Using Kibana Discover for Time Series Data Visualization

Scenario

Solution Architecture

Discover serves as Kibana's primary interface for interactive data exploration. It directly interacts with the underlying Elasticsearch cluster.

1. User requests: Users set filters, rank data, and select time ranges on the Discover page.
2. Kibana: Converts user requests into Elasticsearch query DSL.
3. Elasticsearch: Executes queries and returns the results.
4. Kibana: Visualizes the results using charts and tables (for example, showing document counts using a horizontal bar chart).

For more information, see Discover.

Highlights

• Easy to use: An intuitive GUI enables quick data query and browsing without complex settings.
• Flexible: Kibana's intuitive KQL (Kibana Query Language) syntax and flexible filters enable precise, real-time data discovery across your Elasticsearch indexes.
• Real-time: Data is updated in real time. You can set time fields to query the latest data.

Prerequisites

• A CSS Elasticsearch cluster has been created. For a security-mode cluster, make sure its username and password have been obtained.
• The target data for query or analytics (such as logs and monitoring metrics) has been ingested into your Elasticsearch cluster. The data must contain a time field (for example, @timestamp).

Procedure

This section uses Kibana 7.10.2 as an example to describe how to use Discover for time-series data visualization. The Kibana UI varies slightly depending on the Kibana version.

1. Log in to Kibana and go to the command execution page.
   1. Log in to the CSS management consoleCSS management console.
   2. In the navigation pane on the left, choose Clusters > Elasticsearch.
   3. In the cluster list, find the target cluster, and click Kibana in the Operation column to log in to the Kibana console.
   4. In the left navigation pane, choose Dev Tools.

2. Create an index pattern.
   1. On the Kibana console, click the menu icon in the upper-left corner and choose Management > Stack Management.
   2. On the Stack Management page, choose Index Patterns and click Create index pattern.
   3. In the Index pattern name text box, enter an index name prefix (for example, kibana_sample_data*).
   4. Click Next step.
   5. Select a time field (for example, @timestamp) from the Time field drop-down list.
   6. Click Create index pattern to create an index pattern.
      Figure 1 Creating an index pattern
      

3. Go to the Discover page.
   1. On the Kibana console, click the menu icon in the upper-left corner, and choose Kibana > Discover.
   2. Select the index pattern created in the previous step (for example, kibana_sample_data*) from the Index patterns drop-down list.
      Figure 2 Selecting an index pattern
      

4. Browse data.
   • Bar chart: shows document counts in chronological order (aggregated every 15 minutes by default).
   • Document list: shows 500 matched documents by default (you can scroll down to load more).
   Figure 3 Browsing data
   

5. Search for data.
   • Add filters: In the Add filter area, select a field and enter a value (for example, status: 200) to filter the data.
   • Use KQL to query data: Enter a Kuery query statement (for example, response.keyword: "OK") in the search box and press Enter. For more information, see Kibana Query Language.
   Figure 4 Searching for data
   

6. Set a time filter.
   1. Adjust the time range. Click the time filter in the upper-right corner and select one of the following:
      • Absolute: Specify the start time and end time (for example, from 2024-03-01 00:00 to 2024-03-02 00:00).
      • Relative: Set an offset from the current time (for example, Last 1 hour or Last 7 days).
      • Now: Always update to the latest refresh time.
      Figure 5 Time filter
      
   2. Perform an interactive query on a histogram. Click a time range in the bar chart to quickly locate documents that fall into this range.