Hi,
i would like to display column chart based on events count and display events size in bytes,KB,MB and GB
if events<1000 ---> display count and size in bytes
if events between 1000 to 10000 ---> display count and size in KB
if events between 10000 to 100000 ----> display count and size in MB
if events between >100000 ----> display count and size in GB
currently i am using below search to get count and size in KB's
index=myindex |eval esize=len(_raw) |timechart span=1m count as Count, sum(esize) as "EventsSize" | eval kb=EventsSize/1024 | fields - EventsSize
You can also put each value on a separate axis or use a horizon chart
The best way to handle this is to edit your visualization, click on the Format
(the pen/paintbrush icon), click on the Y-Axis
tab, then the Log
button in the Scale
control. This will ensure that the smaller amounts on the view are not dwarfed to a flat line by the bigger values.
If you change the scale (by converting bytes to kb/mb/gb), the size of columns would not look realistic. (e.g. 900 bytes would be much higher than 55 kb, but in reality 55kb is bigger).
hi,
thank you.
when i was trying to display events for timerange 2 hours
if i have a events count like 100000 and if i count the sum of these events in bytes,size is coming as a big number,when i display events count and size in column chart,i always see size chart because event size is big.
so i was thinking based on events count,may be we can display size of total events
In that case, you should use chart overlay feature so that you can show two series (event count and event size) in single graph but both can use separate y-axis. See this for more information on the same.