IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Timelion tutorial: Create visualizations with mathematical functions Aggregation reference »

› › ›

Create visualizations with conditional logic and tracking trends using Timelion

edit

Create visualizations with conditional logic and tracking trends using Timelion

edit

To easily detect outliers and discover patterns over time, modify time series data with conditional logic and create a trend with a moving average.

With Timelion conditional logic, you can use the following operator values to compare your data:

`eq`	equal
`ne`	not equal
`lt`	less than
`lte`	less than or equal to
`gt`	greater than
`gte`	greater than or equal to

Define the functions

edit

To chart the maximum value of system.memory.actual.used.bytes, enter the following in the Timelion Expression field:

.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes')

Track used memory

edit

To track the amount of memory used, create two thresholds:

.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes'),
.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes')
  .if(gt,                             
      11300000000,                    
      .es(index=metricbeat-*,
          timefield='@timestamp',
          metric='max:system.memory.actual.used.bytes'),
      null)
    .label('warning')
    .color('#FFCC11'),
.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes')
  .if(gt,
      11375000000,
      .es(index=metricbeat-*,
          timefield='@timestamp',
          metric='max:system.memory.actual.used.bytes'),
      null)
  .label('severe')
  .color('red')

	Timelion conditional logic for the greater than operator. In this example, the warning threshold is 11.3GB (`11300000000`), and the severe threshold is 11.375GB (`11375000000`). If the threshold values are too high or low for your machine, adjust the values accordingly.
	`if()` compares each point to a number. If the condition evaluates to `true`, adjust the styling. If the condition evaluates to `false`, use the default styling.

Determine the trend

edit

To determine the trend, create a new data series:

.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes'),
.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes')
  .if(gt,11300000000,
      .es(index=metricbeat-*,
          timefield='@timestamp',
          metric='max:system.memory.actual.used.bytes'),
      null)
      .label('warning')
      .color('#FFCC11'),
.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes')
  .if(gt,11375000000,
      .es(index=metricbeat-*,
          timefield='@timestamp',
          metric='max:system.memory.actual.used.bytes'),
      null).
      label('severe')
      .color('red'),
.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes')
  .mvavg(10)

mvavg() calculates the moving average over a specified period of time. In this example, .mvavg(10) creates a moving average with a window of 10 data points.

Customize and format the visualization

edit

Customize and format the visualization using functions:

.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes')
  .label('max memory')                    
  .title('Memory consumption over time'), 
.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes')
  .if(gt,
      11300000000,
      .es(index=metricbeat-*,
          timefield='@timestamp',
          metric='max:system.memory.actual.used.bytes'),
      null)
    .label('warning')
    .color('#FFCC11')                 
    .lines(width=5),                  
.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes')
  .if(gt,
      11375000000,
      .es(index=metricbeat-*,
          timefield='@timestamp',
          metric='max:system.memory.actual.used.bytes'),
      null)
    .label('severe')
    .color('red')
    .lines(width=5),
.es(index=metricbeat-*,
    timefield='@timestamp',
    metric='max:system.memory.actual.used.bytes')
  .mvavg(10)
  .label('mvavg')
  .lines(width=2)
  .color(#5E5E5E)
  .legend(columns=4, position=nw)

	`.label()` adds custom labels to the visualization.
	`.title()` adds a title with a meaningful name.
	`.color()` changes the color of the data. Supported color types include standard color names, hexadecimal values, or a color schema for grouped data.
	`.lines()` changes the appearance of the chart lines. In this example, .lines(width=5) sets border width to `5`.
	`.legend()` sets the position and style of the legend. For this example, `(columns=4, position=nw)` places the legend in the north west position of the visualization with four columns.

For additional information on Timelion conditional capabilities, go to I have but one .condition().

« Timelion tutorial: Create visualizations with mathematical functions Aggregation reference »