Master Kibana: From Installation to Advanced Data Visualization

What is Kibana

Kibana is an open‑source analytics and visualization platform that works directly with Elasticsearch. It provides a browser‑based UI for searching, viewing, and interacting with data stored in Elasticsearch indices, and can render charts, tables, maps, and other visualizations.

Installation

Download the Kibana package that matches your operating system from the official distribution site, extract the archive, and start the Kibana service. By default Kibana listens on TCP port 5601.

Configuration

Edit the kibana.yml configuration file to point Kibana at your Elasticsearch cluster. Set the elasticsearch.hosts property to the HTTP URL of the Elasticsearch node(s), for example:

elasticsearch.hosts: ["http://es-node1:9200", "http://es-node2:9200"]

After saving the file, restart the Kibana service for the changes to take effect. Detailed configuration options are documented at https://www.elastic.co/guide/en/kibana/current/settings.html.

Accessing Kibana

Open a web browser and navigate to http://localhost:5601 (or replace localhost with the host name or IP address of the Kibana server). The UI loads the Discover page with a default index pattern, a time filter set to the last 15 minutes, and a match‑all query.

Checking Kibana status

Visit http://localhost:5601/status for a human‑readable status page, or request http://localhost:5601/api/status to obtain JSON‑formatted health information.

Connecting Elasticsearch to Kibana – defining an index pattern

Open the Kibana UI (e.g., http://localhost:5601).

When prompted, enter an index pattern that matches one or more Elasticsearch indices. Wildcards such as logstash-* are allowed.

Click “Next step” and indicate whether the index contains a timestamp field for time‑based analysis. Choose “I don’t want to use the Time Filter” if the data is not time‑series.

Click “Create index pattern”. The first pattern becomes the default; additional patterns can be managed under Management → Index Patterns.

Discover: interactive data exploration

The Discover page lets you browse documents from the selected index pattern, run free‑text or field‑specific queries, apply filters, and view field statistics. If the index pattern includes a time field, a histogram of document distribution appears at the top.

Lucene query syntax

Simple text search: "safari" Field‑specific search: status:200 Range query: status:[400 TO 499] Boolean logic:

status:[400 TO 499] AND (extension:php OR extension:html)

Enhanced (KQL) query syntax

Exact match: response:200 Phrase search: message:"Quick brown fox" Implicit AND: response:200 extension:php Explicit OR: response:200 OR extension:php Parentheses for precedence: response:200 AND (extension:php OR extension:css) Negation:

NOT response:200

, >=, <, <= are all valid operators.

Wildcard queries are supported, e.g., machine.os:win* matches any machine.os value that starts with “win”.

Refreshing search results

After submitting a query, the histogram, document table, and field list update automatically. The total hit count appears in the toolbar, and the table shows the first 500 hits sorted by time descending.

Visualize: building visualizations

Click the “Visualize” navigation button.

Select “Create new visualization” (or the + icon).

Choose a visualization type (e.g., bar, line, pie).

Define a search query that retrieves the data to be visualized.

Select an aggregation for the Y‑axis (e.g., sum, average, count).

Configure the X‑axis as needed (e.g., date histogram, terms aggregation).

Saved visualizations can be reused in dashboards.

Dashboard: assembling visualizations

Click “Dashboard” in the navigation bar.

Choose “Create new dashboard” or press the + button.

Click “Add” and select an existing visualization, or create a new one on the fly.

Optionally add saved searches as dashboard panels.

Arrange the panels by dragging, then click “Save” and provide a dashboard name.

The UI supports light and dark themes. To make the dark theme the default, set dashboard:defaultDarkTheme to On in Management → Advanced Settings.

Monitoring Kibana and Elasticsearch

Kibana’s console can display Elasticsearch and Kibana logs that help verify monitoring indices and license information. Example log entries:

[2018-08-15T14:48:26,874][INFO ][o.e.c.m.MetaDataCreateIndexService] [Px524Ts] [.monitoring-kibana-6-2018.08.15] creating index, cause [auto(bulk api)], templates [.monitoring-kibana], shards [1]/[0], mappings [doc]

log   [03:26:53.605] [info][license][xpack] Imported license information from Elasticsearch for the [monitoring] cluster: mode: basic | status: active