By "counter" field, I mean: a numeric field whose value only ever monotonically increases over time, except when it resets to 0 (or rather, in practice, precipitously drops to near-zero; it's possible, due to the periodic nature of the data collection, that the 0 value might never get forwarded/ingested).
Suppose I already have data in Elasticsearch. I want to query the values of numeric fields to identify which of those fields might be counters.
Given an index pattern to search, can someone suggest an elegant method (say, scripted Elasticsearch queries) to do that? (Without having to explicitly provide a list of numeric fields in that index pattern?)
Here, I'm just after a list of candidate field names. It's okay if the method catches some fields that turn out, on further investigation, to be gauges, not counters. But I'd like it to identify all possible counter candidates, preferably without catching too many gauges.
SQL LAG() function
The accepted answer to the Stack Overflow question "Check rows for monotonically increasing values" indicates that the SQL LAG() function might be a solution, but I gather that Elasticsearch does not support that function, and anyway I imagine that a simple LAG()-based solution would be confounded by a reset to 0.
Prometheus resets() function
Prometheus has a resets() function that returns a number of resets, where a reset is:
Any decrease in the value between two consecutive float samples
Fields with a relatively high number of "resets" are more likely to be gauges than counters.
To my knowledge, Elasticsearch doesn't have an equivalent function. (I acknowledge that I could forward data to Prometheus and then use that function, but here, in this Elastic-specific forum, I'm hoping for a solution based on data already ingested in Elastic.)
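An added example of the heuristic the question describes (my own prototype, not the poster's code and not an Elasticsearch feature): it walks each numeric field in time order, treats a drop to near zero as a reset, and keeps only fields whose decreases are all rare resets. The DOCS list is constructed sample data standing in for the hits of a search sorted by @timestamp; the field names and thresholds are assumptions.

```python
"""Prototype of the counter-vs-gauge heuristic over time-ordered documents.
Added example, not from the original post. A field is a counter candidate when
every decrease is a near-zero reset, resets are rare, and it increases at all."""
from collections import defaultdict

# Constructed documents, already in @timestamp order (assumed field names).
DOCS = [
    {"@timestamp": 1, "net.bytes": 100, "cpu.pct": 12.0, "mem.used": 4000},
    {"@timestamp": 2, "net.bytes": 250, "cpu.pct": 40.5, "mem.used": 4100},
    {"@timestamp": 3, "net.bytes": 900, "cpu.pct": 9.0, "mem.used": 3900},
    {"@timestamp": 4, "net.bytes": 3, "cpu.pct": 55.0, "mem.used": 4200},  # reset
    {"@timestamp": 5, "net.bytes": 120, "cpu.pct": 30.0, "mem.used": 4000},
    {"@timestamp": 6, "net.bytes": 400, "cpu.pct": 20.0, "mem.used": 4300},
]

def numeric_series(docs, exclude=("@timestamp",)):
    """Group numeric field values by field name, keeping document order."""
    series = defaultdict(list)
    for doc in docs:
        for field, value in doc.items():
            if field in exclude or isinstance(value, bool) or not isinstance(value, (int, float)):
                continue
            series[field].append(value)
    return series

def count_changes(values, reset_ratio=0.05):
    """Return (increases, resets, other_decreases) between consecutive samples.
    A decrease is a reset when the new value is at most reset_ratio of the old
    one, so a drop to near-zero (the 0 itself never ingested) still counts."""
    increases = resets = other = 0
    for prev, cur in zip(values, values[1:]):
        if cur > prev:
            increases += 1
        elif cur < prev:
            if cur <= prev * reset_ratio:
                resets += 1
            else:
                other += 1
    return increases, resets, other

def counter_candidates(docs, max_reset_fraction=0.2):
    """Field names whose only decreases are rare near-zero resets."""
    candidates = []
    for field, values in numeric_series(docs).items():
        increases, resets, other = count_changes(values)
        intervals = max(len(values) - 1, 1)
        if increases and other == 0 and resets / intervals <= max_reset_fraction:
            candidates.append(field)
    return candidates

print(counter_candidates(DOCS))  # ['net.bytes']
```

Fields with partial decreases (cpu.pct, mem.used) are rejected as gauges, while a constant field is rejected because it never increases.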