convert sql to dsl elasticsearch query

What you probably need is cumulative sum aggregation: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline-cumulative-sum-aggregation.html

So your query should look as follows:

{  "size": 0,  "aggs": {    "customer": {      "terms": {        "field": "fk_c_c_id",        "size": 5      },      "aggs": {        "sales_per_month": {          "date_histogram": {            "field": "datetime",            "interval": "month"          },          "aggs": {            "sales": {              "sum": {                "field": "s_b_a"              }            },            "cumulative_sales": {              "cumulative_sum": {                "buckets_path": "sales"              }            }          }        }      }    }  }}

Using ES 7, you can translate your query to dsl using the _xpack/format as follows:

curl -H "Content-Type:application/json" -XPOST 127.0.0.1:9200/_xpack/sql/translate?pretty -d '{"query" : "SELECT t.pk_c_c_s,       t.fk_c_c_id,       t.s_b_a,       t.datetime,       SUBSTR(t.datetime, 0, 7) m,       (         SELECT SUM(i.s_b_a) sarpu         FROM TBL_C_C_S i         WHERE substr(i.datetime, 0, 7) = substr(t.datetime, 0, 7)           AND i.datetime <= t.datetime           AND i.fk_c_c_id = t.fk_c_c_id         GROUP BY SUBSTR(i.datetime, 0, 7)        ) sFROM TBL_C_C_S t"}'