Timelion: ignore some values for field

I have a timelion "query" that works great. However, I am using the split function to get the top 10 occurrences and I can't figure out how to tell it to ignore, or don't show, the fields that contain certain values.
What I am doing is classifying events from an external system and writing that to ElasticSearch as a field in the document. Some of these classifications are low priority or we don't actually find anything to classify them with, so we put that in the field. In the visualizations, it is easy to ignore as you put that in the "Exclude" part of the viz and they don't show up. Is there a way to do that in Timelion? What I have below "works" in that I get the top 10, but I have to click on the items in the legend to get them to disappear from the graph. Just wondering if this is possible.

.es(index=systemev*,metric=count,split=system_classification.public_name.keyword:10).label(regex='.*system_classification.public_name.keyword:(.*)>.*',label='$1').legend(ne)

Thanks

Timelion supports lucene queries on top of splitting.

Does something like .es(q="NOT severity:low", split=severity:5) work for you?


Thanks @jbudz . That totally looks like it would work, but it has (sorta) the opposite effect.

.es(index=systemev*,q="NOT system_classification.public_name.keyword:Low Priority Tags",split=system_classification.public_name.keyword:5)

Gives me the two things that I don't want. Namely:
Low Priority Tags
No Tags Found

And that's all it gives me. No top 5 or anything.

And, regardless of whether I change the query to not have the NOT in it, or use different quote placement (i.e. q="NOT system_classification.public_name.keyword:'Low Priority Tags'") I still get the same output. It's weird as I would think that the NOT would work.

So, it's closer but I am still tinkering with it. Any ideas?
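Added example (not code from any of the posters): the `q=` argument is handed to Elasticsearch as a Lucene query string, and in that syntax a field value containing spaces only binds to the field if it is quoted as a phrase; unquoted, `field:Low Priority Tags` is parsed as `field:Low` plus the bare terms `Priority` and `Tags`, and the `NOT` applies only to the first clause. The helper below builds the exclusion query with each value quoted and escaped, then wraps it in single quotes so the phrase's double quotes pass through Timelion's string parser. The field and index names are taken from the thread; the function names and the `AND NOT` chaining are my own choices.

```python
import re

# Characters that must be backslash-escaped inside a Lucene phrase so that a
# value such as  No "Tags" Found  does not terminate the phrase early.
_PHRASE_SPECIALS = re.compile(r'(["\\])')


def lucene_phrase(value: str) -> str:
    """Quote a field value as a Lucene phrase so that a value containing
    spaces is matched as a single term rather than split into several."""
    return '"' + _PHRASE_SPECIALS.sub(r'\\\1', value) + '"'


def exclusion_query(field: str, values: list[str]) -> str:
    """Build a Lucene query that excludes every listed value of `field`.
    An empty list yields the match-all query '*'."""
    if not values:
        return "*"
    return " AND ".join(f"NOT {field}:{lucene_phrase(v)}" for v in values)


def timelion_expression(index: str, field: str, excluded: list[str],
                        top_n: int = 10) -> str:
    """Assemble the .es() expression. The Lucene query is single-quoted so the
    double quotes around each phrase reach Elasticsearch untouched; values
    containing an apostrophe would need their own escaping, so they are
    rejected here rather than silently producing a broken expression."""
    q = exclusion_query(field, excluded)
    if "'" in q:
        raise ValueError("single quote in value would break the quoted q= argument")
    return f".es(index={index},q='{q}',metric=count,split={field}:{top_n})"


if __name__ == "__main__":
    # Constructed sample: the two classifications named in the thread.
    print(timelion_expression(
        "systemev*",
        "system_classification.public_name.keyword",
        ["Low Priority Tags", "No Tags Found"],
        top_n=5,
    ))
```

Because `system_classification.public_name.keyword` is a keyword field, the quoted phrase becomes an exact term match on the whole stored value, which is what the exclusion needs.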
