By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How do I group timeseries data by field to view on stacked area graph?

0

I would like to view a timeseries data grouped by some field name on a stacked area graph.

It understand how to do either by field or by time slices, but I cannot understand how to do both at the same time so I can view a stacked area graph grouped by a field.

E.g. I group by field like this (it produces only a bar graph):

fields @message
    | parse @message "[*] something*,*" as hash, taskName, restOfMessage
    | display @timestamp, taskName, restOfMessage
    | filter ispresent(taskName)
    | stats count(*) by taskName

Or like this (produces a stacked area with just one line, and I want it to have lines for every taskName):

fields @message
    | parse @message "[*] something*,*" as hash, taskName, restOfMessage
    | display @timestamp, taskName, restOfMessage
    | filter ispresent(taskName)
    | stats count(*) by bin(30s)

Would appreciate any advice

Topics
Management & Governance
Tags
Amazon CloudWatchCloudWatch Logs Insights
Language
English
losty
asked 2 years ago359 views
1 Answer
0

You can visualise in 'Stacked area' or 'Line' graph, when you use the bin() function. Hence, you were able to get the stacked area chart in your second query only.

For queries, where you group by fieldName and not use bin() function, stacked area and line charts cannot be visualised. Such queries generate bar charts only. This restriction is mentioned on AWS documentation here.

To be able to plot a stacked area chart with grouping for different fields - you can modify the query to include aggregation across the fields' possible values in your stats statement. This can be done by having different taskName(s) specified across the function you use for aggregation.

For example, in the query below I have used sum() function across different taskName(s):

fields @message
| parse @message "[*] something*,*" as hash, taskName, restOfMessage
| display @timestamp, taskName, restOfMessage
| filter ispresent(taskName)
| stats sum(taskName = 'task1') as task1, sum(taskName = 'task2') as task2, sum(taskName = 'task3') as task3 by bin(30s)

Change the above query accordingly to include as many taskName(s) necessary, and by using the appropriate values for taskName (task1, task2 etc.) in the sum() function's attributes.

This should allow for a stacked area chart to show up, with stacks for each different taskName. Hope this workaround helps!

profile pictureAWS
SUPPORT ENGINEER
Shreyas_M
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content