Creating an index pattern
editCreating an index pattern
editTo explore and visualize data in Kibana, you must create an index pattern. An index pattern tells Kibana which Elasticsearch indices contain the data that you want to work with. Once you create an index pattern, you’re ready to:
Read-only access
editIf you have insufficient privileges to create or save index patterns, a read-only indicator appears in Kibana. The buttons to create new index patterns or save existing index patterns are not visible. For more information, see Granting access to Kibana.
Create an index pattern
editIf you are in an app that requires an index pattern, and you don’t have one yet, Kibana prompts you to create one. Or, you can go directly to Management > Kibana > Index Patterns.
Standard index pattern
editJust start typing in the Index pattern field, and Kibana looks for the names of Elasticsearch indices that match your input. Make sure that the name of the index pattern is unique.
Your index pattern can match multiple Elasticsearch indices.
Use a comma to separate the names, with no space after the comma. The notation for
wildcards (*
) and the ability to "exclude" (-
) also apply
(for example, test*,-test3
).
If Kibana detects an index with a timestamp, you’re asked to choose a field to filter your data by time. If you don’t specify a field, you won’t be able to use the time filter.
Rollup index pattern
editIf a rollup index is detected in the cluster, clicking Create index pattern includes an item for creating a rollup index pattern. You can match an index pattern to only rolled up data, or mix both rolled up and raw data to explore and visualize all data together. An index pattern can match only one rollup index. When matching multiple indices, use a comma to separate the names, with no space after the comma.
For specific fields, the data in a rollup index includes only summarized metrics. From the original raw data, you are unable to search any other field.
Cross-cluster search index pattern
editIf your Elasticsearch clusters are configured for cross-cluster search, you can create
index patterns to search across the clusters of your choosing. Using the
same syntax that you’d use in a raw cross-cluster search request in Elasticsearch, create your
index pattern with the convention <cluster-names>:<pattern>
.
For example, to query Logstash indices across two Elasticsearch clusters
that you set up for cross-cluster search, which are named cluster_one
and cluster_two
,
you would use cluster_one:logstash-*,cluster_two:logstash-*
as your index pattern.
You can use wildcards in your cluster names
to match any number of clusters, so if you want to search Logstash indices across
clusters named cluster_foo
, cluster_bar
, and so on, you would use cluster_*:logstash-*
as your index pattern.
To query across all Elasticsearch clusters that have been configured for cross-cluster search,
use a standalone wildcard for your cluster name in your index
pattern: *:logstash-*
.
You can use exclusions to exclude indices that might contain mapping errors.
To match indices starting with logstash-
, and exclude those starting with logstash-old
from
all clusters having a name starting with cluster_
, you can use cluster_*:logstash-*,cluster*:logstash-old*
.
To exclude a cluster, use cluster_*:logstash-*,cluster_one:-*
.
Once an index pattern is configured using the cross-cluster search syntax, all searches and aggregations using that index pattern in Kibana take advantage of cross-cluster search.
Manage your index pattern
editTo drill down into the fields and associated data types in an index pattern, click its name in the Index patterns overview page. For more information, refer to Index Patterns and Fields.