sql icon indicating copy to clipboard operation
sql copied to clipboard

Published 20 hours ago verified publisher icon opendistro-for-elasticsearch

stats by do not support date_format function

Open chyun opened this issue 3 years ago • 3 comments

I input PPL "search source=210324|stats max(event_duration) by date_format(inbuilt_meta.log_timestamp, 'yyyy-MM-dd HH')". Got the error { "error": { "reason": "Invalid Query", "details": "Failed to parse query due to offending symbol [date_format] at: 'search source=*210324*|stats max(event_duration) by date_format' <--- HERE... More details: Expecting tokens in {'D', '.', '', 'AVG', 'COUNT', 'MAX', 'MIN', 'SUM', 'FIRST', 'LAST', 'DATE', 'TIME', 'TIMESTAMP', ID, BQUOTA_STRING}", "type": "SyntaxCheckException" }, "status": 400 }`

It looks like stats by do not support very much function

chyun avatar Mar 24 '21 10:03 chyun

I can use "search source=210324|fields event_duration, inbuilt_meta.log_timestamp|eval day_str=date_format(inbuilt_meta.log_timestamp, 'yyyy-MM-dd HH')" to get the right answer, but the method do not aggregate all of data, it just aggregate the head part of data

chyun avatar Mar 24 '21 10:03 chyun

Thanks for reporting the issue! Investigating

dai-chen avatar Mar 24 '21 20:03 dai-chen

It seems BY clause only accepts field name: https://github.com/opendistro-for-elasticsearch/sql/blob/develop/ppl/src/main/antlr/OpenDistroPPLParser.g4#L107. We need to check if this can be enabled easily. For now, could you try to append stats to your eval command. Note that this may have performance issue on big data set. Thanks!

dai-chen avatar Mar 24 '21 20:03 dai-chen