image

Hi Habrausers!

As you may know, Kibana is a visualization tool and part of the ELK (Elasticsearch, Logstash, Kibana) stack. With Kibana you can analyze and visualize your data, build different charts and combine them on a dashboard to present the data in the clearest way.
People who use Kibana in our company have different backgrounds: some are technical staff who process data, some are managers who simply want to monitor a few KPIs, and all of them have questions. Although Kibana is rather popular in IT companies, there are not many articles or courses about it. To fill the gap I created Kibana Tips & Tricks, a weekly letter covering frequently asked questions or themes. These letters help our users become more familiar with Kibana. There are no secrets here, just a detailed description of how you can work with your data.
I would like to share the first part of 'Kibana Tips & Tricks' with you: a series of simple how-to articles for people who would like to know more about data analysis and visualization in Kibana. Today we will see how to view events in Kibana.

The simplest and quickest way to see events in Kibana is to use the Discover view.

The Discover view presents all the data in your index as a table of documents and shows the number of events for the selected time period.

To open the Discover view, click Discover in the left-hand Kibana panel:

image

The Discover view consists of several parts:

  • Top panel, with the ability to save a search or share it
  • Search panel, where you can add specific filters, search for events and change the time range
  • Index choice, to change the index you want to view data from
  • Index fields list, which lists all available fields for this index
  • Events histogram, the total number of events per time bucket over the time range
  • Event pane, the list of individual events

image
Let's go through the Discover view and see what we can do with a specific index and its events.

Top Panel


The top panel has the buttons New, Save, Open, Share and Inspect.

To save the current search, click the Save button in the top right corner as shown below:

image

After saving you will be able to open it again: click the Open button and enter the name of your saved search:

image

If you want to share the data with others, use the Share button:

image

Choose Permalink.

image

The Snapshot option gives a Kibana link that displays the search exactly as it is at this moment.

The Saved object option gives a Kibana link to the saved search, so it displays the most recent data available for that search.

If you turn on the Short URL option, a new short URL is generated for your search (whether this option is available depends on your access level).

Search Panel


You can use the Search Panel to look for data inside the index. Some examples:

To see data for a specific time range, click Show dates in the top right corner and then on the calendar icon.

image

You can choose between Quick select, Commonly used and Recently used date ranges, and the Auto-refresh options.

image

With Quick select you choose a past ("last") or future ("next") period, pick the unit (seconds, minutes, hours, days, weeks, months or years) and then enter the number of units you want.

Commonly used lets you pick the time range from predefined options.

In the Refresh every section you set the interval at which Kibana auto-refreshes the screen and fetches fresh data.

If you want to search by a specific field from the list (event.module in our case), type event.module: "kafka" in the search bar and click the Update button.

image

Writing a search query is rather simple because the search bar provides autocomplete: I only typed "modu" and received the list of available fields to filter by:

image

Index select


By default, the demo Kibana shows the filebeat-* index.

To choose another index, click the arrow.

image

You may also see the message “No results match your search criteria”:

image

That means no events match the selected time period or filters. Adjust the filters and the time range and the results should appear.

Events histogram


The histogram in the center of the screen shows the number of events per time interval.

By default the histogram uses the «auto» time granularity (the bucket size is picked to fit the selected time range), but you can change it.

image

Hourly:

image

Weekly:

image
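The search bar filter (`event.module: "kafka"` with a time range, from the Search Panel section) and the histogram bucketing (auto, hourly, weekly) are easier to reason about with a small working model. The following is an added example, not code from the post or from Kibana itself: it runs the same kind of field filter and time-range filter over a handful of constructed filebeat-style events and counts them per bucket. The `auto_interval` rule is a simplified assumption of how Kibana picks the "auto" granularity, and the sample documents are constructed, not real logs.

```python
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

# Constructed sample documents using the same field names as the post's
# filebeat-* index (event.module, host.os.name). Not real log data.
SAMPLE_EVENTS = [
    {"@timestamp": "2020-03-02T09:05:00Z", "event.module": "kafka", "host.os.name": "Ubuntu", "message": "broker started"},
    {"@timestamp": "2020-03-02T09:40:00Z", "event.module": "system", "host.os.name": "Ubuntu", "message": "sshd session opened"},
    {"@timestamp": "2020-03-02T10:15:00Z", "event.module": "kafka", "host.os.name": "CentOS", "message": "partition rebalance"},
    {"@timestamp": "2020-03-03T11:00:00Z", "event.module": "kafka", "host.os.name": "Ubuntu", "message": "consumer lag warning"},
    {"@timestamp": "2020-03-10T08:00:00Z", "event.module": "nginx", "host.os.name": "Debian", "message": "GET /health 200"},
    {"@timestamp": "2020-03-10T08:30:00Z", "event.module": "kafka", "host.os.name": "Debian", "message": "broker stopped"},
]

# Bucket sizes the histogram can use, smallest first.
INTERVALS = OrderedDict([
    ("minute", timedelta(minutes=1)),
    ("hourly", timedelta(hours=1)),
    ("daily", timedelta(days=1)),
    ("weekly", timedelta(weeks=1)),
])

def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample documents."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_query(query):
    """Accept the one KQL shape the post uses, `field: "value"`, and return (field, value).
    Anything else is rejected so a malformed query cannot silently match everything."""
    field, sep, value = query.partition(":")
    field, value = field.strip(), value.strip()
    if not sep or not field or not value:
        raise ValueError(f"unsupported query: {query!r}")
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # strip surrounding quotes
    return field, value

def is_valid_query(query):
    """True if parse_query accepts the text, False otherwise."""
    try:
        parse_query(query)
        return True
    except ValueError:
        return False

def search(events, query, start, end):
    """Return events matching the query inside the closed time range, newest first,
    which is the order Discover lists them in."""
    field, wanted = parse_query(query)
    hits = [e for e in events
            if e.get(field) == wanted and start <= parse_ts(e["@timestamp"]) <= end]
    return sorted(hits, key=lambda e: e["@timestamp"], reverse=True)

def auto_interval(start, end, max_buckets=50):
    """Assumed approximation of the 'auto' granularity: the smallest interval that
    keeps the histogram at or under max_buckets. Kibana's own rounding differs in detail."""
    span = end - start
    for name, size in INTERVALS.items():
        if span / size <= max_buckets:
            return name
    return "weekly"

def bucket_start(ts, interval):
    """Floor a timestamp to the start of its bucket (weeks start on Monday)."""
    if interval == "weekly":
        ts = ts - timedelta(days=ts.weekday())
    if interval in ("weekly", "daily"):
        return ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if interval == "hourly":
        return ts.replace(minute=0, second=0, microsecond=0)
    return ts.replace(second=0, microsecond=0)

def histogram(hits, interval, start, end):
    """Count already-filtered hits per bucket; empty buckets are kept so gaps stay visible."""
    counts = OrderedDict()
    cursor = bucket_start(start, interval)
    while cursor <= end:
        counts[cursor.isoformat()] = 0
        cursor += INTERVALS[interval]
    for e in hits:
        counts[bucket_start(parse_ts(e["@timestamp"]), interval).isoformat()] += 1
    return counts

if __name__ == "__main__":
    start, end = parse_ts("2020-03-01T00:00:00Z"), parse_ts("2020-03-14T23:59:59Z")
    hits = search(SAMPLE_EVENTS, 'event.module: "kafka"', start, end)
    interval = auto_interval(start, end)
    print(f"{len(hits)} hits, histogram interval: {interval}")
    for bucket, n in histogram(hits, interval, start, end).items():
        if n:
            print(bucket, n)
```

With a two-week range the model picks daily buckets, so the four kafka events land in three non-empty days; switching `interval` to "weekly" collapses them into two weeks, which is exactly the effect of changing the granularity dropdown. Note that a query with no field part (just `kafka`) is rejected rather than matched against everything, which is the behaviour you want from anything that decides what a manager sees on a dashboard.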

Index fields list


All available fields are listed on the left side of the screen:

image

You can pick fields from the available list and add them as columns to the table. To do so, click the add button to the right of the field:

image

In the screenshot below two fields were added, event.module and host.os.name:

image

Event panel


All events are shown as rows.

image

Click the arrow to expand a row; it shows the event's details in Table format or JSON format.

Table mode:

image

JSON mode:

image

That's all for today! I hope that you now have a basic understanding of how to use Kibana and view events in the Discover view.

If you have any questions regarding Kibana that could be covered in «Tips & Tricks», feel free to share your ideas in the comments.

Useful links


  • For those who would like to try Kibana, you may use the demo here
  • For other questions, please read the Kibana documentation
  • The initial picture of the elk was taken here