Support window functions in time-series aggregations

[dnhatn]

This change adds window function support for time-series aggregation functions including rate, avg_over_time, and last_over_time. Additional time-series aggregation functions will be supported in a follow-up to keep this PR focused.

Examples:

TS k8s
| WHERE TRANGE("2024-05-10T00:05:00.000Z", "2024-05-10T00:10:00.000Z")
| STATS rate_bytes_in=avg(rate(network.total_bytes_in, 5minute)) 
              BY cluster, time_bucket = bucket(@timestamp, 1minute)

Window 5-minute over 1-minute buckets.

TS k8s 
| STATS events = sum(avg_over_time(events_received, 10minute)) 
             BY pod, time_bucket = tbucket(5minute)
| SORT time_bucket, pod
| LIMIT 10

Window 10-minute over 5-minute buckets.

Limitation:

ES|QL currently supports only windows that are multiples of the bucket size.

[elasticsearchmachine]

Hi @dnhatn, I've created a changelog YAML for you.

[github-actions]

ℹ️ Important: Docs version tagging

👋 Thanks for updating the docs! Just a friendly reminder that our docs are now cumulative. This means all 9.x versions are documented on the same page and published off of the main branch, instead of creating separate pages for each minor version.

We use applies_to tags to mark version-specific features and changes.

Expand for a quick overview

When to use applies_to tags:

✅ At the page level to indicate which products/deployments the content applies to (mandatory)
✅ When features change state (e.g. preview, ga) in a specific version
✅ When availability differs across deployments and environments

What NOT to do:

❌ Don't remove or replace information that applies to an older version
❌ Don't add new information that applies to a specific version without an applies_to tag
❌ Don't forget that applies_to tags can be used at the page, section, and inline level

🤔 Need help?

• Check out the cumulative docs guidelines
• Reach out in the #docs Slack channel

[dnhatn]

Existing bug in rate that only manifests when using window functions.

[elasticsearchmachine]

Pinging @elastic/es-storage-engine (Team:StorageEngine)

[kkrik-es]

What happens if the window is smaller than the bucket, e.g.

TS metrics | STATS sum(rate(reqs, 1m) BY TBUCKET(5m)

[dnhatn]

We should reject this query during translation.

[kkrik-es]

Can we skip the version with window for now? I think it's gonna show up in the documentation, which will be confusing for users in 9.2.. Let's discuss separate with Liam on how best to approach this, once we have all functions updated to support windows.

We do need to add them in the tests so that Kibana documentation is updated..

[dnhatn]

++ I removed this in 3e42bb7

[kkrik-es]

Nit: use TBUCKET?

[kkrik-es]

or smaller than the time bucker?

[dnhatn]

++ I pushed e0a3c5a

[kkrik-es]

Nice, so clean! Mostly a question around the documentation, to avoid confusing users of 9.2.

[dnhatn]

Thanks Kostas!