Creating an index pattern

edit

Creating an index pattern

edit

To explore and visualize data in Kibana, you must create an index pattern. An index pattern tells Kibana which Elasticsearch indices contain the data that you want to work with. Once you create an index pattern, you’re ready to:

  • Interactively explore your data in Discover.
  • Analyze your data in charts, tables, gauges, tag clouds, and more in Visualize.
  • Show off your data in a Canvas workpad.
  • If your data includes geo data, visualize it with Maps.

Read-only access

edit

If you have insufficient privileges to create or save index patterns, a read-only indicator appears in Kibana. The buttons to create new index patterns or save existing index patterns are not visible. For more information, see Granting access to Kibana.

Example of Index Pattern Management’s read only access indicator in Kibana’s header

Create an index pattern

edit

If you are in an app that requires an index pattern, and you don’t have one yet, Kibana prompts you to create one. Or, you can go directly to Management > Kibana > Index Patterns.

Menu with rollup index pattern

Standard index pattern

edit

Just start typing in the Index pattern field, and Kibana looks for the names of Elasticsearch indices that match your input. Make sure that the name of the index pattern is unique.

Create index pattern

Your index pattern can match multiple Elasticsearch indices. Use a comma to separate the names, with no space after the comma. The notation for wildcards (*) and the ability to "exclude" (-) also apply (for example, test*,-test3).

If Kibana detects an index with a timestamp, you’re asked to choose a field to filter your data by time. If you don’t specify a field, you won’t be able to use the time filter.

Rollup index pattern

edit

If a rollup index is detected in the cluster, clicking Create index pattern includes an item for creating a rollup index pattern. You can match an index pattern to only rolled up data, or mix both rolled up and raw data to explore and visualize all data together. An index pattern can match only one rollup index. When matching multiple indices, use a comma to separate the names, with no space after the comma.

For specific fields, the data in a rollup index includes only summarized metrics. From the original raw data, you are unable to search any other field.

Cross-cluster search index pattern

edit

If your Elasticsearch clusters are configured for cross-cluster search, you can create index patterns to search across the clusters of your choosing. Using the same syntax that you’d use in a raw cross-cluster search request in Elasticsearch, create your index pattern with the convention <cluster-names>:<pattern>.

For example, to query Logstash indices across two Elasticsearch clusters that you set up for cross-cluster search, which are named cluster_one and cluster_two, you would use cluster_one:logstash-*,cluster_two:logstash-* as your index pattern.

You can use wildcards in your cluster names to match any number of clusters, so if you want to search Logstash indices across clusters named cluster_foo, cluster_bar, and so on, you would use cluster_*:logstash-* as your index pattern.

To query across all Elasticsearch clusters that have been configured for cross-cluster search, use a standalone wildcard for your cluster name in your index pattern: *:logstash-*.

You can use exclusions to exclude indices that might contain mapping errors. To match indices starting with logstash-, and exclude those starting with logstash-old from all clusters having a name starting with cluster_, you can use cluster_*:logstash-*,cluster*:logstash-old*. To exclude a cluster, use cluster_*:logstash-*,cluster_one:-*.

Once an index pattern is configured using the cross-cluster search syntax, all searches and aggregations using that index pattern in Kibana take advantage of cross-cluster search.

Manage your index pattern

edit

To drill down into the fields and associated data types in an index pattern, click its name in the Index patterns overview page. For more information, refer to Index Patterns and Fields.