Hi,
I am using ELK GA 5.0.0. In my timelion, I am plotting success error ratio. My log contain time, user, and response. Response can be either error or success. My current timelion code is;
.es(index=mylogs-*, q='response:error',metric=count).divide(.es(index=mylogs-*, q='response:success',metric=count).if("eq", 0, .es(index=mylogs-*, q='response:error',metric=count).multiply(-1))).label("Ratio").lines(show=true,width=2).points(show=true,radius=4,fill=9,weight=0).color(#F00)
The code queries for success and error, and finds the ratio. Also, it handles divion by zero.
I want to split the lines using username. That is, the ratio should show for every user. How can I do this?
Thanks in advance.
Should be able to do this with something like .es(split=username:X) where x is the limit of the split.
Hi @Stacey_Gammon ,
Thanks for your reply. Could you tell me where should i place it in my code? I tried;
.es(index=mylogs-*, q='response:error',metric=count,split=username:10).divide(.es(index=mylogs-*, q='response:success',metric=count).if("eq", 0, .es(index=mylogs-*, q='response:error',metric=count).multiply(-1))).label("Ratio").lines(show=true,width=2).points(show=true,radius=4,fill=9,weight=0)
Is this correct? I have another doubt, I want to display username as labels here. Currently, what I can see is 10 lines and all lines have label Ratio. I want to display username there. How can I do this?
I think the .label("ratio") part is overriding all labels to the string "ratio". What does it look like if you get rid of that?
Hi @Stacey_Gammon , the labels looks like;
q:response:error > username.keyword:USER_C > count(84.23)
q:response:error > username.keyword:USER_A > count(35.57)
q:response:error > username.keyword:USER_F > count(20.47)
etc
You can use Regex in your label.
It will be something like:
.label(regex='.* username.keyword:(.*) > .*', label='$1')
Thanks @Nico-DF , it helped 
