ES|QL TO_COUNTER function
field-
Input value. The input can be a single- or multi-valued column or an expression.
Converts a numeric value to its counter equivalent. The output type is determined by the input: long converts to counter_long, integer to counter_integer, and double to counter_double. No values are modified; only the type annotation changes. If the input is already a counter, the function is a no-op. This is useful when a metric field was misclassified as a plain numeric type instead of a counter in the index mapping. This function is also available as the ::counter cast operator.
| field | result |
|---|---|
| counter_double | counter_double |
| counter_integer | counter_integer |
| counter_long | counter_long |
| double | counter_double |
| integer | counter_integer |
| long | counter_long |
TS k8s
| STATS rate_bytes_in=avg(rate(network.total_bytes_in::counter)) BY time_bucket = bucket(@timestamp,1minute)
| EVAL rate_bytes_in=ROUND(rate_bytes_in, 6) | KEEP rate_bytes_in, time_bucket
| SORT rate_bytes_in DESC, time_bucket DESC | LIMIT 10;
| rate_bytes_in:double | time_bucket:datetime |
|---|---|
| 26.69853 | 2024-05-10T00:04:00.000Z |
| 25.238823 | 2024-05-10T00:20:00.000Z |
| 22.148003 | 2024-05-10T00:01:00.000Z |
| 19.281831 | 2024-05-10T00:19:00.000Z |
| 18.744102 | 2024-05-10T00:11:00.000Z |
| 17.752681 | 2024-05-10T00:17:00.000Z |
| 16.945882 | 2024-05-10T00:10:00.000Z |
| 16.65479 | 2024-05-10T00:07:00.000Z |
| 15.773894 | 2024-05-10T00:18:00.000Z |
| 15.515104 | 2024-05-10T00:00:00.000Z |
| ; |
Applying TO_COUNTER to a field that is a genuine gauge, rather than a misclassified counter, will produce raw gauge values with counter semantics. Results from aggregations on such values are not meaningful.