Using ML data in Timelion

Timelion is an expression-oriented visualization framework. It lets you query Elasticsearch (and other data stores), and take multiple data series and combine them. In our case, the operation is fairly simple: calculate the average bytes per request over time, and overlay the anomalies detected on the traffic.

To do so, add a Timelion visualization from the palette, and start by adding the following expression:

.es(index=nasa-*)

Remember to set the time picker to a range that covers the period where our data exists. The preceding expression simply draws the request traffic we have already seen so far:

Now, let's calculate the bytes per request. We divide the average bytes series by the request count series, which gives the following expression:

.es(index=nasa-*, metric=avg:bytes).divide(.es(index=nasa-*))

This will render the following line chart:

Now, we just need to add our ML results on top of it by completing the expression, like so:

.es(index=nasa-*, metric=avg:bytes)
  .divide(.es(index=nasa-*)).yaxis(1),
.es(index='.ml-anomalies*',
    timefield=timestamp,
    metric=max:anomaly_score)
  .points(symbol=cross).yaxis(2).if(lt, 50, null)

Take note of the following:

  • The data sources are separated by a comma; the first data source is the bytes-per-request ratio and the second is the anomaly detection results
  • The anomalies are drawn as crosses, thanks to the .points() function, and .if(lt, 50, null) hides any bucket whose maximum anomaly_score is below 50
  • Each data source has its own y axis, so the two series keep their own scale instead of being squashed onto one
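To make the semantics of the combined expression concrete, here is an added Python sketch (not code from the book or from Kibana) that mimics what Timelion does with it: bucket both index patterns into the same date histogram, divide the avg:bytes series by the document-count series, take max:anomaly_score per bucket, and null out points below 50. The 5-minute bucket interval, the document shapes and all values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample documents standing in for the nasa-* and .ml-anomalies* indices.
NASA_DOCS = [
    {"timestamp": "1995-07-01T00:00:10", "bytes": 1000},
    {"timestamp": "1995-07-01T00:01:30", "bytes": 2000},
    {"timestamp": "1995-07-01T00:04:59", "bytes": 3000},
    {"timestamp": "1995-07-01T00:06:05", "bytes": 500},
]
ML_DOCS = [
    {"timestamp": "1995-07-01T00:02:00", "anomaly_score": 12.0},  # below 50: hidden
    {"timestamp": "1995-07-01T00:05:00", "anomaly_score": 40.0},
    {"timestamp": "1995-07-01T00:07:00", "anomaly_score": 83.0},  # bucket max: shown
]

def bucket_key(ts, minutes=5):
    """Floor a timestamp to the start of its date_histogram bucket (assumed interval)."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % minutes, second=0, microsecond=0)

def es_series(docs, metric, field=None):
    """Mimic .es(metric=...): one count/avg/max value per time bucket."""
    buckets = defaultdict(list)
    for doc in docs:
        buckets[bucket_key(doc["timestamp"])].append(doc)
    reducers = {
        "count": lambda items: len(items),
        "avg": lambda items: sum(i[field] for i in items) / len(items),
        "max": lambda items: max(i[field] for i in items),
    }
    return {key: reducers[metric](items) for key, items in buckets.items()}

def divide(numerator, denominator):
    """Mimic .divide(): pointwise ratio, None where the divisor bucket is missing or zero."""
    return {k: (v / denominator[k] if denominator.get(k) else None) for k, v in numerator.items()}

def condition_lt(series, threshold):
    """Mimic .if(lt, threshold, null): points below the threshold become null."""
    return {k: (None if v is not None and v < threshold else v) for k, v in series.items()}

def build_overlay(nasa_docs, ml_docs, threshold=50):
    """Return (bucket, bytes_per_request, anomaly_score_or_None) rows, like the two-series chart."""
    ratio = divide(es_series(nasa_docs, "avg", "bytes"), es_series(nasa_docs, "count"))
    anomalies = condition_lt(es_series(ml_docs, "max", "anomaly_score"), threshold)
    keys = sorted(set(ratio) | set(anomalies))
    return [(k.isoformat(), ratio.get(k), anomalies.get(k)) for k in keys]

if __name__ == "__main__":
    for row in build_overlay(NASA_DOCS, ML_DOCS):
        print(row)
```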

The results will be as follows:

We now have all of our visualizations created, and we can compose them into a single dashboard.

Don't forget to save and name your visualizations!