present_over_time_events_received required_capability: ts_command_v0 TS k8s | WHERE cluster == "prod" AND pod == "two" | STATS events_received = max(present_over_time(events_received)) BY pod, time_bucket = tbucket(2 minute) | SORT time_bucket ; ignoreOrder:true events_received:boolean | pod:keyword | time_bucket:datetime true | two | 2024-05-10T00:02:00.000Z true | two | 2024-05-10T00:08:00.000Z false | two | 2024-05-10T00:10:00.000Z false | two | 2024-05-10T00:12:00.000Z true | two | 2024-05-10T00:14:00.000Z true | two | 2024-05-10T00:16:00.000Z false | two | 2024-05-10T00:18:00.000Z true | two | 2024-05-10T00:20:00.000Z true | two | 2024-05-10T00:22:00.000Z ; present_over_time_events_received_promql required_capability: promql_command_v0 PROMQL index=k8s step=2m start="2024-05-10T00:02:00.000Z" end="2024-05-10T00:22:00.000Z" events_received=(max by (pod) (present_over_time(events_received{cluster="prod",pod="two"}[2m]))) | SORT step; ignoreOrder:true events_received:double | step:datetime | pod:keyword 1.0 | 2024-05-10T00:02:00.000Z | two 1.0 | 2024-05-10T00:08:00.000Z | two 0.0 | 2024-05-10T00:10:00.000Z | two 0.0 | 2024-05-10T00:12:00.000Z | two 1.0 | 2024-05-10T00:14:00.000Z | two 1.0 | 2024-05-10T00:16:00.000Z | two 0.0 | 2024-05-10T00:18:00.000Z | two 1.0 | 2024-05-10T00:20:00.000Z | two ; present_over_time_of_long required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(network.bytes_in)) BY cluster, time_bucket = tbucket(10minute) | SORT cluster, time_bucket | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_long_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(network.bytes_in[10m]))) | SORT cluster, step | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_boolean required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(network.eth0.up)) BY cluster, time_bucket = tbucket(10minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_boolean_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(network.eth0.up[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_date_nanos required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(network.eth0.last_up)) BY cluster, time_bucket = tbucket(10minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_date_nanos_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(network.eth0.last_up[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_date required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(to_datetime(network.eth0.last_up))) BY cluster, time_bucket = tbucket(10minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_date_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(network.eth0.last_up[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_version required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(network.eth0.firmware_version)) BY cluster, time_bucket = tbucket(10minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_version_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(network.eth0.firmware_version[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_integer required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(network.eth0.currently_connected_clients)) BY cluster, time_bucket = tbucket(10minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_integer_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(network.eth0.currently_connected_clients[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_text required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(event_log)) BY cluster, time_bucket = tbucket(10minute) | SORT cluster, time_bucket | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_text_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(event_log[10m]))) | SORT cluster, step | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_keyword required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(network.eth0.up)) BY cluster, time_bucket = tbucket(10minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_keyword_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(network.eth0.up[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_aggregate_metric_double required_capability: ts_command_v0 required_capability: aggregate_metric_double_v0 TS k8s-downsampled | STATS is_present = max(present_over_time(network.eth0.tx)) BY cluster, time_bucket = tbucket(10 minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-09T23:30:00.000Z true | qa | 2024-05-09T23:30:00.000Z true | staging | 2024-05-09T23:30:00.000Z true | prod | 2024-05-09T23:40:00.000Z true | qa | 2024-05-09T23:40:00.000Z true | staging | 2024-05-09T23:40:00.000Z true | prod | 2024-05-09T23:50:00.000Z true | qa | 2024-05-09T23:50:00.000Z true | staging | 2024-05-09T23:50:00.000Z ; present_over_time_of_aggregate_metric_double_promql required_capability: promql_command_v0 required_capability: aggregate_metric_double_v0 PROMQL index=k8s-downsampled step=10m is_present=(max by (cluster) (present_over_time(network.eth0.tx[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-09T23:30:00.000Z | prod 1.0 | 2024-05-09T23:30:00.000Z | qa 1.0 | 2024-05-09T23:30:00.000Z | staging 1.0 | 2024-05-09T23:40:00.000Z | prod 1.0 | 2024-05-09T23:40:00.000Z | qa 1.0 | 2024-05-09T23:40:00.000Z | staging 1.0 | 2024-05-09T23:50:00.000Z | prod 1.0 | 2024-05-09T23:50:00.000Z | qa 1.0 | 2024-05-09T23:50:00.000Z | staging ; present_over_time_of_geopoint required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(event_city)) BY cluster, time_bucket = tbucket(10minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_geopoint_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(event_city[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_geoshape required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(event_city_boundary)) BY cluster, time_bucket = tbucket(10minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_geoshape_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(event_city_boundary[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_shape required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(event_shape)) BY cluster, time_bucket = tbucket(10minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_shape_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(event_shape[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_of_point required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(event_location)) BY cluster, time_bucket = tbucket(10minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_of_point_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(event_location[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_with_filtering required_capability: ts_command_v0 TS k8s | WHERE pod != "three" | STATS is_present = max(present_over_time(network.bytes_in)) BY cluster, time_bucket = tbucket(10 minute) | SORT time_bucket, cluster | LIMIT 10; is_present:boolean | cluster:keyword | time_bucket:datetime true | prod | 2024-05-10T00:00:00.000Z true | qa | 2024-05-10T00:00:00.000Z true | staging | 2024-05-10T00:00:00.000Z true | prod | 2024-05-10T00:10:00.000Z true | qa | 2024-05-10T00:10:00.000Z true | staging | 2024-05-10T00:10:00.000Z true | prod | 2024-05-10T00:20:00.000Z true | qa | 2024-05-10T00:20:00.000Z true | staging | 2024-05-10T00:20:00.000Z ; present_over_time_with_filtering_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (cluster) (present_over_time(network.bytes_in{pod!="three"}[10m]))) | SORT step, cluster | LIMIT 10; is_present:double | step:datetime | cluster:keyword 1.0 | 2024-05-10T00:00:00.000Z | prod 1.0 | 2024-05-10T00:00:00.000Z | qa 1.0 | 2024-05-10T00:00:00.000Z | staging 1.0 | 2024-05-10T00:10:00.000Z | prod 1.0 | 2024-05-10T00:10:00.000Z | qa 1.0 | 2024-05-10T00:10:00.000Z | staging 1.0 | 2024-05-10T00:20:00.000Z | prod 1.0 | 2024-05-10T00:20:00.000Z | qa 1.0 | 2024-05-10T00:20:00.000Z | staging ; present_over_time_older_than_10d required_capability: ts_command_v0 required_capability: aggregate_metric_double_v0 TS k8s-downsampled | WHERE cluster == "qa" AND @timestamp < now() - 10 day | STATS is_present = max(present_over_time(network.eth0.rx)) BY pod, time_bucket = tbucket(10 minute) | SORT time_bucket, pod | LIMIT 5; is_present:boolean | pod:keyword | time_bucket:datetime true | one | 2024-05-09T23:30:00.000Z true | three | 2024-05-09T23:30:00.000Z true | two | 2024-05-09T23:30:00.000Z true | one | 2024-05-09T23:40:00.000Z true | three | 2024-05-09T23:40:00.000Z ; eval_on_present_over_time required_capability: ts_command_v0 TS k8s | STATS is_present = max(present_over_time(network.bytes_in)) BY pod, time_bucket = tbucket(10 minute) | EVAL int = to_integer(is_present) | LIMIT 10 | SORT time_bucket, pod; is_present:boolean | pod:keyword | time_bucket:datetime | int:integer true | one | 2024-05-10T00:00:00.000Z | 1 true | three | 2024-05-10T00:00:00.000Z | 1 true | two | 2024-05-10T00:00:00.000Z | 1 true | one | 2024-05-10T00:10:00.000Z | 1 true | three | 2024-05-10T00:10:00.000Z | 1 true | two | 2024-05-10T00:10:00.000Z | 1 true | one | 2024-05-10T00:20:00.000Z | 1 true | three | 2024-05-10T00:20:00.000Z | 1 true | two | 2024-05-10T00:20:00.000Z | 1 ; eval_on_present_over_time_promql required_capability: promql_command_v0 PROMQL index=k8s step=10m is_present=(max by (pod) (present_over_time(network.bytes_in[10m]))) | EVAL int = to_integer(is_present) | SORT step, pod | LIMIT 10; is_present:double | step:datetime | pod:keyword | int:integer 1.0 | 2024-05-10T00:00:00.000Z | one | 1 1.0 | 2024-05-10T00:00:00.000Z | three | 1 1.0 | 2024-05-10T00:00:00.000Z | two | 1 1.0 | 2024-05-10T00:10:00.000Z | one | 1 1.0 | 2024-05-10T00:10:00.000Z | three | 1 1.0 | 2024-05-10T00:10:00.000Z | two | 1 1.0 | 2024-05-10T00:20:00.000Z | one | 1 1.0 | 2024-05-10T00:20:00.000Z | three | 1 1.0 | 2024-05-10T00:20:00.000Z | two | 1 ; present_over_time_events_received_as_integer required_capability: ts_command_v0 TS k8s | WHERE cluster == "prod" AND pod == "two" | STATS events_received = max(to_integer(present_over_time(events_received))) BY pod, time_bucket = tbucket(2 minute) | SORT time_bucket ; ignoreOrder:true events_received:integer | pod:keyword | time_bucket:datetime 1 | two | 2024-05-10T00:02:00.000Z 1 | two | 2024-05-10T00:08:00.000Z 0 | two | 2024-05-10T00:10:00.000Z 0 | two | 2024-05-10T00:12:00.000Z 1 | two | 2024-05-10T00:14:00.000Z 1 | two | 2024-05-10T00:16:00.000Z 0 | two | 2024-05-10T00:18:00.000Z 1 | two | 2024-05-10T00:20:00.000Z 1 | two | 2024-05-10T00:22:00.000Z ; present_over_time_events_received_as_integer_promql required_capability: promql_command_v0 PROMQL index=k8s step=2m start="2024-05-10T00:02:00.000Z" end="2024-05-10T00:22:00.000Z" events_received=(max by (pod) (present_over_time(events_received{cluster="prod",pod="two"}[2m]))) | SORT step; ignoreOrder:true events_received:double | step:datetime | pod:keyword 1.0 | 2024-05-10T00:02:00.000Z | two 1.0 | 2024-05-10T00:08:00.000Z | two 0.0 | 2024-05-10T00:10:00.000Z | two 0.0 | 2024-05-10T00:12:00.000Z | two 1.0 | 2024-05-10T00:14:00.000Z | two 1.0 | 2024-05-10T00:16:00.000Z | two 0.0 | 2024-05-10T00:18:00.000Z | two 1.0 | 2024-05-10T00:20:00.000Z | two ;