Filter in Timelion

I created a timelion to display cpu usage, I need to pass server names dynamically, using filter. Created dashboard but not finding all the options in "add filter" , it just shows me index, message, message.keyword but I need beat.hostname , how do I get that?

Add filter shows all the options in other visualizations but not showing on timelion

Hi @sai_16,

The filter list will only show the fields for your default index pattern.

If you want to make the beats index the default index pattern, you can do so by going into Management -> Index Patterns -> Select the index pattern you wish to make your default -> Click the star on the top right where it says "Set as default index".

Screen Shot 2020-03-30 at 9.35.38 AM

If changing the default index pattern doesn't work for you, you can still filter your field by using "Edit as Query DSL" in the top right of the filter window and set something like this:

{
  "query": {
    "bool": {
      "must": {
        "term": {
          "beat.hostname": "artifacts.elastic.co"
        }
      }
    }
  }
}

Thanks @mikecote

And one more query,is there a way to sum 2 fileds in area chart.
I want my y-axis to be sum of these 2 fileds system.cpu.system.pct and system.cpu.user.pct
I tried passing json input as doc['field1'].value + doc['field2'].value but didnt work,

Hi @sai_16,

You should be able to do so by creating a scripted field in the index pattern as follows

Once that is created, the field should show up in your field select for your area chart.

@mikecote Thank you ,it helps.
and sorry for too many followup questions,i do have one more now.

i'm doing a split series with system.process.name. It works fine but i want to know if i need to group some of the process into one category,how is that possible?

eg: system.process name has 10 process displayed,3 need to be grouped as one name ,2 as some other name.
like group java and sql as Application and different name for some other procesess,is that possible?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.