Make Data Compatible With Time Chart Widget - Example 2 | LogScale Query Examples

Make Data Compatible With Time Chart Widget - Example 2

Make data compatible with Time Chart Widget using the timeChart() function with window() and buckets parameter

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} result{{Result Set}} repo --> 0 0 --> result

logscale

timeChart(host, function=window( function=[avg(cpu_load), max(cpu_load)], buckets=3))

Introduction

The Time Chart Widget displays bucketed time series data on a timeline. The timeline shows the precise value and time for the displayed bucket, with the time showing the point where the bucket starts. The timeChart() function is used to create the required input format for the time chart widget. Also the window() function is used to compute the running aggregate (for example, avg() or sum()) for a field over a sliding window of data in the time chart.

Note that the window() function cannot be used elsewhere and with functions other than timeChart() or bucket().

In this example, the window() function uses the number of buckets to calculate average and maximum CPU load. The timespan for each bucket will depend on the time interval of the query. The number of buckets are defined by the buckets parameter. The timeChart() function is used to create the required input format for the Time Chart Widget.

The query calculates both average AND maximum values across the requested timespan. In this example, the number of buckets is specified, so the events will be distributed across the specified number of buckets using a time span calculated from the time interval of the query. For example, a 15 minute time interval with 3 buckets would use a timespan of 5 minutes per bucket.

Note

The difference between window() and bucket() is that window() will create buckets with a consistent interval, whereas bucket() creates the buckets based on the query time.

Step-by-Step

Starting with the source repository events.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
timeChart(host, function=window( function=[avg(cpu_load), max(cpu_load)], buckets=3))
```
Groups by host, and calculates both the average of CPU load time and the maximum CPU load time (using aggregates (avg() and max()) for the cpu_load field), displaying the results in 5 buckets showing a stacked graph for each host using a Time Chart Widget.
Event Result set.

Summary and Results

Selecting the number of buckets or the timespan of each bucket enables you to show a consistent view either by time or by number of buckets independent of the time interval of the query. For example, the widget could show 10 buckets whether displaying 15 minutes or 15 days of data; alternatively the display could always show the data for each 15 minutes.

The query is used to make CPU load data compatible with the Time Chart Widget. This query is, for example, useful for CPU load monitoring to compare intervals, compare hourly performance etc.

For an example of dividing the input data by the timespan of each bucket, see Make Data Compatible With Time Chart Widget - Example 1.

Examples Library