Hello there!
I'm using the filter aggregation and what I want to visualize is data when a specific field has a specific value AND timestamp:now-1d.
In other words I want to visualize some specific data with an offset of 1 day. Since filter aggregation uses KQL, I tried to filter on the field @timestamp in manyu different ways but none of them worked! Could anyone help me please? Thank you in advance! 
Hi, unfortunately you can't use datemath in neither KQL nor Lucene.
When visualizing specific data offset by a day, I suggest using the TSVB visualization. You can add multiple series there and define an specific offset and a filter for each series:
Thank you for the answer! Unfortunately, that's exactly what I didn't want to hear. I used TSVB for offset already, but what I need to do now is to compare data in a table, in particular I want to create 2 coloumns: one with the actual data and another with the data of the day before.
I tried to use also the Table module in TSVB but I couldn't find the offset setting in it.
Do you have any suggestion for me?
I see, this is a workaround to do the same with tables (with a little gotcha). You can't do time offset there, but you can use "serial difference" which will give you the difference of the current value and the old value. Then you can use the math aggregation to get to the old value again. By adding a second series with the same metric you can show the current metric and the previous metric as two columns (I used count in this example but could be anything):
The "lag" parameter refers to the number of buckets, make sure to pin the interval to the value that makes sense (I used 1d).
This solution won't work with the "Entire time range" mode, because it's not actually shifting a series and data outside of the currently defined time range in the top right won't be available at all.
Thank you for your detailed answer!
Apllying your advice to my case is not that easy, since I have to do tis workaround with the number of the occurrances of each value in a particular field.. There's one thing I didn't get completely: the result will be a table with only one coloumn (the offset) or a table with 2 coloumns?
In TSVB you can define as many independent series as you like (the white boxes in the screenshot above). One series will just give you one column in the table, so you have to create a separate series with the same metric as in the first one without the serial difference/math hack. But if you do that, there will be two columns, one for current value, one for shifted.
1 Like
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.