kibana/docs/timelion/getting-started/timelion-create.asciidoc
Alex F c30d8ea38c [DOCS] Timelion Getting Started Guide (#11065)
* timelion docs rough draft 1

* timelion docs rough draft updates

* timelion docs rough draft typo

* timelion docs rough draft typo

* tanya feedback

* nbsp after images, made getting started a chapter with sections, removed inclusive we

* minor updates

* feedback from Bohyun
2017-04-26 16:11:03 -07:00


[[timelion-create]]
=== Creating time series visualizations
This tutorial uses the time series data from https://www.elastic.co/guide/en/beats/metricbeat/current/index.html[Metricbeat] to walk you through a number of functions that Timelion offers. To get started, download Metricbeat and follow the https://www.elastic.co/downloads/beats/metricbeat[instructions here] to start ingesting the data locally.

The first visualization you'll create compares the real-time percentage of CPU time spent in user space to the results offset by one hour. To create this visualization, you'll need two Timelion expressions: one with the real-time average of `system.cpu.user.pct` and another with the average offset by one hour.

To start, you will need to define an `index`, `timefield`, and `metric` in the first expression. Enter the following expression into the Timelion query bar:

[source,text]
----------------------------------
.es(index=metricbeat-*, timefield='@timestamp', metric='avg:system.cpu.user.pct')
----------------------------------
image::images/timelion-create01.png[]
{nbsp}
Now you need to add another series with data from the previous hour for comparison. To do so, add an `offset` argument to the `.es()` function. `offset` offsets the series retrieval by a date expression. For this example, you'll want to offset the data back one hour, so use the date expression `-1h`. Using a comma to separate the two series, enter the following expression into the Timelion query bar:
[source,text]
----------------------------------
.es(index=metricbeat-*, timefield='@timestamp', metric='avg:system.cpu.user.pct'), .es(offset=-1h,index=metricbeat-*, timefield='@timestamp', metric='avg:system.cpu.user.pct')
----------------------------------
image::images/timelion-create02.png[]
{nbsp}
It's a bit hard to differentiate the two series. Customize the labels to easily distinguish them. You can append the `.label()` function to any expression to add a custom label. Enter the following expression into the Timelion query bar to customize your labels:
[source,text]
----------------------------------
.es(offset=-1h,index=metricbeat-*, timefield='@timestamp', metric='avg:system.cpu.user.pct').label('last hour'), .es(index=metricbeat-*, timefield='@timestamp', metric='avg:system.cpu.user.pct').label('current hour')
----------------------------------
image::images/timelion-create03.png[]
{nbsp}
Save the entire Timelion sheet as _Metricbeat Example_. As a best practice, save any significant changes made to this sheet as you progress through this tutorial.