Master Kibana: Install, Configure, and Visualize Elasticsearch Data Step‑by‑Step

Installation

Download the Kibana package that matches your operating system from the Elastic download site and extract it. Start Kibana with the provided bin/kibana script (or the Windows equivalent). By default Kibana listens on port 5601.

Configuration

Edit kibana.yml (found in the config directory) and set the Elasticsearch endpoint, for example: elasticsearch.hosts: ["http://localhost:9200"] Adjust any additional settings as required, then restart Kibana.

Access and health check

Open a browser and navigate to http://localhost:5601. The Kibana UI loads. To verify the service is healthy, request one of the following URLs:

http://localhost:5601/status

http://localhost:5601/api/status

(JSON response)

Connecting Kibana to Elasticsearch

When Kibana is opened for the first time it prompts you to create an index pattern that matches one or more Elasticsearch indices.

Open the Kibana UI (e.g., http://localhost:5601).

Enter an index pattern, such as log-*, that matches the desired indices.

If the indices contain a timestamp field, select it; otherwise choose “I don’t want to use the Time Filter”.

Click **Create index pattern**. The first pattern becomes the default; additional patterns can be managed under **Management → Index Patterns**.

Discover

The Discover page lets you explore documents in the selected index pattern.

Time filter

Use the time picker at the top to restrict results to a specific interval.

Search syntax

Kibana supports two query modes:

Lucene‑based syntax – simple field/value expressions, range queries, and boolean operators.

Enhanced Kibana syntax – requires explicit boolean operators and supports parentheses, wildcards, existence checks, and shorthand lists.

Common examples:

# Field equality
status:200

# Range query
status:[400 TO 499]

# Boolean AND/OR with parentheses
response:200 AND (extension:php OR extension:css)

# Shorthand list
response:(200 OR 404)

tag:(success AND info AND security)

# Negation
NOT response:200

# Wildcard
machine.os:win*

# Existence
response:*

Field filtering

In the document table, click a column filter icon to include or exclude specific field values.

Document view

Click a document row to see the full JSON source. Use the “view surrounding documents” icon to navigate to related records.

Field statistics

The field list shows aggregated statistics (min, max, count) for each field in the index pattern.

Visualize

Visualizations are built on Elasticsearch aggregations.

Navigate to **Visualize** in the left menu.

Click **Create new visualization** (or the plus + button).

Select a visualization type (e.g., bar, line, pie).

Define a search query that retrieves the data you want to plot.

Configure the Y‑axis aggregation (e.g., sum, avg, count).

Configure the X‑axis (date histogram, terms, etc.).

Reference documentation: https://www.elastic.co/guide/en/kibana/current/createvis.html

Dashboard

Dashboards combine multiple visualizations and saved searches.

Open **Dashboard** from the navigation bar.

Click **Create new dashboard** (or the plus + button).

Use **Add** to insert existing visualizations or create new ones.

Optionally add saved searches.

Arrange, resize, and rename panels as needed.

Save the dashboard with a descriptive name.

To enable the dark theme by default, set the advanced setting dashboard:defaultDarkTheme: On (Management → Advanced Settings).

Monitoring

Kibana and Elasticsearch emit logs that can be used to verify monitoring data ingestion and license status.

[2018-08-15T14:48:26,874][INFO][o.e.c.m.MetaDataCreateIndexService] [Px524Ts] [.monitoring‑kibana‑6‑2018.08.15] creating index, cause [auto(bulk api)], templates [.monitoring‑kibana], shards [1]/[0], mappings [doc]

log   [03:26:53.605] [info][license][xpack] Imported license information from Elasticsearch for the [monitoring] cluster: mode: basic | status: active