Timelion

Hi everyone,

I'm using Timelion and what I would love to do now is to set a different color for data with timestamp from 9pm to 7am.
How can I write the query?
I read about the syntax FROM...TO but the examples I found are with date; I want to select a time range, not a date range. My query should be valid every day.

Thank you in advance for your help :slight_smile:

I don't believe that is a feature, but you should be able to get the same approach by stacking, similar to what was outlined under "conditional selection" in https://www.elastic.co/blog/timelion-tutorial-from-zero-to-hero.

The idea is, draw one line with a color - then draw a second line with another color, but exclude data between 9pm and 7am.

Thank you @tylersmalley for the reply!
My "problem" is that I want to filter on @timestamp field, and there is nothing about it in the article you linked. I've tried the syntax FROM [21:00:00] TO [07:00:00] but it didn't work; plus, I can't add the day because I need to set this condition for every date I select from the proper tool on the top right in Kibana.

My bad, you're right. Tim wrote about this in the past here: Kibana Filter for a specific time range

You would have to extract that into something that is filterable, like a boolean field "is_working_hours". You could use a scripted field, but that wouldn't be very performant.

Thank you Tyler, that's exactly what I was looking for!
Could you explain to me why scripted fields are less performant than a new field created before the ingestion?

Thank you in advance!

Scripted fields are sent to Elasticsearch and calculated on request - this means to determine whether a document should be included in the response or not, Elasticsearch has to run the script for each document in the matching time range - and again for each new request.

When a field is created before ingestion, Elasticsearch can create an inverted index which speeds up the decision whether to include a document significantly.

Scripted fields are handy and if you are working with small data sets they can be totally fine, but it's important to know it's likely to hit performance limits quickly when scaling up the data - a classical trade-off between performance and flexibility.

It's recommended to use scripted fields for prototyping if you don't know yet how you will query your data - once you know, you can "productionize" and move the calculation to ingest time.
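The pre-ingestion approach discussed in the replies above, as an added example that is not code from any poster in this thread: a small enrichment step that computes the `is_working_hours` boolean before a document is indexed, handling the 9pm to 7am window that wraps past midnight. The function names, the `local_tz` parameter (a fixed UTC offset here) and the sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, time, timedelta, timezone

NIGHT_START = time(21, 0)  # 9pm, from the question
NIGHT_END = time(7, 0)     # 7am, from the question


def in_daily_window(t, start, end):
    """True if time-of-day t is in [start, end); the window may wrap past midnight."""
    if start <= end:
        return start <= t < end
    # Wrapping window (21:00 -> 07:00): late evening OR early morning.
    return t >= start or t < end


def enrich(doc, local_tz=timezone.utc):
    """Return a copy of doc with a precomputed boolean is_working_hours field.

    Assumes doc["@timestamp"] is an ISO 8601 string with an offset or 'Z'.
    local_tz (hypothetical parameter) is the zone in which "9pm" is meant.
    """
    raw = doc["@timestamp"].replace("Z", "+00:00")  # older fromisoformat rejects 'Z'
    ts = datetime.fromisoformat(raw)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # treat naive timestamps as UTC
    local_time = ts.astimezone(local_tz).time()
    out = dict(doc)
    out["is_working_hours"] = not in_daily_window(local_time, NIGHT_START, NIGHT_END)
    return out


if __name__ == "__main__":
    tz = timezone(timedelta(hours=1))  # constructed: site is at UTC+1
    samples = [  # constructed sample documents
        {"@timestamp": "2024-03-01T20:30:00.000Z", "msg": "a"},  # 21:30 local
        {"@timestamp": "2024-03-01T06:00:00.000Z", "msg": "b"},  # 07:00 local
        {"@timestamp": "2024-03-01T12:00:00.000Z", "msg": "c"},  # 13:00 local
    ]
    for d in samples:
        print(enrich(d, tz))
```

Once the field is indexed, each of the two stacked Timelion series can select its documents with a plain query such as `q='is_working_hours:false'`, and the choice works for any date range picked in Kibana.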

Thank you very much for your exhaustive reply! It's extremely useful and clear :smiley:
