Problem with time series graphic in Canvas

Elastic Stack Kibana
1

I am having some issues trying to get a simple cardinal account of documents in an index to show up on a time series graph. I'm using timelion expression and the only thing I ever get back is 0.

The data that I have indexed is performance "problem" data and what I'm trying to do is show the number of problems over a period of time. I've got a time selector filter and a vertical bar graph added to a workpad.

My timelion expression looks like this.

.es(q=_id:*, index=dynatrace-problems-2021, metric=cardinality:_id, timefield=@timestamp).label('Problem Count')

A simplified version of one of my problem documents looks like this.
{
"_index": "dynatrace-problems-2021",
"_type": "_doc",
"_id": "8123481508957858051_1616647380000V2",
"_version": 1,
"_score": null,
}

I appreciate any feedback.

Thanks, Tommy

2

In your example you are not mentioning a time field - is there a time field in your documents? Could you provide a full example?

3

Ahh, yes, cut out a little too much from that document. Here's a full one below. In canvas I have a time filter added to the workpad, fyi.

Here's my workpad

{"css":".canvasPage {\n\n}","variables":[{"name":"customer","value":"DMV","type":"string"}],"id":"workpad-46aaebd2-d78d-4fc5-b384-f10094280d58","name":"My Canvas Workpad","width":1280,"height":720,"page":0,"pages":[{"id":"page-27111dce-a263-4058-b3e4-59d9d64ff513","style":{"background":"#FFF"},"transition":{},"elements":[{"id":"element-5df89346-9bb1-40b8-8cf9-61b275eeba9b","position":{"left":34,"top":75,"width":1001,"height":327,"angle":0,"parent":null},"expression":"filters\n| timelion \n query=".es(q=_id:*, index=dynatrace-problems-2021, metric=cardinality:_id, timefield=@timestamp).label('Problem Count').bars()" interval="1d"\n| pointseries x="@timestamp" y="value"\n| plot xaxis=true yaxis=true defaultStyle={seriesStyle points="5" bars="5" lines="5"}\n| render"},{"id":"element-5031b030-f3ea-4901-8337-4a9c46eea3d9","position":{"left":20,"top":20,"width":1010,"height":50,"angle":0,"parent":null},"expression":"timefilterControl compact=true column=@timestamp\n| render","filter":"timefilter from="2021-03-01T06:00:00.000Z" to=now column=@timestamp"}],"groups":}],"colors":["#37988d","#c19628","#b83c6f","#3f9939","#1785b0","#ca5f35","#45bdb0","#f2bc33","#e74b8b","#4fbf48","#1ea6dc","#fd7643","#72cec3","#f5cc5d","#ec77a8","#7acf74","#4cbce4","#fd986f","#a1ded7","#f8dd91","#f2a4c5","#a6dfa2","#86d2ed","#fdba9f","#000000","#444444","#777777","#BBBBBB","#FFFFFF","rgba(255,255,255,0)"],"isWriteable":true,"assets":{},"@timestamp":"2021-03-25T15:29:40.781Z","@created":"2021-03-24T19:59:54.424Z"}

Here's a full problem doc. I've got 10's of thousands of these loaded.

{
"_index": "dynatrace-problems-2021",
"_type": "_doc",
"_id": "8123481508957858051_1616647380000V2",
"_version": 1,
"_score": null,
"fields": {
"environment.keyword": [
"PRD"
],
"problemFilters.name.keyword": [
"DMV Infrastructure Team",
"RFD Problem Reporting"
],
"evidenceDetails.details.endTime": [
"2021-03-25T04:53:00.000Z"
],
"evidenceDetails.details.eventId.keyword": [
"8123481508957858051_1616647380000"
],
"severityLevel.keyword": [
"RESOURCE_CONTENTION"
],
"impactedEntities.entityId.id.keyword": [
"HOST-D7171907AC74BB72"
],
"durationMins": [
0
],
"entityTags.key": [
"HostName",
"RTS Access",
"RTS"
],
"evidenceDetails.details.unit": [
"Percent"
],
"title.keyword": [
"CPU saturation"
],
"rootCauseEntity.name.keyword": [
"jpstvrracc2"
],
"problemFilters.id.keyword": [
"71d7db72-322a-4b1c-872c-0b9ea04ab6fa",
"82c0d007-8367-4f1e-b2e9-e1dde4c81d6b"
],
"evidenceDetails.details.entity.name": [
"jpstvrracc2",
"jpstvrracc2"
],
"evidenceDetails.details.entity.name.keyword": [
"jpstvrracc2",
"jpstvrracc2"
],
"affectedEntities.entityId.type": [
"HOST"
],
"entityTags.context": [
"CONTEXTLESS",
"CONTEXTLESS",
"CONTEXTLESS"
],
"evidenceDetails.details.evidenceType": [
"EVENT",
"METRIC"
],
"evidenceDetails.details.entity.entityId.type.keyword": [
"HOST",
"HOST"
],
"evidenceDetails.details.unit.keyword": [
"Percent"
],
"customer.keyword": [
"DMV"
],
"affectedEntities.name.keyword": [
"jpstvrracc2"
],
"problemId.keyword": [
"8123481508957858051_1616647380000V2"
],
"evidenceDetails.details.displayName": [
"CPU saturation",
"CPU idle"
],
"evidenceDetails.details.metricId": [
"builtin:host.cpu.idle"
],
"impactedEntities.name": [
"jpstvrracc2"
],
"problemFilters.id": [
"71d7db72-322a-4b1c-872c-0b9ea04ab6fa",
"82c0d007-8367-4f1e-b2e9-e1dde4c81d6b"
],
"entityTags.value.keyword": [
"jpstvrracc2"
],
"displayId": [
"P-21031242"
],
"status": [
"CLOSED"
],
"evidenceDetails.details.metricId.keyword": [
"builtin:host.cpu.idle"
],
"affectedEntities.entityId.id.keyword": [
"HOST-D7171907AC74BB72"
],
"evidenceDetails.details.startTime": [
"2021-03-25T04:43:00.000Z",
"2021-03-25T04:28:00.000Z"
],
"durationHours": [
0
],
"evidenceDetails.details.valueAfterChangePoint": [
34.53905
],
"impactLevel.keyword": [
"INFRASTRUCTURE"
],
"rootCauseEntity.entityId.id.keyword": [
"HOST-D7171907AC74BB72"
],
"evidenceDetails.details.entity.entityId.type": [
"HOST",
"HOST"
],
"status.keyword": [
"CLOSED"
],
"evidenceDetails.details.entity.entityId.id.keyword": [
"HOST-D7171907AC74BB72",
"HOST-D7171907AC74BB72"
],
"impactedEntities.entityId.type": [
"HOST"
],
"evidenceDetails.details.displayName.keyword": [
"CPU saturation",
"CPU idle"
],
"affectedEntities.entityId.type.keyword": [
"HOST"
],
"title": [
"CPU saturation"
],
"affectedEntities.entityId.id": [
"HOST-D7171907AC74BB72"
],
"severityLevel": [
"RESOURCE_CONTENTION"
],
"problemFilters.name": [
"DMV Infrastructure Team",
"RFD Problem Reporting"
],
"evidenceDetails.totalCount": [
2
],
"evidenceDetails.details.entity.entityId.id": [
"HOST-D7171907AC74BB72",
"HOST-D7171907AC74BB72"
],
"impactedEntities.entityId.id": [
"HOST-D7171907AC74BB72"
],
"startTime": [
"2021-03-25T04:48:00.000Z"
],
"rootCauseEntity.entityId.type.keyword": [
"HOST"
],
"evidenceDetails.details.eventType.keyword": [
"CPU_SATURATED"
],
"impactedEntities.name.keyword": [
"jpstvrracc2"
],
"entityTags.key.keyword": [
"HostName",
"RTS Access",
"RTS"
],
"evidenceDetails.details.rootCauseRelevant": [
true,
true
],
"rootCauseEntity.name": [
"jpstvrracc2"
],
"rootCauseEntity.entityId.type": [
"HOST"
],
"evidenceDetails.details.evidenceType.keyword": [
"EVENT",
"METRIC"
],
"entityTags.context.keyword": [
"CONTEXTLESS",
"CONTEXTLESS",
"CONTEXTLESS"
],
"evidenceDetails.details.eventType": [
"CPU_SATURATED"
],
"impactLevel": [
"INFRASTRUCTURE"
],
"environment": [
"PRD"
],
"affectedEntities.name": [
"jpstvrracc2"
],
"impactedEntities.entityId.type.keyword": [
"HOST"
],
"displayId.keyword": [
"P-21031242"
],
"entityTags.stringRepresentation": [
"HostName:jpstvrracc2",
"RTS Access",
"RTS"
],
"evidenceDetails.details.aggregationType.type.keyword": [
"avg"
],
"entityTags.stringRepresentation.keyword": [
"HostName:jpstvrracc2",
"RTS Access",
"RTS"
],
"recentComments.totalCount": [
0
],
"endTime": [
"2021-03-25T04:48:00.000Z"
],
"rootCauseEntity.entityId.id": [
"HOST-D7171907AC74BB72"
],
"problemId": [
"8123481508957858051_1616647380000V2"
],
"evidenceDetails.details.aggregationType.type": [
"avg"
],
"evidenceDetails.details.eventId": [
"8123481508957858051_1616647380000"
],
"evidenceDetails.details.valueBeforeChangePoint": [
92.39013
],
"entityTags.value": [
"jpstvrracc2"
],
"customer": [
"DMV"
]
},
"sort": [
1616647680000,
0
]
}

4

In your workpad you reference @timestamp several times, but I doesn't look like you have that field in your documents

5

I was under the impression that if I were using a time filter in a work pad the time would be driven from that object and to reference I would use "@timestamp".

The time that I use in my index patterns is "startTime" when browsing through the discover app.

Based on your question, I did try to adjust the settings of the objects. In the time filter i set to "startTime" and then in my timelion query i also changed the timefield reference to "startTime" but still got the same result.

6

Ok, got it working by changing "all" references (time filter and query) to use my "startTime" value.

image
image709×538 4.95 KB

Thanks for taking a look at my setup!

7

Glad to hear it worked! @timestamp is not special in any way, it's just a commonly used field name for the main time information of a document.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.