Reject unsupported last_over_time during verification (#136517) (#136582)

This change updates the validation to reject time-series aggregations
that cannot be executed. Specifically, if FN(field) is rewritten to
FN(last_over_time(field)), and we don't support last_over_time(field),
we should throw an error during planning rather than at runtime.

Closes #136270

(cherry picked from commit 80b4b95)

Author: dnhatn

x-pack/plugin/esql/qa/server/src/main/java/org/elasticsearch/xpack/esql/qa/rest/generative/GenerativeRestTest.java

@@ -76,10 +76,9 @@ public abstract class GenerativeRestTest extends ESRestTestCase implements Query
         "time-series.*the first aggregation.*is not allowed",
         "count_star .* can't be used with TS command",
         "time_series aggregate.* can only be used with the TS command",
-        "Invalid call to dataType on an unresolved object \\?LASTOVERTIME", // https://github.com/elastic/elasticsearch/issues/134791
-        // https://github.com/elastic/elasticsearch/issues/134793
-        "class org.elasticsearch.compute.data..*Block cannot be cast to class org.elasticsearch.compute.data..*Block",
-        "Output has changed from \\[.*\\] to \\[.*\\]" // https://github.com/elastic/elasticsearch/issues/134794
+        // https://github.com/elastic/elasticsearch/issues/134794
+        "Output has changed from \\[.*\\] to \\[.*\\]",
+        "implicit time-series aggregation function .* doesn't support type .*"
     );
 
     public static final Set<Pattern> ALLOWED_ERROR_PATTERNS = ALLOWED_ERRORS.stream()

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/plan/logical/TimeSeriesAggregate.java

@@ -14,11 +14,14 @@
 import org.elasticsearch.xpack.esql.core.expression.Alias;
 import org.elasticsearch.xpack.esql.core.expression.Expression;
 import org.elasticsearch.xpack.esql.core.expression.FieldAttribute;
+import org.elasticsearch.xpack.esql.core.expression.Literal;
 import org.elasticsearch.xpack.esql.core.expression.NamedExpression;
 import org.elasticsearch.xpack.esql.core.tree.NodeInfo;
 import org.elasticsearch.xpack.esql.core.tree.Source;
+import org.elasticsearch.xpack.esql.core.type.DataType;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.AggregateFunction;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.Count;
+import org.elasticsearch.xpack.esql.expression.function.aggregate.LastOverTime;
 import org.elasticsearch.xpack.esql.expression.function.aggregate.TimeSeriesAggregateFunction;
 import org.elasticsearch.xpack.esql.expression.function.grouping.Bucket;
 import org.elasticsearch.xpack.esql.plan.logical.join.LookupJoin;
@@ -201,6 +204,22 @@ protected void checkTimeSeriesAggregates(Failures failures) {
                     failures.add(
                         fail(count, "count_star [{}] can't be used with TS command; use count on a field instead", outer.sourceText())
                     );
+                    // reject COUNT(keyword), but allow COUNT(numeric)
+                } else if (outer instanceof TimeSeriesAggregateFunction == false && outer.field() instanceof AggregateFunction == false) {
+                    Expression field = outer.field();
+                    var lastOverTime = new LastOverTime(source(), field, new Literal(source(), null, DataType.DATETIME));
+                    if (lastOverTime.typeResolved() != Expression.TypeResolution.TYPE_RESOLVED) {
+                        failures.add(
+                            fail(
+                                this,
+                                "implicit time-series aggregation function [{}] generated from [{}] doesn't support type [{}], "
+                                    + "only numeric types are supported; use the FROM command instead of the TS command",
+                                outer.sourceText().replace(field.sourceText(), "last_over_time(" + field.sourceText() + ")"),
+                                outer.sourceText(),
+                                field.dataType().typeName()
+                            )
+                        );
+                    }
                 }
                 if (outer instanceof TimeSeriesAggregateFunction ts) {
                     outer.field()

x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/analysis/VerifierTests.java

@@ -2688,6 +2688,25 @@ public void testNoMetricInStatsByClause() {
         );
     }
 
+    public void testNoDimensionsInAggsOnlyInByClause() {
+        assertThat(
+            error("TS test | STATS count(host) BY bucket(@timestamp, 1 minute)", tsdb),
+            equalTo(
+                "1:11: implicit time-series aggregation function [count(last_over_time(host))] "
+                    + "generated from [count(host)] doesn't support type [keyword], only numeric types are supported; "
+                    + "use the FROM command instead of the TS command"
+            )
+        );
+        assertThat(
+            error("TS test | STATS max(name) BY bucket(@timestamp, 1 minute)", tsdb),
+            equalTo(
+                "1:11: implicit time-series aggregation function [max(last_over_time(name))] "
+                    + "generated from [max(name)] doesn't support type [keyword], only numeric types are supported; "
+                    + "use the FROM command instead of the TS command"
+            )
+        );
+    }
+
     public void testSortInTimeSeries() {
         assertThat(
             error("TS test | SORT host | STATS avg(last_over_time(network.connections))", tsdb),