Kibana

Visualization and exploration platform for Elasticsearch data - dashboards, alerting, and log analysis

Kibana is the visualization and management UI for Elasticsearch. It provides real-time dashboards, log exploration (Discover), alerting, and administrative tools for managing the ELK Stack.

Core Features

| Feature          | Description                                                     |
|------------------|-----------------------------------------------------------------|
| Discover         | Explore and search raw log data with KQL or Lucene syntax       |
| Dashboard        | Build visualizations and arrange them into interactive dashboards |
| Lens             | Drag-and-drop visualization builder                             |
| Alerting         | Rule-based alerts with integrations (email, Slack, PagerDuty)   |
| Dev Tools        | Console for direct Elasticsearch API requests                   |
| Index Management | Manage indices, ILM policies, and data streams                  |

Configuration

# kibana.yml
# Listens on all interfaces; pair with server.ssl.* or a TLS-terminating proxy
server.host: "0.0.0.0"
server.port: 5601
server.name: "kibana"

elasticsearch.hosts: ["https://elasticsearch:9200"]
elasticsearch.username: "kibana_system"
# Resolved from the environment at startup; keeps the literal secret out of this file
elasticsearch.password: "${KIBANA_PASSWORD}"
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.crt"]

# Security
xpack.security.enabled: true
# Placeholder: use a random key of at least 32 characters and keep it stable,
# otherwise encrypted saved objects (alert rules, connectors) become unreadable
xpack.encryptedSavedObjects.encryptionKey: "min-32-byte-encryption-key-here!!"

# Logging
logging.root.level: info

# Alerting
# "*" lets connectors reach any host; restrict to the hostnames your connectors need
xpack.actions.allowedHosts: ["*"]
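As an added example (not part of this page or of Kibana), a small Python audit of the security-relevant keys in a kibana.yml like the one above. It assumes the flat dotted-key style shown here and checks the documented settings: the allowedHosts wildcard, the 32-character encryption key minimum, TLS on the listener (server.ssl.enabled), plaintext Elasticsearch URLs and literal passwords.

```python
import json
import re

# Constructed kibana.yml fragment mirroring the settings above, with a deliberately short key.
SAMPLE_KIBANA_YML = """
server.host: "0.0.0.0"
server.port: 5601
elasticsearch.hosts: ["https://elasticsearch:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "${KIBANA_PASSWORD}"
xpack.security.enabled: true
xpack.encryptedSavedObjects.encryptionKey: "short-key"
xpack.actions.allowedHosts: ["*"]
"""

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines. Values go through json.loads (quoted
    strings, lists, booleans, numbers); bare words such as 'info' stay raw strings."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments (values containing '#' not handled)
        if not line or ":" not in line:
            continue
        key, _, raw = line.partition(":")
        try:
            settings[key.strip()] = json.loads(raw.strip())
        except ValueError:
            settings[key.strip()] = raw.strip()
    return settings

def audit(settings):
    """Return one finding per weak or missing security-relevant setting."""
    findings = []
    if settings.get("xpack.actions.allowedHosts") == ["*"]:
        findings.append("xpack.actions.allowedHosts: '*' lets connectors call any host")
    if len(str(settings.get("xpack.encryptedSavedObjects.encryptionKey", ""))) < 32:
        findings.append("xpack.encryptedSavedObjects.encryptionKey: missing or shorter than 32 characters")
    if settings.get("server.host") in ("0.0.0.0", "::") and settings.get("server.ssl.enabled") is not True:
        findings.append("server.host: all interfaces without server.ssl.enabled: true")
    for url in settings.get("elasticsearch.hosts", []):
        if url.startswith("http://"):
            findings.append(f"elasticsearch.hosts: plaintext URL {url}")
    password = str(settings.get("elasticsearch.password", ""))
    if password and not re.fullmatch(r"\$\{[A-Za-z0-9_]+\}", password):
        findings.append("elasticsearch.password: literal secret; use ${ENV_VAR} or the Kibana keystore")
    if settings.get("xpack.security.enabled") is False:
        findings.append("xpack.security.enabled: false disables authentication")
    return findings
```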

Kibana Query Language (KQL)

KQL is the default query language in Kibana's search bar.

Basic Syntax

# Field:value match
level: ERROR

# Wildcard (leave the value unquoted; inside quotes * is a literal character)
message: *timeout*

# Logical operators
level: ERROR AND service: api-gateway
level: ERROR OR level: FATAL
NOT level: DEBUG

# Range
duration_ms >= 1000
@timestamp >= "2024-03-15" AND @timestamp < "2024-03-16"

# Nested fields
host.name: "prod-api-01"

# Existence check
response_code: *

Common Search Patterns

# Find all errors in the last hour
level: ERROR AND @timestamp >= now-1h

# Search specific service with slow response
service: "payment-api" AND duration_ms > 2000

# Find 5xx errors in access logs
status >= 500 AND status < 600

# Multi-field search (wildcard must be unquoted, otherwise "order-*" is matched literally)
(level: ERROR OR level: FATAL) AND service: order-*

# Exclude specific hosts (same rule: a quoted "staging-*" would exclude nothing)
level: ERROR AND NOT host.name: staging-*

Dashboard Building

Visualization Types

| Type              | Use Case                                                  |
|-------------------|-----------------------------------------------------------|
| Line / Area Chart | Metrics over time (error rates, latency trends)           |
| Bar Chart         | Categorical comparisons (errors per service)              |
| Pie / Donut       | Proportions (traffic by region, error distribution)       |
| Metric            | Single number (total errors, uptime percentage)           |
| Data Table        | Detailed tabular data (top errors, slowest endpoints)     |
| Heat Map          | Density patterns (requests per hour/day)                  |
| Map               | Geographic data (requests by region)                      |
| Markdown          | Text annotations and documentation within dashboards      |
| TSVB              | Time-series data with advanced math and annotations       |

Example Dashboard Layout

┌──────────────────────────────────────────────────────────┐
│                    Application Health                    │
├──────────┬──────────┬──────────┬──────────┬──────────────┤
│ Total    │ Error    │ Avg      │ P99      │ Active       │
│ Requests │ Rate     │ Latency  │ Latency  │ Services     │
│ 1.2M     │ 0.3%     │ 45ms     │ 890ms    │ 12           │
├──────────┴──────────┴──────────┴──────────┴──────────────┤
│         Request Volume Over Time (Area Chart)            │
│  ████████████████████████████████████████████            │
├─────────────────────────────┬────────────────────────────┤
│   Errors by Service         │  Response Time Distribution│
│   (Horizontal Bar)          │  (Histogram)               │
│   api-gateway    ████ 45    │   0-100ms  ██████████ 80%  │
│   payment-svc    ███  32    │   100-500ms ███      15%   │
│   user-svc       ██   18    │   500ms+    █         5%   │
├─────────────────────────────┴────────────────────────────┤
│                 Top Errors (Data Table)                  │
│  Message                  | Count | Service | Last Seen  │
│  Connection timeout       |   45  | api-gw  | 2min ago   │
│  Rate limit exceeded      |   32  | payment | 5min ago   │
│  DB query timeout         |   18  | user    | 8min ago   │
└──────────────────────────────────────────────────────────┘

Alerting

Alerting Rule Types

| Rule Type           | Description                                                  |
|---------------------|--------------------------------------------------------------|
| Elasticsearch query | Alert when a search query matches above a threshold          |
| Index threshold     | Alert based on aggregation values exceeding thresholds       |
| Log threshold       | Alert when log count exceeds a threshold in a time window    |
| Metric threshold    | Alert on infrastructure metric conditions                    |
| Anomaly detection   | Alert on ML-detected anomalies                               |

Alert Configuration Example

# POST localhost:5601/api/alerting/rule
{
  "name": "High Error Rate Alert",
  "consumer": "alerts",
  "rule_type_id": ".es-query",
  "schedule": { "interval": "1m" },
  "params": {
    "index": ["logs-*"],
    "timeField": "@timestamp",
    "esQuery": "{\"query\": {\"bool\": {\"filter\": [{\"term\": {\"level\": \"ERROR\"}}]}}}",
    "size": 100,
    "threshold": [50],
    "thresholdComparator": ">",
    "timeWindowSize": 5,
    "timeWindowUnit": "m"
  },
  "actions": [
    {
      "group": "query matched",
      "id": "slack-connector-id",
      "params": {
        "message": "🚨 High error rate detected: {{context.value}} errors in the last 5 minutes.\nTop errors:\n{{#context.hits}}\n- {{_source.message}} ({{_source.service}})\n{{/context.hits}}"
      }
    }
  ]
}

The `esQuery` string is a complete search body (it must carry the `query` key), `size` caps how many matching documents are returned as `context.hits`, and `context.value` is the count that was compared against the threshold.

Alert Connectors

| Connector       | Use Case                                  |
|-----------------|-------------------------------------------|
| Slack           | Team notification channel                 |
| Email           | On-call notifications                     |
| PagerDuty       | Incident escalation                       |
| Webhook         | Custom integrations                       |
| Jira            | Auto-create tickets for recurring issues  |
| Microsoft Teams | Team collaboration notifications          |

Saved Objects & Spaces

Spaces

Spaces allow you to organize dashboards, visualizations, and saved searches by team or environment.

| Space       | Purpose                          | Access              |
|-------------|----------------------------------|---------------------|
| Production  | Production monitoring dashboards | SRE, On-call        |
| Development | Dev environment logs and metrics | Developers          |
| Security    | Security event analysis          | Security team       |
| Business    | Business metrics and KPIs        | Product, Management |

Export / Import

# Export saved objects (credentials are required once xpack.security.enabled: true)
curl -X POST "localhost:5601/api/saved_objects/_export" \
  -u "${KIBANA_USER}:${KIBANA_PASSWORD}" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -d '{"type": ["dashboard", "visualization", "search"]}' \
  -o exported-objects.ndjson

# Import saved objects
curl -X POST "localhost:5601/api/saved_objects/_import" \
  -u "${KIBANA_USER}:${KIBANA_PASSWORD}" \
  -H "kbn-xsrf: true" \
  --form file=@exported-objects.ndjson

Security Configuration

Role-Based Access Control

# PUT localhost:5601/api/security/role/log_viewer   (the role name comes from the URL)
{
  "elasticsearch": {
    "indices": [
      {
        "names": ["logs-*"],
        "privileges": ["read", "view_index_metadata"]
      }
    ]
  },
  "kibana": [
    {
      "spaces": ["production"],
      "base": [],
      "feature": {
        "discover": ["read"],
        "dashboard": ["read"],
        "visualize": ["read"]
      }
    }
  ]
}

Leaving `base` empty and granting per-feature `read` privileges keeps the role to the minimum needed for viewing; it cannot edit dashboards, run Dev Tools, or change alerting rules.

Best Practices

Kibana Usage Guidelines

  1. Data Views: Create separate data views per log type (app logs, access logs, metrics)
  2. Dashboard Design: Keep dashboards focused on a single service or use case
  3. Saved Searches: Save common search queries for reuse and sharing
  4. Alerting: Set alerts on business-critical errors, not every log line
  5. Spaces: Use spaces to separate environments and teams
  6. Caching: Enable Kibana caching for frequently accessed dashboards
  7. Index Patterns: Use time-based index patterns (logs-*) for efficient time range queries
