Timeline expression
When we open the Timeline window for the first time, it shows the expression .es(*)
, which means it shows all the indexes of Elasticsearch and combines them. If we want to fetch any specific Elasticsearch index, then we need to provide the name of the index inside the .es()
method, as shown in the following command:
.es(index=metricbeat-*)
In this way, we are specifying the name of the index as metricbeat-*
. It helps us to get the details from any specific index:
The Timelion expression starts with a dot. After that, we provide the function name and then the parentheses, in which we provide all the parameters that we can apply. By default, an asterisk is shown inside the parentheses to fetch all the available index data.