Kibana - Timelion
Timelion, also called timeline, is another visualization tool, used mainly for time-based data analysis. To work with Timelion, we use a simple expression language that connects to the index and performs calculations on the data to get the results we need.
Where can we use Timelion?
Timelion is used when you want to compare time-related data. For example, you have a site and you get views daily. You want to compare the current week's data with the previous week's, i.e. Monday-Monday, Tuesday-Tuesday and so on, to see how the views and the traffic differ.
Getting Started with Timelion
To start working with Timelion, click on Timelion as shown below −
Timelion by default shows the timeline of all indexes as shown below −
Timelion works with expression syntax.
Note − .es(*) means all indexes.
To get the details of the functions available for use with Timelion, simply click on the textarea as shown below −
It gives you the list of functions to be used with the expression syntax.
Once you start with Timelion, it displays a welcome message as shown below. The highlighted section, i.e. Jump to the function reference, gives the details of all the functions available to be used with Timelion.
Timelion Welcome Message
The Timelion welcome message is as shown below −
Click on the Next button and it will walk you through its basic functionality and usage. Now when you click Next, you can see the following details −
Timelion Function Reference
Click on the Help button to get the details of the function reference available for Timelion −
Timelion Configuration
The settings for Timelion are found in Kibana Management → Advanced Settings.
Click on Advanced Settings and select Timelion from Category.
Once Timelion is selected, it displays all the fields required for Timelion configuration.
In the following fields you can change the default index and the timefield to be used on the index −
The default index is _all and the default timefield is @timestamp. We will leave these as they are and set the index and timefield in the Timelion expression itself.
Using Timelion to Visualize Data
We are going to use index:medicalvisits-26.01.2019. The following is the data displayed from Timelion for 1st Jan 2017 to 31st Dec 2017 −
The expression used for the above visualization is as follows −
.es(index=medicalvisits-26.01.2019,timefield=Visiting_Date).bars()
We have used the index medicalvisits-26.01.2019, the timefield on that index is Visiting_Date, and we have applied the bars function.
In the following, we have analyzed 2 cities for the month of Jan 2017, day-wise.
The expression used is −
.es(index=medicalvisits-26.01.2019,timefield=Visiting_Date, q=City:Sabadell).label(Sabadell),.es(index=medicalvisits-26.01.2019, timefield=Visiting_Date, q=City:Terrassa).label(Terrassa)
The timeline comparison for 2 days is shown here −
Expression
.es(index=medicalvisits-26.01.2019,timefield=Visiting_Date).label("August 2nd 2018"), .es(index=medicalvisits-26.01.2019,timefield=Visiting_Date,offset=-1d).label("August 1st 2018")
Here we have used offset with a difference of 1 day. We have selected the current date as 2nd August 2018, so the chart compares the data for 2nd Aug 2018 with the data for 1st Aug 2018.
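The week-over-week comparison described earlier (Monday against Monday, Tuesday against Tuesday) can be written with the same offset parameter. The following is an added example, not part of the original tutorial: it reuses the tutorial's index and timefield, assumes the selected time range covers one week, and is wrapped across lines for readability (enter it as a single line if your Kibana version does not accept line breaks). The third series subtracts the previous week from the current one, so a bar above zero means more visits than on the same weekday a week earlier.

```timelion
.es(index=medicalvisits-26.01.2019, timefield=Visiting_Date).label("Current week").lines(width=2),
.es(index=medicalvisits-26.01.2019, timefield=Visiting_Date, offset=-1w).label("Previous week").lines(width=1),
.es(index=medicalvisits-26.01.2019, timefield=Visiting_Date).subtract(.es(index=medicalvisits-26.01.2019, timefield=Visiting_Date, offset=-1w)).label("Difference").bars()
```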
The list of top 5 cities data for the month of Jan 2017 is shown below. The expression that we have used here is given below −
.es(index=medicalvisits-26.01.2019,timefield=Visiting_Date,split=City.keyword:5)
We have used split with the field name City.keyword, and since we need the top five cities from the index, we have given it as split=City.keyword:5.
It gives the count for each city and lists their names, as shown in the graph plotted.