Make Data Compatible with Time Chart Widget - Example 1 | LogScale Query Examples

Make Data Compatible with Time Chart Widget - Example 1

Make data compatible with Time Chart Widget using the timeChart() function with window() and span parameter

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} result{{Result Set}} repo --> 0 0 --> result

logscale

timeChart(host, function=window( function=avg(cpu_load), span=15min))

Introduction

The Time Chart Widget displays bucketed time series data on a timeline. The timeline shows the precise value and time for the displayed bucket, with the time showing the point where the bucket starts. The timeChart() function is used to create the required input format for the time chart widget. Also the window() function is used to compute the running aggregate (for example, avg() or sum()) for a field over a sliding window of data in the time chart.

Note that the window() function cannot be used elsewhere and with functions other than timeChart() or bucket().

In this example, the timeChart() function is used to create the required input format for the Time Chart Widget and the window() function is used to compute the running aggregate (avg()) for the cpu_load field over a sliding window of data in the time chart. The span width, for example 15 minutes, is defined by the span parameter. This defines the duration of the average calculation of the input data, the average value over 15 minutes. The number of buckets created will depend on the time interval of the query. A 2 hour time interval would create 8 buckets.

Note

The difference between window() and bucket() is that window() will create buckets with a consistent interval, whereas bucket() creates the buckets based on the query time.

Step-by-Step

Starting with the source repository events.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
timeChart(host, function=window( function=avg(cpu_load), span=15min))
```
Groups by host, and calculates the average CPU load time per each 15 minutes over the last 24 hours for each host, displaying the results in a Time Chart Widget.
The running average time of CPU load is grouped into spans of 30 minutes. Note that the time interval of the query must be larger than the window span to produce any result.
Event Result set.

Summary and Results

Selecting the number of buckets or the timespan of each bucket enables you to show a consistent view either by time or by number of buckets independent of the time interval of the query. For example, the widget could show 10 buckets whether displaying 15 minutes or 15 days of data; alternatively the display could always show the data for each 15 minutes.

The query is used to make CPU load data compatible with the Time Chart Widget. This query is, for example, useful for CPU load monitoring to identify sustained high CPU usage over specific time periods.

For an example of dividing the input data by the number of buckets, see Make Data Compatible with Time Chart Widget - Example 2.