The simplest Timelion expression used for generating graphs is as follows:
.es(*)
Timelion expressions always start with a dot followed by a function name; each function can accept one or more parameters. The .es(*) expression queries data from all the indexes present in Elasticsearch. By default, it simply counts documents, producing a graph of the number of documents over time.
If you'd like to restrict Timelion to data within a specific index (for example, logstash-*), you can specify the index within the function as follows:
.es(index=logstash-*)
As Timelion is a time-series visualizer, it uses the @timestamp field present in the index as the time field for plotting values on the x axis. You can change this by passing the appropriate time field as the value of the timefield parameter.
Timelion's autocompletion feature helps you build the expression as you go along, as shown in the following screenshot:
Let's see some examples in action to understand Timelion better.
Let's find the average bytes usage over time for the US. The expression for this would be as follows:
.es(q='geoip.country_code3:US',metric='avg:bytes')
The output is displayed in the following screenshot:
Timelion can also plot multiple graphs on the same chart: separate the expressions with commas, and each expression is plotted as its own series.
Let's find the average bytes usage over time for the US and the average bytes usage over time for China. The expression for this would be as follows:
.es(q='geoip.country_code3:US',metric='avg:bytes'), .es(q='geoip.country_code3:CN',metric='avg:bytes')
The output is displayed in the following screenshot:
Timelion also allows functions to be chained. Let's change the label and color of the preceding graphs. The expression for this would be as follows:
.es(q='geoip.country_code3:US',metric='avg:bytes').label('United States').color('yellow'), .es(q='geoip.country_code3:CN',metric='avg:bytes').label('China').color('red')
The output is displayed in the following screenshot:
One more useful option in Timelion is using offsets to analyze older data, which makes it easy to compare current trends with earlier patterns. Let's compare the sum of bytes usage for the US with the same figure for the previous week. The expression for this would be as follows:
.es(q='geoip.country_code3:US',metric='sum:bytes').label('Current Week'), .es(q='geoip.country_code3:US',metric='sum:bytes', offset=-1w).label('Previous Week')
The output is displayed in the following screenshot:
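Expressions like the ones above often end up saved in dashboards, so it is worth being able to check them before they are stored. The following parser for the Timelion expression syntax described above is an added example, not part of the original text or of Timelion itself: it splits an expression on top-level commas into series, reads each dot-prefixed function with its quoted, bare or positional arguments, and rejects malformed input such as a chain that lacks its leading dot. It assumes that .es() takes q as its first positional argument (which is how .es(*) is read above) and metric as its second; the function and variable names are my own.

```python
import re

# Token patterns for Timelion syntax: .name( ... ) with named or positional arguments.
_NAME = r"[A-Za-z_][A-Za-z0-9_]*"
_VALUE = r"'[^']*'|\"[^\"]*\"|[^,()'\"]+"  # quoted string, or a bare value such as *, -1w, logstash-*
_FUNC_RE = re.compile(rf"\s*\.({_NAME})\s*\(")
_ARG_RE = re.compile(rf"\s*(?:({_NAME})\s*=\s*)?({_VALUE})\s*")
# Positional arguments fill a function's declared order; assumed here: .es() declares q, then metric.
_POSITIONAL = {"es": ["q", "metric"], "label": ["label"], "color": ["color"]}

def _parse_args(fn: str, expr: str, pos: int) -> tuple[dict, int]:
    """Parse the argument list after '('; return (args, position after ')')."""
    args, names = {}, list(_POSITIONAL.get(fn, []))
    while expr[pos:pos + 1] != ")":
        m = _ARG_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad argument at offset {pos}: {expr[pos:pos + 20]!r}")
        raw = m.group(2).strip()
        key = m.group(1) or (names.pop(0) if names else f"_{len(args)}")
        args[key] = raw[1:-1] if raw[:1] in ("'", '"') else raw  # drop the quotes
        pos = m.end()
        if expr[pos:pos + 1] == ",":
            pos += 1
        elif expr[pos:pos + 1] != ")":
            raise ValueError(f"expected ',' or ')' at offset {pos}")
    return args, pos + 1

def parse(expr: str) -> list[list[tuple[str, dict]]]:
    """Split on top-level commas into series; each series is its chain of (function, args)."""
    series, pos = [], 0
    while True:
        chain = []
        while m := _FUNC_RE.match(expr, pos):
            args, pos = _parse_args(m.group(1), expr, m.end())
            chain.append((m.group(1), args))
        if not chain:  # e.g. the leading dot was dropped, as in "es(q=...)"
            raise ValueError(f"expected '.function(' at offset {pos}: {expr[pos:pos + 20]!r}")
        series.append(chain)
        rest = expr[pos:].lstrip()
        if not rest:
            return series
        if rest[0] != ",":
            raise ValueError(f"unexpected text at offset {pos}: {rest[:20]!r}")
        pos = len(expr) - len(rest) + 1

def is_valid(expr: str) -> bool:
    """True when the expression parses, so malformed input can be rejected before it is saved."""
    try:
        parse(expr)
        return True
    except ValueError:
        return False
```

Running parse() on the two-series offset expression above yields the .es() arguments of each series, including offset='-1w' on the second, while the variant with a missing leading dot is rejected by is_valid().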
Timelion also supports pulling data from external data sources that expose a public API. Timelion has a native API for pulling data from the World Bank, Quandl, and Graphite.