I'm trying to create a Timelion aggregation and wondering if it's possible.
Basically the case is, I have documents that include HTTP response codes. What I'm trying to do is:
- The default interval could be days/weeks
- Display the count of 200-299 HTTP statuses; this is done using (this is ok):
.es(index=application-logs, timefield='@timestamp',q="status:[200 TO 299]").color(color=green).label(label="2xx status log count")
Now the part I'm stumped on is regarding the 500 errors. Regardless of the interval, what I need to figure out is how to display the total count of documents with 500 errors IF there are more than 5 documents with 500 status in a bucket of 30 seconds.
Amongst other things, the closest I came was after I tried using scale_interval:
.es(index=application-logs,timefield='@timestamp',q="status:[500 TO 599]").if(operator=lt,if=5,then=null).color(color=red).points(symbol=circle,radius=5).label(label="5xx status log count over 0/30(sec)").scale_interval(30s),
But my issue here is that when I zoom out to a different interval (daily, weekly) I get a weird value:
If anyone has a clue, or some sort of direction or approach I could try, I'd greatly appreciate it!
Thanks in advance.
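
The two-stage aggregation described in the question, as an added example that is not part of the original post: count 5xx documents in fixed 30-second windows, keep only windows holding more than 5, then sum the survivors into whichever display interval is chosen. For contrast, `averaged_rate` shows a coarse-bucket count scaled down to a per-30-second rate. The function names and the sample events are constructed for illustration.

```python
from collections import Counter

WINDOW = 30      # seconds: the fixed fine bucket from the question
THRESHOLD = 5    # a window qualifies only with MORE than 5 5xx documents
DAY = 86400

def _is_5xx(status):
    return 500 <= status <= 599

def burst_totals(events, display_interval):
    """events: iterable of (epoch_seconds, http_status).
    Returns {display_bucket_start: 5xx documents inside qualifying 30s windows}."""
    per_window = Counter()
    for ts, status in events:
        if _is_5xx(status):
            per_window[ts - ts % WINDOW] += 1      # stage 1: fixed 30s buckets
    totals = Counter()
    for start, count in per_window.items():
        if count > THRESHOLD:                      # threshold applied per 30s window
            totals[start - start % display_interval] += count   # stage 2: roll up
    return dict(totals)

def averaged_rate(events, display_interval):
    """Count 5xx per display bucket, then scale that count to a per-30s rate.
    The result is an average, so short bursts are diluted by quiet periods."""
    per_bucket = Counter()
    for ts, status in events:
        if _is_5xx(status):
            per_bucket[ts - ts % display_interval] += 1
    return {b: n * WINDOW / display_interval for b, n in per_bucket.items()}

# Constructed sample: two bursts and some scattered errors on day 0,
# only scattered errors on day 1.
SAMPLE_EVENTS = (
    [(1000 + i, 500) for i in range(8)]            # burst of 8 in one 30s window
    + [(60000 + i, 503) for i in range(6)]         # burst of 6 in one 30s window
    + [(5000, 503), (20000, 503), (40000, 503)]    # isolated errors, day 0
    + [(DAY + t, 502) for t in (100, 5000, 30000, 70000)]   # isolated, day 1
    + [(1500, 200), (61000, 204), (DAY + 10, 200)] # successful requests
)

if __name__ == "__main__":
    print("daily burst totals :", burst_totals(SAMPLE_EVENTS, DAY))
    print("hourly burst totals:", burst_totals(SAMPLE_EVENTS, 3600))
    print("daily averaged rate:", averaged_rate(SAMPLE_EVENTS, DAY))
```

The burst totals stay the same whether they are rolled up hourly or daily, while the averaged rate shrinks as the display interval grows.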