To visualize and explore data in Kibana, you must create an index pattern. An index pattern tells Kibana which Elasticsearch indices contain the data that you want to work with. An index pattern can match a single index, multiple indices, and a rollup index.
If you have insufficient privileges to create or save index patterns, a read-only indicator appears in Kibana. The buttons to create new index patterns or save existing index patterns are not visible. For more information on granting access to Kibana see Granting access to Kibana.
Create an index patternedit
To get started, go to Management > Kibana > Index Patterns. You begin with an overview of your index patterns, including any that were added when you downloaded sample data sets.
You can create a standard index pattern, and if a rollup index is detected in the cluster, a rollup index pattern.
Standard index patternedit
Kibana makes it easy for you to create an index pattern by walking you through the process. Just start typing in the Index pattern field, and Kibana looks for the names of Elasticsearch indices that match your input. If you want to include system indices in your search, toggle the switch in the upper right.
Your index pattern can match multiple Elasticsearch indices.
Use a comma to separate the names, with no space after the comma. The notation for
*) and the ability to "exclude" (
-) also apply
When Kibana detects an index with a timestamp, you’re asked to choose a field to filter your data by time. If you don’t specify a field, you won’t be able to use the time filter.
Once you’ve created your index pattern, you can start working with your Elasticsearch data in Kibana. Here are some things to try:
For a walkthrough of creating an index pattern and visualizing the data, see Getting Started.
Rollup index patternedit
If a rollup index is detected in the cluster, clicking Create index pattern includes an item for creating a rollup index pattern. You create an index pattern for rolled up data the same way you do for any data.
You can match an index pattern to only rolled up data, or mix both rolled up and raw data to visualize all data together. An index pattern can match only one rollup index, not multiple. There is no restriction on the number of standard indices that an index pattern can match.
See Creating a visualization using rolled up data for more detailed information.
Manage your index patternedit
Once you’ve created an index pattern, you’re presented a table of all fields and associated data types in the index.
You can perform the following actions:
- Manage the index fields. Click a column header to sort the table by that column. Use the field dropdown menu to limit to display to a specific field. See Managing fields for more detailed information.
- Set the default index pattern. Kibana uses a badge to make users aware of which index pattern is the default. The first pattern you create is automatically designated as the default pattern. The default index pattern is loaded when you view the Discover tab.
- Reload the index fields list. You can reload the index fields list to pick up any newly-added fields. Doing so also resets Kibana’s popularity counters for the fields. The popularity counters keep track of the fields you’ve used most often in Kibana and are used to sort fields in lists.
Delete the index pattern. This action removes the pattern from the list of Saved Objects in Kibana. You will not be able to recover field formatters, scripted fields, source filters, and field popularity data associated with the index pattern.
Deleting an index pattern breaks all visualizations, saved searches, and other saved objects that reference the pattern. Deleting an index pattern does not remove any indices or data documents from Elasticsearch.