Charting Metric Data

In this scenario, you have a service that periodically writes metrics to its logs. The metrics could come from tools such as DropWizard or Micrometer, or from a system monitoring tool like MetricBeat.

Sample input data. Here is example JSON input data for this scenario:

```javascript
{ "type": "metrics", "id": "1", "ts": "2018-11-01T00:10:11.001", "disk0": 11.21, "disk1": 21.14, "disk2": 12.01  }
{ "type": "metrics", "id": "2", "ts": "2018-11-01T00:10:13.106", "disk0": 11.21, "disk1": 21.14, "disk2": 12.01  }
{ "type": "metrics", "id": "3", "ts": "2018-11-01T00:10:18.771", "disk0": 10.57, "disk1": 20.41, "disk2": 11.91  }
{ "type": "metrics", "id": "4", "ts": "2018-11-01T00:10:18.772", "disk0": 9.15, "disk1": 19.12, "disk2": 10.07  }
```

Here, disk0 through disk2 are the metrics that you would like to create a time chart for.

Query. To create this time chart, use the following query:

```logscale
type = metrics
| timeChart(function=[max(disk0, as="Disk 0"), max(disk1, as="Disk 1"), max(disk2, as="Disk 2")])
```

Notice that we provide several aggregate functions to the function parameter. This is because we want to work on several fields of each input event. In this example, the query creates three series in the resulting time chart, one for each metric. We used the max() function on each field. This means that when the timeChart() function buckets the data, it uses the largest number within the bucket to represent the value of the series in that bucket. In other words, imagine that events id=3 and id=4 in the JSON events above end up in the same bucket (which is not an unreasonable assumption, since their timestamps are only 1 ms apart).

If we use max(), we get the largest value of the field: max(disk0) of id=3 and id=4 would be 10.57, even though id=4 occurs later in the stream. Alternatively, we could have used avg() to get the average of the two values of disk0, in this case 9.86. Which aggregate function to use depends on what you want to visualize.