Timelion escape character for field name

Hi,

I'm trying to make a cumulative sum in Timelion (using the latest ES and Kibana). The problem I have is that it seems that Timelion truncates the name of the field I want to sum because the field name contains a colon ( : ).

This is my expression:
.es(index=myindex, metric='sum:kmeta\:Size', timefield='kmeta:updateTime').cusum()

But what I see in the debug console is this:
Request:
{"sheet":[".es(index=myindex, metric='sum:kmeta\\:Size', timefield='kmeta:updateTime', offset=-50M)"],"time":{"from":"now-5y","to":"now","mode":"quick","interval":"auto","timezone":"Europe/Berlin"}}

Response:
{"sheet":[{"type":"seriesList","list":[{"data":[[1335045600000,0],...,[1492898400000,0]],"type":"series","fit":"nearest","label":"q:* > sum(kmeta\\)"}]}],"stats":{"invokeTime":1493356902258,"queryCount":1,"queryTime":1493356902276,"cacheCount":1,"sheetTime":1493356902279}}

Is there a character other than a backslash that would allow to escape the colon in the field name?

Elasticsearch can store objects of data, so if you have fields that are metadata, you will be much better off structuring the data as:

{
  "kMeta": {
    "Size": 1234,
    "updateTime": <time_value>
  },
  <other_values>
}

The expression would then look like:

.es(index=myindex, metric='sum:kmeta.Size', timefield='kmeta.updateTime').cusum()

I don't know offhand if there is a way to escape the colon to work with it as it is, but I strongly suggest this is a data modeling problem.

Hi Tim, thanks for the answer.

Yes I agree that the data could/should have been modeled in the way you suggested. Unfortunately, the data comes from a legacy app and the cost of migrating the data to the new model is just way too high.
In addition, Lucene query syntax (used in Elasticsearch and Kibana) supports escaping the colon so I'm surprised to see that Timelion doesn't.