Hi habrausers!

As you may know, Kibana is a visualization tool and part of the ELK (Elasticsearch, Logstash, Kibana) stack. With the help of Kibana you can analyze and visualize your data, build different graphs and combine them on a dashboard to present the data in the most beautiful way.

People who use Kibana in our company have different backgrounds — some of them are technical people who process data, some are managers who simply want to monitor a few KPIs. And all of them have various questions. Although Kibana is rather popular in IT companies, there are not many articles or courses about it. To fill the gap I have created Kibana Tips & Tricks — weekly letters with answers to frequently asked questions.
Today I would like to introduce to you 'Kibana Tips & Tricks' — a series of short and simple how-to articles for people who would like to know more about data analysis and visualization in Kibana. In this one we will see how to analyze events in Kibana.



The simplest and quickest way to see events in Kibana is to use the Discover view.

The Discover view presents all the data in your index as a table of documents and shows you the number of events for the selected time period.

To open the Discover view, click on Discover in the left Kibana panel:

The Discover view consists of several parts:
  • Top panel with the # of events and the ability to save a search, share it and change the time range
  • Search panel — where you can put specific filters and search for events
  • Index selector. To change the index you want to see data from, press the grey arrow
  • Index fields list, where you can see all available fields of this index
  • Events histogram — total # of events per time interval
  • Event pane — detailed info about each event


Let's go through the Discover view and see what we can do with a specific index and event.

Top Panel
On the Top panel you see the buttons New, Save, Open, Share, Inspect and Auto-refresh.

If you click Auto-refresh, it will display the screen as shown below:

You can set the auto-refresh interval by clicking on one of the seconds, minutes or hours values shown above. Kibana will then refresh the screen and fetch fresh data after every interval you set.

To save the current search in Discover, click on the Save button in the top right corner as shown below:

After saving you will be able to open it again — just click on the Open button and type your saved search name:

If you want to share the data with others, use the Share button:

Choose Permalinks.

The Snapshot option gives a Kibana link that displays the data available in the search at this moment.

The Saved object option gives a Kibana link that displays the most recent data available in your saved search.

If you turn on the Short URL option, a new short URL will be generated for your search.

Search Panel
You can use the Search Panel to look for data inside the index. Examples are below:

If you want to search by a specific field from the list (country in our case), put location.country: RU in the search bar and press the «Update» button.

If you open the options pane and turn on Query features, you will enable the helper for filtering.

Writing a search query becomes much simpler — I have only typed «cou» and received the list of available fields to filter by:

Index and time range selection
By default you will see the page for the elastic-cluster-1:events-frontend-service index.

If you have no rights to see the events from this index, please change it or send a request to be granted access.

To choose another index, press the grey arrow.

You may also see a screen with the message “No results match your search criteria”:

To see data, click on the «Last 15 minutes» button in the top right corner and change the time range. You can choose between Quick, Relative, Absolute and Recent:

Events histogram
You can see the number of events over time on the histogram in the center of the screen.

By default the number of events is shown with automatic time granularity, but you can change it.

Hourly:

Weekly:
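To make the Search Panel, time range and histogram sections concrete, here is an added example (not code from the original post or from Kibana itself) that does two things: it builds the kind of Elasticsearch request Discover sends for a search bar query plus a time range and histogram interval, and it re-computes the same filtering and hourly/weekly bucketing locally over a handful of constructed events. The time field name @timestamp, the 500-hit page size and the sample documents are assumptions; the Inspect button in the top panel shows the exact request your own Kibana issues.

```python
"""Added example: what a Discover search asks Elasticsearch for, and how the
events histogram is counted. Not part of the original post; the field name
'@timestamp', the page size and the sample events below are assumptions."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample documents, shaped like the events shown in the post.
SAMPLE_EVENTS = [
    {"@timestamp": "2019-03-04T09:05:00Z", "eventName": "login",
     "location": {"country": "RU"}},
    {"@timestamp": "2019-03-04T09:47:00Z", "eventName": "login",
     "location": {"country": "DE"}},
    {"@timestamp": "2019-03-04T10:02:00Z", "eventName": "error",
     "location": {"country": "RU"}, "parameters": {"errorString": "timeout"}},
    {"@timestamp": "2019-03-05T11:30:00Z", "eventName": "login",
     "location": {"country": "RU"}},
    {"@timestamp": "2019-03-12T08:00:00Z", "eventName": "login",
     "location": {"country": "RU"}},
]


def discover_request(query, time_from, time_to, interval="1h",
                     time_field="@timestamp"):
    """Elasticsearch search body equivalent to a Discover search.

    query     - text from the search bar in Lucene query_string syntax,
                e.g. 'location.country: RU' ('' or '*' means everything)
    time_from - range start, date math allowed: 'now-15m' is "Last 15 minutes"
    interval  - histogram bucket size ('1h' hourly, '1w' weekly); the
                'interval' key is the 6.x/7.x form, ES 8 wants fixed_interval
    """
    return {
        "size": 500,  # assumed page size: Discover shows the newest hits first
        "sort": [{time_field: {"order": "desc"}}],
        "query": {"bool": {
            "must": [{"query_string": {"query": query.strip() or "*"}}],
            "filter": [{"range": {time_field: {"gte": time_from, "lte": time_to}}}],
        }},
        "aggs": {"events_over_time": {
            "date_histogram": {"field": time_field, "interval": interval}}},
    }


def matches(event, query):
    """Local check for the one query form used in the post: 'field.path: value'.

    Dotted names walk into nested objects, so 'location.country: RU' compares
    event['location']['country'] with 'RU'.
    """
    query = query.strip()
    if query in ("", "*"):
        return True
    field, _, value = query.partition(":")
    node = event
    for part in field.strip().split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return str(node) == value.strip()


def bucket_start(ts, interval):
    """Floor a timestamp to the start of its histogram bucket."""
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if interval == "1h":
        return ts.replace(minute=0, second=0, microsecond=0)
    if interval == "1d":
        return day
    if interval == "1w":
        return day - timedelta(days=day.weekday())  # weeks start on Monday
    raise ValueError("unsupported interval: " + interval)


def discover_locally(events, query, interval="1h", time_field="@timestamp"):
    """Return (hits newest first, [(bucket_iso, count), ...]) like the
    Discover table and histogram would show for this query."""
    hits = sorted((e for e in events if matches(e, query)),
                  key=lambda e: e[time_field], reverse=True)
    counts = Counter(
        bucket_start(datetime.fromisoformat(e[time_field].replace("Z", "+00:00")),
                     interval).isoformat()
        for e in hits)
    return hits, sorted(counts.items())


if __name__ == "__main__":
    print(discover_request("location.country: RU", "now-15m", "now"))
    for interval in ("1h", "1w"):
        hits, histogram = discover_locally(SAMPLE_EVENTS, "location.country: RU", interval)
        print(interval, len(hits), "hits", histogram)
```

Running the module prints the request body and then the hourly and weekly bucket counts for the four RU events; compare the printed body with what Inspect shows in your Kibana to see which version-specific keys differ.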

Index fields list
All available fields are listed on the left side of the screen:

You can select fields from the available fields list and add them as columns to the table. To do it, just click on the add button on the right:

On the screenshot below two fields were added — eventName and parameters.errorString:

Event pane
All the fields with their data are shown in row format.

Click the arrow to expand a row and it will show you the details in Table format or JSON format.

Table mode:

JSON mode: