Visualization of sparse data in TSVB

Chenlrv · September 1, 2020, 3:16pm

Hello,
I use TSVB to visualize data that is being sent every 1 minute to Elasticsearch.
The problem is, sometimes the data takes a little bit more time to be calculated, and so it is being sent after 1 min and 5 seconds, etc.
Because of that reason, when aggregating the data every 1 minute, sometimes there are empty buckets, and that's leading to some ugly gaps in the visualization: (here the visualization interval is 1m)

When I reduce the Interval to 30s the data is presented as dots, which doesn't look as clear and informative..

How can I avoid the gaps, but also visualize the data smoothly?

wylie · September 1, 2020, 3:36pm

You can increase the time interval you're querying in TSVB.

You can switch to Lens in 7.9.0, which supports fitting functions for line charts.

You can use Vega.

Chenlrv · September 7, 2020, 9:32am

Hi, thank you a lot.
So, I used Lens and created this visualization:

and indeed the gaps are gone (this was the visualization on the same data using TSVB):

However, there are a few capabilities that I can't seem to find in Lens and would like to get some help-

I'd like to add "ms" word near the values, as I did in TSVB. I tried to do in Lens but that's all that appears in the Format & style popup:

Is there a way to do in Lens?
In Lens I used the "Break down by" option and broke down the data by server address.
However, I'd like to present only part of the values. How can I predefine which exact values I want to present in the visualization?

Chenlrv · September 8, 2020, 6:36am

Hi wylie, can you please pay attention to my new reply?

wylie · September 8, 2020, 3:10pm

The formatting option you're asking for isn't currently possible in Lens, but I'm working on a PR to do this across Kibana if you add it to the field: https://github.com/elastic/kibana/pull/76729

I don't understand the behavior you are looking for with IP addresses, can you be more specific? You probably haven't missed something, there aren't very many options today.

Chenlrv · September 13, 2020, 11:39am

In Lens I'm breaking down the data by IP addresses:

But I'd like to display data for only 3 of these addresses.
Is there a way to do it? (In other visualizations it is possible using buckets)

wylie · September 14, 2020, 2:49pm

If you want the top N IP addresses, Lens supports that by putting the IP aggregation first, as in "Top values of IP field overall" as opposed to "top values per timestamp".

It sounds like that's not what you want, and I can think of three possibilities. Can you indicate which one you want?

You want the top IP addresses, but excluding some values
You want to write a KQL filter which matches certain IP addresses
You want to write cidr ranges to match specific IP ranges