
Area chart based on query in Kibana 4


I have a build system for a couple of components, with some branches and some jobs on these branches. A typical JSON for an event looks more or less like this (I removed unrelated information):

{
  "_index": "logstash-2015.04.08",
  "_type": "time",
  "_id": "AUyeQ2u19d6vbBbSmlDE",
  "_score": null,
  "_source": {
    "@timestamp": "2015-04-08T02:34:17.000Z",
    "column6": "component1",
    "column7": "trunk",
    "column8": "['x86', 'UT']",
    "column10": 500
  },
  "fields": {
    "@timestamp": [
      1428460457000
    ]
  },
  "sort": [
    1428460457000
  ]
}

I would like to build an Area Chart based on the following query: one particular branch (column7) AND one particular component (column6). Each job type (column8) would contribute the value located in column10. How can I do that?


Solution

  • First create an Area Chart with the Y axis being the Sum, Average, Min, or Max of column10.

    Next on the X axis, create a Date Histogram on the @timestamp field.

    Add a sub-aggregation that is a split area aggregation with either a terms or a filter sub-aggregation. If you choose the terms, select field column6 and how many values you want to see.

    If you choose the filter aggregation, you can enter as many filters as you like (so you don't have to rely on the terms). For example, if you only want to see two specific values from column6, you could put one filter of column6:component1 and another of column6:component2.
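
An Elasticsearch request body of the kind such a chart corresponds to, for the question's case (one component in column6, one branch in column7, one area per job type in column8, sum of column10), with the same aggregation computed locally over constructed sample events. This is an added example, not code from the original post; the aggregation names over_time, job_type and value, the 1d interval and the sample documents are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events, shaped like the _source object in the question.
EVENTS = [
    ("2015-04-08T02:34:17.000Z", "component1", "trunk", "['x86', 'UT']", 500),
    ("2015-04-08T09:10:00.000Z", "component1", "trunk", "['x86', 'UT']", 250),
    ("2015-04-08T11:00:00.000Z", "component1", "trunk", "['arm', 'UT']", 300),
    ("2015-04-08T12:00:00.000Z", "component2", "trunk", "['x86', 'UT']", 900),
    ("2015-04-09T01:00:00.000Z", "component1", "trunk", "['x86', 'UT']", 400),
    ("2015-04-09T03:00:00.000Z", "component1", "branch1", "['x86', 'UT']", 700),
]
FIELDS = ("@timestamp", "column6", "column7", "column8", "column10")
DOCS = [dict(zip(FIELDS, row)) for row in EVENTS]

def build_request(component, branch, interval="1d"):
    """Search body: restrict to one component and branch, then bucket by
    time (X axis) and job type (split area), summing column10 (Y axis)."""
    return {
        "size": 0,  # only the aggregation buckets are needed, not the hits
        "query": {"query_string": {
            "query": "column6:%s AND column7:%s" % (component, branch)}},
        "aggs": {"over_time": {
            # "interval" is the pre-7.2 parameter name (calendar_interval later)
            "date_histogram": {"field": "@timestamp", "interval": interval},
            "aggs": {"job_type": {
                # assumes column8 is not_analyzed; an analyzed string
                # field would be bucketed per token instead
                "terms": {"field": "column8", "size": 10},
                "aggs": {"value": {"sum": {"field": "column10"}}},
            }},
        }},
    }

def area_series(docs, component, branch):
    """Local equivalent of the aggregation: {day: {job_type: sum}}."""
    series = defaultdict(lambda: defaultdict(int))
    for d in docs:
        if d["column6"] == component and d["column7"] == branch:
            day = d["@timestamp"][:10]  # 1d bucket; timestamps are UTC
            series[day][d["column8"]] += d["column10"]
    return {day: dict(jobs) for day, jobs in sorted(series.items())}

if __name__ == "__main__":
    print(json.dumps(build_request("component1", "trunk"), indent=2))
    print(json.dumps(area_series(DOCS, "component1", "trunk"), indent=2))
```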