Kibana – Timelion


Timelion, also referred to as the timeline, is another Kibana visualization tool that is mainly used for time-series analysis. To work with Timelion, you write short expressions in its expression language; an expression selects the index to read from and the calculations to perform on the data to get the result you need.

Where can we use Timelion?

Timelion is used when you want to compare time-related data. For example, your site records its page views daily, and you want to compare the current week with the previous week, Monday against Monday, Tuesday against Tuesday, and so on, to see how the views and the traffic differ.

Getting Started with Timelion

To start working with Timelion, click on Timelion as shown below −

By default, Timelion plots the document count over all indexes, as shown below −

Timelion works with an expression syntax.

Note − .es(*) means the Elasticsearch data source queried over all indexes; the argument * is the index pattern.

To get the details of the functions available in Timelion, simply click on the text area as shown below −

It gives you the list of functions to be used with the expression syntax.

Once you start with Timelion, it displays a welcome message as shown below. The highlighted section, Jump to the function reference, gives the details of all the functions available in Timelion.

Timelion Welcome Message

The Timelion welcome message is as shown below −

Click on the Next button and it walks you through the basic functionality and usage. When you click Next, you see the following details −

Timelion Function Reference

Click on the Help button to open the function reference for Timelion −

Timelion Configuration

The settings for Timelion are found in Kibana Management → Advanced Settings.

Click on Advanced Settings and select Timelion from Category.

Once Timelion is selected, it displays all the fields required for Timelion configuration.

In the following fields, you can change the default index and the time field to be used on the index −

The default index is _all and the default time field is @timestamp. With _all, an expression that omits the index argument is run against every index the logged-in user's Elasticsearch role allows it to read, so narrow this default if you do not want ad-hoc expressions to touch unrelated data. Here we leave the defaults as they are and set the index and time field in the expression itself.

Using Timelion to Visualize Data

We are going to use the index medicalvisits-26.01.2019. The following is the data displayed by Timelion for 1st Jan 2017 to 31st Dec 2017 −

The expression used for the above visualization is as follows −

.es(index=medicalvisits-26.01.2019,timefield=Visiting_Date).bars()

We have used the index medicalvisits-26.01.2019, with Visiting_Date as the time field on that index, and the bars function to draw the series as a bar chart.

In the following, we have compared two cities for the month of Jan 2017, day by day.

The expression used is −

.es(index=medicalvisits-26.01.2019,timefield=Visiting_Date, 
q=City:Sabadell).label(Sabadell),.es(index=medicalvisits-26.01.2019,
timefield=Visiting_Date, q=City:Terrassa).label(Terrassa)

The comparison of two consecutive days is shown here −

Expression

.es(index=medicalvisits-26.01.2019,timefield=Visiting_Date).label("August 2nd 2018"),
.es(index=medicalvisits-26.01.2019,timefield=Visiting_Date,offset=-1d).label("August 1st 2018")

Here we have used offset with a difference of one day. The selected time range is 2nd August 2018, so the second series fetches the data of 1st August 2018 and plots it on the same axis as the 2nd, which lets you compare the two days bucket by bucket.

The data for the top 5 cities for the month of Jan 2017 is shown below. The expression used is −

.es(index=medicalvisits-26.01.2019,timefield=Visiting_Date,split=City.keyword:5)

We have used split with the field name City.keyword, and since we want the top five cities in the index we have written split=City.keyword:5. The .keyword sub-field is used because split runs a terms aggregation, which needs a non-analyzed field; the analyzed text field City cannot be aggregated without fielddata being enabled.

The result is a daily count for each of the top cities, with the city names listed in the chart legend.
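To make clear what the three expressions above (the plain .es() bar chart, the offset=-1d day-over-day comparison, and the split=City.keyword:5 breakdown) actually compute, the following Python script reproduces each of them offline over a handful of constructed documents. It is an added illustration, not code from the page or from Kibana; the documents, the three-day window and the 1-day bucket size are assumptions (Timelion picks the bucket interval from the time picker unless interval= is given), and the field names follow the page.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample documents standing in for the medicalvisits-26.01.2019 index.
# Field names follow the page (Visiting_Date, City); the values are invented.
VISITS = [
    {"Visiting_Date": "2018-07-31", "City": "Sabadell"},
    {"Visiting_Date": "2018-07-31", "City": "Terrassa"},
    {"Visiting_Date": "2018-08-01", "City": "Sabadell"},
    {"Visiting_Date": "2018-08-01", "City": "Sabadell"},
    {"Visiting_Date": "2018-08-01", "City": "Terrassa"},
    {"Visiting_Date": "2018-08-02", "City": "Sabadell"},
    {"Visiting_Date": "2018-08-02", "City": "Barcelona"},
    {"Visiting_Date": "2018-08-02", "City": "Terrassa"},
    {"Visiting_Date": "2018-08-02", "City": "Terrassa"},
    {"Visiting_Date": "2018-08-03", "City": "Girona"},
]


def city_is(name):
    """Stand-in for q=City:<name>. The real q= is a Lucene query string evaluated
    by Elasticsearch, so this exact-match predicate is a simplification."""
    return lambda doc: doc["City"] == name


def daily_counts(docs, timefield="Visiting_Date", q=None):
    """What .es(timefield=..., q=...) computes: a date histogram with a 1-day
    bucket whose metric is the document count, restricted by the q filter."""
    counts = Counter()
    for doc in docs:
        if q is None or q(doc):
            counts[date.fromisoformat(doc[timefield])] += 1
    return counts


def series(counts, start, end):
    """Flatten the histogram into one value per day of [start, end] inclusive,
    filling empty buckets with 0 the way the Timelion chart does."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    return [counts.get(first + timedelta(days=i), 0)
            for i in range((last - first).days + 1)]


def offset_series(docs, start, end, offset_days, timefield="Visiting_Date"):
    """What offset=-1d does: run the same query over the window shifted by the
    offset, then draw the result on the unshifted axis so bucket i of this
    series sits beside bucket i of the unshifted one (yesterday next to today)."""
    shift = timedelta(days=offset_days)
    shifted_start = (date.fromisoformat(start) + shift).isoformat()
    shifted_end = (date.fromisoformat(end) + shift).isoformat()
    return series(daily_counts(docs, timefield), shifted_start, shifted_end)


def split_top_n(docs, field, n, start, end, timefield="Visiting_Date"):
    """What split=City.keyword:5 does: a terms aggregation on field keeps the n
    terms with the most documents in the window, then each term gets its own
    daily series. Ties are broken alphabetically here for determinism; an
    Elasticsearch terms aggregation may order equal counts differently."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    in_window = [d for d in docs
                 if first <= date.fromisoformat(d[timefield]) <= last]
    totals = Counter(d[field] for d in in_window)
    top = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return {term: series(daily_counts(in_window, timefield,
                                      q=lambda d, t=term: d[field] == t),
                         start, end)
            for term, _ in top}


if __name__ == "__main__":
    window = ("2018-08-01", "2018-08-03")
    # .es(index=..., timefield=Visiting_Date).bars()
    print("all cities   ", series(daily_counts(VISITS), *window))
    # .es(..., q=City:Terrassa).label(Terrassa)
    print("Terrassa     ", series(daily_counts(VISITS, q=city_is("Terrassa")), *window))
    # .es(..., offset=-1d): the same query fetched one day earlier
    print("offset -1d   ", offset_series(VISITS, *window, -1))
    # .es(..., split=City.keyword:3)
    for city, values in split_top_n(VISITS, "City", 3, *window).items():
        print(f"{city:<13}", values)
```

Two caveats carry over to the real expressions. The q= argument is a Lucene query string passed to Elasticsearch, so a value containing spaces or reserved characters must be quoted inside the expression, and the match semantics depend on the field mapping (an analyzed text field is matched on its tokens). And offset only shifts what is fetched, not the axis, which is why the offset series in the script is aligned to the unshifted window rather than labelled with its own dates.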
