INLINESTATS: each request's deviation from its service's average
INLINESTATS adds the aggregate as a column without collapsing rows — each transaction is compared to its own service's average within the same query.
Prerequisites
Elasticsearch 8.18+ (preview technique)
ES|QL
FROM "traces-apm-*"
| WHERE transaction.type == "request" AND @timestamp >= NOW() - 1 hour
// Divide by 1000.0, not 1000: integer division would truncate the milliseconds
| EVAL duree_ms = transaction.duration.us / 1000.0
| INLINESTATS duree_moy_service = AVG(duree_ms) BY service.name
| EVAL ecart_pct = ROUND(100.0 * (duree_ms - duree_moy_service) / duree_moy_service, 1)
| WHERE ecart_pct > 300
| KEEP @timestamp, service.name, transaction.name, duree_ms, ecart_pct
| SORT ecart_pct DESC
| LIMIT 20
Result
@timestamp               | service.name | transaction.name     | duree_ms | ecart_pct
-------------------------+--------------+----------------------+----------+----------
2026-06-10T14:52:08.412Z | checkout-api | POST /api/v2/payment | 8412.6   | 921.4
2026-06-10T14:47:31.090Z | checkout-api | POST /api/v2/payment | 6230.8   | 656.5
2026-06-10T14:55:02.771Z | catalog-api  | GET /api/v2/search   | 4106.2   | 587.3
2026-06-10T14:41:19.205Z | auth-svc     | POST /login          | 1893.4   | 412.9
2026-06-10T14:58:44.630Z | catalog-api  | GET /api/v2/search   | 2950.1   | 393.8
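Added example, not part of the original recipe: a Python emulation of the INLINESTATS and EVAL steps over constructed rows (the `batch-svc` service and every duration are made up). It goes one step past the query to show a limit of the metric: each row is counted in its own service's average, so a service with n requests can never exceed (n - 1) × 100 %, and with the 300 threshold a service with four or fewer requests in the window is never flagged.

```python
from collections import defaultdict

# Constructed rows (service.name, transaction.name, duree_ms); not real APM data.
ROWS = (
    [("checkout-api", "POST /api/v2/payment", 500.0)] * 9
    + [("checkout-api", "POST /api/v2/payment", 8000.0)]
    # Hypothetical low-traffic service: one request is 90x slower than its peers.
    + [("batch-svc", "POST /export", 100.0)] * 2
    + [("batch-svc", "POST /export", 9000.0)]
)


def inline_avg(rows):
    """Emulate INLINESTATS ... BY service.name: keep every row, add the group average."""
    totals = defaultdict(lambda: [0.0, 0])
    for service, _, ms in rows:
        totals[service][0] += ms
        totals[service][1] += 1
    return [
        {"service": s, "name": n, "duree_ms": ms,
         "duree_moy_service": totals[s][0] / totals[s][1]}
        for s, n, ms in rows
    ]


def ecart_pct(ms, avg):
    """Same formula as the EVAL step of the query."""
    return round(100.0 * (ms - avg) / avg, 1)


def flagged(rows, threshold_pct=300.0):
    """Emulate the EVAL / WHERE / SORT steps; rows with a zero average are skipped."""
    out = []
    for r in inline_avg(rows):
        if r["duree_moy_service"] == 0:
            continue
        pct = ecart_pct(r["duree_ms"], r["duree_moy_service"])
        if pct > threshold_pct:
            out.append({**r, "ecart_pct": pct})
    return sorted(out, key=lambda r: r["ecart_pct"], reverse=True)


if __name__ == "__main__":
    for r in flagged(ROWS):
        print(r["service"], r["name"], r["duree_ms"], r["ecart_pct"])
    # The batch-svc outlier stays under the threshold: n = 3 caps it below 200 %.
    print("batch-svc outlier:", ecart_pct(9000.0, (100.0 + 100.0 + 9000.0) / 3))
```
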
INLINESTATS, Latency, APM, Anomaly