Creating an index pattern

edit

Creating an index pattern

edit

To explore and visualize data in Kibana, you must create an index pattern. An index pattern tells Kibana which Elasticsearch indices contain the data that you want to work with. Once you create an index pattern, you’re ready to:

  • Interactively explore your data in Discover.
  • Analyze your data in charts, tables, gauges, tag clouds, and more in Visualize.
  • Show off your data in a Canvas workpad.
  • If your data includes geo data, visualize it with Maps.

Read-only access

edit

If you have insufficient privileges to create or save index patterns, a read-only indicator appears in Kibana. The buttons to create new index patterns or save existing index patterns are not visible. For more information, see Granting access to Kibana.

Example of Index Pattern Management’s read only access indicator in Kibana’s header

Create an index pattern

edit

If you are in an app that requires an index pattern, and you don’t have one yet, Kibana prompts you to create one. Or, you can go directly to Management > Kibana > Index Patterns.

Menu with rollup index pattern

Standard index pattern

edit

Just start typing in the Index pattern field, and Kibana looks for the names of Elasticsearch indices that match your input. Make sure that the name of the index pattern is unique. To include system indices in your search, toggle the switch in the upper right.

Create index pattern

Your index pattern can match multiple Elasticsearch indices. Use a comma to separate the names, with no space after the comma. The notation for wildcards (*) and the ability to "exclude" (-) also apply (for example, test*,-test3).

If Kibana detects an index with a timestamp, you’re asked to choose a field to filter your data by time. If you don’t specify a field, you won’t be able to use the time filter.

Rollup index pattern

edit

If a rollup index is detected in the cluster, clicking Create index pattern includes an item for creating a rollup index pattern. You can match an index pattern to only rolled up data, or mix both rolled up and raw data to explore and visualize all data together. An index pattern can match only one rollup index. When matching multiple indices, use a comma to separate the names, with no space after the comma.

For specific fields, the data in a rollup index includes only summarized metrics. From the original raw data, you are unable to search any other field.

Cross-cluster search index pattern

edit

If your Elasticsearch clusters are configured for cross-cluster search, you can create index patterns to search across the clusters of your choosing. Using the same syntax that you’d use in a raw cross-cluster search request in Elasticsearch, create your index pattern with the convention <cluster-names>:<pattern>.

For example, to query Logstash indices across two Elasticsearch clusters that you set up for cross-cluster search, which are named cluster_one and cluster_two, you would use cluster_one:logstash-*,cluster_two:logstash-* as your index pattern.

You can use wildcards in your cluster names to match any number of clusters, so if you want to search Logstash indices across clusters named cluster_foo, cluster_bar, and so on, you would use cluster_*:logstash-* as your index pattern.

To query across all Elasticsearch clusters that have been configured for cross-cluster search, use a standalone wildcard for your cluster name in your index pattern: *:logstash-*.

Once an index pattern is configured using the cross-cluster search syntax, all searches and aggregations using that index pattern in Kibana take advantage of cross-cluster search.

Manage your index pattern

edit

Once you create an index pattern, manually or with a sample data set, you can look at its fields and associated data types. You can also perform housekeeping tasks, such as making the index pattern the default or deleting it when you longer need it. To drill down into the details of an index pattern, click its name in the Index patterns overview.

Index files and data types

From the detailed view, you can perform the following actions:

  • Manage the index fields. You can add formatters to format values and create scripted fields. See Managing fields for more information.
  • Set the default index pattern. Kibana uses a badge to make users aware of which index pattern is the default. The first pattern you create is automatically designated as the default pattern. The default index pattern is loaded when you open Discover.
  • Refresh the index fields list. You can refresh the index fields list to pick up any newly-added fields. Doing so also resets Kibana’s popularity counters for the fields. The popularity counters are used in Discover to sort fields in lists.
  • Delete the index pattern. This action removes the pattern from the list of Saved Objects in Kibana. You will not be able to recover field formatters, scripted fields, source filters, and field popularity data associated with the index pattern. Deleting an index pattern does not remove any indices or data documents from Elasticsearch.

    Deleting an index pattern breaks all visualizations, saved searches, and other saved objects that reference the pattern.