Split Terms

  • Split the series on the top 5 values of the _index field
  • Use the index name as the series label
.es(split=_index:5).label(regex='.* _index:(.*) > .*', label='$1')

Use offset

Use the offset option to compare a series with an earlier period

.es(index=sales, q="city:zurich").label("Sales Zurich"),

Timelion expressions accept date math for the offset, e.g. -1w → one week ago

.es(index=sales, q="city:zurich", offset=-1w).label("Sales Zurich")