ES|QL PRESENT_OVER_TIME function
field - the metric field to calculate the value for
window - the time window over which to compute the present over time
Calculates the presence of a field in the output result over a time range.
| field | window | result |
|---|---|---|
| aggregate_metric_double | time_duration | boolean |
| boolean | time_duration | boolean |
| cartesian_point | time_duration | boolean |
| cartesian_shape | time_duration | boolean |
| date | time_duration | boolean |
| date_nanos | time_duration | boolean |
| double | time_duration | boolean |
| exponential_histogram | time_duration | boolean |
| geo_point | time_duration | boolean |
| geo_shape | time_duration | boolean |
| geohash | time_duration | boolean |
| geohex | time_duration | boolean |
| geotile | time_duration | boolean |
| histogram | time_duration | boolean |
| integer | time_duration | boolean |
| ip | time_duration | boolean |
| keyword | time_duration | boolean |
| long | time_duration | boolean |
| tdigest | time_duration | boolean |
| text | time_duration | boolean |
| unsigned_long | time_duration | boolean |
| version | time_duration | boolean |
```esql
TS k8s
| WHERE cluster == "prod" AND pod == "two"
| STATS events_received = MAX(PRESENT_OVER_TIME(events_received)) BY pod, time_bucket = TBUCKET(2 minute)
```

| events_received:boolean | pod:keyword | time_bucket:datetime |
|---|---|---|
| true | two | 2024-05-10T00:02:00.000Z |
| true | two | 2024-05-10T00:08:00.000Z |
| false | two | 2024-05-10T00:10:00.000Z |
| false | two | 2024-05-10T00:12:00.000Z |