Draw a Time Chart
where the x-axis is time.
Time is grouped into buckets.
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
buckets | number | optional[a] | Defines the number of buckets. The time span is defined by splitting the query time interval into this many buckets. | |
Minimum | 0 | |||
Maximum | 1500 | |||
function | Array of Aggregate Functions | optional[a] | count() | Specifies which aggregate functions to perform on each group. |
limit | number | optional[a] | 10 | Defines the maximum number of series to produce. A warning is produced if this limit is exceeded, unless the parameter is specified explicitly. |
Maximum | 500 | |||
minSpan | string | optional[a] | Determines the minimum span or size of the buckets that can be produced by timeChart() : for example, if set to 5h , a query duration of 1 day (24 hours), can only be split into 5 buckets, with the last bucket covering an additional hour into the future. Relative Time Syntax values are valid values for this parameter. | |
series [b] | string | optional[a] | Each value in the field specified by this parameter becomes a series on the graph. | |
span | string | optional[a] | auto | Defines the time span for each bucket. The time span is defined as a Relative Time Syntax like 1hour or 3 weeks . If not provided or set to auto , the search time interval —and thus the number of buckets— is determined dynamically. |
timezone | string | optional[a] | Defines the time zone for bucketing. This value overrides timeZoneOffsetMinutes which may be passed in the HTTP/JSON query API. For example: timezone=UTC or timezone='+02:00' . | |
unit | string | optional[a] | No conversion | Each value is a unit conversion for the given column. For instance: bytes/span to Kbytes/day converts a sum of bytes into Kb/day automatically taking the time span into account. If present, this array must be either length 1 (apply to all series) or have the same length as the function parameter. See the reference at Relative Time Syntax. |
[a] Optional parameters use their default value unless explicitly set |
Omitted Argument NamesThe argument name for
series
can be omitted; the following forms of this function are equivalent:logscaletimeChart("value")
and:
logscaletimeChart(series="value")
These examples show basic structure only; full examples are provided below.
timeChart()
Examples
Show the number of events per hour over the last 24 hours. We do this by selecting to search over the last 24 hours in the time selector in the UI, and then we tell the function to make each time bucket one hour long (with
span=1hour
):logscaletimeChart(span=1h, function=count())
The above creates 24 time buckets when we search over the last 24 hours, and all searched events get sorted into groups depending on the bucket they belong to (based on their @timestamp value). When all events have been divided up by time, the
count()
function is run on each group, giving us the number of events per hour.Instead of counting all events together, you can also count different kinds of events. For example, you may want to count different kinds of HTTP methods used for requests in the logs. If those are stored in a field named method, you can use this field as a series:
logscaletimeChart(span=1h, function=count(), series=method)
Instead of having one group of events per time bucket (as in the previous example), we will now get multiple groups: one group for every value of method that exists in the timespan we're searching in. So if we are still searching over a 24 hour period, and we have received only
GET
,PUT
, andPOST
requests in that timespan, we will get three groups of events per bucket (because we have three different values for method).This means we end up with 72 groups of events. And every group contains only events which correspond to some time bucket and a specific value of method. Then
count()
is run on each of these groups, to give us the number ofGET
events per hour,PUT
events per hour, andPOST
events per hour.Figure 195. Counting Events Divided Into Buckets
Show the number of different HTTP methods by dividing events into time buckets of 1 minute and counting the HTTP methods (
GET
,POST
,PUT
etc). As in the previous example, the timechart will have a line for each HTTP method.logscaletimechart(span=1min, series=method, function=count())
Use the number of buckets —instead of the time span — to show the number of different HTTP methods over time:
logscaletimechart(buckets=1000, series=method, function=count())
Get a graph with the response time percentiles:
logscaletimechart(function=percentile(field=responsetime, percentiles=[50, 75, 90, 99, 99.9]))
Use an array of functions in
function
to get a graph with the response time average as well as the percentiles:logscaletimechart(function=[avg(responsetime), percentile(field=responsetime, percentiles=[50, 75, 90, 99, 99.9])])
Use coda hale metrics to print rates of various events once per minute. Such lines include 1-minute average rates
m1=N
whereN
is some number. This example displays all such meters (which are identified by the field name), converting the rates fromevents/sec
toKi/day
.logscaletype=METER rate_unit=events/second | timechart(name, function=avg(m1), unit="events/sec to Ki/day", span=5m)
Upon completion of every LogScale request, we issue a log entry which (among other things) prints the
size=N
of the result. When summing such size's you would need to be aware of the span, but using a unit conversion, we can display the number in Mbytes/hour, and the graph will be agnostic to the span.logscaletimechart(function=sum(size), unit="bytes/bucket to Mbytes/hour", span=30m)