Line chart

Line charts facilitate the viewing of trends over time.

The NQL query must include a timestamp field and one or more aggregations.

Data shape

<timestamp>, <kpi1>, <kpi2>, ...

NQL structure

Refer to the Live Dashboards NQL examples documentation for query examples of line chart widgets.

Aggregated KPI over time

<event table> <time_duration>
...
summarize <kpi1>, <kpi2>, ... by <time_duration_granularity>
(list <time>, <kpi1>, <kpi2>, ...)

The list line is optional. If you don’t specify the list line, the system uses start_time by default. If you would like to use a different time field, for example end_time, you can use the list line to specify this.

Series names

Series names come from their corresponding variable names in the NQL query.

The variable names are formatted with the following heuristic:

Underscores are replaced with spaces.
The first character of the variable is changed to upper-case.

Configuring visualization fields specific to line charts

Refer to the Managing Live Dashboards documentation to learn how to fill in the remaining configuration fields that are not specific to this widget.

After selecting the Line chart option from the Chart type dropdown in the Add widget/Edit a widget pop-up:

Give the widget a Title (optional).
Enter an Widget description (optional) to explain, for example, how the metric should be interpreted, calculated, or any subtleties to the metric.
- The widget description appears by hovering over the info icon next to the line chart widget in the dashboard.
Establish Rating thresholds to shade portions of the line chart in red or yellow, and quickly assess data for troubleshooting. Choose from:
- 1 threshold: The line chart shows a red section to indicate a bad range.
  - The system evaluates thresholds with the >= operator. The example above is evaluated as follows:
    Good: if the metric is < 2.2
    Bad: f the metric is >= 2.2
  - Select Invert to invert the good and bad conditions. When inverted, the example above is evaluated as follows:
    Bad: if the metric is < 2.2
    Good: if the metric is >= 2.2
- 2 thresholds: the line chart shows a red section to indicate a bad range and a yellow section to indicate an average range.
  - The system evaluates thresholds with the >= operator. The example above is evaluated as follows:
    Good: if the metric is < 100
    Average: if the metric is >= 100 AND the metric is < 500
    Bad: if the metric is >= 500
  - Select Invert to invert the good and bad conditions. When inverted, the example above is evaluated as follows:
    Bad: if the metric is < 100
    Average: if the metric is >= 100 AND the metric is < 500
    Good: if the metric is >= 500

Multiple metrics in line charts

Nexthink does not recommend mixing metrics with different units on the same line chart. If you choose to mix metrics of different units in the same line chart, note that the unit of measure is dictated by the order of the metric in the query:

The y-axis displays the unit of the first metric in the query.
The maximum value depends on the maximum value of all series, i.e., it may take the maximum value from the second series even though they are different units.

Example 1

execution.events during past 7d
| where binary.name == "outlook.exe" 
| summarize 
   memory__ = memory.avg() , 
   execution_duration__ = execution_duration.sum() by 1d

The system takes the unit from memory__, which is a bytes field. To obtain the maximum value for the y-axis, the system compares the maximum value of the memory__ series, which is 262MB (274 million bytes), to the maximum value of execution_duration__, which is 13 weeks (7 million seconds). The system uses the value of 262MB.

Example 2

execution.events during past 7d
| where binary.name == "outlook.exe"
| summarize 
   execution_duration__ = execution_duration.sum(), 
   memory__ = memory.avg() by 1d

The system takes the unit from execution_duration__, which is a duration field. To obtain the maximum value for the y-axis, the system compares the maximum value of the memory__ series, which is 262MB (274 million bytes), to the maximum value of execution_duration__, which is 13 weeks (7 million seconds). The system uses the value of 274 million and treats it as seconds (274 million seconds = 454 weeks, 4 days).

Breaking metrics down into segments

Line chart queries support the use of statements to break metrics down into data segments, by adding properties after the summarize ... by keyword.

For example, the query below retrieves custom trend snapshots. It breaks down the evolution of the number of crashes per hardware_manufacturer.

custom_trend.#execution.snapshots during past 90d
| summarize 
  crashes_per_device = nb_crashed.sum() / device.count() by 1d, 
  hardware_manufacturer
| sort crashes_per_device desc

Display more breakdowns by adding properties at the end of the summarize statement. For example, add device.hardware.model after hardware_manufacturer to display a breakdown of both manufacturer and model.

custom_trend.#execution.snapshots during past 90d
| summarize 
  crashes_per_device = nb_crashed.sum() / device.count() by 1d, 
  hardware_manufacturer, 
  device.hardware.model
| sort crashes_per_device desc

The line chart only displays the top 5 series.

Use the sort clause to select the series with the largest metric value for a given period. For example, the | sort crashes_per_device desc in the query above selects the 5 hardware manufacturer and models with the most crashes per device.

Apply filters to the dashboard to see other series.