ES|QL TS_INFO command
The TS_INFO processing command retrieves information about individual time series available in time series data streams, along with the dimension values that identify each series.

TS_INFO is a more fine-grained variant of METRICS_INFO. Where METRICS_INFO returns one row per distinct metric, TS_INFO returns one row per metric and time series combination. This lets you discover the exact dimension values (labels) that identify each series. Like METRICS_INFO, any WHERE filters that precede TS_INFO narrow the set of time series considered.
```esql
TS_INFO
```
TS_INFO takes no parameters.
TS_INFO produces one row for every (metric, time series) combination that matches the preceding filters. It includes all columns from METRICS_INFO, plus a dimensions column containing a JSON-encoded representation of the dimension key/value pairs that identify the time series.
The output contains the following columns, all of type keyword:
- metric_name: The name of the metric field (single-valued).
- data_stream: The data stream(s) that contain this metric (multi-valued when the metric is included in multiple data streams which align on the unit, metric type, and field type).
- unit: The unit declared in the field mapping, such as bytes or packets (multi-valued when definitions differ across backing indices; may be null if no unit is declared).
- metric_type: The metric type, for example counter or gauge (multi-valued when definitions differ across backing indices).
- field_type: The Elasticsearch field type, for example long, double, or integer (multi-valued when definitions differ across backing indices).
- dimension_fields: The dimension field names associated with this metric (multi-valued). The union of dimension keys across all time series for that metric.
- dimensions: A JSON-encoded object containing the dimension key/value pairs that identify the time series (single-valued). For example: {"job":"elasticsearch","instance":"instance_1"}.
- TS_INFO can only be used after a TS source command. Using it after FROM or other source commands produces an error.
- TS_INFO must appear before pipeline-breaking commands such as STATS, SORT, or LIMIT.
- The output replaces the original table: downstream commands operate on the metadata rows, not the raw time series documents.
Return every (metric, time series) pair in the targeted data stream, sorted by metric name and dimension values:
```esql
TS k8s
| TS_INFO
| SORT metric_name, dimensions
```
Place a WHERE clause before TS_INFO to restrict the time series considered. Only metrics and series with matching data are returned:
```esql
TS k8s
| WHERE cluster == "prod"
| TS_INFO
| SORT metric_name, dimensions
```
Use KEEP to return only the columns you need:
```esql
TS k8s
| WHERE cluster == "prod"
| TS_INFO
| KEEP metric_name, dimensions
| SORT metric_name, dimensions
```
Use WHERE after TS_INFO to narrow results by metadata:
```esql
TS k8s
| TS_INFO
| WHERE metric_type == "gauge"
| SORT metric_name, dimensions
```
Combine with STATS to count how many time series exist for each metric:
```esql
TS k8s
| TS_INFO
| STATS series_count = COUNT(*) BY metric_name
| SORT metric_name
```
| series_count:long | metric_name:keyword |
|---|---|
| 9 | network.eth0.rx |
| 9 | network.eth0.tx |
| 9 | network.total_bytes_in |
| 9 | network.total_cost |
Find out how many different metrics each time series reports. This can help identify series that report an unusually small or large number of metrics:
```esql
TS k8s
| TS_INFO
| STATS metric_count = COUNT_DISTINCT(metric_name) BY dimensions
| SORT dimensions
```
| metric_count:long | dimensions:keyword |
|---|---|
| 4 | {"cluster":"prod","pod":"one","region":"[eu, us]"} |
| 4 | {"cluster":"prod","pod":"three","region":"[eu, us]"} |
| 4 | {"cluster":"prod","pod":"two","region":"[eu, us]"} |
| 4 | {"cluster":"qa","pod":"one"} |
| 4 | {"cluster":"qa","pod":"three"} |
| 4 | {"cluster":"qa","pod":"two"} |
| 4 | {"cluster":"staging","pod":"one","region":"us"} |
| 4 | {"cluster":"staging","pod":"three","region":"us"} |
| 4 | {"cluster":"staging","pod":"two","region":"us"} |
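
Added example, not part of the Elastic documentation: a Python check that parses the JSON-encoded dimensions column and reports series that lack a dimension key listed in dimension_fields for their metric, which helps spot sources shipping telemetry without a label that other series carry. It assumes rows in the columns/values shape of an ES|QL query response for `TS k8s | TS_INFO | KEEP metric_name, dimension_fields, dimensions`; the function names and sample rows are constructed for illustration.

```python
import json


def as_list(value):
    """Normalize a column value: multi-valued columns arrive as a list,
    single values as a scalar, and missing values as None."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def series_missing_dimensions(response):
    """Map (metric_name, dimensions) -> sorted dimension keys the series lacks.

    dimension_fields is the union of dimension keys across all series of a
    metric, so a key absent from one series' dimensions marks a label gap.
    """
    names = [col["name"] for col in response["columns"]]
    gaps = {}
    for values in response["values"]:
        row = dict(zip(names, values))
        expected = set(as_list(row["dimension_fields"]))
        # dimensions is a keyword column holding JSON text, so decode it first.
        present = set(json.loads(row["dimensions"]))
        missing = expected - present
        if missing:
            gaps[(row["metric_name"], row["dimensions"])] = sorted(missing)
    return gaps


# Constructed sample rows (assumed response shape, not real cluster output).
FIELDS = ["cluster", "pod", "region"]
SAMPLE = {
    "columns": [
        {"name": "metric_name", "type": "keyword"},
        {"name": "dimension_fields", "type": "keyword"},
        {"name": "dimensions", "type": "keyword"},
    ],
    "values": [
        ["network.eth0.rx", FIELDS, '{"cluster":"prod","pod":"one","region":"[eu, us]"}'],
        ["network.eth0.rx", FIELDS, '{"cluster":"qa","pod":"one"}'],
        ["network.eth0.rx", FIELDS, '{"cluster":"staging","pod":"one","region":"us"}'],
    ],
}

if __name__ == "__main__":
    for (metric, dims), missing in series_missing_dimensions(SAMPLE).items():
        print(f"{metric} {dims} is missing {missing}")
```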