What seemed easy is not as easy as i thought.
Here is my usecase:
One of the fields i have is called
Latency. I want average on it over time.
So, my search is like this:
index=index_name | timechart bins=1000 avg(Latency)
Everthing is fine except the x-axis labeling which says 3:58:00 PM, Mon Apr 13 2015
I would like the label to be
0, 60, 120, 180 (representing seconds)
(or) 0,1,2,3,.. representing minutes.
What is the correct approach to do these type of calculations?
You can achieve this by adding some additional commands to the end of your search:
index=index_name | timechart bins=1000 avg(Latency) as AvgLatency | eventstats earliest(_time) as etime | eval ntime=_time-etime | table ntime AvgLatency
eventstats line adds a field called
etime containing the earliest timestamp in your graph. The
eval pushes all the times back by that amount, leaving you with a graph starting at 0. Then just
table those fields and draw your graph.
Excellent. Thanks aweitzman.
Your explanation was even better.
However, while charting, the x-axis label just says ntime. How to make it to say 0,60,...?
In general, i have trouble with the following:
1. making a two column table to appear as a chart. Column-1 is x-axis and Column-2 is y-axis.
2. How to make x-axis labels skip every n units. (For example, if i have 0-180 in column-1, then i would like to have 0,30,60...180 - meaning label every 30th instead of crowding x-axis)
In general, if you make any two-column table with numbers in the second column, you should be able to chart it just by clicking the "Visualization" tab and choosing a line, area or column chart.
In your case, you have too many data points for the x-axis to show each one. There is no room for 1000 data points with numbers across, even across two very wide screens (I just tried). Your best hope is to (a) reduce the number of data points, and (b) go into the Format/X-Axis section of your chart and rotate the labels. There isn't any obvious provision for skipping labels, as far as I can tell.