- Kibana Guide: other versions:
- What is Kibana?
- What’s new in 8.17
- Kibana concepts
- Quick start
- Set up
- Install Kibana
- Configure Kibana
- AI Assistant settings
- Alerting and action settings
- APM settings
- Banners settings
- Cases settings
- Enterprise Search settings
- Fleet settings
- i18n settings
- Logging settings
- Logs settings
- Metrics settings
- Monitoring settings
- Reporting settings
- Search sessions settings
- Secure settings
- Security settings
- Spaces settings
- Task Manager settings
- Telemetry settings
- URL drilldown settings
- Start and stop Kibana
- Access Kibana
- Securing access to Kibana
- Add data
- Upgrade Kibana
- Configure security
- Configure reporting
- Configure logging
- Configure monitoring
- Command line tools
- Production considerations
- Discover
- Dashboards
- Canvas
- Maps
- Build a map to compare metrics by country or region
- Track, visualize, and alert on assets in real time
- Map custom regions with reverse geocoding
- Heat map layer
- Tile layer
- Vector layer
- Plot big data
- Search geographic data
- Configure map settings
- Connect to Elastic Maps Service
- Import geospatial data
- Troubleshoot
- Reporting and sharing
- Machine learning
- Graph
- Alerting
- Observability
- Search
- Security
- Dev Tools
- Fleet
- Osquery
- Stack Monitoring
- Stack Management
- Cases
- Connectors
- Amazon Bedrock
- Cases
- CrowdStrike
- D3 Security
- Google Gemini
- IBM Resilient
- Index
- Jira
- Microsoft Teams
- Observability AI Assistant
- OpenAI
- Opsgenie
- PagerDuty
- SentinelOne
- Server log
- ServiceNow ITSM
- ServiceNow SecOps
- ServiceNow ITOM
- Swimlane
- Slack
- TheHive
- Tines
- Torq
- Webhook
- Webhook - Case Management
- xMatters
- Preconfigured connectors
- License Management
- Maintenance windows
- Manage data views
- Numeral Formatting
- Rollup Jobs
- Manage saved objects
- Security
- Spaces
- Advanced Settings
- Tags
- Upgrade Assistant
- Watcher
- REST API
- Get features API
- Kibana spaces APIs
- Kibana role management APIs
- User session management APIs
- Saved objects APIs
- Data views API
- Index patterns APIs
- Alerting APIs
- Action and connector APIs
- Cases APIs
- Import and export dashboard APIs
- Logstash configuration management APIs
- Machine learning APIs
- Osquery manager API
- Short URLs APIs
- Get Task Manager health
- Upgrade assistant APIs
- Synthetics APIs
- Uptime APIs
- Kibana plugins
- Troubleshooting
- Accessibility
- Release notes
- Upgrade notes
- Kibana 8.17.1
- Kibana 8.17.0
- Kibana 8.16.3
- Kibana 8.16.2
- Kibana 8.16.1
- Kibana 8.16.0
- Kibana 8.15.5
- Kibana 8.15.4
- Kibana 8.15.3
- Kibana 8.15.2
- Kibana 8.15.1
- Kibana 8.15.0
- Kibana 8.14.3
- Kibana 8.14.2
- Kibana 8.14.1
- Kibana 8.14.0
- Kibana 8.13.4
- Kibana 8.13.3
- Kibana 8.13.2
- Kibana 8.13.1
- Kibana 8.13.0
- Kibana 8.12.2
- Kibana 8.12.1
- Kibana 8.12.0
- Kibana 8.11.4
- Kibana 8.11.3
- Kibana 8.11.2
- Kibana 8.11.1
- Kibana 8.11.0
- Kibana 8.10.4
- Kibana 8.10.3
- Kibana 8.10.2
- Kibana 8.10.1
- Kibana 8.10.0
- Kibana 8.9.2
- Kibana 8.9.1
- Kibana 8.9.0
- Kibana 8.8.2
- Kibana 8.8.1
- Kibana 8.8.0
- Kibana 8.7.1
- Kibana 8.7.0
- Kibana 8.6.1
- Kibana 8.6.0
- Kibana 8.5.2
- Kibana 8.5.1
- Kibana 8.5.0
- Kibana 8.4.3
- Kibana 8.4.2
- Kibana 8.4.1
- Kibana 8.4.0
- Kibana 8.3.3
- Kibana 8.3.2
- Kibana 8.3.1
- Kibana 8.3.0
- Kibana 8.2.3
- Kibana 8.2.2
- Kibana 8.2.1
- Kibana 8.2.0
- Kibana 8.1.3
- Kibana 8.1.2
- Kibana 8.1.1
- Kibana 8.1.0
- Kibana 8.0.0
- Kibana 8.0.0-rc2
- Kibana 8.0.0-rc1
- Kibana 8.0.0-beta1
- Kibana 8.0.0-alpha2
- Kibana 8.0.0-alpha1
- Developer guide
Event log index
editEvent log index
editThis functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Use the event log index to determine:
- Whether a rule ran successfully but its associated actions did not
- Whether a rule was ever activated
- Additional information about errors when the rule ran
- Run durations for the rules and actions
Example event log queries
editThe following event log query looks at all events related to a specific rule id:
GET /.kibana-event-log*/_search { "sort": [ { "@timestamp": { "order": "desc" } } ], "query": { "bool": { "filter": [ { "term": { "event.provider": { "value": "alerting" } } }, // optionally filter by specific action event { "term": { "event.action": "active-instance" | "execute-action" | "new-instance" | "recovered-instance" | "execute" } }, // filter by specific rule id { "nested": { "path": "kibana.saved_objects", "query": { "bool": { "filter": [ { "term": { "kibana.saved_objects.id": { "value": "b541b690-bfc4-11eb-bf08-05a30cefd1fc" } } }, { "term": { "kibana.saved_objects.type": "alert" } } ] } } } } ] } } }
The following event log query looks at all events related to running a rule or action. These events include duration:
GET /.kibana-event-log*/_search { "sort": [ { "@timestamp": { "order": "desc" } } ], "query": { "bool": { "filter": [ { "term": { "event.action": { "value": "execute" } } }, // optionally filter by specific rule or action id { "nested": { "path": "kibana.saved_objects", "query": { "bool": { "filter": [ { "term": { "kibana.saved_objects.id": { "value": "b541b690-bfc4-11eb-bf08-05a30cefd1fc" } } } ] } } } } ] } } }
The following event log query looks at the errors. You should see an
error.message
property in that event, with a message that might provide more
details about why the action encountered an error:
{ "event": { "provider": "actions", "action": "execute", "start": "2020-03-31T04:27:30.392Z", "end": "2020-03-31T04:27:30.393Z", "duration": 1000000 }, "kibana": { "namespace": "default", "saved_objects": [ { "type": "action", "id": "7a6fd3c6-72b9-44a0-8767-0432b3c70910" } ], }, "message": "action executed: .server-log:7a6fd3c6-72b9-44a0-8767-0432b3c70910: server-log", "@timestamp": "2020-03-31T04:27:30.393Z", }
You might also see the errors for the rules, which can use in the next search query. For example:
{ "event": { "provider": "alerting", "start": "2020-03-31T04:27:30.392Z", "end": "2020-03-31T04:27:30.393Z", "duration": 1000000 }, "kibana": { "namespace": "default", "saved_objects": [ { "rel" : "primary", "type" : "alert", "id" : "30d856c0-b14b-11eb-9a7c-9df284da9f99" } ], }, "message": "rule executed: .index-threshold:30d856c0-b14b-11eb-9a7c-9df284da9f99: 'test'", "error" : { "message" : "Saved object [action/ef0e2530-b14a-11eb-9a7c-9df284da9f99] not found" }, }
You can also query the event log for failures, which should return more specific details about rules which failed by targeting the event.outcome:
GET .kibana-event-log-*/_search { "query": { "bool": { "must": [ { "match": { "event.outcome": "failure" }} ] } } }
Here’s an example of what failed credentials from Google SMTP might look like from the response:
"error" : { "message" : """error sending email: Invalid login: 535-5.7.8 Username and Password not accepted. Learn more at 535 5.7.8 https://support.google.com/mail/?p=BadCredentials e207sm3359731pfh.171 - gsmtp""" },
On this page