The .es function pulls the data for a series from the Elasticsearch instance. It accepts several parameters, each of which has a name that can be set inside the parentheses as name=value. The parameters also have a fixed positional order, q, metric, split, index, timefield, kibana, interval, offset, fit, and if we omit a parameter's name, Timelion assigns the bare value to the next name in that order, so .es(*, count) means the same as .es(q=*, metric=count). Naming the parameters is the safer habit, because the order then no longer matters and a value cannot silently land on the wrong parameter. Now, let's look at the parameters:
- The first parameter is q, the query, which filters the documents in Lucene query string syntax (the same syntax as the Kibana search bar). Its default is *, which matches everything, so the two expressions below count all documents and only the documents whose country field is de, respectively:
.es(q=*)
.es(q=country:de)
- The index parameter specifies the Elasticsearch index, or index pattern (wildcards are accepted), to query, so the expression runs against one set of indices instead of every index in the cluster. When it is omitted, Timelion uses the timelion:es.default_index advanced setting, whose default is _all, so it pays to name the index explicitly, both for speed and so that the series is not built from indices you did not intend to include:
.es(index=metricbeat-*)
.es(q='some query', index=logstash-*)
- Another parameter is metric, which specifies the aggregation to apply and the field it runs on, in the form agg:field. The aggregation is one of avg, sum, min, max, cardinality, or percentiles (the last one also takes the percentiles to compute, for example, percentiles:bytes:95,99). The default is count, which needs no field. The avg, sum, min, and max aggregations require a numeric field, so a keyword field such as system.process.name cannot be used with them; a numeric Metricbeat field works:
.es(metric=min:system.process.cpu.total.pct)
- We can use the split parameter to split the series on a field, in the form field:limit, for example, hostname:5 to get one series for each of the top five hostnames:
.es(split=country:4, metric=sum:bytes)
- Another parameter is offset, which shifts the series in time by a date expression, so that older data is drawn as if it were happening now. For example, -1w retrieves the data from one week earlier and plots it over the current time range, which is the usual way to compare this week's series with last week's, or a current series with its baseline:
.es(offset=-1w)
- We also have the timefield parameter, which sets the field of type date that is used for the x axis. There are two ways to set it: globally, through the timelion:es.timefield option under Advanced Settings in Kibana (the default is @timestamp), or per series, with the timefield parameter of the .es function. The Advanced Settings option applies to every series, while the parameter overrides it for the individual series it is given on.
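To make the positional rule and the agg:field, field:limit, and offset formats concrete, here is a small parser for .es() argument lists. It is an added example for this page, written in Python, and is not Timelion's own code. It assumes the positional order Timelion documents (q, metric, split, index, timefield, kibana, interval, offset, fit) and, as simplifications, that bare values fill that order in order of appearance and that offsets use fixed-length units only (no month or year). The expression in the __main__ block, with the ECS fields event.outcome and host.name and the index pattern filebeat-*, is constructed for the demonstration.

```python
"""Parse the argument list of a Timelion .es() expression.

Added example for this page, not Timelion's own parser. The positional
order below is the one Timelion's function reference documents; the rest
is a simplified stand-alone re-implementation for illustration.
"""
import re
from datetime import timedelta

# Positional order of .es() arguments. A bare value (no name=) is assigned
# the next name in this tuple, which is why the order matters.
ES_ARG_ORDER = ("q", "metric", "split", "index", "timefield",
                "kibana", "interval", "offset", "fit")

# Aggregations accepted in metric=<agg>:<field>; count takes no field.
METRIC_AGGS = {"avg", "sum", "min", "max", "cardinality", "percentiles", "count"}

# Offset units with a fixed length (assumption: calendar units M/y are
# left out of this simplified version because they need date arithmetic).
OFFSET_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def _strip_quotes(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def _split_top_level(text):
    """Split on commas that are not inside a quoted string."""
    parts, buf, quote = [], [], None
    for ch in text:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_es_args(expr):
    """Return the arguments of one .es(...) call as a dict keyed by name."""
    m = re.fullmatch(r"\s*\.es\((.*)\)\s*", expr, re.S)
    if not m:
        raise ValueError("expected a single .es(...) expression")
    args, position = {}, 0
    for part in _split_top_level(m.group(1)):
        name, eq, value = part.partition("=")
        name = name.strip()
        if eq and re.fullmatch(r"[A-Za-z_]+", name):
            if name not in ES_ARG_ORDER:
                raise ValueError(f"unknown .es() argument: {name}")
            args[name] = _strip_quotes(value.strip())
        else:
            # Assumption: bare values fill ES_ARG_ORDER in order of appearance.
            if position >= len(ES_ARG_ORDER):
                raise ValueError("too many positional arguments")
            args[ES_ARG_ORDER[position]] = _strip_quotes(part)
            position += 1
    return args


def parse_metric(spec):
    """metric=<agg>:<field>, metric=count, or metric=percentiles:<field>:<p,...>."""
    agg, _, rest = spec.partition(":")
    if agg not in METRIC_AGGS:
        raise ValueError(f"unsupported metric aggregation: {agg!r}")
    if agg == "count":
        if rest:
            raise ValueError("count takes no field")
        return {"agg": "count", "field": None}
    if agg == "percentiles":
        field, _, pcts = rest.partition(":")
        if not field or not pcts:
            raise ValueError("percentiles needs field:p1,p2 e.g. percentiles:bytes:95,99")
        return {"agg": agg, "field": field, "percents": [float(p) for p in pcts.split(",")]}
    if not rest:
        raise ValueError(f"{agg} needs a field, e.g. {agg}:bytes")
    return {"agg": agg, "field": rest}


def parse_split(spec):
    """split=<field>:<limit> -> (field, limit)."""
    field, sep, limit = spec.rpartition(":")
    if not sep or not field or not limit.isdigit():
        raise ValueError("split must look like field:limit, e.g. hostname:5")
    return field, int(limit)


def parse_offset(spec):
    """offset=-1w -> timedelta(weeks=-1); a negative offset looks into the past."""
    m = re.fullmatch(r"([+-]?)(\d+)([smhdw])", spec)
    if not m:
        raise ValueError(f"unsupported offset: {spec!r}")
    sign, n, unit = m.groups()
    delta = timedelta(**{OFFSET_UNITS[unit]: int(n)})
    return -delta if sign == "-" else delta


def describe(expr):
    """Parse a whole .es() call into structured arguments (count is the default metric)."""
    out = parse_es_args(expr)
    out["metric"] = parse_metric(out.get("metric", "count"))
    if "split" in out:
        out["split"] = parse_split(out["split"])
    if "offset" in out:
        out["offset"] = parse_offset(out["offset"])
    return out


if __name__ == "__main__":
    # Constructed expression: failed logins per host, shifted back one week.
    print(describe(".es(q='event.outcome:failure', index=filebeat-*, "
                   "metric=count, split=host.name:5, offset=-1w)"))
```

Running it on the page's own expressions shows why naming matters: .es(*, count, country:4) parses to exactly the same arguments as .es(q=*, metric=count, split=country:4), and a typo such as metric=agg:bytes is rejected before anything reaches Elasticsearch.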