Create a horizon chart query
To generate a horizon chart, write a query that returns events in the correct data format, using this query syntax:
... | timechart <stats_function> by <resource_field>
- timechart: Generates the _time field, which indicates the start time of the behavior you are tracking.
- <stats_function>: Use a stats function to aggregate the metric you are tracking by resource.
- <resource_field>: Indicates the resources in the set you are monitoring.
Search result data formatting
A horizon chart query returns results in a table with multiple columns. The first column must have _time field values. Additional columns represent resources in the set you are monitoring.
Check the Statistics tab after running a query to make sure that the results table includes the correct columns in the required order.
Results table columns: _time (Required) | Resource | Additional resources
Aggregating by resource over time
This query tracks recent earthquake activity by location.
source="earthquakes.csv" | timechart count by Region
This query generates a results table with columns for the _time field and each region.
Additional data formatting options
Here is a more complex example. This query tracks host activity by measuring byte transfers across a group of servers.
| inputlookup firewall_data.csv | eval _time = timestamp | eval bytes_out = -bytes_out | timechart span=10s sum(bytes_in) sum(bytes_out) by server_name | table _time *sv111 *sv18 *sv19 *sv2 *sv241 *sv248 *sv254 *sv8
The query includes the following optional data formatting.
eval bytes_out = -bytes_out
- Inverts the sign of bytes_out so that incoming and outgoing traffic are easier to compare on the same chart.
timechart span=10s ...
- Summarizes traffic in ten-second spans.
... sum(bytes_in) sum(bytes_out) by server_name
- Aggregates the incoming and outgoing series per server so that they are easier to compare.
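As an added example that is not part of this documentation, the following Python script reproduces what the firewall query above does to its events: the two eval steps, the ten-second bucketing, the per-server sums, and the _time-first column layout the horizon chart requires. The sample events are constructed, and the "sum(field): resource" column naming for split series is an assumption of the example rather than something the page states.

```python
from collections import defaultdict

# Constructed sample firewall events (not from the page): epoch seconds, server, bytes in/out.
EVENTS = [
    {"timestamp": 1700000001, "server_name": "sv8",  "bytes_in": 500, "bytes_out": 120},
    {"timestamp": 1700000004, "server_name": "sv18", "bytes_in": 300, "bytes_out": 900},
    {"timestamp": 1700000009, "server_name": "sv8",  "bytes_in": 200, "bytes_out": 80},
    {"timestamp": 1700000012, "server_name": "sv18", "bytes_in": 100, "bytes_out": 50},
    {"timestamp": 1700000015, "server_name": "sv19", "bytes_in": 50,  "bytes_out": 30},
    {"timestamp": 1700000017, "server_name": "sv8",  "bytes_in": 700, "bytes_out": 10},
]

def prepare(events):
    """The two eval steps: `eval _time = timestamp` and `eval bytes_out = -bytes_out`,
    so outgoing traffic plots below zero and incoming traffic above it."""
    return [dict(ev, _time=ev["timestamp"], bytes_out=-ev["bytes_out"]) for ev in events]

def timechart_sum(events, span, fields, by):
    """Mimic `timechart span=<span> sum(f1) sum(f2) ... by <by>`: floor _time to the span,
    sum each field per resource, and name split series "sum(field): resource" (assumed naming).
    Cells with no events in that span are left empty (None) in this example."""
    buckets = defaultdict(lambda: defaultdict(int))
    resources = set()
    for ev in events:
        t = ev["_time"] - ev["_time"] % span
        resources.add(ev[by])
        for f in fields:
            buckets[t][f"sum({f}): {ev[by]}"] += ev[f]
    # _time first, then each resource's series side by side, which is what
    # `table _time *sv111 *sv18 ...` achieves in the original query.
    columns = ["_time"] + [f"sum({f}): {r}" for r in sorted(resources) for f in fields]
    rows = [[t] + [buckets[t].get(c) for c in columns[1:]] for t in sorted(buckets)]
    return columns, rows

def check_horizon_format(columns, rows):
    """Validate the results-table shape the horizon chart needs: _time in the first
    column, at least one resource column, and every row the same width."""
    return (columns[0] == "_time" and len(columns) > 1
            and all(len(r) == len(columns) for r in rows))

def horizon_table():
    """Run the pipeline on the sample events and return (columns, rows)."""
    columns, rows = timechart_sum(prepare(EVENTS), 10, ["bytes_in", "bytes_out"], "server_name")
    assert check_horizon_format(columns, rows)
    return columns, rows

if __name__ == "__main__":
    cols, rows = horizon_table()
    print(" | ".join(cols))
    for row in rows:
        print(" | ".join("" if v is None else str(v) for v in row))
```

Before trusting a chart, run the same shape check on your own results: if the first column is not _time, the visualization has nothing to place on the time axis.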
This documentation applies to the following versions of Horizon Chart: 1.0.0, 1.1.0, 1.2.0, 1.3.0