I think changing the range of data that I'm viewing from 8 to 10 minutes is relatively trivial. The time bucket interval for the date histogram is set to 5 seconds so there will be around 96 data points visible in 8 minutes. But I'm wondering why the sum values drop from 6600 to 1300. The time bucket intervals don't change as a result of changing from viewing 8 minutes of data to 10 minutes, so there should be no difference at all. Any help would be much appreciated.
This is an odd behavior to experience, but let me do my best to explain.
When you switch the timespan to 10 minutes, you'll notice you get a warning next to the "Interval" dropdown. The error message should say something like, "This time interval creates too many buckets, so we've automatically scaled it to 5 seconds" or something like that. In other words, when you're looking at the 10 minute timespan, the results are per 5 second interval, whereas when you are looking at the 8 minute timespan, the results are per second interval, which is why the aggregate sum is not the same.
If you look at the advanced settings page, you'll find this setting:
histogram:maxBars
Never show more than this many bars in date histograms, scale values if needed
This setting should control the maximum number of buckets for date histograms. Interestingly enough, after looking into this, it looks like we've got a bug in the code here, so I've filed an issue: histogram:maxBars doesn't work as expected · Issue #14823 · elastic/kibana · GitHub
the tl;dr: I'd like my data to continue to show sum values of around 6600 and not drop when I switch timespans while keeping the intervals as is.
the part that still confuses me after this explanation is that the createdAt data is artificially generated in 5 second intervals. But more so confusing is that let's say the data was generated in increments of 1 second, I would think that when the "compression" of the interval happens from 1 second to 5 second intervals, the sum would go up and not down.
To illustrate, if I had 5 entries with quantity values of 100 showing up as such with the 1 second interval time bucket, then when I switch over to a time bucket of 5 seconds, I'd expect that the quantity for that one 5 second interval data point would appear as 500.
If that holds, then that makes me squint at the actual behavior of my kibana, which in the same scenario moves from showing a bunch of data points with quantity 100 to one quantity of, say, 30, which is moving in a direction opposite to what I expected.
Or is this behavior the bug that you were alluding to?
Hopefully, that clarifies the contours of my confusion ok.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.