Experiments with Kibana Timelion

Timelion was released in November 2015 and with the 4.4.2 release of Kibana is available as a native visualisation once installed. It adds some powerful capabilities to Kibana as an timeseries analysis tool, using its own data manipulation language.

Installing Timelion is a piece of cake:

./bin/kibana plugin -i kibana/timelion

After restarting Kibana, you'll see it as an option from the application picker

There's a bit of a learning curve with Timelion, but it's worth it. The blog gives some basics, and the built-in help is really good too:

Best of all is the built-in context completion when you're building up your expression:

The default expression, .es(*) shows a count of everything in Elasticsearch:

We can access metrics and perform aggregations on them. In this example I'm using OS data collected from Topbeat, and showing the system 1-minute load average:

.es(metric='max:load.load1')

You can specify multiple metrics to plot, by comma-separating each expression:

.es(metric='max:load.load1'), .es(metric='max:load.load5')

It starts to get really cool when you consider the chaining you can do with the Timelion functions within each expression. For example, adding a moving average to the data is as simple as including the function on the end of the expression:

.es(index=logstash-*).movingaverage(12)

As well as data manipulation you can do formatting and labelling too, for example here with the .label function, and combined with the second time series to plot the actual and the moving average:

.es(index=logstash-*),.es(index=logstash-*).movingaverage(12).label('12hr moving average')

In this syntax you can also see how you restrict the timeseries to a given set of Elasticsearch indices.

So that's data from Elasticsearch - but Timelion does more than that. It has support for pulling in data from other sources, including Quandl. This is useful as it provides a great way to access complex datasets for experimenting with Timelion.

Quandl gives free access to a whole bunch of time series data, including financial, economic and commodity prices. There's a paid option too for the most recent or intra-day data, but plenty of free stuff to play with. To get started simply sign up, which gives you access to your API key. Take this, and add it to the Timelion configuration file

cd my-kibana-install-folder  
cd installedPlugins/timelion/  
cp timelion.json timelion.json.bak  
vi timelion.json  

Add your API key into the quandl part of the configuration:

{
  "quandl": {
    "key": "nevergonnagiveyouup"
  },
[...]

Restart Kibana, and you're good to go. To use Quandl find the timeseries of interest on the Quandl website. In this example we've got the stock price of Heineken. In the top-right you'll see the Quandl API code (in this example, it's EURONEXT/HEIA):

Head over to Timelion and create a new timeseries expression, using the Quandl API code you just got and the Timelion .quandl function:

.quandl('EURONEXT/HEIA')

As before, you can plot multiple series on the same chart (note the use of the .yaxis function here to put the second series on the right-hand y-axis:

.quandl('EURONEXT/HEIA'), .quandl('DY2/I3020000060').yaxis(2)

Multiple charts can be included on the same sheet, using the "Add Chart" button available from the options menu on the top-right of the page:

With multiple charts note that the hover-over cursor is mirrored on all charts for aiding comprehension:


The Timelion plugin as seen above is a good place to start for trying it out, but as of 4.4.2 release of Kibana once you've installed Timelion it's available within Kibana itself:

You can build up the visualisation using the same syntax as before:

.quandl('EURONEXT/HEIA'),.quandl('GOOG/NASDAQ_MLHR')

Since it's a native visualisation object in Kibana, this means that you can include Timelion in your Kibana dashboards too:

(Just in case you ever want to show CPU performance against the stock price of a beer company...)


So I think Timelion is pretty damned neat. It's worth taking the time to figure out the syntax, as its potential is great - and its close integration with Kibana bodes well for its future in the product.

What are you waiting for? Even if you've not got any data in Elasticsearch, you can use Quandl to start exploring the potential for Timelion. Go get it now!