Timelion is a Kibana module that lets you query multiple data sources from a single Kibana instance, a bit like Grafana. This tool is very powerful for analyzing metrics contained in logs (or simply analyzing the log count) sent to Elasticsearch (so Logs Data Platform here).

What you can do includes, but is not limited to:

  • Computing an average over a period of time, or a moving average over a period of time
  • Computing the derivative of a metric or of the results of a specific query to quickly see the variations
  • Doing arithmetic operations between your metrics (division, sum, cumulative sum, multiplication, percentage...)
  • Grabbing series from other sources to mix with your data (Quandl, World Bank Indicators, Graphite)

An introduction to this wonderful plugin can be found here:

https://www.elastic.co/blog/timelion-timeline.

In order to use Timelion, your Kibana access has to be already configured. If you don't have it already, you can visit this Kibana tutorial. If you're ready, let's get started!

First contact with Timelion on Kibana

To go to the Timelion module, use the link in Kibana interface:

[Screenshot: timelion]

Once the module is loaded, it should complain about an access-rights error. This is expected: by default the Timelion plugin tries to load data from the index _all, which is forbidden. Don't worry, you can change the index on the fly from the search bar with the index parameter. If you use an alias on your stream, you also need to change the time field from @timestamp to timestamp.

[Screenshot: timelion2]

Configuring Timelion

To configure your default index and time field for Timelion, go to the Management page and select Advanced Settings. From there, locate the timelion settings and change the default index and time field.

Where do I go from here?

Timelion has built-in documentation that lets you discover the different functions. To access it, use the Docs button next to the time range selector at the top right of the interface. The auto-complete feature can also help you remember the available commands and gives a short description of each.

The Elasticsearch commands start with ".es". You can change the resolution of the chart with the drop-down menu to the right of the search bar.

To display all your data over the selected time range (top right), use:

 .es()

To display only the data that have a certain field value, use:

 .es(field:value)

To display the average of a numeric field present in your logs, use:

 .es(metric='avg:my_field_num')

You can display only the variation (derivative) of this value with the following formula:

 .es(metric='avg:my_field_num').derivative()

To display different data on different y-axes, use the yaxis() function (note that every series, including the second one, starts with a dot):

 .es(metric='avg:my_field_num').derivative(), .es(*).yaxis(2)
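As an added example (not from the original tutorial), the expression below combines the pieces introduced above: the index and timefield override from the access-rights section, the arithmetic functions (division and percentage), a moving average, and yaxis(). It plots the percentage of HTTP 5xx responses against a moving average of request duration, so a rise in errors and latency can be spotted on one chart. The index pattern my-stream-*, the alias time field timestamp, and the fields status and duration are assumed names; replace them with your own.

```timelion
.es(index='my-stream-*', timefield='timestamp', q='status:[500 TO 599]')
  .divide(.es(index='my-stream-*', timefield='timestamp'))
  .multiply(100)
  .label('5xx responses (%)'),
.es(index='my-stream-*', timefield='timestamp', metric='avg:duration')
  .movingaverage(10)
  .yaxis(2)
  .label('avg duration, 10-bucket moving average')
```

Timelion accepts the whole expression on a single line; it is wrapped here only for readability.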

In the following screenshot, you can easily see whether there is a correlation between different metrics in your software (here we looked for one in HAProxy between the variation of bytes_read and the duration of requests).

[Screenshot: timelion3]

Every visualization you create through Timelion can be embedded in a Kibana dashboard so you can further query and refine your data.

[Screenshot: dashboard]

We have only scratched the surface of what you can do with Timelion. Head to these resources to learn even more cool tricks:


Getting Help