Timelion Chart Custom Label Issue

j_a_griffiths · October 22, 2019, 8:39am

Hi - Im trying to define a TimeLion visualisation usint the following expression

.es(corr,timefield=rt,split="DeviceVendor.keyword:10")

This works but the labels show ion the chart are as follows

q:corr > DeviceVendor.keyword:F-Secure > count
q:corr > DeviceVendor.keyword:Microsoft > count
q:corr > DeviceVendor.keyword:ArcSight > count
q:corr > DeviceVendor.keyword:Check Point > count

I want to make these look a little tidier so tried to specify my own label by changing the expression to

.es(corr,timefield=rt,split="DeviceVendor.keyword:10").label("[$1]", "^.* > DeviceVendor.keyword:(\S+) > .*")

The labels now show

[F-Secure]
[Microsoft]
[ArcSight]
q:corr > DeviceVendor.keyword:Check Point > count

Note the issue with the last label - is this caused by this vendor string having a space in it? if so how can I change it so that the space is ignored and I get
[Check Point] as the last label

Thanks for your help

markov00 · October 28, 2019, 6:15pm

Yes, that's the reason. If I'm not wrong you can fix the regex as the following:

.label("[$1]", "^.* > DeviceVendor.keyword(.*?) > .*")

system · November 25, 2019, 6:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Timelion dynamic lable by q=type Kibana timelion	4	393	June 28, 2019
Timelion .label() not working Kibana timelion	5	672	May 22, 2018
Bug in Timelion (Kibana 5.3.2)? Kibana timelion	2	475	December 12, 2017
Timelion Label Multi Regex not working Kibana timelion	3	515	December 17, 2019
Timelion label Regex Kibana timelion	1	606	January 8, 2020

Timelion Chart Custom Label Issue

Related topics