How to split lines based on a term in Timelion using split() or other?

elasticheart · May 16, 2017, 4:42am

Hi,

I am using ELK GA 5.0.0. In my timelion, I am plotting success error ratio. My log contain time, user, and response. Response can be either error or success. My current timelion code is;

.es(index=mylogs-*, q='response:error',metric=count).divide(.es(index=mylogs-*, q='response:success',metric=count).if("eq", 0, .es(index=mylogs-*, q='response:error',metric=count).multiply(-1))).label("Ratio").lines(show=true,width=2).points(show=true,radius=4,fill=9,weight=0).color(#F00)

The code queries for success and error, and finds the ratio. Also, it handles divion by zero.

I want to split the lines using username. That is, the ratio should show for every user. How can I do this?

Thanks in advance.

Stacey_Gammon · May 16, 2017, 3:25pm

Should be able to do this with something like .es(split=username:X) where x is the limit of the split.

elasticheart · May 17, 2017, 4:49am

Hi @Stacey_Gammon ,

Thanks for your reply. Could you tell me where should i place it in my code? I tried;

.es(index=mylogs-*, q='response:error',metric=count,split=username:10).divide(.es(index=mylogs-*, q='response:success',metric=count).if("eq", 0, .es(index=mylogs-*, q='response:error',metric=count).multiply(-1))).label("Ratio").lines(show=true,width=2).points(show=true,radius=4,fill=9,weight=0)

Is this correct? I have another doubt, I want to display username as labels here. Currently, what I can see is 10 lines and all lines have label Ratio. I want to display username there. How can I do this?

Stacey_Gammon · May 17, 2017, 11:14am

I think the .label("ratio") part is overriding all labels to the string "ratio". What does it look like if you get rid of that?

elasticheart · May 18, 2017, 4:54am

Hi @Stacey_Gammon , the labels looks like;

q:response:error > username.keyword:USER_C > count(84.23)
q:response:error > username.keyword:USER_A > count(35.57)
q:response:error > username.keyword:USER_F > count(20.47)

etc

Nico-DF · May 18, 2017, 7:05am

You can use Regex in your label.

It will be something like:

.label(regex='.* username.keyword:(.*) > .*', label='$1')

elasticheart · May 18, 2017, 8:14am

Thanks @Nico-DF , it helped

system · June 15, 2017, 8:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split in Timelion Kibana timelion	3	5455	August 5, 2017
Timelion - Failure Rate problem Kibana timelion	3	277	August 18, 2020
Kibana Timelion Question Split Label More than 1 field Kibana timelion	2	1475	October 12, 2020
How split function works in Timelion chart Kibana timelion	7	2399	April 26, 2021
Split chart in Timelion Kibana timelion	4	1992	October 4, 2019

How to split lines based on a term in Timelion using split() or other?

Related topics