Timelion counting dates for rows

Elastic Stack Kibana
1

Hello!

I am using timelion and I am having an issue with the display. It seems that timelion is doing a count of all rows that hit on a certain date and is displaying that. For example. I have the "date" field below. Instead of the date displaying the gestures seen on jan1 of hellos I get the date showing there is one row in 1jan.

I need timelion to show me 1jan with 57 counts and 2jan with 31 counts. I hope this makes sense.

Date| gesture | counts of gestures
1jan| hello | 57
2jan| hello | 31
3jan| hello | 21

2

The default metric aggregation for each time bucket in the histogram is count, so you get a count of the documents that were bucketed for each date.

There are other metric aggregations to choose from. The metric parameter to the .es() function has help text that talks about it:

image
image.png3120×928 275 KB

I think you are looking for something like: .es(index=mydata-*, metric=sum:counts_of_gestures, split=gesture)

3

Thank you for the reply! I was able to change the split=date and that is correct. However, when I tried:
split=gesture:1000 (it asked for field:limit)
I get the error that "fielddata is disabled on text fields".
I did some searching and found that I need to edit in my mapping but am having difficult with the syntax I believe.

4

Check to see if your gesture field is possibly a multi-field. If so, then whenever you reference the data as gesture, it will use the part of the multi-field that is mapped as text. If you have a gesture.raw field, that is the part of the multi-field that is non-analyzed text (mapped as keyword) and you can use that for a field to aggregate on.

Most of the ingestion tools default to mapping text data as a multi-field with analyzed text and the non-analyzed keyword that I described. Documentation: https://www.elastic.co/guide/en/elasticsearch/reference/6.2/multi-fields.html

If the text data is not a multi-field, or you don't have any other fields that represent the non-analyzed version of the gesture, then you'll need to come up with a custom mapping and re-index the data into an index that has the working mapping.

5

I changed it from split=gesture:10 to split=gesture.keyword:10 and that worked.

I appreciate the guidance it has helped me out a lot. Thank you!!

6

Tim,

I would like to pull out and only see the "hi gesture" and filter those based on the days. so how would i construct the query to show me "hi" for both jan and february?

Date| gesture | counts of gestures
1jan| hello | 57
2jan| hello | 31
3jan| hello | 21
3jan| hi | 39
4jan| hi | 17
5jan| wave | 3
6jan|wave | 20
1feb| hello | 57
2feb| hello | 31
3feb| hello | 21
3feb| hi | 39
4feb| hi | 17
5feb| wave | 3
6feb|wave | 20

Also, do you offer official timelion training like the other Elastic courses?

7

Hi,

You can use the q parameter in the .es function add a query that will filter for the hi gesture:

.es(index=mydata-*, metric=sum:counts_of_gestures, split=gesture.keyword:10, q="gesture.keyword:hi")

The q parameter can do any kind of Lucene query to filter the data. :slight_smile:

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.