'Elastic SQL translate API ignored a count

I had to write a simple query in Elastic and (I'm lazy) I choose to write a (working) SQL equivalent query and let Elastic translate it:

SELECT 
  count(*)/7.0 AS moving_average, 
  sum(CASE WHEN "@timestamp" > DATE_ADD('days', -2, CURRENT_DATE) THEN 1 ELSE 0 END) AS yesterday_value 
FROM "index-*" 
WHERE "@timestamp" < CURRENT_DATE
  AND "@timestamp" > DATE_ADD('days', -8, CURRENT_DATE) 
GROUP BY field

I received this query:

{
"size": 0,
"query": {
    "range": {
        "@timestamp": {
            "from": "2022-01-26T00:00:00.000Z",
            "to": "2022-02-03T00:00:00.000Z",
            "include_lower": false,
            "include_upper": false,
            "time_zone": "Z",
            "format": "strict_date_optional_time_nanos",
            "boost": 1.0
        }
    }
},
"_source": false,
"aggregations": {
    "groupby": {
        "composite": {
            "size": 1000,
            "sources": [
                {
                    "c3b53914": {
                        "terms": {
                            "field": "field.keyword",
                            "missing_bucket": true,
                            "order": "asc"
                        }
                    }
                }
            ]
        },
        "aggregations": {
            "fd78731a": {
                "stats": {
                    "script": {
                        "source": "InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.gt(InternalQlScriptUtils.docValue(doc,params.v0),InternalSqlScriptUtils.asDateTime(params.v1))) ? params.v2 : params.v3",
                        "lang": "painless",
                        "params": {
                            "v0": "@timestamp",
                            "v1": "2022-02-01T00:00:00.000Z",
                            "v2": 1,
                            "v3": 0
                        }
                    }
                }
            }
        }
    }
}
}

Now: this query has some problems, for example uses the actual current date and not some datemath expression like now-8d/d, but the main problem is that it's ignoring the /7.0 part (and also the painless script is not working as expected).

In the end, I had to write it from scratch (and divide by 7 in a later passage - or use a moving function aggregation):

{
    "size": 0,
    "query": {
        "range": {
            "@timestamp": {
                "from": "now-8d/d",
                "to": "now-1d/d",
                "include_lower": false,
                "include_upper": true,
                "time_zone": "Z",
                "format": "strict_date_optional_time_nanos",
                "boost": 1.0
            }
        }
    },
    "_source": false,
    "aggregations": {
        "groupby": {
            "composite": {
                "size": 100,
                "sources": [
                    {
                        "field": {
                            "terms": {
                                "field": "field",
                                "missing_bucket": true,
                                "order": "asc"
                            }
                        }
                    }
                ]
            },
            "aggregations": {
                "doc_count_yesterday": {
                    "range": {
                        "field": "@timestamp",
                        "ranges": [{
                            "from": "now-1d/d",
                            "to": "now/d"
                        }]
                    }
                }
            }
        }
    }
}

Does anybody know this phenomenon? It doesn't seem to appear in the SQL limitations.

sql


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions