# Line chart Line charts facilitate the viewing of trends over time.

The NQL query must include a timestamp field and at least one aggregation. ## Data shape `, , , ...` ## NQL structure {% hint style="info" %} Refer to the [Live Dashboards NQL examples](https://docs.nexthink.com/platform/user-guide/live-dashboards-nql-examples#livedashboardsnqlexamples-linechart) documentation for query examples of line chart widgets. {% endhint %} Aggregated KPI over time ``` ... summarize , , ... by (list , , , ...) ``` The list line is optional. If you don’t specify the list line, the system uses `start_time` by default. If you would like to use a different time field, for example `end_time`, you can use the list line to specify this. ### Series names Series names come from their corresponding variable names in the NQL query.

The variable names are formatted with the following heuristic: * Underscores are replaced with spaces. * The first character of the variable is changed to upper-case. ## Configuring visualization fields specific to line charts {% hint style="info" %} To learn how to fill in the remaining configuration fields that are not specific to this widget, refer to the [Managing Live Dashboards](https://docs.nexthink.com/platform/user-guide/managing-live-dashboards#filling-in-widget-visualization-fields) documentation. {% endhint %} After selecting the **Line chart** option from the **Chart type** dropdown in the [Add widget](https://docs.nexthink.com/platform/user-guide/managing-live-dashboards#adding-widgets)/[Edit a widget](https://docs.nexthink.com/platform/user-guide/managing-live-dashboards#managing-widgets) pop-up: 1. Give the widget a **Title (optional)**. 2. Enter an **Widget description (optional)** to explain, for example, how the metric should be interpreted, calculated, or any subtleties to the metric. * The widget description appears by hovering over the info icon next to the line chart widget in the dashboard. 3. Establish **Rating** thresholds to shade portions of the line chart in red or yellow, and quickly assess data for troubleshooting. Choose from:

\ **1 threshold**: The line chart shows a red section to indicate a **bad** range. * The system evaluates thresholds with the >= operator. The example above is evaluated as follows: * **Good**: if the metric is < 2.2 * **Bad**: if the metric is >= 2.2 * Select **Invert** to invert the good and bad conditions. When inverted, the example above is evaluated as follows: * **Bad**: if the metric is < 2.2 * **Good**: if the metric is >= 2.2

\ **2 thresholds**: the line chart shows a red section to indicate a **bad** range and a yellow section to indicate an **average** range. * The system evaluates thresholds with the >= operator. The example above is evaluated as follows: * **Good**: if the metric is < -80 * **Average**: if the metric is >= -80 AND the metric is < -60 * **Bad**: if the metric is >= -60 * Select **Invert** to invert the good and bad conditions. When inverted, the example above is evaluated as follows: * **Bad**: if the metric is < -80 * **Average**: if the metric is >= -80 AND the metric is < -60 * **Good**: if the metric is >= -60 {% hint style="info" %} The **y-axis** maximum and minimum values are based on the highest and lowest values across the data series. The system extends these bounds to ensure the thresholds are visible, at a relative distance from the data series, enabling accurate interpretation. {% endhint %} ## Multiple metrics in line charts Nexthink does not recommend mixing metrics with different units on the same line chart. If you choose to mix metrics of different units in the same line chart, note that the unit of measure is dictated by the order of the metric in the query: * The **y-axis** displays the unit of the first metric in the query. * The y-axis maximum and minimum values are based on the highest and lowest values across all displayed series, regardless of the series metric units. The system expands these values for scaling purposes. **Example 1** ``` execution.events during past 7d | where binary.name == "outlook.exe" | summarize memory__ = memory.avg() , execution_duration__ = execution_duration.sum() by 1d ``` The system takes the unit from `memory__`, which is a **bytes field**. To obtain the maximum value for the **y-axis**, the system compares the maximum value of the `memory__` series, which is 386MB (405 million bytes), to the maximum value of `execution_duration__`, which is 64 weeks (38 million seconds). The system uses 386 MB as the maximum value to scale the y-axis up to 477 MB for display and interpretation.

#### Example 2

execution.events during past 7d
| where binary.name == "outlook.exe"
| summarize 
   execution_duration__ = execution_duration.sum(), 
   memory__ = memory.avg() by 1d

The system takes the unit from `execution_duration__`, which is a **duration field**. To obtain the maximum value for the **y-axis**, the system compares the maximum value of the `memory__` series, which is 386MB (405 million bytes), to the maximum value of `execution_duration__`, which is 64 weeks (38 million seconds). The system uses the value of 405 million and treats it as seconds (405 million seconds = 669 weeks and 4,5 days) to scale the y-axis up to 826 weeks and 5 days for display and interpretation.

### Breaking metrics down into segments Line chart queries support the use of [`summarize`](#user-content-fn-1)[^1] statements to break metrics down into data segments, by adding properties after the `summarize ... by` keyword. For example, the query below retrieves custom trend snapshots. It breaks down the evolution of the number of crashes per `hardware_manufacturer`. ``` execution.crashes during past 30d | summarize crashes_per_device = count() / device.count() by 1d, device.hardware.manufacturer | sort crashes_per_device desc ```

Display more breakdowns by adding properties at the end of the `summarize` statement. For example, add `device.hardware.model` after `hardware_manufacturer` to display a breakdown of both manufacturer and model. ``` execution.crashes during past 30d | summarize total_crashes = count(), unique_devices = device.count(), crashes_per_device = count() / device.count() by device.hardware.manufacturer, device.hardware.model, 1d | sort crashes_per_device desc ``` {% hint style="info" %} The line chart only displays the top 5 series. {% endhint %} Use the `sort` clause to select the series with the largest metric value for a given period. For example, the `| sort crashes_per_device desc` in the query above selects the 5 hardware manufacturers and models with the most crashes per device. Apply filters to the dashboard to see other series.

*** RELATED TOPICS * [KPI](https://docs.nexthink.com/platform/user-guide/live-dashboards/widget-types/kpi) * [Bar chart](https://docs.nexthink.com/platform/user-guide/live-dashboards/widget-types/bar-chart) * [Single-metric gauge chart](https://docs.nexthink.com/platform/user-guide/live-dashboards/widget-types/single-metric-gauge-chart) * [Multi-metric gauge chart](https://docs.nexthink.com/platform/user-guide/live-dashboards/widget-types/multi-metric-gauge-chart) * [Table](https://docs.nexthink.com/platform/user-guide/live-dashboards/widget-types/table) * [Heading](https://docs.nexthink.com/platform/user-guide/live-dashboards/widget-types/heading) * [Filter widget](https://docs.nexthink.com/platform/user-guide/live-dashboards/widget-types/filter-widget) * [Timeframe picker](https://docs.nexthink.com/platform/user-guide/live-dashboards/widget-types/timeframe-picker) [^1]: summarize?