ServerOps.ggbeta
GuidesLogsDashboard

Sparkline timeline

The stacked bar chart above the result list. Click bars to filter, drag across them to select a range.

Sparkline timeline

When your search returns events, a small chart appears above the result list. It plots the events across the picker-controlled time window, bucketed into roughly 60 columns, stacked by severity.

Reading the chart

  • Width. The chart spans the full selected time range (last hour, last 24h, etc.). The newest bucket is on the right, oldest on the left.
  • Height. Each bar's height is the count of events that fell into that bucket.
  • Colours. Stacking order matches severity, with the most attention-grabbing at the bottom of each bar:
    • Magenta: fatal
    • Red: error
    • Amber: warn
    • Slate: info
    • Dim slate: debug / trace

So at a glance you can see "this minute had 80 events, mostly info but a chunk of warns".

Hover for the breakdown

Hover any bar and a small tooltip appears with the exact time, total count, and a per-severity breakdown for that bucket.

Click to narrow to a bucket

Click any bar. The search bar gets a ts between clause covering just that bucket's window (typically a minute or two depending on your range). The result list re-renders to only those events.

This is the fastest way to investigate a visible spike: see the tall red bar, click it, see the events that caused it.

Drag across multiple bars

Mouse down on the first bar of interest and drag across to the right (or left). A semi-transparent orange overlay tracks the selection. Release and the search bar gets a ts between clause covering the entire span you highlighted.

Use drag when one bucket is too narrow but you do not want to widen the picker all the way.

Repeated clicks replace, do not stack

If you have already clicked one bar and then click another, the second click replaces the first ts between clause. You will not get five overlapping AND ts between clauses in your query. Same for drag.

When the chart hides

The sparkline is rendered only for events queries that have results. It is hidden when:

  • You have not run a query yet
  • The result list is empty
  • The query has a group by clause (the bar chart below replaces it)
  • Live tail is active

What the chart represents

The bucket layout is anchored to the moment the search ran, not "now". If you sit on the page for several minutes, the bars do not drift: they show the same window that produced the visible events. To slide the window forward, re-run the search.

Counts reflect the visible page of results (typically 100 events). If your search has more matches than fit on one page, the sparkline does not see the rest. For an authoritative time-series across the full retention window, write a group by query against your dataset.

Back button

Step backwards through the queries you ran during a session.

Facets sidebar

Top values for severity, dataset, and source across the current result page, with one-click filters.

On this page

Sparkline timelineReading the chartHover for the breakdownClick to narrow to a bucketDrag across multiple barsRepeated clicks replace, do not stackWhen the chart hidesWhat the chart represents