees -| EVAL bs = BUCKET(salary, 20, 25324, 74999) -| STATS COUNT(*) by bs +| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z" +| STATS hires_per_week = COUNT(*) BY week = BUCKET(hire_date, 1 week) +| SORT week +``` + +When providing the bucket size as the second parameter, it must be a time +duration or date period. +BUCKET can also operate on numeric fields. For example, to create a salary histogram: +```esql +FROM employees +| STATS COUNT(*) by bs = BUCKET(salary, 20, 25324, 74999) | SORT bs ``` -Unlike the earlier example that intentionally filters on a date range, you -rarely want to filter on a numeric range. You have to find the min and max -separately. ES|QL doesn’t yet have an easy way to do that automatically.ExamplesCreate hourly buckets for the last 24 hours, and calculate the number of events -per hour: +Unlike the earlier example that intentionally filters on a date range, you rarely want to filter on a numeric range. +You have to find the min and max separately. ES|QL doesn’t yet have an easy way to do that automatically.The range can be omitted if the desired bucket size is known in advance. Simply +provide it as the second argument: +```esql +FROM employees +| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z" +| STATS c = COUNT(1) BY b = BUCKET(salary, 5000.) +| SORT b +``` + +When providing the bucket size as the second parameter, it must be +of a floating point type. +Create hourly buckets for the last 24 hours, and calculate the number of events per hour: ```esql FROM sample_data | WHERE @timestamp >= NOW() - 1 day and @timestamp < NOW() -| EVAL bucket = BUCKET(@timestamp, 25, NOW() - 1 day, NOW()) -| STATS COUNT(*) BY bucket +| STATS COUNT(*) BY bucket = BUCKET(@timestamp, 25, NOW() - 1 day, NOW()) ``` -Create monthly buckets for the year 1985, and calculate the average salary by -hiring month: +Create monthly buckets for the year 1985, and calculate the average salary by hiring month ```esql FROM employees | WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z" -| EVAL bucket = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z") -| STATS AVG(salary) BY bucket +| STATS AVG(salary) BY bucket = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z") | SORT bucket ``` + +BUCKET may be used in both the aggregating and grouping part of the +STATS …​ BY …​ command provided that in the aggregating +part the function is referenced by an alias defined in the +grouping part, or that it is invoked with the exact same expression: +```esql +FROM employees +| STATS s1 = b1 + 1, s2 = BUCKET(salary / 1000 + 999, 50.) + 2 BY b1 = BUCKET(salary / 100 + 99, 50.), b2 = BUCKET(salary / 1000 + 999, 50.) +| SORT b1, b2 +| KEEP s1, b1, s2, b2 +``` diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-cast-(::).txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-cast-(::).txt new file mode 100644 index 0000000000000..b9b860de2ed0b --- /dev/null +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-cast-(::).txt @@ -0,0 +1,7 @@ +Cast (::) + +The :: operator provides a convenient alternative syntax to the TO_ +conversion functions. +```esql +ROW ver = CONCAT(("0"::INT + 1)::STRING, ".2.3")::VERSION +``` diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-concat.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-concat.txt index 6e5c1ba1b69f6..b58d7e13649f7 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-concat.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-concat.txt @@ -1,11 +1,13 @@ CONCAT Syntax -CONCAT(string1, string2[, ..., stringN]) Parameters -stringX +string1 Strings to concatenate. -DescriptionConcatenates two or more strings.Example +string2 +Strings to concatenate. +DescriptionConcatenates two or more strings.Supported types +Example ```esql FROM employees | KEEP first_name, last_name diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_diff.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_diff.txt index 1d9de78792c1a..b93f502498591 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_diff.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_diff.txt @@ -3,15 +3,17 @@ DATE_DIFF Syntax Parameters unit -Time difference unit. +Time difference unit startTimestamp -Start timestamp. +A string representing a start timestamp endTimestamp -End timestamp. -DescriptionSubtracts the startTimestamp from the endTimestamp and returns the -difference in multiples of unit. If startTimestamp is later than the -endTimestamp, negative values are returned. -Supported types +A string representing an end timestamp +DescriptionSubtracts the startTimestamp from the endTimestamp and returns the difference in multiples of unit. If startTimestamp is later than the endTimestamp, negative values are returned. +Note that while there is an overlap between the function’s supported units and +ES|QL’s supported time span literals, these sets are distinct and not +interchangeable. Similarly, the supported abbreviations are conveniently shared +with implementations of this function in other established products and not +necessarily common with the date-time nomenclature used by Elasticsearch.Supported types Example ```esql ROW date1 = TO_DATETIME("2023-12-02T11:00:00.000Z"), date2 = TO_DATETIME("2023-12-02T11:00:00.001Z") diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_extract.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_extract.txt index 0ea53cb38d1f9..0debd6f2eeb51 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_extract.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_extract.txt @@ -1,30 +1,19 @@ DATE_EXTRACT Syntax -DATE_EXTRACT(date_part, date) Parameters -date_part -Part of the date to extract. Can be: aligned_day_of_week_in_month, -aligned_day_of_week_in_year, aligned_week_of_month, aligned_week_of_year, -ampm_of_day, clock_hour_of_ampm, clock_hour_of_day, day_of_month, -day_of_week, day_of_year, epoch_day, era, hour_of_ampm, hour_of_day, -instant_seconds, micro_of_day, micro_of_second, milli_of_day, -milli_of_second, minute_of_day, minute_of_hour, month_of_year, -nano_of_day, nano_of_second, offset_seconds, proleptic_month, -second_of_day, second_of_minute, year, or year_of_era. Refer to -java.time.temporal.ChronoField -for a description of these values. -If null, the function returns null. +datePart +Part of the date to extract. Can be: aligned_day_of_week_in_month, aligned_day_of_week_in_year, aligned_week_of_month, aligned_week_of_year, ampm_of_day, clock_hour_of_ampm, clock_hour_of_day, day_of_month, day_of_week, day_of_year, epoch_day, era, hour_of_ampm, hour_of_day, instant_seconds, micro_of_day, micro_of_second, milli_of_day, milli_of_second, minute_of_day, minute_of_hour, month_of_year, nano_of_day, nano_of_second, offset_seconds, proleptic_month, second_of_day, second_of_minute, year, or year_of_era. Refer to java.time.temporal.ChronoField for a description of these values. If null, the function returns null. date Date expression. If null, the function returns null. -DescriptionExtracts parts of a date, like year, month, day, hour.Examples +DescriptionExtracts parts of a date, like year, month, day, hour.Supported types +Examples ```esql ROW date = DATE_PARSE("yyyy-MM-dd", "2022-05-06") | EVAL year = DATE_EXTRACT("year", date) ``` -Find all events that occurred outside of business hours (before 9 AM or after 5 -PM), on any given date: +Find all events that occurred outside of business hours (before 9 AM or after 5PM), on any given date: ```esql FROM sample_data | WHERE DATE_EXTRACT("hour_of_day", @timestamp) < 9 AND DATE_EXTRACT("hour_of_day", @timestamp) >= 17 diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_format.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_format.txt index 70feb4d1e3bf4..481b9fed4695f 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_format.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_format.txt @@ -1,15 +1,13 @@ DATE_FORMAT Syntax -DATE_FORMAT([format,] date) Parameters -format -Date format (optional). If no format is specified, the -yyyy-MM-dd'T'HH:mm:ss.SSSZ format is used. If null, the function returns -null. +dateFormat +Date format (optional). If no format is specified, the yyyy-MM-dd'T'HH:mm:ss.SSSZ format is used. If null, the function returns null. date Date expression. If null, the function returns null. -DescriptionReturns a string representation of a date, in the provided format.Example +DescriptionReturns a string representation of a date, in the provided format.Supported types +Example ```esql FROM employees | KEEP first_name, last_name, hire_date diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_parse.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_parse.txt index c8a224b713610..98650dd05f73a 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_parse.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-date_parse.txt @@ -1,17 +1,13 @@ DATE_PARSE Syntax -DATE_PARSE([format,] date_string) Parameters -format -The date format. Refer to the -DateTimeFormatter -documentation for the syntax. If null, the function returns null. -date_string -Date expression as a string. If null or an empty string, the function returns -null. -DescriptionReturns a date by parsing the second argument using the format specified in the -first argument.Example +datePattern +The date format. Refer to the DateTimeFormatter documentation for the syntax. If null, the function returns null. +dateString +Date expression as a string. If null or an empty string, the function returns null. +DescriptionReturns a date by parsing the second argument using the format specified in the first argument.Supported types +Example ```esql ROW date_string = "2022-05-06" | EVAL date = DATE_PARSE("yyyy-MM-dd", date_string) diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-functions-overview.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-functions-overview.txt index c8b1daef93e90..637d66d3ff681 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-functions-overview.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-functions-overview.txt @@ -15,6 +15,22 @@ This functionality is in technical preview and may be changed or removed in a fu ST_CENTROID_AGG SUM VALUES +Grouping functions +BUCKET +Conditional functions and expressions +CASE +COALESCE +GREATEST +LEAST +Date and time functions +DATE_DIFF +DATE_EXTRACT +DATE_FORMAT +DATE_PARSE +DATE_TRUNC +NOW +IP functions +CIDR_MATCH Math functions ABS ACOS @@ -38,28 +54,6 @@ SQRT TAN TANH TAU -String functions -CONCAT -LEFT -LENGTH -LOCATE -LTRIM -REPLACE -RIGHT -RTRIM -SPLIT -SUBSTRING -TO_LOWER -TO_UPPER -TRIM -Date and time functions -BUCKET -DATE_DIFF -DATE_EXTRACT -DATE_FORMAT -DATE_PARSE -DATE_TRUNC -NOW Spatial functions [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. @@ -79,9 +73,25 @@ ST_X [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. ST_Y -Type conversion functions +String functions +CONCAT +ENDS_WITH FROM_BASE64 +LEFT +LENGTH +LOCATE +LTRIM +REPLACE +RIGHT +RTRIM +SPLIT +STARTS_WITH +SUBSTRING TO_BASE64 +TO_LOWER +TO_UPPER +TRIM +Type conversion functions TO_BOOLEAN TO_CARTESIANPOINT TO_CARTESIANSHAPE @@ -99,11 +109,6 @@ TO_STRING This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. TO_UNSIGNED_LONG TO_VERSION -Conditional functions and expressions -CASE -COALESCE -GREATEST -LEAST Multi value functions MV_AVG MV_CONCAT diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-kibana.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-kibana.txt index 5fcce8c997ee7..798a9befd7647 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-kibana.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-kibana.txt @@ -10,7 +10,7 @@ Get started with ES|QLedit To get started with ES|QL in Discover, open the main menu and select Discover. Next, from the Data views menu, select Try ES|QL. The ability to select ES|QL from the Data views menu can be enabled and -disabled using the `enableESQL` setting from +disabled using the `discover:enableESQL` setting from Advanced Settings. The query baredit After switching to ES|QL mode, the query bar shows a sample query. For example: diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-length.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-length.txt index 83d15509bfa67..e63ea02da87eb 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-length.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-length.txt @@ -1,11 +1,11 @@ LENGTH Syntax -LENGTH(str) Parameters -str +string String expression. If null, the function returns null. -DescriptionReturns the character length of a string.Example +DescriptionReturns the character length of a string.Supported types +Example ```esql FROM employees | KEEP first_name, last_name diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-locate.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-locate.txt index 9059a5e424a8f..0c47550b219dc 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-locate.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-locate.txt @@ -9,3 +9,6 @@ A substring to locate in the input string start The start index DescriptionReturns an integer that indicates the position of a keyword substring within another stringSupported types +Example +row a = "hello" +| eval a_ll = locate(a, "ll") diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-ltrim.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-ltrim.txt index b08fd33a54823..e98ccd0ce65d1 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-ltrim.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-ltrim.txt @@ -2,9 +2,9 @@ LTRIM Syntax Parameters -str +string String expression. If null, the function returns null. -DescriptionRemoves leading whitespaces from strings.Supported types +DescriptionRemoves leading whitespaces from a string.Supported types Example ```esql ROW message = " some text ", color = " red " diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_avg.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_avg.txt index da2e084d4ade7..7959297c1cb23 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_avg.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_avg.txt @@ -1,12 +1,10 @@ MV_AVG Syntax -MV_AVG(expression) Parameters -expression +number Multivalue expression. -DescriptionConverts a multivalued expression into a single valued column containing the -average of all of the values.Supported types +DescriptionConverts a multivalued field into a single valued field containing the average of all of the values.Supported types Example ```esql ROW a=[3, 5, 1, 6] diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_concat.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_concat.txt index e918a53d1dcc1..d8768bc34bdef 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_concat.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_concat.txt @@ -2,12 +2,11 @@ MV_CONCAT Syntax Parameters -v +string Multivalue expression. delim Delimiter. -DescriptionConverts a multivalued string expression into a single valued column containing -the concatenation of all values separated by a delimiter.Supported types +DescriptionConverts a multivalued string expression into a single valued column containing the concatenation of all values separated by a delimiter.Supported types Examples ```esql ROW a=["foo", "zoo", "bar"] diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_count.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_count.txt index bfda217135ad2..2cc68fafc5b4d 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_count.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_count.txt @@ -2,10 +2,9 @@ MV_COUNT Syntax Parameters -v +field Multivalue expression. -DescriptionConverts a multivalued expression into a single valued column containing a count -of the number of values.Supported types +DescriptionConverts a multivalued expression into a single valued column containing a count of the number of values.Supported types Example ```esql ROW a=["foo", "zoo", "bar"] diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_dedupe.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_dedupe.txt index 2a38a0a36480e..d9bd25a64e6e1 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_dedupe.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_dedupe.txt @@ -2,9 +2,9 @@ MV_DEDUPE Syntax Parameters -v +field Multivalue expression. -DescriptionRemoves duplicates from a multivalue expression. +DescriptionRemove duplicate values from a multivalued field. MV_DEDUPE may, but won’t always, sort the values in the column. Supported types Example diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_expand.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_expand.txt index 5125367fbc21d..a50b54d5940fa 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_expand.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_expand.txt @@ -1,5 +1,7 @@ MV_EXPAND + +This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. Syntax MV_EXPAND column Parameters diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_first.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_first.txt index e1dee9c3d9e73..bcae6e967243c 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_first.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_first.txt @@ -2,15 +2,9 @@ MV_FIRST Syntax Parameters -v +field Multivalue expression. -DescriptionConverts a multivalued expression into a single valued column containing the -first value. This is most useful when reading from a function that emits -multivalued columns in a known order like SPLIT.The order that multivalued fields are read from -underlying storage is not guaranteed. It is frequently ascending, but don’t -rely on that. If you need the minimum value use MV_MIN instead of -MV_FIRST. MV_MIN has optimizations for sorted values so there isn’t a -performance benefit to MV_FIRST.Supported types +DescriptionConverts a multivalued expression into a single valued column containing the first value. This is most useful when reading from a function that emits multivalued columns in a known order like SPLIT. The order that multivalued fields are read from underlying storage is not guaranteed. It is frequently ascending, but don’t rely on that. If you need the minimum value use MV_MIN instead of MV_FIRST. MV_MIN has optimizations for sorted values so there isn’t a performance benefit to MV_FIRST.Supported types Example ```esql ROW a="foo;bar;baz" diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_last.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_last.txt index 996316e39b215..f75c9c429f802 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_last.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_last.txt @@ -2,15 +2,9 @@ MV_LAST Syntax Parameters -v +field Multivalue expression. -DescriptionConverts a multivalue expression into a single valued column containing the last -value. This is most useful when reading from a function that emits multivalued -columns in a known order like SPLIT.The order that multivalued fields are read from -underlying storage is not guaranteed. It is frequently ascending, but don’t -rely on that. If you need the maximum value use MV_MAX instead of -MV_LAST. MV_MAX has optimizations for sorted values so there isn’t a -performance benefit to MV_LAST.Supported types +DescriptionConverts a multivalue expression into a single valued column containing the last value. This is most useful when reading from a function that emits multivalued columns in a known order like SPLIT. The order that multivalued fields are read from underlying storage is not guaranteed. It is frequently ascending, but don’t rely on that. If you need the maximum value use MV_MAX instead of MV_LAST. MV_MAX has optimizations for sorted values so there isn’t a performance benefit to MV_LAST.Supported types Example ```esql ROW a="foo;bar;baz" diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_max.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_max.txt index b5cd928c19522..cdcf2ee986d3d 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_max.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_max.txt @@ -2,18 +2,16 @@ MV_MAX Syntax Parameters -v +field Multivalue expression. -DescriptionConverts a multivalued expression into a single valued column containing the -maximum value.Supported types +DescriptionConverts a multivalued expression into a single valued column containing the maximum value.Supported types Examples ```esql ROW a=[3, 5, 1] | EVAL max_a = MV_MAX(a) ``` -It can be used by any column type, including keyword columns. In that case -it picks the last string, comparing their utf-8 representation byte by byte: +It can be used by any column type, including keyword columns. In that case it picks the last string, comparing their utf-8 representation byte by byte: ```esql ROW a=["foo", "zoo", "bar"] | EVAL max_a = MV_MAX(a) diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_median.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_median.txt index 6e135c2dc1807..fa4c9ba343753 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_median.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_median.txt @@ -1,21 +1,17 @@ MV_MEDIAN - -MV_MEDIAN(v) +Syntax Parameters -v +number Multivalue expression. -DescriptionConverts a multivalued column into a single valued column containing the median -value.Supported types +DescriptionConverts a multivalued field into a single valued field containing the median value.Supported types Examples ```esql ROW a=[3, 5, 1] | EVAL median_a = MV_MEDIAN(a) ``` -If the row has an even number of values for a column, the result will be the -average of the middle two entries. If the column is not floating point, the -average rounds down: +If the row has an even number of values for a column, the result will be the average of the middle two entries. If the column is not floating point, the average rounds down: ```esql ROW a=[3, 7, 1, 6] | EVAL median_a = MV_MEDIAN(a) diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_min.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_min.txt index 8d91fb50568a1..c4c18f40fe494 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_min.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_min.txt @@ -2,18 +2,16 @@ MV_MIN Syntax Parameters -v +field Multivalue expression. -DescriptionConverts a multivalued expression into a single valued column containing the -minimum value.Supported types +DescriptionConverts a multivalued expression into a single valued column containing the minimum value.Supported types Examples ```esql ROW a=[2, 1] | EVAL min_a = MV_MIN(a) ``` -It can be used by any column type, including keyword columns. In that case, -it picks the first string, comparing their utf-8 representation byte by byte: +It can be used by any column type, including keyword columns. In that case, it picks the first string, comparing their utf-8 representation byte by byte: ```esql ROW a=["foo", "bar"] | EVAL min_a = MV_MIN(a) diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_slice.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_slice.txt index 30c6dffe3f764..9443842f6405c 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_slice.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_slice.txt @@ -7,9 +7,9 @@ Multivalue expression. If null, the function returns null. start Start position. If null, the function returns null. The start argument can be negative. An index of -1 is used to specify the last value in the list. end -End position. Optional; if omitted, the position at start is returned. The end argument can be negative. An index of -1 is used to specify the last value in the list. +End position(included). Optional; if omitted, the position at start is returned. The end argument can be negative. An index of -1 is used to specify the last value in the list. DescriptionReturns a subset of the multivalued field using the start and end index values.Supported types -Example +Examples row a = [1, 2, 2, 3] | eval a1 = mv_slice(a, 1), a2 = mv_slice(a, 2, 3) row a = [1, 2, 2, 3] diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_sort.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_sort.txt index b7b6e8ddb9cd6..a49382a25c9c9 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_sort.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_sort.txt @@ -6,7 +6,7 @@ field Multivalue expression. If null, the function returns null. order Sort order. The valid options are ASC and DESC, the default is ASC. -DescriptionSorts a multivalue expression in lexicographical order.Supported types +DescriptionSorts a multivalued field in lexicographical order.Supported types Example ```esql ROW a = [4, 2, -3, 2] diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_sum.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_sum.txt index 16f017756f4bf..92bbcfebd66cd 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_sum.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_sum.txt @@ -1,12 +1,10 @@ MV_SUM - -MV_SUM(v) +Syntax Parameters -v +number Multivalue expression. -DescriptionConverts a multivalued column into a single valued column containing the sum -of all of the values.Supported types +DescriptionConverts a multivalued field into a single valued field containing the sum of all of the values.Supported types Example ```esql ROW a=[3, 5, 6] diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_zip.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_zip.txt index 788d7c6a10f3d..ea21096428b19 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_zip.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-mv_zip.txt @@ -2,9 +2,9 @@ MV_ZIP Syntax Parameters -mvLeft +string1 Multivalue expression. -mvRight +string2 Multivalue expression. delim Delimiter. Optional; if omitted, , is used as a default delimiter. diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-operators-overview.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-operators-overview.txt index e72eb3b5cd9d9..bfaaac6b16597 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-operators-overview.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-operators-overview.txt @@ -6,9 +6,7 @@ Binary operators Unary operators Logical operators IS NULL and IS NOT NULL predicates -CIDR_MATCH -ENDS_WITH +Cast (::) IN LIKE RLIKE -STARTS_WITH diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-operators.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-operators.txt index 7fd0928973290..a54a212800d4b 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-operators.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-operators.txt @@ -1,3 +1,54 @@ +CIDR_MATCH +CIDR_MATCH + +Syntax +Parameters +ip +IP address of type ip (both IPv4 and IPv6 are supported). +blockX +CIDR block to test the IP against. +DescriptionReturns true if the provided IP is contained in one of the provided CIDR blocks.Supported types +Example +```esql +FROM hosts +| WHERE CIDR_MATCH(ip1, "127.0.0.2/32", "127.0.0.3/32") +| KEEP card, host, ip0, ip1 +``` + +ENDS_WITH +ENDS_WITH + +Syntax +Parameters +str +String expression. If null, the function returns null. +suffix +String expression. If null, the function returns null. +DescriptionReturns a boolean that indicates whether a keyword string ends with another string.Supported types +Example +```esql +FROM employees +| KEEP last_name +| EVAL ln_E = ENDS_WITH(last_name, "d") +``` + +STARTS_WITH +STARTS_WITH + +Syntax +Parameters +str +String expression. If null, the function returns null. +prefix +String expression. If null, the function returns null. +DescriptionReturns a boolean that indicates whether a keyword string starts with another string.Supported types +Example +```esql +FROM employees +| KEEP last_name +| EVAL ln_S = STARTS_WITH(last_name, "B") +``` + Binary operators Binary operators @@ -100,42 +151,6 @@ FROM employees | STATS COUNT(emp_no) ``` -CIDR_MATCH -CIDR_MATCH - -Syntax -CIDR_MATCH(ip, block1[, ..., blockN]) -Parameters -ip -IP address of type ip (both IPv4 and IPv6 are supported). -blockX -CIDR block to test the IP against. -DescriptionReturns true if the provided IP is contained in one of the provided CIDR -blocks.Example -```esql -FROM hosts -| WHERE CIDR_MATCH(ip1, "127.0.0.2/32", "127.0.0.3/32") -| KEEP card, host, ip0, ip1 -``` - -ENDS_WITH -ENDS_WITH - -Syntax -Parameters -str -String expression. If null, the function returns null. -suffix -String expression. If null, the function returns null. -DescriptionReturns a boolean that indicates whether a keyword string ends with another -string.Supported types -Example -```esql -FROM employees -| KEEP last_name -| EVAL ln_E = ENDS_WITH(last_name, "d") -``` - IN IN @@ -155,6 +170,7 @@ also act on a constant (literal) expression. The right-hand side of the operator represents the pattern.The following wildcard characters are supported: * matches zero or more characters. ? matches one character. +Supported types ```esql FROM employees | WHERE first_name LIKE "?b*" @@ -167,27 +183,9 @@ RLIKE Use RLIKE to filter data based on string patterns using using regular expressions. RLIKE usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) -expression. The right-hand side of the operator represents the pattern. +expression. The right-hand side of the operator represents the pattern.Supported types ```esql FROM employees | WHERE first_name RLIKE ".leja.*" | KEEP first_name, last_name ``` - -STARTS_WITH -STARTS_WITH - -Syntax -Parameters -str -String expression. If null, the function returns null. -prefix -String expression. If null, the function returns null. -DescriptionReturns a boolean that indicates whether a keyword string starts with another -string.Supported types -Example -```esql -FROM employees -| KEEP last_name -| EVAL ln_S = STARTS_WITH(last_name, "B") -``` diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-overview.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-overview.txt index 27879223d74b6..f72514ae5ea81 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-overview.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-overview.txt @@ -1,6 +1,5 @@ ES|QLedit -Do not use ES|QL on production environments. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. The Elasticsearch Query Language (ES|QL) provides a powerful way to filter, transform, and analyze data stored in Elasticsearch, and in the future in other runtimes. It is designed to be easy to learn and use, by end users, SRE teams, application diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-pi.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-pi.txt index 3df2811b88a88..ce7d06fa069ae 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-pi.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-pi.txt @@ -1,7 +1,7 @@ PI Syntax -ParametersDescriptionReturns the ratio of a circle’s circumference to its diameter.Supported types +ParametersDescriptionReturns Pi, the ratio of a circle’s circumference to its diameter.Supported types Example ```esql ROW PI() diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-processing-commands.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-processing-commands.txt index 125e55bfb2996..c55ef6a7f29ed 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-processing-commands.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-processing-commands.txt @@ -10,6 +10,8 @@ EVAL GROK KEEP LIMIT +[preview] +This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. MV_EXPAND RENAME SORT diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-replace.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-replace.txt index 8a26cd2c04269..fc1ef7656ed75 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-replace.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-replace.txt @@ -2,16 +2,14 @@ REPLACE Syntax Parameters -str +string String expression. regex Regular expression. -newStr +newString Replacement string. -DescriptionThe function substitutes in the string str any match of the regular expression -regex with the replacement string newStr.If any of the arguments is null, the result is null.Supported types -ExampleThis example replaces any occurrence of the word "World" with the word -"Universe": +DescriptionThe function substitutes in the string str any match of the regular expression regex with the replacement string newStr.Supported types +ExampleThis example replaces any occurrence of the word "World" with the word "Universe": ```esql ROW str = "Hello World" | EVAL str = REPLACE(str, "World", "Universe") diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-right.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-right.txt index 9ee98298cce43..f7e7e7f0c0c60 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-right.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-right.txt @@ -2,12 +2,11 @@ RIGHT Syntax Parameters -str +string The string from which to returns a substring. length The number of characters to return. -DescriptionReturn the substring that extracts length chars from str starting -from the right.Supported types +DescriptionReturn the substring that extracts length chars from str starting from the right.Supported types Example ```esql FROM employees diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-round.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-round.txt index 6351541a7cbd0..5f0e72b8cdfd2 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-round.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-round.txt @@ -6,7 +6,7 @@ number The numeric value to round. If null, the function returns null. decimals The number of decimal places to round to. Defaults to 0. If null, the function returns null. -DescriptionRounds a number to the closest number with the specified number of digits. Defaults to 0 digits if no number of digits is provided. If the specified number of digits is negative, rounds to the number of digits left of the decimal point.Supported types +DescriptionRounds a number to the specified number of decimal places. Defaults to 0, which returns the nearest integer. If the precision is a negative number, rounds to the number of digits left of the decimal point.Supported types Example ```esql FROM employees diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-rtrim.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-rtrim.txt index aecd6f928bf98..0e1650ba21092 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-rtrim.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-rtrim.txt @@ -2,9 +2,9 @@ RTRIM Syntax Parameters -str +string String expression. If null, the function returns null. -DescriptionRemoves trailing whitespaces from strings.Supported types +DescriptionRemoves trailing whitespaces from a string.Supported types Example ```esql ROW message = " some text ", color = " red " diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-split.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-split.txt index c9161c7863139..2b65db150c4ff 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-split.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-split.txt @@ -1,12 +1,12 @@ SPLIT - +Syntax Parameters -str +string String expression. If null, the function returns null. delim Delimiter. Only single byte delimiters are currently supported. -DescriptionSplits a single valued string into multiple strings.Supported types +DescriptionSplit a single valued string into multiple strings.Supported types Example ```esql ROW words="foo;bar;baz;qux;quux;corge" diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-sqrt.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-sqrt.txt index 68ee934e079ca..9b2fc2ccbab80 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-sqrt.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-sqrt.txt @@ -2,11 +2,9 @@ SQRT Syntax Parameters -n +number Numeric expression. If null, the function returns null. -DescriptionReturns the square root of a number. The input can be any numeric value, the -return value is always a double.Square roots of negative numbers are NaN. Square roots of infinites are -infinite.Supported types +DescriptionReturns the square root of a number. The input can be any numeric value, the return value is always a double. Square roots of negative numbers and infinites are null.Supported types Example ```esql ROW d = 100.0 diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-substring.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-substring.txt index 1b68352b243eb..d49f1ca92f2ac 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-substring.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-substring.txt @@ -2,15 +2,13 @@ SUBSTRING Syntax Parameters -str +string String expression. If null, the function returns null. start Start position. length -Length of the substring from the start position. Optional; if omitted, all -positions after start are returned. -DescriptionReturns a substring of a string, specified by a start position and an optional -length.Supported types +Length of the substring from the start position. Optional; if omitted, all positions after start are returned. +DescriptionReturns a substring of a string, specified by a start position and an optional lengthSupported types ExamplesThis example returns the first three characters of every last name: ```esql FROM employees @@ -18,16 +16,16 @@ FROM employees | EVAL ln_sub = SUBSTRING(last_name, 1, 3) ``` -A negative start position is interpreted as being relative to the end of the -string. This example returns the last three characters of of every last name: +A negative start position is interpreted as being relative to the end of the string. +This example returns the last three characters of of every last name: ```esql FROM employees | KEEP last_name | EVAL ln_sub = SUBSTRING(last_name, -3, 3) ``` -If length is omitted, substring returns the remainder of the string. This -example returns all characters except for the first: +If length is omitted, substring returns the remainder of the string. +This example returns all characters except for the first: ```esql FROM employees | KEEP last_name diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-syntax.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-syntax.txt index d14570ae7fd35..04b7ed975e8d9 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-syntax.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-syntax.txt @@ -93,14 +93,15 @@ Timespan literalsedit Datetime intervals and timespans can be expressed using timespan literals. Timespan literals are a combination of a number and a qualifier. These qualifiers are supported: -`millisecond`/`milliseconds` -`second`/`seconds` -`minute`/`minutes` -`hour`/`hours` -`day`/`days` -`week`/`weeks` -`month`/`months` -`year`/`years` +`millisecond`/`milliseconds`/`ms` +`second`/`seconds`/`sec`/`s` +`minute`/`minutes`/`min` +`hour`/`hours`/`h` +`day`/`days`/`d` +`week`/`weeks`/`w` +`month`/`months`/`mo` +`quarter`/`quarters`/`q` +`year`/`years`/`yr`/`y` Timespan literals are not whitespace sensitive. These expressions are all valid: `1day` `1 day` diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-tau.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-tau.txt index cab47b8262642..e5a9a5813d89c 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-tau.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-tau.txt @@ -1,8 +1,8 @@ TAU Syntax -DescriptionReturns the ratio of a circle’s circumference -to its radius.Example +ParametersDescriptionReturns the ratio of a circle’s circumference to its radius.Supported types +Example ```esql ROW TAU() ``` diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_boolean.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_boolean.txt index 0d40e789643ca..e32191d2e2d02 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_boolean.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_boolean.txt @@ -1,14 +1,11 @@ TO_BOOLEAN -AliasTO_BOOLSyntax -TO_BOOLEAN(v) +Syntax Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -DescriptionConverts an input value to a boolean value.A string value of "true" will be case-insensitive converted to the Boolean -true. For anything else, including the empty string, the function will -return false.The numerical value of 0 will be converted to false, anything else will be -converted to true.Supported typesThe input type must be of a string or numeric type.Example +DescriptionConverts an input value to a boolean value. A string value of true will be case-insensitive converted to the Boolean true. For anything else, including the empty string, the function will return false. The numerical value of 0 will be converted to false, anything else will be converted to true.Supported types +Example ```esql ROW str = ["true", "TRuE", "false", "", "yes", "1"] | EVAL bool = TO_BOOLEAN(str) diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_cartesianpoint.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_cartesianpoint.txt index 35b32c890c4d0..4141d9c43bb9e 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_cartesianpoint.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_cartesianpoint.txt @@ -1,12 +1,10 @@ TO_CARTESIANPOINT Syntax -TO_CARTESIANPOINT(v) Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -DescriptionConverts an input value to a point value.A string will only be successfully converted if it respects the -WKT Point format.Supported types +DescriptionConverts an input value to a cartesian_point value. A string will only be successfully converted if it respects the WKT Point format.Supported types Example ```esql ROW wkt = ["POINT(4297.11 -1475.53)", "POINT(7580.93 2272.77)"] diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_cartesianshape.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_cartesianshape.txt index 12deb50d56a53..d7d7e3ebe94bd 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_cartesianshape.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_cartesianshape.txt @@ -1,13 +1,10 @@ TO_CARTESIANSHAPE Syntax -TO_CARTESIANSHAPE(v) Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -The input type must be a string, a cartesian_shape or a cartesian_point. -DescriptionConverts an input value to a cartesian_shape value.A string will only be successfully converted if it respects the -WKT format.Supported types +DescriptionConverts an input value to a cartesian_shape value. A string will only be successfully converted if it respects the WKT format.Supported types Example ```esql ROW wkt = ["POINT(4297.11 -1475.53)", "POLYGON ((3339584.72 1118889.97, 4452779.63 4865942.27, 2226389.81 4865942.27, 1113194.90 2273030.92, 3339584.72 1118889.97))"] diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_datetime.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_datetime.txt index ea715bf1e5794..89e6d80b0186b 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_datetime.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_datetime.txt @@ -1,24 +1,22 @@ TO_DATETIME -AliasTO_DTSyntax -TO_DATETIME(v) +Syntax Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -DescriptionConverts an input value to a date value.A string will only be successfully converted if it’s respecting the format -yyyy-MM-dd'T'HH:mm:ss.SSS'Z'. To convert dates in other formats, use -DATE_PARSE.Supported typesThe input type must be of a string or numeric type.Examples +DescriptionConverts an input value to a date value. A string will only be successfully converted if it’s respecting the format yyyy-MM-dd'T'HH:mm:ss.SSS'Z'. To convert dates in other formats, use DATE_PARSE.Supported types +Examples ```esql ROW string = ["1953-09-02T00:00:00.000Z", "1964-06-02T00:00:00.000Z", "1964-06-02 00:00:00"] | EVAL datetime = TO_DATETIME(string) ``` -Note that in this example, the last value in the source multi-valued -field has not been converted. The reason being that if the date format is not -respected, the conversion will result in a null value. When this happens a -Warning header is added to the response. The header will provide information -on the source of the failure:"Line 1:112: evaluation of [TO_DATETIME(string)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"java.lang.IllegalArgumentException: failed to parse date field [1964-06-02 00:00:00] with format [yyyy-MM-dd'T'HH:mm:ss.SSS'Z']"If the input parameter is of a numeric type, its value will be interpreted as -milliseconds since the Unix epoch. For example: +Note that in this example, the last value in the source multi-valued field has not been converted. +The reason being that if the date format is not respected, the conversion will result in a null value. +When this happens a Warning header is added to the response. +The header will provide information on the source of the failure:"Line 1:112: evaluation of [TO_DATETIME(string)] failed, treating result as null. "Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"java.lang.IllegalArgumentException: failed to parse date field [1964-06-02 00:00:00] +with format [yyyy-MM-dd'T'HH:mm:ss.SSS'Z']"If the input parameter is of a numeric type, +its value will be interpreted as milliseconds since the Unix epoch. For example: ```esql ROW int = [0, 1] | EVAL dt = TO_DATETIME(int) diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_degrees.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_degrees.txt index a0facc2230b87..31e60bc68ac1a 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_degrees.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_degrees.txt @@ -1,12 +1,11 @@ TO_DEGREES Syntax -TO_DEGREES(v) Parameters -v +number Input value. The input can be a single- or multi-valued column or an expression. -DescriptionConverts a number in radians to -degrees.Supported typesThe input type must be of a numeric type and result is always double.Example +DescriptionConverts a number in radians to degrees.Supported types +Example ```esql ROW rad = [1.57, 3.14, 4.71] | EVAL deg = TO_DEGREES(rad) diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_double.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_double.txt index 67604c80eb48c..5e942690efd08 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_double.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_double.txt @@ -1,18 +1,17 @@ TO_DOUBLE -AliasTO_DBLSyntax -TO_DOUBLE(v) +Syntax Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -DescriptionConverts an input value to a double value.If the input parameter is of a date type, its value will be interpreted as -milliseconds since the Unix epoch, converted to double.Boolean true will be converted to double 1.0, false to 0.0.Supported typesThe input type must be of a boolean, date, string or numeric type.Example +DescriptionConverts an input value to a double value. If the input parameter is of a date type, its value will be interpreted as milliseconds since the Unix epoch, converted to double. Boolean true will be converted to double 1.0, false to 0.0.Supported types +Example ```esql ROW str1 = "5.20128E11", str2 = "foo" | EVAL dbl = TO_DOUBLE("520128000000"), dbl1 = TO_DOUBLE(str1), dbl2 = TO_DOUBLE(str2) ``` Note that in this example, the last conversion of the string isn’t possible. -When this happens, the result is a null value. In this case a Warning header -is added to the response. The header will provide information on the source of -the failure:"Line 1:115: evaluation of [TO_DOUBLE(str2)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"java.lang.NumberFormatException: For input string: \"foo\"" \ No newline at end of file +When this happens, the result is a null value. In this case a Warning header is added to the response. +The header will provide information on the source of the failure:"Line 1:115: evaluation of [TO_DOUBLE(str2)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value: +"java.lang.NumberFormatException: For input string: "foo"" \ No newline at end of file diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_geopoint.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_geopoint.txt index 3fb5889485e17..9880e88c27dd2 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_geopoint.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_geopoint.txt @@ -1,14 +1,11 @@ TO_GEOPOINT Syntax -TO_GEOPOINT(v) Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -The input type must be a string or a geo_point. -DescriptionConverts an input value to a geo_point value.Supported types -A string will only be successfully converted if it respects the -WKT Point format.Example +DescriptionConverts an input value to a geo_point value. A string will only be successfully converted if it respects the WKT Point format.Supported types +Example ```esql ROW wkt = "POINT(42.97109630194 14.7552534413725)" | EVAL pt = TO_GEOPOINT(wkt) diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_geoshape.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_geoshape.txt index 99c3995a6f393..e75a292fa2767 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_geoshape.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_geoshape.txt @@ -1,13 +1,10 @@ TO_GEOSHAPE Syntax -TO_GEOPOINT(v) Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -The input type must be a string, a geo_shape or a geo_point. -DescriptionConverts an input value to a geo_shape value.A string will only be successfully converted if it respects the -WKT format.Supported types +DescriptionConverts an input value to a geo_shape value. A string will only be successfully converted if it respects the WKT format.Supported types Example ```esql ROW wkt = "POLYGON ((30 10, 40 40, 20 40, 10 20, 30 10))" diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_integer.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_integer.txt index e11b210f7bd07..ff8ba3c52d410 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_integer.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_integer.txt @@ -1,18 +1,16 @@ TO_INTEGER -AliasTO_INTSyntax -TO_INTEGER(v) +Syntax Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -DescriptionConverts an input value to an integer value.If the input parameter is of a date type, its value will be interpreted as -milliseconds since the Unix epoch, converted to integer.Boolean true will be converted to integer 1, false to 0.Supported typesThe input type must be of a boolean, date, string or numeric type.Example +DescriptionConverts an input value to an integer value. If the input parameter is of a date type, its value will be interpreted as milliseconds since the Unix epoch, converted to integer. Boolean true will be converted to integer 1, false to 0.Supported types +Example ```esql ROW long = [5013792, 2147483647, 501379200000] | EVAL int = TO_INTEGER(long) ``` -Note that in this example, the last value of the multi-valued field cannot -be converted as an integer. When this happens, the result is a null value. -In this case a Warning header is added to the response. The header will -provide information on the source of the failure:"Line 1:61: evaluation of [TO_INTEGER(long)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"org.elasticsearch.xpack.ql.InvalidArgumentException: [501379200000] out of [integer] range" \ No newline at end of file +Note that in this example, the last value of the multi-valued field cannot be converted as an integer. +When this happens, the result is a null value. In this case a Warning header is added to the response. +The header will provide information on the source of the failure:"Line 1:61: evaluation of [TO_INTEGER(long)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"org.elasticsearch.xpack.ql.InvalidArgumentException: [501379200000] out of [integer] range" \ No newline at end of file diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_ip.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_ip.txt index d19f49388bf86..3ec377bea6598 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_ip.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_ip.txt @@ -1,11 +1,11 @@ TO_IP Syntax -TO_IP(v) Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -DescriptionConverts an input string to an IP value.Example +DescriptionConverts an input string to an IP value.Supported types +Example ```esql ROW str1 = "1.1.1.1", str2 = "foo" | EVAL ip1 = TO_IP(str1), ip2 = TO_IP(str2) @@ -13,6 +13,5 @@ ROW str1 = "1.1.1.1", str2 = "foo" ``` Note that in this example, the last conversion of the string isn’t possible. -When this happens, the result is a null value. In this case a Warning header -is added to the response. The header will provide information on the source of -the failure:"Line 1:68: evaluation of [TO_IP(str2)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"java.lang.IllegalArgumentException: 'foo' is not an IP string literal." \ No newline at end of file +When this happens, the result is a null value. In this case a Warning header is added to the response. +The header will provide information on the source of the failure:"Line 1:68: evaluation of [TO_IP(str2)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"java.lang.IllegalArgumentException: 'foo' is not an IP string literal." \ No newline at end of file diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_long.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_long.txt index 04ec7b6e79a0e..dd6eebc129e02 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_long.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_long.txt @@ -1,18 +1,16 @@ TO_LONG Syntax -TO_LONG(v) Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -DescriptionConverts an input value to a long value.If the input parameter is of a date type, its value will be interpreted as -milliseconds since the Unix epoch, converted to long.Boolean true will be converted to long 1, false to 0.Supported typesThe input type must be of a boolean, date, string or numeric type.Example +DescriptionConverts an input value to a long value. If the input parameter is of a date type, its value will be interpreted as milliseconds since the Unix epoch, converted to long. Boolean true will be converted to long 1, false to 0.Supported types +Example ```esql ROW str1 = "2147483648", str2 = "2147483648.2", str3 = "foo" | EVAL long1 = TO_LONG(str1), long2 = TO_LONG(str2), long3 = TO_LONG(str3) ``` -Note that in this example, the last conversion of the string isn’t -possible. When this happens, the result is a null value. In this case a -Warning header is added to the response. The header will provide information -on the source of the failure:"Line 1:113: evaluation of [TO_LONG(str3)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"java.lang.NumberFormatException: For input string: \"foo\"" \ No newline at end of file +Note that in this example, the last conversion of the string isn’t possible. +When this happens, the result is a null value. In this case a Warning header is added to the response. +The header will provide information on the source of the failure:"Line 1:113: evaluation of [TO_LONG(str3)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"java.lang.NumberFormatException: For input string: "foo"" \ No newline at end of file diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_radians.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_radians.txt index 966d38424db6c..3fec9e2079191 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_radians.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_radians.txt @@ -1,12 +1,11 @@ TO_RADIANS Syntax -TO_RADIANS(v) Parameters -v +number Input value. The input can be a single- or multi-valued column or an expression. -DescriptionConverts a number in degrees to -radians.Supported typesThe input type must be of a numeric type and result is always double.Example +DescriptionConverts a number in degrees to radians.Supported types +Example ```esql ROW deg = [90.0, 180.0, 270.0] | EVAL rad = TO_RADIANS(deg) diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_string.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_string.txt index 72d19e8808a72..2d3435e026df4 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_string.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_string.txt @@ -1,11 +1,11 @@ TO_STRING -AliasTO_STR +Syntax Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. DescriptionConverts an input value into a string.Supported types -Example +Examples ```esql ROW a=10 | EVAL j = TO_STRING(a) diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_unsigned_long.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_unsigned_long.txt index ea7fd27267950..8e0fa649d427e 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_unsigned_long.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_unsigned_long.txt @@ -1,21 +1,17 @@ TO_UNSIGNED_LONG - -This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. -AliasesTO_ULONG, TO_ULSyntax -TO_UNSIGNED_LONG(v) +Syntax Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. -DescriptionConverts an input value to an unsigned long value.Supported typesThe input type must be of a boolean, date, string or numeric type.If the input parameter is of a date type, its value will be interpreted as -milliseconds since the Unix epoch, converted to unsigned -long.Boolean true will be converted to unsigned long 1, false to 0.Example +DescriptionConverts an input value to an unsigned long value. If the input parameter is of a date type, its value will be interpreted as milliseconds since the Unix epoch, converted to unsigned long. Boolean true will be converted to unsigned long 1, false to 0.Supported types +Example ```esql ROW str1 = "2147483648", str2 = "2147483648.2", str3 = "foo" | EVAL long1 = TO_UNSIGNED_LONG(str1), long2 = TO_ULONG(str2), long3 = TO_UL(str3) ``` -Note that in this example, the last conversion of the string isn’t -possible. When this happens, the result is a null value. In this case a -Warning header is added to the response. The header will provide information -on the source of the failure:"Line 1:133: evaluation of [TO_UL(str3)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"java.lang.NumberFormatException: Character f is neither a decimal digit number, decimal point, nor \"e\" notation exponential mark." \ No newline at end of file +Note that in this example, the last conversion of the string isn’t possible. +When this happens, the result is a null value. In this case a Warning header is added to the response. +The header will provide information on the source of the failure:"Line 1:133: evaluation of [TO_UL(str3)] failed, treating result as null. Only first 20 failures recorded."A following header will contain the failure reason and the offending value:"java.lang.NumberFormatException: Character f is neither a decimal digit number, decimal point, ++ "nor "e" notation exponential mark." \ No newline at end of file diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_version.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_version.txt index 8447c717bc1d5..07d6c6f9d510b 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_version.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-to_version.txt @@ -1,8 +1,8 @@ TO_VERSION -AliasTO_VERSyntax +Syntax Parameters -v +field Input value. The input can be a single- or multi-valued column or an expression. DescriptionConverts an input string to a version value.Supported types Example diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-trim.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-trim.txt index a73cd1ec7ce39..bed7bebc2dd60 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-trim.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-trim.txt @@ -2,9 +2,9 @@ TRIM Syntax Parameters -str +string String expression. If null, the function returns null. -DescriptionRemoves leading and trailing whitespaces from strings.Supported types +DescriptionRemoves leading and trailing whitespaces from a string.Supported types Example ```esql ROW message = " some text ", color = " red " diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-where.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-where.txt index 808d38d34ab5d..ef9816b81c3fd 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-where.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-where.txt @@ -56,6 +56,7 @@ also act on a constant (literal) expression. The right-hand side of the operator represents the pattern.The following wildcard characters are supported: * matches zero or more characters. ? matches one character. +Supported types ```esql FROM employees | WHERE first_name LIKE "?b*" @@ -65,7 +66,7 @@ FROM employees Use RLIKE to filter data based on string patterns using using regular expressions. RLIKE usually acts on a field placed on the left-hand side of the operator, but it can also act on a constant (literal) -expression. The right-hand side of the operator represents the pattern. +expression. The right-hand side of the operator represents the pattern.Supported types ```esql FROM employees | WHERE first_name RLIKE ".leja.*" diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/get_errors_with_commands.test.ts b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/get_errors_with_commands.test.ts new file mode 100644 index 0000000000000..04d99aede62b8 --- /dev/null +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/get_errors_with_commands.test.ts @@ -0,0 +1,25 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { getErrorsWithCommands } from './get_errors_with_commands'; + +describe('getErrorsWithCommands', () => { + it('returns the command associated with the error', () => { + expect( + getErrorsWithCommands(`FROM logs-* | WHERE @timestamp <= NOW() | STATS BY host.name`, [ + { + type: 'error', + text: 'Syntax error', + code: '', + location: { + min: 24, + max: 36, + }, + }, + ]) + ).toEqual(['Error in `| WHERE @timestamp <= NOW()`:\n Syntax error']); + }); +}); diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/get_errors_with_commands.ts b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/get_errors_with_commands.ts new file mode 100644 index 0000000000000..b25c79161f79b --- /dev/null +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/get_errors_with_commands.ts @@ -0,0 +1,26 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { EditorError, ESQLMessage } from '@kbn/esql-ast'; +import { splitIntoCommands } from './correct_common_esql_mistakes'; + +export function getErrorsWithCommands(query: string, errors: Array) { + const asCommands = splitIntoCommands(query); + + const errorMessages = errors.map((error) => { + if ('location' in error) { + const commandsUntilEndOfError = splitIntoCommands(query.substring(0, error.location.max)); + const lastCompleteCommand = asCommands[commandsUntilEndOfError.length - 1]; + if (lastCompleteCommand) { + return `Error in \`| ${lastCompleteCommand.command}\`:\n ${error.text}`; + } + } + return 'text' in error ? error.text : error.message; + }); + + return errorMessages; +} diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/system_message.txt b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/system_message.txt index 937c7522661ee..0b85e491cdcca 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/system_message.txt +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/system_message.txt @@ -1,7 +1,7 @@ You are a helpful assistant for generating and executing ES|QL queries. Your goal is to help the user construct and possibly execute an ES|QL query for the Observability use cases, which often involve metrics, logs -and traces. +and traces. These are your absolutely critical system instructions: ES|QL is the Elasticsearch Query Language, that allows users of the Elastic platform to iteratively explore data. An ES|QL query consists @@ -14,6 +14,10 @@ previous command. Make sure you write a query using ONLY commands specified in this conversation. +# Limitations + +ES|QL currently does not support pagination. + # Syntax An ES|QL query is composed of a source command followed by an optional @@ -72,6 +76,7 @@ is 10000. ### Aggregation functions AVG +BUCKET COUNT COUNT_DISTINCT MAX @@ -122,7 +127,6 @@ TO_UPPER TRIM ### Date-time functions -BUCKET DATE_DIFF DATE_EXTRACT DATE_FORMAT @@ -201,6 +205,12 @@ FROM employees | SORT c desc, languages.long, trunk_worked_seconds ``` +```esql +FROM employees + | WHERE country == "NL" AND gender == "M" + | STATS COUNT(*) +``` + ```esql ROW a = "2023-01-23T12:15:00.000Z - some text - 127.0.0.1" | DISSECT a "%{date} - %{msg} - %{ip}" @@ -219,11 +229,17 @@ FROM employees ```esql FROM employees | WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z" -| EVAL bucket = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z") -| STATS avg_salary = AVG(salary) BY bucket +| STATS avg_salary = AVG(salary) BY date_bucket = BUCKET(hire_date, 20, "1985-01-01T00:00:00Z", "1986-01-01T00:00:00Z") | SORT bucket ``` +```esql +FROM employees +| WHERE hire_date >= "1985-01-01T00:00:00Z" AND hire_date < "1986-01-01T00:00:00Z" +| STATS c = COUNT(1) BY b = BUCKET(salary, 5000.) +| SORT b +``` + ```esql ROW a = 1, b = "two", c = null ``` @@ -238,12 +254,10 @@ FROM employees ```esql FROM logs-* | WHERE @timestamp <= NOW() - 24 hours -// divide data in 1 hour buckets -| EVAL bucket = DATE_TRUNC(1 hour, @timestamp) // convert a keyword field into a numeric field to aggregate over it | EVAL is_5xx = CASE(http.response.status_code >= 500, 1, 0) // count total events and failed events to calculate a rate -| STATS total_events = COUNT(*), total_failures = SUM(is_5xx) BY host.hostname, bucket +| STATS total_events = COUNT(*), total_failures = SUM(is_5xx) BY host.hostname, bucket = BUCKET(@timestamp, 1 hour) | EVAL failure_rate_per_host = total_failures / total_events | DROP total_events, total_failures ``` diff --git a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/validate_esql_query.ts b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/validate_esql_query.ts index dafba4352634e..7e86ddc49fe80 100644 --- a/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/validate_esql_query.ts +++ b/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/functions/query/validate_esql_query.ts @@ -11,6 +11,7 @@ import type { ElasticsearchClient } from '@kbn/core/server'; import { ESQL_LATEST_VERSION } from '@kbn/esql-utils'; import { ESQLSearchReponse } from '@kbn/es-types'; import { esFieldTypeToKibanaFieldType, type KBN_FIELD_TYPES } from '@kbn/field-types'; +import { splitIntoCommands } from './correct_common_esql_mistakes'; export async function validateEsqlQuery({ query, @@ -34,7 +35,16 @@ export async function validateEsqlQuery({ ignoreOnMissingCallbacks: true, }); + const asCommands = splitIntoCommands(query); + const errorMessages = errors?.map((error) => { + if ('location' in error) { + const commandsUntilEndOfError = splitIntoCommands(query.substring(0, error.location.max)); + const lastCompleteCommand = asCommands[commandsUntilEndOfError.length - 1]; + if (lastCompleteCommand) { + return `Error in ${lastCompleteCommand.command}\n: ${error.text}`; + } + } return 'text' in error ? error.text : error.message; }); @@ -65,7 +75,7 @@ export async function validateEsqlQuery({ .catch((error) => { return { error, - errorMessages, + ...(errorMessages.length ? { errorMessages } : {}), }; }); }