How do I create a stacked graph of HTTP codes in Kibana?

旧时难觅i 2021-01-31 16:29

I'm sending HTTP logs into Kibana, and the response codes (200, 401, 500, etc.) are correctly parsed out of them as a field. I'd like a time-series chart with the count of each

2 Answers
  • 2021-01-31 17:21

    This is a Kibana 3 answer, check this answer if you are using Kibana 4 or 5

    Kibana 3

    If I do not misunderstand your question what you need is:

    • Define your queries. If you want a bar per response type you need to define one query per response. You have to define a query field: <value> for filtering the exact value. For instance, you can have queries like:

    Defining the queries

    • Create a Histogram.
    • Configure the Histogram with:
      • Queries: You can select all the queries, or select only a few of the ones that you wrote in the first place.

    Queries

    • Panel: You can put a configuration like this. You can set a custom interval to group your logs, and you can stack the values as individual (makes more sense I think; when you put the mouse over the graph it will show the correct value and not the stacked one...). You can experiment a bit with the options.

    Panels

    The final result will be something like:

    Final result

  • 2021-01-31 17:23

    This is a Kibana 4/5 answer, check this answer if you are using Kibana 3

    Kibana 4/5

    At the moment of writing, the only version available for Kibana 4 is beta1, so these screenshots might be different in future versions of Kibana. I will try to keep them updated, if relevant changes are applied.

    Kibana 4 (and 5) provides some features that the previous version didn't have. For example, now we can build panels using the aggregations that were available in ES since version 1.0.

    To build a stacked graph of HTTP codes (or another field), you have to:

    • Click on the Visualize tab. This tab allows you to build panels that you can put afterwards in a dashboard.

    Visualize tab

    • Then you have to select that you want to create the visualization making a new search (or using an existing one, if you played before in the Discover tab). You have to select an existing index that you previously configured.

    Create a visualization from a search

    • Once you selected your index, you have to select the type of panel that you want. In this case, we will select a Vertical bar chart.

    Type of chart selection

    • Next we will find a beautiful page with a graph on the right part and a panel with different options. This panel will let us define a query to plot our data. Basically, what we want to plot on the Y axis is a count of documents (by default it is the one that is selected).

    Count of documents in the Y axis

    • Then we add a new aggregation. First we want a total count of documents distributed over time, and then we want to split this total by the different existing codes. Furthermore, the first aggregation will be per timestamp and the second one per code. You want to plot the timestamp on the X axis (select X axis) and you want to split the bars into the different codes (select Split bars). Your final configuration should be something like this:

    Final configuration

    • After applying, the final result should be something like this.

    Final plot

    • You can play with the interval, if you want to aggregate data for more or less time (there are several options like hourly, daily, monthly ...). Remember to change the timespan on the top, if you want to see more data, because this graph is limited by that timestamp.
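What the Kibana 4/5 steps above amount to on the Elasticsearch side, as an added example that is not part of the original answers: a date histogram (X axis) with a nested terms aggregation (Split bars), plus the zero-fill needed to stack the buckets. The field names `@timestamp` and `response`, the aggregation names `over_time` and `by_code`, and the sample response are assumptions constructed for illustration.

```python
import json

def build_request(ts_field="@timestamp", code_field="response", interval="1h"):
    """Body equivalent to: Y = Count, X = Date Histogram, Split Bars = Terms."""
    return {
        "size": 0,  # only the buckets are needed, not the matching documents
        "aggs": {
            "over_time": {
                # 'interval' is the parameter name in the Elasticsearch releases of
                # the Kibana 4/5 era; later ones use fixed_interval/calendar_interval
                "date_histogram": {"field": ts_field, "interval": interval},
                # the sub-aggregation splits each time bucket by status code
                "aggs": {"by_code": {"terms": {"field": code_field, "size": 20}}},
            }
        },
    }

def to_stacked_series(response):
    """Turn the nested buckets into one zero-filled count list per status code."""
    buckets = response["aggregations"]["over_time"]["buckets"]
    times = [b["key_as_string"] for b in buckets]
    codes = sorted({str(c["key"]) for b in buckets for c in b["by_code"]["buckets"]})
    # A terms aggregation omits codes with no documents in a time bucket,
    # so every series starts at 0 and only the reported counts are filled in.
    series = {code: [0] * len(buckets) for code in codes}
    for i, b in enumerate(buckets):
        for c in b["by_code"]["buckets"]:
            series[str(c["key"])][i] = c["doc_count"]
    return times, series

# Constructed sample response (assumed field values, not real log data)
SAMPLE_RESPONSE = {"aggregations": {"over_time": {"buckets": [
    {"key_as_string": "2021-01-31T10:00:00Z", "doc_count": 12,
     "by_code": {"buckets": [{"key": 200, "doc_count": 10}, {"key": 401, "doc_count": 2}]}},
    {"key_as_string": "2021-01-31T11:00:00Z", "doc_count": 9,
     "by_code": {"buckets": [{"key": 200, "doc_count": 5}, {"key": 500, "doc_count": 4}]}},
    {"key_as_string": "2021-01-31T12:00:00Z", "doc_count": 0,
     "by_code": {"buckets": []}},
]}}}

if __name__ == "__main__":
    print(json.dumps(build_request(), indent=2))
    times, series = to_stacked_series(SAMPLE_RESPONSE)
    for code, counts in series.items():
        print(code, dict(zip(times, counts)))
```
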