In Timelion, how do I reference the current value that my "if" statement is working on so that I can use that value in my "then" statement?

.es(index="metricbeat-*",q="beat.hostname:srvwin01", metric="max:system.network.in.bytes", kibana=true,split=system.network.name:64).fit(scale).scale_interval(1s).derivative().if(lt,0,0).divide(1048576).lines(fill=2, width=1).multiply(8).trim(start=1,end=1).label(regex='.* system.network.name:(.*) >.*', label="Inbound $1")

Above is the query I'm using to report on metricbeat data to determine bandwidth utilization, but since the Windows byte counter resets after it hits 4GB, I had to add the "if(lt,0,0)" to zero out the derivative anytime it goes negative. What I'd rather do is some form of addition to try and compensate anytime the derivative goes negative, but I don't know how to reference the current value in the dataset that the if statement is working on. (i.e. if the value is -278987942, then return -278987942 plus 4000000000 (and yes I'm aware that math isn't accurate..just needed an example))

The "then" clause can accept a series. It's a bit verbose, but you should be able to duplicate your original series in the "then" clause and add the additional math statements you need. Here's an example of a series in the then clause in the docs: https://www.elastic.co/guide/en/kibana/current/timelion-conditional.html

For whatever reason, I have not been able to duplicate my exact clause..and I suspect it's because I'm using a split in the original one. When I've tried to do it, my graph blows up.

In that case I would open a ticket on the Kibana github repo

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.