To explore and visualize data in Kibana, you must create an index pattern. An index pattern tells Kibana which Elasticsearch indices contain the data that you want to work with. Once you create an index pattern, you’re ready to:
If you have insufficient privileges to create or save index patterns, a read-only indicator appears in Kibana. The buttons to create new index patterns or save existing index patterns are not visible. For more information, see Granting access to Kibana.
Create an index patternedit
When you don’t have an index pattern, Kibana prompts you to create one. Or, you can open the menu, then go to Stack Management > Kibana > Index Patterns to go directly to the Index Patterns UI.
Standard index patternedit
Just start typing in the Index pattern field, and Kibana looks for the names of Elasticsearch indices that match your input. Make sure that the name of the index pattern is unique.
Your index pattern can match multiple Elasticsearch indices.
Use a comma to separate the names, with no space after the comma. The notation for
*) and the ability to "exclude" (
-) also apply
If Kibana detects an index with a timestamp, you’re asked to choose a field to filter your data by time. If you don’t specify a field, you won’t be able to use the time filter.
Rollup index patternedit
If a rollup index is detected in the cluster, clicking Create index pattern includes an item for creating a rollup index pattern. You can match an index pattern to only rolled up data, or mix both rolled up and raw data to explore and visualize all data together. An index pattern can match only one rollup index. When matching multiple indices, use a comma to separate the names, with no space after the comma.
For specific fields, the data in a rollup index includes only summarized metrics. From the original raw data, you are unable to search any other field.
Cross-cluster search index patternedit
If your Elasticsearch clusters are configured for cross-cluster search, you can create
index patterns to search across the clusters of your choosing. Using the
same syntax that you’d use in a raw cross-cluster search request in Elasticsearch, create your
index pattern with the convention
For example, to query Logstash indices across two Elasticsearch clusters
that you set up for cross-cluster search, which are named
you would use
cluster_one:logstash-*,cluster_two:logstash-* as your index pattern.
You can use wildcards in your cluster names
to match any number of clusters, so if you want to search Logstash indices across
cluster_bar, and so on, you would use
as your index pattern.
To query across all Elasticsearch clusters that have been configured for cross-cluster search,
use a standalone wildcard for your cluster name in your index
You can use exclusions to exclude indices that might contain mapping errors.
To match indices starting with
logstash-, and exclude those starting with
all clusters having a name starting with
cluster_, you can use
To exclude a cluster, use
Once an index pattern is configured using the cross-cluster search syntax, all searches and aggregations using that index pattern in Kibana take advantage of cross-cluster search.
Manage your index patternedit
To drill down into the fields and associated data types in an index pattern, click its name in the Index patterns overview page. For more information, refer to Index Patterns and Fields.