IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Create time series visualizations with Timelion Create visualizations with conditional logic and tracking trends using Timelion »
Elastic Docs Kibana Guide [7.10] Dashboard Tutorials

Timelion tutorial: Create visualizations with mathematical functions

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Timelion tutorial: Create visualizations with mathematical functions

edit

To create a visualization for inbound and outbound network traffic, use mathematical functions.

Define the functions

edit

To start tracking the inbound and outbound network traffic, enter the following in the Timelion Expression field:

.es(index=metricbeat*,
    timefield=@timestamp,
    metric=max:system.network.in.bytes)
timelion math01

 

Plot the rate of change

edit

Change how the data is displayed so that you can easily monitor the inbound traffic:

.es(index=metricbeat*,
    timefield=@timestamp,
    metric=max:system.network.in.bytes)
  .derivative()

.derivative plots the change in values over time.
timelion math02

 

Add a similar calculation for outbound traffic:

.es(index=metricbeat*,
    timefield=@timestamp,
    metric=max:system.network.in.bytes)
  .derivative(),
.es(index=metricbeat*,
    timefield=@timestamp,
    metric=max:system.network.out.bytes)
  .derivative()
  .multiply(-1)

.multiply() multiplies the data series by a number, the result of a data series, or a list of data series. For this example, .multiply(-1) converts the outbound network traffic to a negative value since the outbound network traffic is leaving your machine.
timelion math03

 

Change the data metric

edit

To make the visualization easier to analyze, change the data metric from bytes to megabytes:

.es(index=metricbeat*,
    timefield=@timestamp,
    metric=max:system.network.in.bytes)
  .derivative()
  .divide(1048576),
.es(index=metricbeat*,
    timefield=@timestamp,
    metric=max:system.network.out.bytes)
  .derivative()
  .multiply(-1)
  .divide(1048576)

.divide() accepts the same input as .multiply(), then divides the data series by the defined divisor.
timelion math04

 

Customize and format the visualization

edit

Customize and format the visualization using functions:

.es(index=metricbeat*,
    timefield=@timestamp,
    metric=max:system.network.in.bytes)
  .derivative()
  .divide(1048576)
  .lines(fill=2, width=1)
  .color(green)
  .label("Inbound traffic")         
  .title("Network traffic (MB/s)"), 
.es(index=metricbeat*,
    timefield=@timestamp,
    metric=max:system.network.out.bytes)
  .derivative()
  .multiply(-1)
  .divide(1048576)
  .lines(fill=2, width=1)           
  .color(blue)                      
  .label("Outbound traffic")
  .legend(columns=2, position=nw)

.label() adds custom labels to the visualization.

.title() adds a title with a meaningful name.

.lines() changes the appearance of the chart lines. In this example, .lines(fill=2, width=1) sets the fill level to 2, and the border width to 1.

.color() changes the color of the data. Supported color types include standard color names, hexadecimal values, or a color schema for grouped data. In this example, .color(green) represents the inbound network traffic, and .color(blue) represents the outbound network traffic.

.legend() sets the position and style of the legend. For this example, legend(columns=2, position=nw) places the legend in the north west position of the visualization with two columns.
timelion math05

 

« Create time series visualizations with Timelion Create visualizations with conditional logic and tracking trends using Timelion »