Currently, when a time-series aggregation does not specify an inner over_time aggregation, we default to using last_over_time. However, this approach is not suitable for types that require a different default over_time aggregation, such as exponential_histogram. Also, if the internal aggregation is not an original field (e.g., TS .. | STATS sum(a + b)), the correct rewrite should be TS .. | STATS SUM(last_over_time(a) + last_over_time(b)) instead.
Relates #138563
Currently, when a time-series aggregation does not specify an inner
over_timeaggregation, we default to usinglast_over_time. However, this approach is not suitable for types that require a different defaultover_timeaggregation, such asexponential_histogram. Also, if the internal aggregation is not an original field (e.g.,TS .. | STATS sum(a + b)), the correct rewrite should beTS .. | STATS SUM(last_over_time(a) + last_over_time(b))instead.Relates #138563