Summing values of similar fields in a time range

Hello,

I am shipping custom log data into Elasticsearch and my source data look like this:

1621805488 foo_126 cpu 0.62
1621805488 foo_59 cpu 0.63
1621805489 foo_183 cpu 0.82
1621805489 foo_2 cpu 0.67
1621805489 foo_25 23316 cpu 0.77
1621805489 foo_189 cpu 0.80
1621805489 foo_245 cpu 0.75
1621805688 foo_126 cpu 0.62
1621805688 foo_59 cpu 0.63
1621805689 foo_183 cpu 0.82
1621805689 foo_2 cpu 0.67
1621805689 foo_25 cpu 0.77
1621805689 foo_189 cpu 0.80
1621805689 foo_245 cpu 0.75

I would like to be able to sum all the cpu values for all the fields named foo_* and display a per minute value in a kibana dashboard. what is the best way to do it?

Hi,
First you have to make sure the field data you want to sum is on the right data type. You can't sum text right?

Assuming there are other value than foo* on your_field, then you have to query only the foo*, create a save search on discover and query it as your_field : foo*

ps: I'm not the best dashboard designer

use your created saved search as source
you can use aggregation based > line chart, as it will show the value growth

1. for the Y-Axis choose the sum Aggregation
2. add X-Axis and choose the Date Histogram Aggregation, choose the desired time field , set the minimum interval to Minute

I would like to know the feedback

Thanks Charles, but that did not work. i had a bit of progress with timelion using:

    .es(index=myindex*,timefield=timestamp,metric=sum:foo_126_cpu,interval=1m)

    .sum(.es(index=myindex*,timefield=timestamp,metric=sum:foo_59_cpu,interval=1m))

    .sum(.es(index=myindex*,timefield=timestamp,metric=sum:foo_183_cpu,interval=1m))

however to make the code better I would have preferred to have a wildcard in the metric field. something like: foo_*_cpu

it seems to be not supported or am i missing something.

It is working with me.
Seems you've answered your own question.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.