Create a data view
Kibana requires a data view to access the Elasticsearch data that you want to explore. A data view selects the data to use and allows you to define properties of the fields.
A data view can point to one or more indices, data streams, or index aliases. For example, a data view can point to your log data from yesterday, or all indices that contain your data.
Required permissions
- Access to Data Views requires the Kibana privilege `Data View Management`.
- To create a data view, you must have the Elasticsearch privilege `view_index_metadata`.
- If a read-only indicator appears in Kibana, you have insufficient privileges to create or save data views. The buttons to create data views or save existing data views are not visible. For more information, refer to Granting access to Kibana.
Create a data view
If you collected data using one of the Kibana ingest options, uploaded a file, or added sample data, you get a data view for free, and can start exploring your data. If you loaded your own data, follow these steps to create a data view.
- Open the main menu, then click Stack Management > Data Views.
- Click Create data view.
- Start typing in the name field, and Kibana looks for the names of indices, data streams, and aliases that match your input.
  - To match multiple sources, use a wildcard (*). For example, `filebeat-*` matches `filebeat-apache-a`, `filebeat-apache-b`, and so on.
  - To match multiple single sources, enter their names, separated by a comma. Do not include a space after the comma. `filebeat-a,filebeat-b` matches two indices, but does not match `filebeat-c`.
  - To exclude a source, use a minus sign (-), for example, `-test3`.
- If Kibana detects an index with a timestamp, expand the Timestamp field menu, and then select the default field for filtering your data by time.
  - If your index doesn’t have time-based data, choose I don’t want to use the time filter.
  - If you don’t set a default time field, you can’t use global time filters on your dashboards. This is useful if you have multiple time fields and want to create dashboards that combine visualizations based on different timestamps.
- To display all indices, click Show advanced settings, then select Allow hidden and system indices.
- To specify your own data view name, click Show advanced settings, then enter the name in the Custom data view ID field. For example, enter your Elasticsearch index alias name.
- Click Save data view to Kibana. Kibana is now configured to use your Elasticsearch data. When a new field is added to an index, the data view field list is updated the next time the data view is loaded, for example, when you load the page or move between Kibana apps.
- Select this data view when you search and visualize your data.
Create a data view for rolled up data
A data view can match one rollup index. For a combination rollup data view with both raw and rolled up data, use the standard notation:
rollup_logstash,kibana_sample_data_logs
For an example, refer to Create and visualize rolled up data.
Create a data view that searches across clusters
If your Elasticsearch clusters are configured for cross-cluster search, you can create a data view to search across the clusters of your choosing. You specify data streams, indices, and aliases in a remote cluster using the following syntax:
<remote_cluster_name>:<target>
To query Logstash indices across two Elasticsearch clusters that you set up for cross-cluster search, named `cluster_one` and `cluster_two`:
cluster_one:logstash-*,cluster_two:logstash-*
Use wildcards in your cluster names to match any number of clusters. To search Logstash indices across clusters named `cluster_foo`, `cluster_bar`, and so on:
cluster_*:logstash-*
To query across all Elasticsearch clusters that have been configured for cross-cluster search, use a standalone wildcard for your cluster name:
*:logstash-*
To match indices starting with `logstash-`, but exclude those starting with `logstash-old`, from all clusters having a name starting with `cluster_`:
`cluster_*:logstash-*,cluster_*:-logstash-old*`
To exclude a cluster having a name starting with `cluster_`:
`cluster_*:logstash-*,cluster_one:-*`
Once you configure a data view to use the cross-cluster search syntax, all searches and aggregations using that data view in Kibana take advantage of cross-cluster search.
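The wildcard, comma, and exclusion rules from the creation steps and the `<remote_cluster_name>:<target>` syntax in this section decide which sources a data view exposes, so it is worth checking a pattern's reach before saving it. The following is an added example, not Kibana or Elasticsearch code: a simplified Python model of the rules this page describes, run over a constructed inventory. `resolve_data_view`, `SOURCES`, the left-to-right handling of exclusions, and the treatment of the local cluster are assumptions of the sketch.

```python
import re

# Constructed inventory of (cluster, index); cluster None means the local cluster.
SOURCES = [
    (None, "filebeat-apache-a"), (None, "filebeat-apache-b"),
    (None, "test1"), (None, "test3"),
    ("cluster_one", "logstash-2022.08"), ("cluster_one", "logstash-old-2019"),
    ("cluster_two", "logstash-2022.08"), ("cluster_foo", "logstash-2022.08"),
    ("backup", "logstash-2022.08"),
]

def _glob(pattern, name):
    """Match name against pattern where '*' is the only wildcard."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def resolve_data_view(pattern, sources=SOURCES):
    """Return the sorted source names that a data view index pattern selects."""
    selected = set()
    for part in pattern.split(","):
        if not part or part != part.strip():
            raise ValueError(f"empty entry or space around comma in {pattern!r}")
        cluster_pat, target = part.split(":", 1) if ":" in part else (None, part)
        exclude = target.startswith("-")
        if exclude:
            target = target[1:]
        hits = set()
        for cluster, index in sources:
            if cluster_pat is None:
                same_cluster = cluster is None
            else:
                # Assumption: a cluster pattern, even '*', never matches the local cluster.
                same_cluster = cluster is not None and _glob(cluster_pat, cluster)
            if same_cluster and _glob(target, index):
                hits.add(index if cluster is None else f"{cluster}:{index}")
        # Assumption: entries apply left to right, so an exclusion removes earlier matches.
        selected = selected - hits if exclude else selected | hits
    return sorted(selected)

if __name__ == "__main__":
    for p in ("test*,-test3", "*:logstash-*", "cluster_*:logstash-*,cluster_one:-*"):
        print(p, "->", resolve_data_view(p))
```

Running it shows that `*:logstash-*` also reaches the `backup` cluster in the sample inventory, which the `cluster_*` patterns do not.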
Delete data views
When you delete a data view, you cannot recover the associated field formatters, runtime fields, source filters, and field popularity data. Deleting a data view does not remove any indices or data documents from Elasticsearch.
Deleting a data view breaks all visualizations, saved searches, and other saved objects that reference the data view.
- Open the main menu, then click Stack Management > Data Views.
- Find the data view that you want to delete, and then click in the Actions column.