I need to show changes of a numeric state over time, of multiple series. Several state changes may happen very quickly, which a single aggregation in timechart will just swallow. Ideally I'd like to visualize all of the unique values that happened for a given series in a given time slice.
A scatter chart seems to make sense, but it doesn't appear to support _time for the X-axis in any sane way. Hopefully I'm just missing some setting?
What I've tried is essentially:
search... | bucket bins=500 _time | rename _time as t | table series t state_value
You end up with either the epoch as the x, or 0-(max(_time)-min(_time)) if you use _time. Formatting the date string doesn't seem to work, either.
Another approach that would be really cool would be the ability to do this:
search... | timechart values(state_value) by series
Even if this just showed the max and min in the slice in the same line, that'd be acceptable.
I see from an ancient question that timechart used to support values(foo), but now it doesn't appear to actually draw anything if there are multiple values returned in a particular time bucket.
Thoughts?