I'm trying to create a single visulization for the following:
I run one search filter to grab all log entries where the 'FeedFileName' property isn't empty. This collates log entries for when the system receives files.
Based on the above each log entry has a FeedFileName which could be filtered down further to *f1.xml or *f2.xml and so on.
Every log entry also has a milisecond value in field 'TimeSinceCreation'
I would like to put a metric on my graph for each file type i.e. f1.xml, f2.xml, f3.xml creating a graph for latency on a per file type basis rather than having to create separate visulizations (which I initially have done).
The issue I have is I'm not sure how I can filter the entry down to a single FeedFileName entry on the visulization.
I think this is how you want to build it. I'm not sure how your TimeSinceCreation relates to Latency, but assuming you want to see the average TimeSinceCreation over time;
Save your search which has FeedFileName not empty
Go to Visualize and create a new Line Chart, and select your Saved Search
Select buckets type = X-Axis, Date Histogram. select your timestamp field
If you click the Play button at this point you should see a Date Histogram of Count for all file types.
click Add sub-buckets under the X-Axis
Split Lines
Sub Aggregation = Terms
Field = FeedFileName
If you click the Play button at this point you should see a Date Histogram of Count for each file type.
Expand Y-Axis panel and change Aggregation from Count to Average
Field = TimeSinceCreation
If you click the Play button at this point you should see a Date Histogram of average TimeSinceCreation for each file type.
Here's an example with packetbeat data where I split lines by method and show the Average responsetime;
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
