Arithmetic operation support in STATS

[pabloem]

Elasticsearch Version

9.3.0

Installed Plugins

No response

Java Version

bundled

OS Version

mac os

Problem Description

Received this report:

Maybe it is expected but I don't find a note in the documentation. It's perfectly legit to compute expressions in the STATS command (https://www.elastic.co/docs/reference/query-languages/esql/commands/stats-by) . For example:

TS metrics-prometheusreceiver* | STATS foo = 1000*MAX(x509_cert_not_after)

works. However, as soon as we perform some computations with "time-series" functions/aggregations like:

TS metrics-prometheusreceiver* | STATS foo = 1000*MAX(LAST_OVER_TIME(x509_cert_not_after)

This will return the following non-user-friendly error.

Unsupported expression [last_over_time(x509_cert_not_after{f}#74502, @timestamp{f}#74513)]

This works:

TS metrics-prometheusreceiver* | STATS foo = MAX(LAST_OVER_TIME(x509_cert_not_after) | EVAL foo = 1000 * foo

(don't think it's a good user-experience or at least the error does not seem very informative.

Steps to Reproduce

steps are described above (using a ts index)

Logs (if relevant)

No response

[pabloem]

huh interesting stack trace:

[2025-12-15T18:25:53,987][WARN ][o.e.x.e.a.EsqlResponseListener] [test-cluster-0] partial failure at path: /_query, params: {pretty=true, format=json, error_trace=true} shard [[_na_][k8s][0]], reason [org.elasticsearch.xpack.esql.core.QlIllegalArgumentException: Unsupported expression [rate(network.total_bytes_in{f}#16, @timestamp{f}#12)]
	at org.elasticsearch.xpack.esql.evaluator.EvalMapper.toEvaluator(EvalMapper.java:92)
	at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planEval(LocalExecutionPlanner.java:545)
	at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:268)
	at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planFieldExtractNode(LocalExecutionPlanner.java:403)
	at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:262)
	at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planAggregation(LocalExecutionPlanner.java:373)
	at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:260)
	at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.planExchangeSink(LocalExecutionPlanner.java:451)
	at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:315)
	at org.elasticsearch.xpack.esql.planner.LocalExecutionPlanner.plan(LocalExecutionPlanner.java:235)
	at org.elasticsearch.xpack.esql.plugin.ComputeService.runCompute(ComputeService.java:689)
	at org.elasticsearch.xpack.esql.plugin.DataNodeComputeHandler$DataNodeRequestExecutor.lambda$runBatch$4(DataNodeComputeHandler.java:369)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.action.ActionListener$2.onResponse(ActionListener.java:258)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.action.ActionRunnable$2.accept(ActionRunnable.java:58)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.action.ActionRunnable$2.accept(ActionRunnable.java:55)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.action.ActionRunnable$4.doRun(ActionRunnable.java:101)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:27)
	at org.elasticsearch.xpack.esql.plugin.DataNodeComputeHandler$DataNodeRequestExecutor.lambda$acquireSearchContexts$7(DataNodeComputeHandler.java:438)
	at org.elasticsearch.base@9.3.0-SNAPSHOT/org.elasticsearch.core.AbstractRefCounted$1.closeInternal(AbstractRefCounted.java:125)
	at org.elasticsearch.base@9.3.0-SNAPSHOT/org.elasticsearch.core.AbstractRefCounted.decRef(AbstractRefCounted.java:77)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.action.support.RefCountingRunnable.close(RefCountingRunnable.java:113)
	at org.elasticsearch.xpack.esql.plugin.DataNodeComputeHandler$DataNodeRequestExecutor.acquireSearchContexts(DataNodeComputeHandler.java:451)
	at org.elasticsearch.xpack.esql.plugin.DataNodeComputeHandler$DataNodeRequestExecutor.runBatch(DataNodeComputeHandler.java:323)
	at org.elasticsearch.xpack.esql.plugin.DataNodeComputeHandler$DataNodeRequestExecutor.start(DataNodeComputeHandler.java:284)
	at org.elasticsearch.xpack.esql.plugin.DataNodeComputeHandler.runComputeOnDataNode(DataNodeComputeHandler.java:523)
	at org.elasticsearch.xpack.esql.plugin.DataNodeComputeHandler.messageReceived(DataNodeComputeHandler.java:606)
	at org.elasticsearch.xpack.esql.plugin.DataNodeComputeHandler.messageReceived(DataNodeComputeHandler.java:75)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:86)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.transport.TransportService$6.doRun(TransportService.java:1111)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:1113)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:27)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.common.util.concurrent.TimedRunnable.doRun(TimedRunnable.java:35)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:1113)
	at org.elasticsearch.server@9.3.0-SNAPSHOT/org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:27)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1090)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:614)
	at java.base/java.lang.Thread.run(Thread.java:1474)

[pabloem]

Plan looks fine...

[2025-12-15T18:25:54,011][INFO ][o.e.x.e.q.r.ProfileLogger][test] Profile: {planning={took_millis=127, start_millis=1765841153783, stop_millis=1765841153910, took_nanos=127430125}, minimumTransportVersion=9245000, plans=[{cluster_name=test-cluster, reduction_nanos=0, node_name=test-cluster-0, description=node_reduce, plan=ExchangeSinkExec[[_tsid{m}#20, $$LASTOVERTIME_$1$timestamps{r}#22, $$LASTOVERTIME_$1$values{r}#23],true]
\_ExchangeSourceExec[[_tsid{m}#20, $$LASTOVERTIME_$1$timestamps{r}#22, $$LASTOVERTIME_$1$values{r}#23],true]}, {cluster_name=test-cluster, physical_optimization_nanos=10244667, node_name=test-cluster-0, description=final, plan=OutputExec[org.elasticsearch.xpack.esql.plugin.ComputeService$$Lambda/0x00003800017004b8@2de762d5]
\_ProjectExec[[max{r}#6]]
  \_EvalExec[[$$MAX$10_+_max(rate(n>$0{r$}#19 + 10[INTEGER] AS max#3, ROUND(max{r}#3,6[INTEGER]) AS max#6]]
    \_LimitExec[1000000[INTEGER],8]
      \_AggregateExec[[],[MAX(LASTOVERTIME_$1{r}#21,true[BOOLEAN],PT0S[TIME_DURATION]) AS $$MAX$10_+_max(rate(n>$0#19],SINGLE,[$$MAX$10
_+_max(rate(n>$0$max{r}#24, $$MAX$10_+_max(rate(n>$0$seen{r}#25],24]
        \_TimeSeriesAggregateExec[[_tsid{m}#20],[LASTOVERTIME($$RATE$MAX$0{r$}#18,true[BOOLEAN],PT0S[TIME_DURATION],@timestamp{f}#12) AS LASTOVER
TIME_$1#21],FINAL,[_tsid{m}#20, $$LASTOVERTIME_$1$timestamps{r}#22, $$LASTOVERTIME_$1$values{r}#23],8,null]
          \_ExchangeSourceExec

[elasticsearchmachine]

Pinging @elastic/es-analytical-engine (Team:Analytics)

[luigidellaquila]

Related (or probably just duplicate) #139580

I'm leaving both open just because the other one contains a slightly different case, but there is a chance that we can consolidate them in a single one.

[pabloem]

hm we probably want to support this actually. Looking into what we are missing. It can be executed as Source-> Agg -> Eval, which should be completely doable

[pabloem]

writing a couple tests where it doesnt repro and the csv test where it does: #139660