[Obs AI Assistant] Use more BUCKET() examples (elastic#186799)

Instead of using DATE_TRUNC, use BUCKET in bucketing examples. BUCKET is more appropriate for bucketing.
peteharverson · Jun 25, 2024 · bf315d1 · bf315d1
1 parent ca41e66
commit bf315d1
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 12 deletions.
diff --git a/...y_solution/observability_ai_assistant_app/scripts/evaluation/scenarios/esql/index.spec.ts b/...y_solution/observability_ai_assistant_app/scripts/evaluation/scenarios/esql/index.spec.ts
@@ -184,8 +184,7 @@ describe('ES|QL query generation', () => {
           'Assume my metrics data is in `metrics-*`. I want to see what a query would look like that gets the average CPU per service, limit it to the top 10 results, in 1m buckets, and only include the last 15m.',
         expected: `FROM .ds-metrics-apm*
         | WHERE @timestamp >= NOW() - 15 minutes
-        | EVAL bucket = DATE_TRUNC(1 minute, @timestamp)
-        | STATS avg_cpu = AVG(system.cpu.total.norm.pct) BY bucket, service.name
+        | STATS avg_cpu = AVG(system.cpu.total.norm.pct) BY BUCKET(@timestamp, 1m), service.name
         | SORT avg_cpu DESC
         | LIMIT 10`,
         execute: false,
@@ -310,9 +309,8 @@ describe('ES|QL query generation', () => {
         question: `i have logs in logs-apm*. Using ESQL, show me the error rate as a percetage of the error logs (identified as processor.event containing the value error) vs the total logs per day for the last 7 days `,
         expected: `FROM logs-apm*
         | WHERE @timestamp >= NOW() - 7 days
-        | EVAL day = DATE_TRUNC(1 day, @timestamp)
         | EVAL error = CASE(processor.event == "error", 1, 0)
-        | STATS total_logs = COUNT(*), total_errors = SUM(is_error) BY day
+        | STATS total_logs = COUNT(*), total_errors = SUM(is_error) BY BUCKET(@timestamp, 1 day)
         | EVAL error_rate = total_errors / total_logs * 100
         | SORT day ASC`,
         execute: true,

diff --git a/...bservability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.test.ts b/...bservability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.test.ts
@@ -94,6 +94,11 @@ describe('correctCommonEsqlMistakes', () => {
       'FROM logs-*\n| KEEP date, whatever, @timestamp\n| EVAL my_truncated_date_field = DATE_TRUNC(1 year, date)\n| SORT @timestamp, my_truncated_date_field DESC'
     );
 
+    expectQuery(
+      `FROM logs-*\n| STATS COUNT(*) BY BUCKET(@timestamp, 1m)\n| SORT \`BUCKET(@timestamp, 1m)\` DESC`,
+      `FROM logs-*\n| STATS COUNT(*) BY BUCKET(@timestamp, 1m)\n| SORT \`BUCKET(@timestamp, 1m)\` DESC`
+    );
+
     expectQuery(
       `FROM logs-* | KEEP date, whatever | RENAME whatever AS forever | SORT forever DESC`,
       `FROM logs-*\n| KEEP date, whatever\n| RENAME whatever AS forever\n| SORT forever DESC`

diff --git a/...ion/observability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.ts b/...ion/observability_ai_assistant_app/server/functions/query/correct_common_esql_mistakes.ts
@@ -191,7 +191,7 @@ function escapeExpressionsInSort(sortCommand: string) {
 
       if (sortOrder) sortOrder = ` ${sortOrder}`;
 
-      if (!column.match(/^`?[a-zA-Z0-9_\.@]+`?$/)) {
+      if (!column.match(/^`.*?`$/) && !column.match(/^[a-zA-Z0-9_\.@]+$/)) {
         column = `\`${column}\``;
       }
 

diff --git a/...ty_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-case.txt b/...ty_solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-case.txt
@@ -33,7 +33,6 @@ FROM sample_data
 ```esql
 FROM sample_data
 | EVAL error = CASE(message LIKE "*error*", 1, 0)
-| EVAL hour = DATE_TRUNC(1 hour, @timestamp)
-| STATS error_rate = AVG(error) BY hour
+| STATS error_rate = AVG(error) BY BUCKET(@timestamp, 1 hour)
 | SORT hour
-```
+```
diff --git a/..._solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-syntax.txt b/..._solution/observability_ai_assistant_app/server/functions/query/esql_docs/esql-syntax.txt
@@ -92,30 +92,30 @@ FROM logs
 
 ```esql
 FROM logs
-| STATS COUNT(*) BY timestamp = DATE_TRUNC(1h, @timestamp)
+| STATS COUNT(*) BY timestamp = BUCKET(@timestamp, 1h)
 | WHERE timestamp >= NOW() - 24h
 ```
 
 3. Finding the average response time per minute for the last hour:
 
 ```esql
 FROM logs
-| STATS AVG(response_time) BY minute = DATE_TRUNC(1m, @timestamp)
+| STATS AVG(response_time) BY minute = BUCKET(@timestamp, 1m)
 | WHERE @timestamp >= NOW() - 1h
 ```
 
 4. Aggregating data on a weekly basis for the past year:
 
 ```esql
 FROM logs
-| STATS COUNT(*) BY week = DATE_TRUNC(1w, @timestamp)
+| STATS COUNT(*) BY week = BUCKET(@timestamp, 1w)
 | WHERE @timestamp >= NOW() - 1y
 ```
 
 5. Finding the maximum response time per second for the last minute:
 
 ```esql
 FROM logs
-| STATS MAX(response_time) BY second = DATE_TRUNC(1s, @timestamp)
+| STATS MAX(response_time) BY second = BUCKET(@timestamp, 1s)
 | WHERE @timestamp >= NOW() - 1m
 ```