Master Kibana: Install, Configure, and Visualize Elasticsearch Data

1. Install Kibana

Kibana is an open‑source analytics and visualization platform designed to work with Elasticsearch. Install it by following the official package instructions; the article includes screenshots of the installation process.

2. Kibana configuration

Configuration details are available at the Elastic documentation: https://www.elastic.co/guide/en/kibana/current/settings.html

3. Access Kibana

Kibana runs as a web application accessible on port 5601, e.g., http://localhost:5601 or http://YOURDOMAIN.com:5601. When first opened, the Discover page loads the default index pattern with a time filter set to the last 15 minutes and a match‑all query.

3.1 Check Kibana status

Visit http://localhost:5601/status or http://192.168.101.5:5601/api/status to see JSON‑formatted status information.

4. Connect Elasticsearch to Kibana

Before using Kibana you must define an index pattern that matches one or more Elasticsearch indices. The first visit prompts you to create this pattern. To connect to a non‑local Elasticsearch instance, edit kibana.yml with the new URL and restart Kibana.

Steps:

Open Kibana UI (e.g., http://localhost:5601).

Specify an index pattern that matches your indices.

Click Next Step and choose whether to use the time filter.

Click Create index pattern to finalize. The first pattern becomes the default.

5. Discover

The Discover page lets you interactively explore your data, view each document, submit queries, filter results, and see document counts and field statistics. If the index pattern includes a time field, a histogram shows document distribution over time.

5.1 Set time filter

5.2 Search data

Enter queries in the search bar using either Kibana’s Lucene‑based query language or the full Elasticsearch DSL (JSON). The query language supports autocomplete and simplified syntax.

When a query is submitted, histograms, document tables, and field lists update to reflect the results. The total hit count appears in the toolbar, and the document table shows the first 500 hits, sorted by time descending by default.

5.2.1 Lucene query syntax

Simple text search: type a keyword, e.g., safari.

Field‑specific search: status:200 finds documents where status equals 200.

Range search: status:[400 TO 499] finds status codes in the 4xx range.

Boolean operators: AND, OR, NOT. Example: status:[400 TO 499] AND (extension:php OR extension:html).

5.2.2 Kibana query syntax enhancements

The newer syntax keeps the same principles but simplifies usage. Examples: response:200 matches documents where response is 200.

Phrase search with quotes: message:"Quick brown fox".

Boolean operators are case‑insensitive; response:200 AND extension:php is equivalent to response:200 and extension:php.

Parentheses change precedence, e.g., response:200 AND (extension:php OR extension:css).

Shorthand: response:(200 OR 404) or tags:(success AND info AND security).

Negation: NOT response:200 matches documents where response is not 200.

5.2.3 Refresh search results

Use the refresh button to re‑execute the current query and update visualizations.

5.3 Filter by field

Control which fields appear in the list via the field filter UI or the small book‑icon next to each document.

5.4 View document data

Open a document to see its full JSON source and field values.

5.5 View document context

Navigate to surrounding documents to understand the context of a selected record.

5.6 View field statistics

6. Visualize

Visualize lets you create charts based on Elasticsearch queries. Steps to create a visualization:

Click the Visualize button in the left navigation.

Select “Create new visualization” or the plus (+) button.

Choose a visualization type (e.g., bar, line, pie).

Specify a search query to retrieve data.

Configure the Y‑axis aggregation (sum, average, count, etc.).

Set the X‑axis (e.g., a date histogram).

For more details see the Elastic documentation links provided.

7. Dashboard

A dashboard is a collection of visualizations and saved searches. To build one:

Click the Dashboard button in the navigation bar.

Select “Create new dashboard” or the plus (+) button.

Click “Add” to insert visualizations or saved searches.

Arrange and resize components as needed.

Save the dashboard with a name.

Optionally switch to the dark theme via the options menu.

8. Monitoring

Elasticsearch控制台打印日志
[2018-08-15T14:48:26,874][INFO ][o.e.c.m.MetaDataCreateIndexService] [Px524Ts] [.monitoring-kibana-6-2018.08.15] creating index, cause [auto(bulk api)], templates [.monitoring-kibana], shards [1]/[0], mappings [doc]

Kibana控制台打印日志
log   [03:26:53.605] [info][license][xpack] Imported license information from Elasticsearch 
for the [monitoring] cluster: mode: basic | status: active

Further monitoring details are available at https://www.elastic.co/guide/en/kibana/current/elasticsearch-metrics.html.