Kibana histogram - drawing multiple series on a single chart

Tags:

kibana

I have an index in Elasticsearch which contains an array of simple objects (key-value; please see the example below).

The documents have a timestamp.

I can create separate histograms in Kibana for each key-value (i.e. one chart for bytes_sent and another for bytes_received).

I am wondering if there is a way to show both series on one histogram chart.

thanks

Yasir

{
    "_index": "myindex",
    "_type": "showstatus",
    "_id": "JhyLAGbcRDyXmrIMmP5lLg",
    "_score": 1,
    "_source": {
       "_datetime" : "2014-03-21 10:10:10",
       "showstatus": [
          {
             "value": 96451,
             "variable_name": "bytes_sent"
          },
          {
             "value": 435322,
             "variable_name": "bytes_received"
          }
       ]
    }
}
Yasir asked Mar 20 '14 20:03


3 Answers

It can be done using a newer panel called "multifieldhistogram". I could use it in Kibana3 after a Kibana patch got installed recently.

Please see this link, which shows the panel: https://code.csdn.net/chenryn/kibana.

SKV answered Oct 21 '22 10:10


This is possible by running two queries, one to plot bytes_sent and one to plot bytes_received. Set the histogram to use the common "value" field. It looks like you may also need to split your data up so that there are unique records of the form timestamp, bytes_sent, value and timestamp, bytes_received, value.

-Brent

Brent Van Dussen answered Oct 21 '22 12:10


I have the solution to this problem. It is similar to the answer given by @OmarOthman, but without the aforementioned issues, namely:

  1. With the information aggregated in an array it is impossible; it is a feature that the Elastic team has not addressed yet.

  2. You would need to disaggregate your documents into separate documents, one for each value of the array. You can use the parent document features of Elastic to gather them.

  3. Once you have the documents with this shape:

Disaggregated form:

{ "_datetime" : "2014-03-21 10:10:10", "bytes_sent": 12312, "bytes_received" : 123123 }  
{ "_datetime" : "2014-03-21 10:10:11", "bytes_sent": 12310, "bytes_received" : 12313 }

instead of:

[…]
   "_datetime" : "2014-03-21 10:10:10",
   "showstatus": [
      {
         "value": 96451,
         "variable_name": "bytes_sent"
      },
      {
         "value": 435322,
         "variable_name": "bytes_received"
      }
   ]
}
[…]

You can draw multiple series in Timelion like @OmarOthman said, but you can also add a secondary (and even tertiary) Y axis using Timelion's yaxis method, like:

.es(metric='avg:bytes_sent').yaxis(1, label='Bytes sent').bars(), .es(metric='avg:bytes_received').yaxis(2, label='Bytes received', position='right').bars()

With the method bars you can draw it as a date histogram.

The other approach proposed by @OmarOthman would only show the average 'value' taking all the "value" data from all the documents of the showstatus array. This happens because the query 'showstatus.variable_name:bytes_sent' is always true, because all documents have that "variable_name" in their showstatus array. Hence, both series would be the same unless some documents do not have the bytes_sent variable_name inside the showstatus array. Try to draw it; it doesn't work as expected.

Carlos Vega answered Oct 21 '22 12:10
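As an added illustration, not part of the question or of any answer, the following Python models the array flattening that makes the per-variable query match every document (the problem Carlos Vega describes) and produces the two flat document shapes suggested by Brent Van Dussen and Carlos Vega. The sample documents and all function names are constructed for this example.

```python
# Added example, not from the question or any answer; the documents below
# are constructed to match the shape shown in the question.
DOCS = [
    {"_datetime": "2014-03-21 10:10:10",
     "showstatus": [{"value": 96451, "variable_name": "bytes_sent"},
                    {"value": 435322, "variable_name": "bytes_received"}]},
    {"_datetime": "2014-03-21 10:10:11",
     "showstatus": [{"value": 12310, "variable_name": "bytes_sent"},
                    {"value": 12313, "variable_name": "bytes_received"}]},
]


def es_object_flatten(doc):
    """Mimic how Elasticsearch indexes an array of objects in a plain
    (non-nested) object field: each sub-field becomes a multi-valued
    field, so value and variable_name of one element are no longer paired."""
    flat = {"_datetime": doc["_datetime"]}
    for item in doc["showstatus"]:
        for key, val in item.items():
            flat.setdefault("showstatus." + key, []).append(val)
    return flat


def avg_value_for_query(docs, variable_name):
    """Average of showstatus.value over documents matching the query
    showstatus.variable_name:<variable_name> on the flattened index."""
    values = []
    for doc in docs:
        flat = es_object_flatten(doc)
        if variable_name in flat["showstatus.variable_name"]:
            values.extend(flat["showstatus.value"])  # all values, not just the matching one
    return sum(values) / len(values)


def disaggregate_wide(doc):
    """One document per timestamp with a field per variable
    (the disaggregated form in Carlos Vega's answer)."""
    out = {"_datetime": doc["_datetime"]}
    for item in doc["showstatus"]:
        out[item["variable_name"]] = item["value"]
    return out


def disaggregate_long(doc):
    """One document per (timestamp, variable_name, value) triple
    (the split Brent Van Dussen's answer describes)."""
    return [{"_datetime": doc["_datetime"], "variable_name": item["variable_name"],
             "value": item["value"]} for item in doc["showstatus"]]
```

Running avg_value_for_query for bytes_sent and for bytes_received returns the same number, which is exactly why the two query-based series come out identical on the original array documents.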