[FEATURE] Support eval-style expressions inside stats command in PPL.

[vamsimanohar]

Currently, OpenSearch PPL (stats command) does not support inline eval-style expressions, such as conditional aggregation using functions like if() or case(). In tools like Splunk, it is common to write expressions such as:

... | stats count(eval(status="200")) as success_count, count(eval(status="400")) as  bad_request_count

... | stats sum(eval(duration * 2)) as total_doubled_duration

This allows users to write intuitive conditional aggregations without needing to add an extra eval stage.

One of the use cases that customer reported is the following:

Index=xxxx 
| stats count avg(duration) as “Average Request Duration (MS)” count)eval(http_status LIKE “0%)) as “Zero” count(eval(http_status LIKE “2%”)) as “TwoX” count(eval(http_status_status LIKE “3%”)) as “ThreeX” count(eval(http_status LIKE “4%”)) as “FourX” count(eval(http_status LIKE “5%”)) as “FiveX”
| eval 0% = round ((Zero/count),4*)*100
| eval 2xx% = round ((TwoX/count),4*)*100
| eval 3xx% = round ((ThreeX/count),4*)*100
| eval 4xx% = round ((FourX/count),4*)*100
| eval 5xx% = round ((FiveX/count),4*)*100
| fields “Average Request Duration (MS)” 2xx% 3xx% 4xx% 5xx%

[LantaoJin]

@vamsimanohar are you still working on this?

[dai-chen]

I'm doing gap analysis and estimation for aggregation functions in P1. To avoid overlap, is anyone working on this?

[dai-chen]

Implementation Options count(eval)

1. Rewrite to COUNT(CASE WHEN ...)
2. Rewrite to COUNT(*) FILTER(WHERE ...) is preferred because of clearer semantics and easier pushdown to the DSL (what the V2 engine does below). However this requires eval expression is a predicate and cannot support coercion like count(eval(if(a, 1, 0))

opensearchsql>
.... SELECT
....   COUNT(*) FILTER(WHERE gender = 'M'),
....   AVG(age) FILTER(WHERE gender = 'F')
.... FROM accounts;
fetched rows / total rows = 1/1
+---------------------------------------+---------------------------------------+
| COUNT(*) FILTER(WHERE gender = 'M')   | AVG(age) FILTER(WHERE gender = 'F')   |
|---------------------------------------+---------------------------------------|
| 3                                     | 32.0                                  |
+---------------------------------------+---------------------------------------+

curl -s -H "Content-Type: application/json" \
  -X POST "http://localhost:9200/_plugins/_sql/_explain" \
  -d "{\"query\":\"SELECT COUNT(*) FILTER(WHERE gender = 'M'), AVG(age) FILTER(WHERE gender = 'F') FROM accounts;\"}"

{
  "root": {
    "name": "ProjectOperator",
    "description": {
      "fields": "[COUNT(*) FILTER(WHERE gender = 'M'), AVG(age) FILTER(WHERE gender = 'F')]"
    },
    "children": [
      {
        "name": "OpenSearchIndexScan",
        "description": {
          "request": "OpenSearchQueryRequest(indexName=accounts, sourceBuilder=
{\"from\":0,\"size\":0,\"timeout\":\"1m\",
  \"aggregations\":{
    \"COUNT(*) FILTER(WHERE gender = 'M')\":
      {\"filter\":{\"term\":{\"gender.keyword\":{\"value\":\"M\",\"boost\":1.0}}},
      \"aggregations\":{\"COUNT(*) FILTER(WHERE gender = 'M')\":{\"value_count\":{\"field\":\"_index\"}}}},
    \"AVG(age) FILTER(WHERE gender = 'F')\":
      {\"filter\":{\"term\":{\"gender.keyword\":{\"value\":\"F\",\"boost\":1.0}}},
      \"aggregations\":{\"AVG(age) FILTER(WHERE gender = 'F')\":{\"avg\":{\"field\":\"age\"}}}}}},
needClean=true, searchDone=false, pitId=null, cursorKeepAlive=null, searchAfter=null, searchResponse=null)"
        },
        "children": []
      }
    ]
  }
}

Ref: https://github.com/opensearch-project/sql/blob/main/docs/user/dql/aggregations.rst#filter-clause