ES|QL: Add TRANGE ES|QL function

[leontyevdv]

Add a new ES|QL function that filters @timestamp values for the given time range. It transforms into a fileter and is pushed down to Lucene.

What is currently supported

1. Explicit start and end times:

TRANGE("2024-05-12T12:00:00", "2024-05-12T15:30:00") - [explicit start; explicit end]
TRANGE(1715504400000, 1715517000000) - [explicit start in millis; explicit end in millis]

2. Offset from now:

TRANGE(1h) - [now - 1h; now] - supports time_duration (1h, 1min, etc) and period (1day, 1month, etc.)

---

What is not supported and requires consideration

1. Explicit start time:

TRANGE("2024-05-12T12:00:00") - [explicit start; now]
TRANGE(1715504400000) - [explicit start in millis; now]

2. Modifier for an explicit start time (start time with offset):

TRANGE("2024-05-12T12:00:00", 1h) - [explicit start; start + 1h] - supports time_duration (1h, 1min, etc) and period (1day, 1month, etc.)
TRANGE("2024-05-12T12:00:00", -1h) - [explicit start; start - 1h] - supports time_duration (1h, 1min, etc) and period (1day, 1month, etc.)
TRANGE(1715504400000, 1h) - [explicit start in millis; start + 1h] - supports time_duration (1h, 1min, etc) and period (1day, 1month, etc.)
TRANGE(1715504400000, -1h) - [explicit start in millis; start - 1h] - supports time_duration (1h, 1min, etc) and period (1day, 1month, etc.)

3. TRANGE(1w + 1h, 1w)

Closes #135599

[elasticsearchmachine]

Pinging @elastic/es-analytical-engine (Team:Analytics)

[elasticsearchmachine]

Pinging @elastic/es-storage-engine (Team:StorageEngine)

[elasticsearchmachine]

Hi @leontyevdv, I've created a changelog YAML for you.

[github-actions]

🔍 Preview links for changed docs

• docs/reference/query-languages/esql/kibana/docs/functions/trange.md
• docs/reference/query-languages/esql/functions-operators/date-time-functions.md

[github-actions]

ℹ️ Important: Docs version tagging

👋 Thanks for updating the docs! Just a friendly reminder that our docs are now cumulative. This means all 9.x versions are documented on the same page and published off of the main branch, instead of creating separate pages for each minor version.

We use applies_to tags to mark version-specific features and changes.

Expand for a quick overview

When to use applies_to tags:

✅ At the page level to indicate which products/deployments the content applies to (mandatory)
✅ When features change state (e.g. preview, ga) in a specific version
✅ When availability differs across deployments and environments

What NOT to do:

❌ Don't remove or replace information that applies to an older version
❌ Don't add new information that applies to a specific version without an applies_to tag
❌ Don't forget that applies_to tags can be used at the page, section, and inline level

🤔 Need help?

• Check out the cumulative docs guidelines
• Reach out in the #docs Slack channel

[dnhatn]

Thank you, Dima! Is there a reason we don't translate TRANGE to GreaterThanEquals() or BinaryLogicOperation(GreaterThanEquals, LessThanOrEquals)?

[leontyevdv]

Thank you, Dima! Is there a reason we don't translate TRANGE to GreaterThanEquals() or BinaryLogicOperation(GreaterThanEquals, LessThanOrEquals)?

Hi @dnhatn ! Thank you for the review! Initially, I implemented TRANGE as a surrogate and struggled with the tests for quite a while. The issue was with the assertion ("Duplicate name ids are not allowed in layouts"): see Layout. Then, inspired by the StartsWith function, I rewrote it using TranslationAware.SingleValueTranslationAware directly.

I have the surrogate version in my stash. We can take a look at it together. Wdyt?

[dnhatn]

I'll postpone the TRANGE(1w + 1h, 1w) one. The function will guarantee the order and types of the arguments and will be failing with the wrong input.

Yes, this case needs more thought!

[bpintea]

Looking good.

[dnhatn]

I left two questions, but this looks good. Thanks Dima!

[dnhatn]

Great work, Dima! Thank you for all the iterations. Could you please wait for Bogdan’s approval before merging?

[bpintea]

Left a set of notes, but LGTM otherwise.

[bpintea]

We should continue with the inspection of the plan here: what happens here is that since timestampValue is within the intervals passed to TRANGE, the WHERE should fold away (it's always true). The test should confirm that. We usually inspect the plan all the way down to the source (just like in the null folding case, though there's compacter, cause it's folded down to just one node).

Optionally, you could also add a test that folds to false.

BTW, you could add a similar test as a CSV spec, to also check the results. But optional.

[leontyevdv]

Thanks Bogdan! I added inspection all the way down to the source, also added a test which tests folding to false.

[bpintea]

Can we add a test for this condition?
Ideally for the one above too.

[leontyevdv]

Done! Added to TRangeErrorTests

[bpintea]

Added some notes on instantiating the function. Otherwise all good.

[bpintea]

This should be protected, as then the public one can be called unanbigously directly from the function registry.

[leontyevdv]

Changed this and removed the bic() method from the function registry.

[bpintea]

Having one public c'tor in TRange will allow this direct call, since we have already a BinaryConfigurationAwareBuilder. The bic method can then be removed.

Suggested change

	def(TRange.class, bic(TRange::new), "trange") },
	def(TRange.class, TRange::new, "trange") },

[bpintea]

@leontyevdv, hopefully this will make the call unambiguous and also have EsqlNodeSubclassTests tests pass.

Suggested change

	def(TRange.class, bic(TRange::new), "trange") },
	def(TRange.class, (BinaryConfigurationAwareBuilder<TRange>)TRange::new, "trange") },