Part 4: Kibana - Visualization and Exploration
Part of the ELK Stack 101 Series
The Dashboard That Saved Production
3 AM. Production is on fire. Error rates spiking. Users complaining.
Before Kibana: SSH into 20 servers, grep log files, piece together what's happening, 30+ minutes to understand the issue.
With Kibana: Open dashboard, see error spike correlated with deployment at 2:47 AM, identify failing service, find exact error in 90 seconds.
We rolled back in 5 minutes. Incident resolved.
That's the power of Kibana - turning raw logs into actionable insights through visualizations, dashboards, and powerful search tools.
In this article, I'll show you everything I use in Kibana - from basic searches to building production monitoring dashboards.
What is Kibana?
Kibana is the visualization and exploration layer for Elasticsearch. It's:
Search UI: Query and explore data
Visualization tool: Charts, graphs, maps
Dashboard platform: Combine visualizations
Management interface: Configure Elasticsearch, ILM, index patterns
Written in Node.js, runs as a web application, connects to Elasticsearch.
Installing Kibana
Method 1: Docker
Access: http://localhost:5601
Method 2: Linux Installation
On Ubuntu/Debian:
kibana.yml:
Start service:
Method 3: Docker Compose (Full Stack)
docker-compose.yml:
Access Kibana: http://localhost:5601
First Time Setup
1. Index Patterns
Index patterns tell Kibana which Elasticsearch indices to use.
Create index pattern:
Navigate to Stack Management → Data Views
Click Create data view
Name: logs-*
Index pattern: logs-*
Timestamp field: @timestamp
Click Create data view
Now Kibana can query all logs-* indices.
2. Sample Data (Optional)
For testing, load sample data:
Home → Add sample data
Choose "Sample web logs" or "Sample flight data"
Click Add data
Great for exploring Kibana features.
Discover - Searching Logs
Discover is where I spend 80% of my time - searching and exploring logs.
Basic Search
Navigate to Discover
Select data view: logs-*
Set time range (top right): Last 15 minutes, Last 24 hours, etc.
You'll see:
Histogram of log volume over time
Table of recent logs
Field list on left
KQL (Kibana Query Language)
My preferred search syntax:
Basic queries:
Complex queries:
Lucene Query Syntax (Alternative)
Toggle to Lucene for advanced queries:
I use KQL 90% of the time - simpler syntax.
Filtering
Click field values to filter:
Find field in left sidebar
Click value to add filter
Click + to include, - to exclude
Edit filters:
Click filter to edit
Toggle enable/disable
Pin across views
Time Filtering
Time picker (top right):
Quick select:
Last 15 minutes
Last 1 hour
Last 24 hours
Last 7 days
Relative:
now-15m to now
now-1h to now
Absolute:
Select start and end dates
Refresh:
Set auto-refresh interval (10s, 30s, 1m)
Saved Searches
Save frequently used queries:
Build query + filters
Click Save (top right)
Name: "Payment Service Errors"
Click Save
Reload anytime from Discover sidebar.
Visualizations
Kibana supports many visualization types. Let me show you the ones I use most.
Creating a Visualization
Two ways:
Method 1: From Discover
Build search
Click Visualize
Method 2: From Visualize
Navigate to Visualize Library
Click Create visualization
Choose type
Visualization Types
1. Metric (Single Number)
Show total error count:
Configuration:
Data view: logs-*
Aggregation: Count
Filter:
level: ERROR
Result: Big number showing total errors
Use case: KPI tiles on dashboards
2. Line Chart (Time Series)
Logs over time by level:
Configuration:
X-axis: Date histogram on @timestamp (interval: auto)
Y-axis: Count
Split series: Terms on level field
Result: Line chart showing ERROR, WARN, INFO trends
This is my most-used visualization.
3. Bar Chart
Top 10 services by error count:
Configuration:
X-axis: Terms on service (size: 10, order by count desc)
Y-axis: Count
Filter:
level: ERROR
Result: Bar chart ranking services by errors
4. Pie Chart
Error distribution by service:
Configuration:
Slice by: Terms on service
Metrics: Count
Result: Pie chart showing proportional error counts
I use it for quick overviews.
5. Data Table
Top error messages:
Configuration:
Rows: Terms on message.keyword (size: 20)
Metrics: Count
Columns: Terms on service
Result: Table of most common errors
Great for drilling into specifics.
6. Area Chart
Stacked logs by level:
Configuration:
X-axis: Date histogram on @timestamp
Y-axis: Count
Split series: Terms on level
Chart type: Area (stacked)
Result: Stacked area showing log volume composition
7. Heat Map
Response time by hour and service:
Configuration:
X-axis: Date histogram on @timestamp (interval: 1 hour)
Y-axis: Terms on service
Cell value: Average response_time
Result: Heat map showing when/where slowdowns occur
Perfect for identifying patterns.
8. Maps (with GeoIP)
User locations:
Configuration:
Map type: Coordinate map
Geo coordinates: geoip.location
Metrics: Count
Result: World map with user activity dots
Requires GeoIP enrichment in Logstash.
Lens - Modern Visualization Builder
Lens is the new drag-and-drop visualization tool.
Create visualization:
Go to Visualize Library → Create → Lens
Drag fields to workspace
Kibana suggests visualization types
Customize as needed
Example: Drag @timestamp to X-axis, Kibana creates time series chart automatically.
I use Lens for 90% of new visualizations - it's intuitive.
Dashboards
Dashboards combine multiple visualizations into a single view.
Creating a Dashboard
Navigate to Dashboard
Click Create dashboard
Click Add from library or Create visualization
Arrange visualizations
Save
My Production Monitoring Dashboard
"Microservices Health Dashboard":
Layout:
Visualizations:
1. Metrics (top row):
Total log count
Error count (1 hour)
Warning count (1 hour)
Average response time
2. Time series:
Line chart: Logs over time split by level
3. Analysis:
Bar chart: Top services by error count
Heat map: Error rate by service and time
4. Details:
Data table: Recent error messages with service, timestamp
Dashboard Filters
Apply filters to entire dashboard:
Click Add filter
Field: environment
Value: production
Apply
All visualizations update to show only production logs.
Time Controls
Set time range for entire dashboard:
Use time picker (top right)
All visualizations sync to same time range
Dashboard Drilldown
Click on visualization to filter:
Click on "payment-service" in bar chart
Entire dashboard filters to payment-service
See related errors, time series, etc.
Clear filter to return to full view.
Saving and Sharing
Save dashboard:
Click Save
Name: "Microservices Health"
Description (optional)
Save
Share dashboard:
Click Share
Copy link (includes filters and time range)
Send to team
Export PDF (with X-Pack):
Share → PDF Reports
Generate report
Download or email
Canvas - Custom Infographics
Canvas is for pixel-perfect, presentation-ready dashboards.
Use cases:
Executive dashboards
NOC displays
Custom branding
Example: Create a "war room" display with:
Real-time metrics
Alert status
Service topology diagram
Custom graphics and logos
I use it for high-visibility displays, not day-to-day monitoring.
Alerts and Actions
Monitor data and trigger actions (requires X-Pack Basic+).
Creating an Alert
Navigate to Stack Management → Rules and Connectors
Click Create rule
Choose rule type: Elasticsearch query
Example alert: "High Error Rate"
Configuration:
Name: High Error Rate Alert
Check every: 1 minute
Index: logs-*
Time field: @timestamp
Query: level: ERROR
Threshold: Count > 100 in last 5 minutes
Action: Send email / Slack / PagerDuty
When triggered, alert sends notification.
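To make the "High Error Rate" rule's semantics concrete, here is an added example (not code from the article or from Kibana) that evaluates the same logic offline: count `level: ERROR` events over a trailing 5-minute window, compare against the > 100 threshold, and re-run the check every minute. The log events are constructed in the block; the 02:47 burst mirrors the deployment story at the top of the article.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)       # "in last 5 minutes" from the rule above
THRESHOLD = 100                     # "Count > 100"
CHECK_EVERY = timedelta(minutes=1)  # "Check every: 1 minute"

def ts(hour, minute, second=0):
    """Timestamp helper for the constructed day used below."""
    return datetime(2024, 1, 1, hour, minute, second)

def build_sample_events():
    """Constructed sample log events (timestamp, level, service), not data
    from the article: a steady baseline plus an error burst at 02:47."""
    events = []
    for minute in range(30, 60):  # baseline 02:30..02:59: 1 INFO + 2 ERROR per minute
        events.append((ts(2, minute), "INFO", "payment-service"))
        events.append((ts(2, minute), "ERROR", "payment-service"))
        events.append((ts(2, minute, 30), "ERROR", "payment-service"))
    for second in range(120):     # burst: one ERROR per second, 02:47:00..02:48:59
        events.append((ts(2, 47) + timedelta(seconds=second), "ERROR", "payment-service"))
    return events

def count_errors(events, now, window=WINDOW):
    """The rule's query (level: ERROR) counted over (now - window, now]."""
    start = now - window
    return sum(1 for t, level, _ in events if level == "ERROR" and start < t <= now)

def rule_fires(events, now, threshold=THRESHOLD):
    return count_errors(events, now) > threshold

def run_checks(events, first, last, every=CHECK_EVERY):
    """Evaluate the rule on its schedule: [(check_time, error_count, fired)]."""
    results, now = [], first
    while now <= last:
        n = count_errors(events, now)
        results.append((now, n, n > THRESHOLD))
        now += every
    return results

def first_alert_time(events, first, last):
    """When the schedule would first send a notification (None if never)."""
    for now, _, fired in run_checks(events, first, last):
        if fired:
            return now
    return None

if __name__ == "__main__":
    events = build_sample_events()
    for now, n, fired in run_checks(events, ts(2, 45), ts(2, 55)):
        print(now.strftime("%H:%M"), n, "ALERT" if fired else "")
```

Note the lag: the burst starts at 02:47:00 but the rule only crosses the threshold at the 02:49 check, and it goes quiet again once the burst leaves the 5-minute window.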
Connectors
Integrate with external services:
Email: SMTP
Slack: Webhook
PagerDuty: API
Webhook: Custom HTTP endpoint
Microsoft Teams: Webhook
Configure in Stack Management → Connectors.
Watcher (Advanced Alerting)
For complex alerting logic, use Watcher (X-Pack):
Dev Tools Console
Dev Tools is where I interact directly with Elasticsearch REST API.
Using Console
Navigate to Dev Tools
Type query in left pane
Click green play button or Ctrl+Enter
See response in right pane
Example queries:
I use Dev Tools constantly for testing queries before adding to dashboards.
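As an added example (not from the article), the following Python builds the request bodies behind two of the visualizations above, the "Top 10 services by error count" bar chart and the "Logs over time by level" line chart, so they can be pasted into Console after `GET logs-*/_search` and tested before a dashboard depends on them. The exact-match clauses sit in `bool.filter` rather than `bool.must`, which is the filter-context behaviour the performance tips later rely on; the sample response at the bottom is constructed, not captured from a cluster.

```python
import json

def time_range_filter(gte="now-24h", lte="now"):
    """Range clause for the time picker; a relative range such as
    now-24h keeps the search small, as the performance tips advise."""
    return {"range": {"@timestamp": {"gte": gte, "lte": lte}}}

def base_filters(environment=None):
    """Exact-match clauses belong in bool.filter (cacheable, no scoring),
    not bool.must; the optional environment clause is the dashboard filter."""
    filters = [time_range_filter(), {"term": {"level": "ERROR"}}]
    if environment:
        filters.append({"term": {"environment": environment}})
    return filters

def errors_by_service_query(size=10, environment=None):
    """Body behind the 'Top 10 services by error count' bar chart."""
    return {
        "size": 0,  # aggregation results only, no individual hits
        "query": {"bool": {"filter": base_filters(environment)}},
        "aggs": {"by_service": {"terms": {
            "field": "service", "size": size, "order": {"_count": "desc"}}}},
    }

def logs_over_time_query(interval="1h"):
    """Body behind the 'Logs over time by level' line chart: a date
    histogram on @timestamp, each bucket split by a terms agg on level."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [time_range_filter()]}},
        "aggs": {"over_time": {
            "date_histogram": {"field": "@timestamp", "fixed_interval": interval},
            "aggs": {"by_level": {"terms": {"field": "level", "size": 5}}},
        }},
    }

# Constructed response in the shape Elasticsearch returns for the bar-chart
# query; not captured from a real cluster.
SAMPLE_RESPONSE = {"aggregations": {"by_service": {"buckets": [
    {"key": "payment-service", "doc_count": 1342},
    {"key": "auth-service", "doc_count": 87},
]}}}

def buckets_to_rows(response, agg_name="by_service"):
    """Flatten a terms-aggregation response into (key, count) rows."""
    buckets = response["aggregations"][agg_name]["buckets"]
    return [(b["key"], b["doc_count"]) for b in buckets]

if __name__ == "__main__":
    print(json.dumps(errors_by_service_query(environment="production"), indent=2))
    print(buckets_to_rows(SAMPLE_RESPONSE))
```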
Stack Management
Centralized configuration for Elasticsearch and Kibana.
Key Sections
Index Management:
View indices
Delete indices
Adjust settings
Manage ILM policies
Data Views:
Create/edit index patterns
Manage field formatters
Advanced Settings:
Configure Kibana behavior
Default index pattern
Date formats
Saved Objects:
Import/export dashboards, visualizations, searches
Share configurations between environments
My Daily Kibana Workflows
Workflow 1: Investigating Production Issues
Open main dashboard - see current state
Notice error spike at specific time
Click on spike to drill down
Filter by service showing errors
Switch to Discover to see actual error messages
Search for specific error pattern using KQL
Expand log entry to see full details (trace ID, stack trace)
Follow trace ID to related logs across services
Identify root cause
Time: 2-5 minutes
Workflow 2: Building New Dashboard
Identify metrics needed (error rate, response time, etc.)
Create visualizations in Lens
Test queries in Discover
Combine into dashboard
Add filters and time controls
Test with team
Save and share
Workflow 3: Analyzing Trends
Open historical dashboard
Set time range to last 7 days
Look for patterns (daily peaks, weekly trends)
Create visualizations for anomalies
Export insights to share with team
Kibana Spaces
Organize dashboards by team or use case (requires X-Pack).
Creating a Space
Stack Management → Spaces
Create space
Name: "platform-team" or "prod-monitoring"
Choose which features to enable
Each space has separate:
Dashboards
Visualizations
Searches
Index patterns
Use for multi-team environments.
Security (X-Pack)
Control access to Kibana and data.
Users and Roles
Create role:
Stack Management → Roles
Create role: log_viewer
Cluster privileges: monitor
Index privileges:
Indices: logs-*
Privileges: read, view_index_metadata
Kibana privileges: Read access to Discover, Dashboard
Create user:
Stack Management → Users
Create user: john.doe
Assign role: log_viewer
Now the user can view logs but cannot modify the cluster.
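An added example (not code from the article or from Elasticsearch) that models the `log_viewer` role above and checks what it does and does not allow, plus a small audit that flags viewer roles carrying write-like grants. The mapping from operations to privileges is a simplified assumption; the real Elasticsearch privilege model is larger.

```python
from fnmatch import fnmatchcase

# The log_viewer role from the steps above, in the shape the Elasticsearch
# security API uses for a role definition.
LOG_VIEWER_ROLE = {
    "cluster": ["monitor"],
    "indices": [
        {"names": ["logs-*"], "privileges": ["read", "view_index_metadata"]},
    ],
}

# Assumed, simplified mapping from an operation to the index privilege it
# needs; the real Elasticsearch privilege model has many more entries.
ACTION_PRIVILEGE = {
    "search": "read",
    "get_mapping": "view_index_metadata",
    "index_document": "write",
    "delete_index": "delete_index",
}

WRITE_LIKE = {"all", "write", "delete", "delete_index", "manage"}

def index_privileges(role, index_name):
    """Union of the privileges a role grants on one concrete index name,
    matching the role's index patterns (e.g. logs-*) against it."""
    granted = set()
    for entry in role["indices"]:
        if any(fnmatchcase(index_name, pat) for pat in entry["names"]):
            granted.update(entry["privileges"])
    return granted

def is_allowed(role, action, index_name):
    """True if the role may perform the action on the named index."""
    granted = index_privileges(role, index_name)
    return "all" in granted or ACTION_PRIVILEGE[action] in granted

def has_cluster_privilege(role, privilege):
    return "all" in role["cluster"] or privilege in role["cluster"]

def audit_role(role):
    """Flag index grants that would let a 'viewer' change data: write-like
    privileges, or any grant on the catch-all pattern '*'."""
    findings = []
    for entry in role["indices"]:
        bad = WRITE_LIKE & set(entry["privileges"])
        if bad:
            findings.append(f"write-like privileges {sorted(bad)} on {entry['names']}")
        if "*" in entry["names"]:
            findings.append(f"grant on every index: {entry['privileges']}")
    return findings
```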
Performance Tips
1. Limit Time Ranges
Searching all data is slow:
Default to last 24 hours
Use relative time ranges
Avoid "Last 90 days" unless needed
2. Use Filters, Not Queries
Filters are cached, queries are not:
Use KQL for free-text search
Use filters for exact matches
3. Limit Visualization Buckets
Too many buckets slow down visualizations:
Terms aggregation: Limit to 10-20 terms
Date histogram: Use appropriate intervals (auto, 1h, 1d)
4. Disable Auto-Refresh in Production
Auto-refresh hits Elasticsearch repeatedly:
Use manual refresh
Enable auto-refresh only when actively monitoring
Common Issues
Issue 1: "No results found"
Check:
Time range (are logs in this range?)
Index pattern (does it match indices?)
Filters (are they too restrictive?)
Field name (case-sensitive)
Issue 2: Visualization shows no data
Check:
Time range
Filters
Aggregation field (is it mapped correctly?)
Data actually exists in Elasticsearch
Issue 3: Kibana slow
Solutions:
Limit time range
Reduce visualization complexity
Check Elasticsearch cluster health
Increase Kibana memory
Conclusion
Kibana turns raw logs into insights through powerful search, visualizations, and dashboards. Key takeaways:
Discovery:
KQL for searching logs
Filters for drilling down
Saved searches for common queries
Visualizations:
Line charts for time series
Bar charts for rankings
Tables for details
Lens for easy creation
Dashboards:
Combine multiple visualizations
Filter entire dashboard
Share with team
Export reports
Advanced:
Alerts for proactive monitoring
Dev Tools for direct Elasticsearch access
Canvas for custom displays
Spaces for organization
In the next article, we'll cover production best practices - security, scaling, backup, and running ELK at scale.
Previous: Part 3 - Logstash Pipeline
Next: Part 5 - Production Best Practices
This article is part of the ELK Stack 101 series. Check out the series overview for more content.