Description
TRANGE(<start time>, <end time>)
TRANGE(<time interval>)
Filters @timestamp values for the given time range. The first version implicitly uses now() as end time, giving an interval for the last hour or day, while the second one can consume regular DateTime specs or negative intervals:
TRANGE(1h) is equivalent to @timestamp >= now() - 1 hour
TRANGE(-3h, -2h) is equivalent to @timestamp >= now() - 3 hour AND @timestamp < now() - 2h
TRANGE(2024-05-12T12:00:00, 2024-05-12T15:30:00) is equivalent to @timestamp >= DATE_PARSE(2024-05-12T12:00:00) AND @timestamp < DATE_PARSE(2024-05-12T15:30:00)
TRANGE(1715504400000, 1715517000000) is equivalent to the above, using ms since Epoch instead of text-formatted dates.
Examples
A. TS index
| WHERE TRANGE(1d) AND cluster == 'foo'
| STATS max(search_requests) BY TBUCKET(1h), host
B. TS index
| WHERE TRANGE(1d) AND cluster == 'foo'
| STATS max(last_over_time(search_requests)) BY TBUCKET(1h), host
C. TS index
| WHERE TRANGE(1d) AND cluster == 'foo'
| STATS max(max_over_time(search_requests)) BY TBUCKET(1h), host
D. TS index
| WHERE TRANGE(1d) AND cluster == 'foo'
| STATS max(max_over_time(search_requests, 2h)) BY TBUCKET(1h), host
E. TS index
| WHERE TRANGE(5m)
| STATS rate(search_requests) BY TBUCKET(1m)
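The equivalences listed in the description, modelled as an added Python example (not code from the issue or from Elasticsearch): each TRANGE form is resolved to explicit bounds and tested as a half-open range. The function names, the `tz` parameter used to read dates that carry no offset, the upper bound of `now` for the single-argument form, and the fixed clock are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
INTERVAL = re.compile(r"(-?)(\d+)([smhd])")


def resolve(arg, now, tz=timezone.utc):
    """Turn one TRANGE argument into an absolute, timezone-aware instant."""
    if isinstance(arg, int):  # ms since Epoch: unambiguous, always UTC
        return datetime.fromtimestamp(arg / 1000, tz=timezone.utc)
    m = INTERVAL.fullmatch(arg)
    if m:  # interval such as "1h" or "-3h", taken as an offset from now
        sign, count, unit = m.groups()
        delta = timedelta(**{UNITS[unit]: int(count)})
        return now - delta if sign else now + delta
    ts = datetime.fromisoformat(arg)  # text-formatted date
    # Assumption: a date without an offset is read in the caller-supplied zone.
    return ts if ts.tzinfo else ts.replace(tzinfo=tz)


def trange(*args, now, tz=timezone.utc):
    """Return the (start, end) bounds that TRANGE(...) stands for."""
    if len(args) == 1:  # TRANGE(1h): look back from now
        m = INTERVAL.fullmatch(str(args[0]))
        if not m or m.group(1):
            raise ValueError("single-argument form takes a positive interval")
        return resolve("-" + args[0], now), now
    if len(args) != 2:
        raise ValueError("TRANGE takes one or two arguments")
    start, end = (resolve(a, now, tz) for a in args)
    if start >= end:
        raise ValueError("start must be before end")
    return start, end


def matches(ts, bounds):
    """Half-open test, as in the page's two-argument equivalences."""
    start, end = bounds
    return start <= ts < end


if __name__ == "__main__":
    now = datetime(2024, 5, 12, 16, 0, tzinfo=timezone.utc)  # constructed clock
    print(trange("-3h", "-2h", now=now))
```

Under these assumptions the text-formatted and Epoch forms from the description resolve to the same instants when the dates are read at UTC+3, and to different instants when they are read as UTC.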