Kibana - Line Graph - Time Aggregation

Hello,

I have this line graph.
It is looking at @timestamp and counting the records.

I was asked if there is a way to do an aggregation of the graph by showing only records after 4pm, and allowing to see that through days. Is that possible?

Do you mean every day after 4PM? So Monday after 4PM, Tuesday after 4PM, etc...?

If so, you need to add a field like "after4pm": true in your documents.
Ideally, you should compute that at index time. You can use an ingest pipeline for that with a script processor.

Slower idea, if this is not something that you want to run constantly: you could create a runtime field. This could be done from the data view, by creating a new field named after4pm and emitting true if the hour of the day is greater than or equal to 16.

Another solution is to do that with ES|QL with something like:

ROW a = DATE_PARSE("yyyy-MM-dd HH:mm:ss", "2024-10-31 17:00:00")
| EVAL hourOfDay = DATE_EXTRACT("HOUR_OF_DAY", a)
| WHERE hourOfDay >= 16
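
An added example, not part of the reply above: one way to write the index-time option as an ingest pipeline with a script processor, in Kibana Dev Tools console syntax. The pipeline name `flag-after-4pm`, the `zone` and `start_hour` parameters and the sample documents are assumptions made for illustration, and the script assumes @timestamp reaches the pipeline as an ISO-8601 string. @timestamp is stored in UTC, so the script converts to the local zone before reading the hour.

```console
# Added example. Pipeline name, parameters and zone are hypothetical.
PUT _ingest/pipeline/flag-after-4pm
{
  "description": "Set after4pm from @timestamp at index time",
  "processors": [
    {
      "script": {
        "lang": "painless",
        "params": { "zone": "Europe/Paris", "start_hour": 16 },
        "source": """
          // Leave documents without a timestamp untouched
          if (ctx['@timestamp'] == null) {
            return;
          }
          // Assumption: @timestamp is an ISO-8601 string in the ingest context
          ZonedDateTime ts = ZonedDateTime.parse(ctx['@timestamp']);
          // "4pm" is a local-time notion, so convert before reading the hour
          ZonedDateTime local = ts.withZoneSameInstant(ZoneId.of(params.zone));
          ctx.after4pm = local.getHour() >= params.start_hour;
        """
      }
    }
  ]
}

# Dry run against constructed documents before attaching the pipeline
# to an index. 14:30Z is 15:30 in Europe/Paris on this date; 15:30Z is 16:30.
POST _ingest/pipeline/flag-after-4pm/_simulate
{
  "docs": [
    { "_source": { "@timestamp": "2024-10-31T14:30:00Z" } },
    { "_source": { "@timestamp": "2024-10-31T15:30:00Z" } },
    { "_source": { "message": "constructed document with no timestamp" } }
  ]
}
```

Once documents carry the field, the line graph can be filtered on `after4pm : true` while keeping the daily date histogram on @timestamp.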

Thanks @dadoonet
Very helpful!