Kibana Data Analyst-6.5.0 PDF

Kibana Data Analyst
An Elastic Training Course
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju
6.5.0
elastic.co/training
6.x.x
Kibana Data Analyst
Course: Kibana Data Analyst
Version 6.5.0
© 2015-2019 Elasticsearch BV. All rights reserved. Decompiling, copying, publishing and/or distribution without written consent of Elasticsearch BV is
strictly prohibited.
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju
Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !2

distributing without written permission is strictly prohibited
Agenda and
Ju
lia
Introductions
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
About This Training
• Environment
• Introductions
• Agenda...
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Course Agenda
1 Kibana Fundamentals
2 Kibana Search
3 Kibana Visualization
4 Kibana Customized Dashboards
5 Kibana Time Series Visualization
a
or
6
H
Kibana Management
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

2 Kibana Search
6 Kibana Management
Lesson 1
a
Kibana
or
H
da
To
-A
Fundamentals
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Introduction to Kibana
The Elastic Stack
INGEST INDEX | QUERY | AGGREGATE VISUALIZE
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ingest: Logstash and Beats
• Logstash
‒ Server-side data processing
‒ Ingests data from multiple sources simultaneously (MongoDB,
PostgreSQL, Elasticsearch, ...)
‒ Parse, transform and prepare your data for ingestion
• Beats
a
or
H
‒ Single purpose data shippers
da
To
-A
9
‒ Many flavors: Filebeat, Metricbeat, Packetbeat, Winlogbeat, ...

01
-2
ar
M
6-
-2
‒ Lightweight agents that send data from a machine to

o
an
zc
Elasticsearch or Logstash
Li
n
lia
Ju

Index Query and Aggregations
• Elasticsearch is the heart of the Elastic Stack
• Elasticsearch is
‒ distributed: easy to scale
‒ RESTful: easy to communicate with using APIs
• It can be used to:
‒ search
a
or
H
da
To
‒ analyze 9
-A
01
-2
ar
‒ and store data

M
6-
-2
o
an
zc
Li
n
lia
Ju

Visualize
• Kibana is a graphical user interface for the Elastic Stack
• Kibana can be used to:
‒ manage the stack
‒ interact with the data
‒ store data
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Data Journey
1. Genesis
Beats
2. Ingest 3. Store
Kibana
Elasticsearch
a
Discovery 
or
Visualize
H
Dashboard 
da
Graph
To
-A
9
01
-2
ar
M
Logstash
6-
4. Search &
-2
o
Analyze
an
zc
Li
n
lia
Ju

Definition of a Document
• The same data can be represented differently:
title category date author_first_name author_last_name author_company
Fighting Ebola with User Emily Mosher

Elastic Stories
A row in a table
{ <?xml version="1.0" encoding="UTF-8"?>
"title": "Fighting Ebola with <root>
Elastic", <author>
a
"category": "User Stories", <first_name>Emily</first_name>
or
H
"author": {
da
<last_name>Mosher</last_name>
To
"first_name": "Emily", 9
-A
</author>
"last_name": "Mosher" <category>User Stories</category>
01
-2
ar
} <title>Fighting Ebola with Elastic</title>

M
6-
} </root>
-2
JSON XML
o
an
zc
Li
n
lia
Ju
• A document is a serialized JSON object that is stored in

Elasticsearch under a unique ID

A Simple Example: Spreadsheet
id user age country category

1 Bill 30 FR A
2 Marie 32 US A
3 Claire 32 US A
a
or
H
da
4 Tom 44 DE B
To
-A
9
01
5 John 40 US B
-2
ar
M
6-
6 Emma 26 US B
-2
o
an
zc
Li
n
lia
Ju

A Simple Example: Elasticsearch
Elasticsearch
{  {  {
"User": "Bill", "User": "Marie", "User": "Claire",
"Age": 30, "Age": 32, "Age": 32,
"Country": "FR", "Country": "US", "Country": "US",
"Category": "A" "Category": "B" "Category": "A"
} } }
a
or
H
da
To
-A
{ { { 
9
01
"User": "Tom", "User": "John", "User": "Emma",

-2
ar
M
"Age": 44, "Age": 40, "Age": 26,

6-
-2
"Country": "DE", "Country": "US", "Country": "US",

o
an
"Category": "B" "Category": "B"  "Category": "A" 

zc
Li
} } }
n
lia
Ju

Static Data vs. Time Series Data
• Data can be categorized into two groups:
‒ (relatively) static data: a large (or small) dataset that may grow
or change slowly
‒ time series data: event data associated with a moment in time
that typically grows rapidly
{
"cuisine": "French",
a
"ingredients": "Cheese, flour, butter, eggs, milk, nutmeg",
or
H
da
"time_in_min": 50,
To
"level": "easy" 9
-A
}
01
-2
Which category do these

ar
M
6-
documents belong to?

-2
o
an
zc
{
Li
n
lia
"tweet": "Wow Elasticsearch 7.0 seems awesome!",

Ju
"hashtags": ["elasticsearch", "kibana"]

"timestamp": September 1st 2017, 07:15:40.035
}

Documents Are Stored in an Index
• Indices are a way of grouping similar data together
• One common way to index data into different indices is to
use the timestamp value
Beats Elasticsearch
a
or
H
da
To
-A
9
01
-2
ar
M
tweets-2018-12-24 tweets-2018-12-23 tweets-2018-12-22

6-
-2
o
an
Logstash
zc
Li
n
lia
Ju
cooking_recipes

Index Patterns
• An index pattern identifies one or more Elasticsearch
indices that you want to explore with Kibana
Elasticsearch Kibana
a
or
H
da
To
9
-A tweets*
01
-2
ar
M
tweets-2018-12-24 tweets-2018-12-23 tweets-2018-12-22

6-
-2
o
an
zc
Li
n
lia
Ju
cooking_recipes
cooking_recipes Indices Index Patterns

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Datasets
Messages
#vacation
#dream
Elasticsearch
{
"message_id": 1,
"user.first_name": "John",
"user.last_name": "Smith",
a
"user.geo.country": "Germany",
or
H
da
"user.geo.city": "Berlin",
To
"user.nb_of_followers": 130, 9
-A
user_messages
01
"subjects": "#vacation #dream",

-2
ar
"number_of_subjects": 2,
M
6-
"likes": 32,
-2
o
an
"geo.country": "United Kingdom",

zc
Li
John Smith  "geo.city": "London"

n
lia
Ju
}
Germany
Berlin 
130 Followers

Users
John Smith
.....  John Smith
32 likes ..... 
Elasticsearch 123 likes
John Smith
..... 
18 likes
user_messages
a
or
{
H
da
"message_id": 41,
To
-A "first_name": "John",
9
01
"last_name": "Smith",
-2
ar
M
users "geo.country": "Germany",

6-
-2
"geo.city": "Berlin",
o
an
"nb_of_followers": 130,
zc
Li
n
"average_like": 87.45,
lia
Ju
"salary": 120000,
"occupation": "Sales"
}

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab Environment
Lab Environment
• Using the link that was shared with you, login to Strigo
• Click on "My Lab" on the left
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Lab Environment
• Click on the gear icon next to "My Lab" and select
"Machine Info"
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Lab Environment
• Copy the hostname that is shown under "Public DNS"
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Lab Environment
• From here you can access lab instructions and guides
‒ You also have them in your .zip file, but it is easier to access and
use the lab instructions from here:
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Accessing your Cluster
• Click on the Kibana link:
• Log in
‒ username: training
‒ password: kibana_management
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Elasticsearch, Kibana, Logstash, and Beats are
components of the Elastic Stack
• Kibana can be used to analyze, search, interact with and
visualize the data in Elasticsearch
• Kibana can be used to manage the Elastic Stack
• Data is sent as JSON objects into Elasticsearch
a
or
• In Kibana, an index pattern can be created to target a
H
da
specific set of indices To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. What are the four main components of the Elastic Stack?
2. True or False: Data is stored inside Kibana.
3. What would be a suitable index pattern for accessing both
cooking_recipes and cooking_user indices?
4. What kind of dataset the two following documents belong to?
a
{
or
H
da
"heartbeat": 123,
To
"timestamp": "Mon, 24 Dec 2018 00:23:28 GMT"9
-A
}
01
-2
ar
M
6-
-2
{
o
an
zc
"first_name": "Bill",
Li
n
"last_name": "Smith",
lia
Ju
"age": 27,
"country": "Mongolia"
}

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 1
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Discover Interface
Overview
• Data in Elasticsearch can have different types:
‒ numeric
‒ text
‒ date
‒ keywords
‒ ...
a
or
H
da
To
• The discover interface allows you to explore documents in 9
-A
01
Elasticsearch
-2
ar
M
6-
-2
‒ and better understand the different aspects of the data

o
an
zc
Li
n
lia
Ju

The Discover Interface
Side navigation Tool bar Time picker
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

The Discover Interface
Query bar Index pattern Histogram Document table
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Search is Everywhere
• Elasticsearch is a search engine
‒ Kibana can be used to search documents in Elasticsearch
• A search is executed by sending a query to Elasticsearch
‒ A query can answer many different types of questions:
‒ who are the users that are called Melissa?
‒ what are the names of the people living in France?
a
or
H
da
To
‒ are there any messages about Netflix? 01
9
-A
-2
• In Kibana, a search can be executed from the query bar

ar
M
6-
-2
o
an
‒ Kibana supports multiple query languages

zc
Li
n
lia
Ju

Designing a Query
• Before using the search bar, the first thing to do is to
formalize the question:
What are the messages from John in the US?
• Then, the query can be written and is actually fairly simple:

john us
• Elasticsearch scans through all the dimensions of the data
a
or
H
for the queried values
da
To
-A
9
01

-2
ar
M
Bill
6-
1 30 FR A
-2
o
an
2 Marie 32 US A
zc
Li
n
3 Claire 32 US A
lia
Ju
4 John 40 DE B
5 John 44 US B
6 Emma 44 US B

Search a Specific Field
• By default, the query below will search all fields for all values
john AND us
‒ but often you want to be more specific

What are the messages in which the user is John in the US country?
• If that is the case, you can rewrite the query above
a
or
H
da
To
‒ so that Elasticsearch will only query the specified fields 9
-A
01
-2
ar
M
6-
-2
user:john country:us
o
an
zc
Li
n
lia
Ju

Boolean Operators
• By default, Kibana uses the OR logic
‒ so it matches any documents containing john OR us
• Kibana allows you to use the following boolean operators:
‒ AND, OR, and NOT
• Now, you can rewrite the query with the AND logic
user:john AND country:us
a
or
H
da
To
-A
9

01
-2
ar
M
1 Bill 30 FR A
6-
-2
o
2 Marie 32 US A
an
zc
Li
n
3 Claire 32 US A
lia
Ju
4 John 40 DE B
5 John 44 US B
6 Emma 44 US B

Querying Numeric Fields
• Let's add some complexity to the question:
What are the messages in which the user is John in the US country
whose age is over 40?
• Numbers are different than text
‒ instead of exact matches you often have relations:
‒ less than (<)
‒ less than or equal (<=)
a
or
H
da
To
‒ greater than (>) 9
-A
01
-2
ar
‒ greater than or equal (>=)

M
6-
-2
o
an
• Now, you can rewrite the query as:

zc
Li
n
lia
Ju
user:john AND country:us AND age:>40

Query "Context"
• There are two important factors to take into consideration:
‒ where are we looking for those documents? Index Pattern
‒ when are we looking for those documents? Time Picker
• Make sure to set the correct index pattern and timeframe:
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• The discover interface allows you to explore the different
data dimensions
• The most common mistake in the discover interface is not
checking the index pattern and time picker
• The search bar can be used to search all the data inside
Elasticsearch
• The document table can be customized to display only
a
or
H
da
some of the fields
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. What are the first two settings someone should check when
using the discover interface?
2. What are the three different boolean operators?
3. Build the query: "Find the messages from Claire younger
than 30 years old that belong to the category A?"
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 2
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Aggregations
Overview
• Data is often complex and involves many dimensions
• Often, we want immediate insights about a dataset, such as:
‒ the average of a specific attribute
‒ slicing the data based on specific attributes
‒ ...
• Spreadsheets might fulfill this using a "pivot table"
a
or
H
da
To
• In the Elastic Stack we call the equivalent functionality a 9
-A
01
search aggregation
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

A Simple Example: Spreadsheet

1 Bill 30 FR A
2 Marie 32 US A
3 Claire 32 US A
a
or
H
da
4 Tom 44 DE B
To
-A
9
01
5 John 40 US B
-2
ar
M
6-
6 Emma 26 US B
-2
o
an
zc
Li
n
lia
Ju

A Simple Example: Elasticsearch
Elasticsearch
users
{  {  {
"Age": 30, "Age": 32, "Age": 32,
"Category": "A" "Category": "A" "Category": "A"
} } }
a
or
H
da
To
-A
9
01
-2
ar
{ { { 
M
6-

-2
o
"Age": 44, "Age": 40, "Age": 26,

an
zc

Li
n
lia
"Category": "B" "Category": "B"  "Category": "B" 

Ju
} } }

Metrics Aggregation
• In Elasticsearch metrics are calculated using aggregations
‒ similar to how values are summarized in a pivot table for a
specific field or column
• Metrics aggregations compute numeric values based on
your dataset
‒ they are mathematical operations that output a single value:
‒ avg, sum, min, max, unique count
a
or
H
da
To
-A
‒ or multiple values:
9
01
-2
ar
M
‒ percentiles, percentile_ranks
6-
-2
o
an
zc
Li
n
lia
Ju

A Simple Average Using Pivot Table

1 Bill 30 FR A
2 Marie 32 US A
3 Claire 32 US A
4 Tom 44 DE B
5 John 40 US B
6 Emma 26 US B
a
or
H
da
To
-A
9
01
-2
Pivot table definition Pivot table

ar
M
6-
-2
Rows Values
o
AVG of age
an
zc
Li
n
lia
Ju
AVG of age 34

A Simple Average Using Aggregations
Elasticsearch
{
"aggregations": {
"avg_of_age": {
"avg": {
{  {  { "field": "age"
"User": "Bill", "User": "Marie", "User": "Claire", }
"Age": 30, "Age": 32, "Age": 32, }
"Country": "FR", "Country": "US", "Country": "US", }
"Category": "A" "Category": "A" "Category": "A" }
} } }
a
or
H
da
To
-A
9
01
-2
ar
{ { { 
M
6-

-2
o
"Age": 44, "Age": 40, "Age": 26,

an
zc

Li
"aggregations" : {
n
lia
"Category": "B" "Category": "B"  "Category": "B"  "avg_of_age" : {

Ju
} } } "value" : 34.0
}
}

Buckets
• A bucket aggregation is a way of slicing the data
‒ in a pivot table it could be compared to rows or columns
• A bucket is simply a collection of documents that share a
common criterion
• Every bucket can have one or more metrics associated to it
‒ the default metric associated to a bucket is the number of
a
documents inside the bucket
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Simple Bucket Using a Pivot Table

1 Bill 30 FR A
2 Marie 32 US A
3 Claire 32 US A
4 Tom 44 DE B
5 John 40 US B
6 Emma 26 US B
a
or
H
da
To
-A
9
01
Pivot table definition Pivot table

-2
ar
M
6-
-2
Rows Values category COUNT of id

o
an
zc
Li
A 3
n
Order ASC by COUNT of id

lia
Ju
category B 3

Simple Bucket Aggregation
{
Elasticsearch "aggregations": {
"categories": {
"terms": {
"field": "category"
{  {  { }
"User": "Bill", "User": "Marie", "User": "Claire", }
"Age": 30, "Age": 32, "Age": 32, }
"Country": "FR", "Country": "US", "Country": "US", }
} } } "aggregations": {
"categories": {
Bucket: A
a
"buckets": [
or
Count: 3
H
da
{
To
9
-A "key": "A",
01
"doc_count": 3
-2
ar
},
M
{ { { 
6-
-2
{
o
an
"key": "B",
zc
"Age": 44, "Age": 40, "Age": 26,

Li
"doc_count": 3
n

lia
Ju
"Category": "B" "Category": "B"  "Category": "B"  }

} } } ]
}
Bucket: B }
Count: 3

Adding Metrics

1 Bill 30 FR A
2 Marie 32 US A
3 Claire 32 US A
4 Tom 44 DE B
5 John 40 US B
6 Emma 26 US B
a
or
H
da
To
-A
9
01
-2
ar
COUNT AVG of
M
6-
category
-2
Rows Values of age age

o
an
zc
Li
n
COUNT of age A 3 31.33

lia
Order ASC by
Ju
category AVG of age B 3 36.66

Adding Metrics "aggregations": {
"categories": {
"terms": {
"field": "category"
Elasticsearch },
"aggregations": {
"avg_age_per_category": {
"avg": {
{  {  { "field": "age"
}
} } } }
"Age": 30, "Age": 32, "Age": 32,
} } }
Bucket: A "aggregations": {
Count: 3 "categories": {
a
"buckets": [
or
Avg of age: 31.33
H
da
{
To
9
-A
"key": "A",
"doc_count": 3,
01
-2
"avg_age_per_category": {
ar
{ { { 
M
"value": 31.33
6-
-2
"User": "Tom", "User": "John", "User": "Emma", }

o
an
"Age": 44, "Age": 40, "Age": 26,

zc
},
Li

n
{
lia

Ju
"key": "B",
} } } "doc_count": 3,
Bucket: B "avg_age_per_category": {
Count: 3 "value": 36.66
Avg of age: 36.66 }
} ] } }
Nesting Rows/Columns in a Pivot Table
1 Bill 30 FR A
2 Marie 32 US A
3 Claire 32 US A
4 Tom 44 DE B
5 John 40 US B
6 Emma 26 US B
a
or
H
da
COUNT AVG of
To
-A category country
of age age
9
01
Rows Values
-2
ar
M
6-
A FR 1 30
-2
Order ASC by COUNT of age

o
an
zc
category
Li
US 2 32
n
lia
Ju
Order ASC by AVG of age

country B DE 1 44
US 2 33

Adding Sub-Bucket Aggregation
Elasticsearch
Bucket: A
Count: 3
Bucket: FR Bucket: US
Count: 1 Count: 2
Avg of age: 30 Avg of age: 32
{  {  {
"Age": 30, "Age": 32, "Age": 32,
} } }
a
or
Bucket: B
H
da
To
Count: 3
-A
9
01
Bucket: DE Bucket: US
-2
ar
M
Count: 1 Count: 2
6-
-2
Avg of age: 44 Avg of age: 33

o
{ { { 
an
zc

Li
n
lia
"Age": 44, "Age": 40, "Age": 26,

Ju

} } }

Metrics Aggregation
Metrics Aggregation 6
a
or
Count of Documents
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Bucket Aggregation
Metrics
2
Aggregation
a
or
H
da
To
1 01
9
-A
-2
ar
M
6-
-2
0
o
an
zc
Li
US FR DE
n
lia
Ju
Bucket Aggregation
Sub-bucket Aggregation
Sub-Bucket Aggregation
4
A
3 B
Metrics
2
Aggregation
a
or
H
da
To
1 01
9
-A
-2
ar
M
6-
-2
0
o
an
zc
Li
US FR DE
n
lia
Ju
Bucket Aggregation
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Kibana renders visualizations using the results of
Elasticsearch aggregations
• There are two main types of aggregations:
‒ metrics
‒ bucket
• Metrics aggregations are used to compute numeric values
a
or
H
da
• Bucket aggregations are used to group data together
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. What are the two main types of aggregations?
2. True or False: Aggregations are used by Kibana to render
visualizations.
3. Explain which aggregations are used to build the following
visualization.
a
or
H
da
To
9
-A B
01
-2
ar
M
6-
US
-2
o
an
zc
Li
n
lia
FR
Ju
DE

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 3
2 Kibana Search
6 Kibana Management
Lesson 2
a
Kibana Search
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
The Query Bar
Improving Search
• Search is extremely important
‒ almost every page in Kibana will have a search bar
• But, search is not limited to searching for a specific word
‒ or searching over a specific interval
• Search may involve:
‒ fuzzy data
a
or
H
da
To
‒ using regex or wildcard to search over specific patterns 9
-A
01
-2
ar
‒ boosting specific fields over others

M
6-
-2
o
an
zc
Li
n
lia
Ju

Fuzzy Search
• In today’s world, we expect a search application to grant us
some leniency in terms of our spelling skills
• A known approach is to use edit distance:
‒ edit distance are functions that count the number of edits to go
from one word to another
‒ the Damereau-Levenshtein distance is one of the most used ones
a
or
H
da
Edit distance = 1 Edit distance = 2
To
-A
9
01
“Mario” “Eifele”
-2
ar
M
6-
-2
o
o e f
an
zc
Li
n
lia
Ju
Marie e
“Eiffel”

Fuzzy Search
• The edit distance can be defined per query term
‒ the allowed values are 0 (default), 1, 2, and auto
‒ auto will define the fuzziness based on the length of the word
Fuzziness
Searched Edit distance
word value
a
or
Marie
H
Mario~1
da
To
-A
...
9
01
-2
ar
M
6-
-2
Eiffel
o
Eifele~2
an
zc
Li
n
lia
...
Ju
Mario~auto Marie
...
Fuzzy Search
• Be aware that fuzzy search is expensive
‒ it will not be as fast as regular searches
‒ and it can crash your cluster
• Great for incident analysis
• Not so great for common queries
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Wildcard Overview
• Wildcard can be used to enhance searches
• In a lot of cases some data follow a certain pattern:
‒ var/lib/elasticsearch/conf/elasticsearch.yml  
var/lib/elasticsearch/conf/jvm.options 
var/lib/elasticsearch/conf/log4j2.properties
‒ jump, jumps, jumping, jumped
• There are two options when it comes to wildcard:
a
or
H
da
To
-A
‒ *, which matches any character sequence (including empty ones)
9
01
-2
ar
M
‒ ?, which matches any single character

6-
-2
o
an
zc
Li
n
lia
Ju

Wildcard Overview
• Both * and ? can be used at part of the string
• Let's search for every word that start with Mari
Mari
Marie
Mari* Maria
Marion
a
or
Marine
H
da
To
-A
• Let's search for every word that starts with Mar?a, in
9
01
-2
ar
which ? is any single character

M
6-
-2
o
an
zc
Marea
Li
n
lia
Ju
Mar?a Maria
Marya

Regexp Query
• The regexp query offers even more power to match patterns
‒ syntax is based on the Lucene regular expression engine 
 
https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html#regexp-syntax
• For example, you can use it to find all the documents that
contain a phone number from France:
‒ starts with +33 followed by 9 numbers
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
my phone number: +33235151151

o
an
zc
/.*+33[0-9]{9}.*/
Li
n
Here: +33235151151 call me later

lia
Ju
...

Searching for Patterns is Expensive
• Both wildcard queries and regexp queries are expensive
‒ they will not be as fast as regular searches
‒ and they can crash your cluster
• Great for incident analysis
• Not so great for common queries
‒ If you need it, prefer trailing patterns
a
or
H
da
To
‒ Always avoid leading patterns 9
-A
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Boosting
• When searching on multiple fields, some fields can be more
important than others:
‒ for example, an email title is probably more relevant than the body
• In the search bar, it is possible to reflect this by boosting
specific fields:
‒ which impacts the order of the returned documents
a
or
H
da
subjects:instafood OR first_name:john^2
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
Searching on the subjects Boosting the score by 2

lia
Ju
and first_name fields on the field first_name

Kibana Query Language Enhancement
• In Kibana version 6.0 a new Kibana query language has
been introduced, Kuery
‒ it simplifies the Lucene syntax
‒ it is enabled when you turn on the autocomplete feature
‒ when enabled, the Lucene syntax cannot be use anymore
• The autocomplete feature suggests:
a
or
H
‒ field names
da
To
-A
9
01
‒ operators
-2
ar
M
6-
-2
‒ values
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Fuzzy, Wildcard, and Regular Expression queries are
powerful and can help you find documents with partial
information
• However, they are expensive and should be used with care
• Boosting allows you to influence the order that documents
are returned
• Kuery is a new Kibana query language introduced in 6.0
a
or
H
da
that simplifies the Lucene query syntax
To
-A
9
01
-2
• Kuery has autocomplete

ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. True or False: Fuzzy, Wildcard, and Regular Expression
queries are powerful and cheap.
2. True or False: Kuery is enabled when you turn on the
autocomplete feature.
3. Explain the following query:
subjects:insta* AND user:maria~auto
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 4
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Search on Text
Text Subtleties
• Text is very interesting when it comes to search
‒ different people will always expect different behavior:
• Let's take a comment and a user ID as examples:
Wow! I love this city, Paris is beautiful! B6IAWRLOLb
• Both examples are text, but

‒ a search for "paris" should still find documents that contain "Paris"
a
or
H
da
To
‒ a search for "B6IAWRLOLB" should not find documents that -A
9
01
contain "B6IAWRLOLb"
-2
ar
M
6-
-2
o
• Why?
an
zc
Li
n
lia
Ju

Full Text Search vs Exact Match
• There are different use cases for text:
‒ full text search (where the text will be normalized)
‒ exact match (where the text will be kept as is)
• Let's dive more into those two use cases
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Document Analysis
• When there is a need for full text search, the data needs to
be normalized:
‒ this process is called text analysis and is done by an analyzer
‒ text analysis is customizable and can have operations like lower
casing, punctuation removal, tokenization, ...
• Let's index documents in Elasticsearch:
Tokens ID
a
or
H
da
wow 1
To
Wow! I love this city, -A
1 Paris is beautiful! i 1, 2
9
01
-2
ar
love 1, 2
M
6-
-2
this 1
o
an
2 I love Paris! Analysis

zc
Li
city 1
n
lia
Ju
paris 1, 2, 3
3 Paris is 1
so 1
beautiful 1
Query Analysis
• When querying an analyzed field, by default, the query will
also be analyzed
‒ and then compared to the tokens of the indexed documents
Query
Tokens ID
The city of Paris Analysis wow 1
i 1, 2
a
or
H
love 1, 2
da
To
-A this 1
9
01
-2
the city of paris city 1

ar
M
6-
-2
paris 1, 2
o
an
zc
Li
is 1
n
lia
Ju
so 1
1 2 beautiful 1
Response
Exact Match
• For exact matches, the data is not going to be analyzed
‒ no normalization will be done
• Let's index documents in Elasticsearch:
Tokens ID
Wow! I love this city,

1 Wow! I love this
a
Paris is beautiful!
or
H
da
city, Paris is 1
To
-A beautiful!
9
01
2 I love Paris!
-2
ar
M
6-
-2
I love Paris! 2
o
an
zc
Li
3 Paris
n
lia
Ju
Paris 3

Exact Match Query
• When querying a not analyzed field, by default, the query
will also not be analyzed
‒ but directly compared to the tokens of the indexed documents
• It should be used for strict values instead of sentences
Tokens ID
a
or
H
da
Paris Wow! I love this
To
-A
city, Paris is 1
9
3
01
beautiful!
-2
ar
M
6-
-2
o
an
zc
I love Paris! 2
Li
n
lia
Ju
paris
Paris 3

Index Patterns
• Index patterns summarize well what a field is designed for
• In the index pattern view, you will be able to see
‒ which fields you can use to build visualizations
‒ which fields you can user to search
• When the field is both aggregatable and searchable it
means that the field is designed for exact match
a
or
H
da
• When the field is only searchable it means that the field is
To
-A
designed for full text search
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Text data has two main use cases: full-text search and
exact match
• In full-text search, the data needs to be normalized
• In exact match, the data is not normalized
• When querying, by default, the query will be analyzed or not
respectively
a
or
• In Kibana, the index patterns view shows this information
H
da
for each of the fields To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. What are the two main use cases for text data?
2. True or False: When querying, by default, the query will be
analyzed if the field is setup as an exact match.
3. In Kibana, how do you know if a field should be used for
search or for aggregations?
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 5
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Search with Query DSL
Search with Query DSL
• So far, we discussed two methods to search data in Kibana:
‒ Lucene syntax
‒ Kuery (has auto-completion)
• Another way is based on the Query DSL syntax:
‒ it is mostly used by developers to query Elasticsearch directly
‒ it offers a lot of flexibility and fine tuning
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

The Query DSL Syntax
• The Query DSL syntax relies on a simple JSON syntax to
write complex queries:
‒ JSON makes it easy to read and understand the query
‒ JSON works with a system of key/value
"Index Pattern"
Keys GET users*/_search

Values
a
or
GET users*/_search {
H
da
{ "query": {
To
"query": { -A "match": {
9
01
"TYPE_OF_QUERY": { "subjects": {
-2
ar
... "query": "#dogs"

M
6-
-2
} }
o
an
} }
zc
Li
} }
n
lia
Ju
}
Type of query

Match Query
• Imagine you want to search for "food", "dogs" or "chocolate"
on the subjects field
• Using the Lucene syntax, you would write the following:
subjects:(food dogs chocolate)
• Using the query DSL syntax, you would write the following:
GET user_messages*/_search
a
or
H
{
da
To
"query":{
-A
"match": {
9
01
-2
"subjects": {
ar
M
6-
"query": "food dogs chocolate"

-2
o
an
}
zc
Li
}
n
lia
Ju
}
}

Match Query Operator
• By default the match query is applying the OR operator
‒ food OR dogs OR chocolate
• You can change the behavior of the match query by
defining the operator
{
a
"query":{
or
H
"match": {
da
To
"subjects": { 9
-A
01
"query": "food dogs chocolate", 

-2
ar
"operator": "and"
M
6-
-2
}
o
an
zc
}
Li
n
lia
}
Ju

Minimum Should Match
• Searching for "food", "dogs" or "chocolate" may be too
permissive and give too many results
• Elasticsearch allows you to specify the minimum number of
terms that should match
‒ for example, at least 2 words out of 3 should match
‒ (food AND dogs) OR (food AND chocolate) OR (dogs AND chocolate)
a
or
H
da
To
{ -A
9
01
"query":{
-2
ar
M
"match": {
6-
-2
"subjects": {
o
an
"query": "food dogs chocolate", 

zc
Li
"minimum_should_match": 2
n
lia
Ju
}
}
}
}

Going Deeper
• The query DSL syntax may seem complex at first but is
very powerful
• there are many types of queries:
‒ match
‒ match_phrase
‒ range
a
or
H
‒ ...
da
To
-A
9
01
• The documentation will help you build queries:

-2
ar
M
6-
-2
o
‒ https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html
an
zc
Li
n
lia
• Engineer I and Engineer II trainings cover it in depth

Ju

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• The Query DSL is more complex to write
‒ but gives you full control to all query features in Elasticsearch
• The match query is the main query to match documents
• The match query uses an OR as the default operator, but it can be
easily changed to an AND
• If you have multiple terms in a match query, you can define the
minimum number of terms that should match
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. True or False: The Query DSL allows you to use every
search feature in Elasticsearch.
2. What is the default operator of the match query?
3. True or False: By default, the match query should match a
minimum of two terms.
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 6
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Filters
Query Bar Limitations
• Imagine you have multiple search criteria:
‒ age:>30
‒ subjects:"art"
‒ subjects:"fashion"
‒ subjects:"summer"
‒ first_name:"Claire"
a
or
H
da
To
• Often times, you don't want to apply all of them together 9
-A
01
-2
ar
‒ but, to analyze the data by enabling and disabling those searches

M
6-
-2
o
an
• It will require some manual work to do such a thing using the

zc
Li
n
lia
query bar
Ju
‒ this is where filters can be used...

Filters Overview
• A filter is equivalent to a search criteria and they work in a
very similar fashion
• Once defined a filter can be:
‒ enabled/disabled
‒ pinned
‒ negated/positivized
a
or
H
‒ dropped
da
To
-A
9
01
‒ edited
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Filters Customization
• Internally filters are transformed in a query DSL
• There are two ways of customizing a filter:
‒ adding a label to the filter to quickly identify it
‒ redefine the way the filter behave by editing the query DSL
• When editing the generated query DSL it will be possible to
change the behavior of the filter
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Discover Interface Navigation
• Filters can be used to navigate and explore the data:
1. create multiple relevant filters
2. type a query
3. use the filters for quick navigation
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Kibana Interface Navigation
• Filters can be used to navigate through multiple Kibana
interface
1. create filters in discover
2. pin the interesting filters
3. go to visualize
4. create a visualization
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Filter and Query Bar
• The filters and the query bar are complementary
• It is possible to have multiple search criteria in the query
bar but they will be all applied in the same time
• Filters allows for a better granularity, with some filters being
enable or disabled
• They will have similar performance
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Internals
• Internally the query inside the query bar will be transformed
into a query_string, which will parse the query:
‒ https://www.elastic.co/guide/en/elasticsearch/reference/current/
query-dsl-query-string-query.html
• Depending of the created filter, different kind of queries will
be generated:
‒ range: https://www.elastic.co/guide/en/elasticsearch/reference/
a
or
current/query-dsl-range-query.html
H
da
To
-A
‒ match_phrase: https://www.elastic.co/guide/en/elasticsearch/
9
01
-2
ar
reference/current/query-dsl-match-query-phrase.html
M
6-
-2
o
an
zc
‒ exists: https://www.elastic.co/guide/en/elasticsearch/reference/
Li
n
lia
current/query-dsl-exists-query.html
Ju
‒ ...

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Kibana filters give you a lot of flexibility when exploring the
data, as they allow you to
‒ easily enable and disable different filters
‒ navigate through different pages with pinned filters
• You can customize filters using:
‒ pre-defined settings
a
or
H
‒ the query DSL
da
To
-A
9
01
• Kibana filters and the query bar are complementary

-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. True or False: Kibana only allows a single filter at a time.
2. Cite three actions that you can apply to a filter.
3. True or False: You should use either kibana filters or the
query bar.
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 7
2 Kibana Search
6 Kibana Management
Lesson 3
a
Kibana
or
H
da
To
-A
Visualization
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 8
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Pipeline Aggregations
A Simple Problem
• New users are referenced every months:
‒ How would you build the cumulative sum of this chart?
400
300
Number of users
a
or
H
da
To
200 -A
9
01
-2
ar
M
6-
-2
o
an
100
zc
Li
n
lia
Ju
0
June
April
Mai
January
September
July
August
November
December
October

A Simple Solution
• Stacking the different buckets will solve the issue...
400 2000
Cumulative sum of users

300 1500
Number of users
a
or
H
da
To
200 -A 1000
9
01
-2
ar
M
6-
-2
o
an
100 500
zc
Li
n
lia
Ju
0 0
June
April
Mai
January
September
July
August
November
December
October

Pipeline Aggregation Introduction
• ... But remember, aggregations normally work on
documents
• A pipeline aggregation, will actually works on the output
generated by another aggregation
• There are multiple pipeline aggregations available:
‒ avg, max, min, sum, cumulative sum, derivative, moving avg,
serial diff
a
or
H
da
To
• Let's dive into some of the most complex pipeline 9
-A
01
aggregations...
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Derivative
• The derivative is used to compare one bucket with the
previous one:
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Derivative
• No value can be computed for the first bucket as it require
at least 2 values
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Derivative
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Derivative
• The derivative help having an idea of the difference
between a bucket and its previous value
‒ the longer the bar is, the greater the difference from the previous
one
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Serial Differencing Aggregation
• The serial differencing aggregation will compute the
difference between two buckets separated by a defined lag
‒ the default lag has a value of one (which make this aggregation,
with the default setting, equivalent to the derivative)
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

• Let's apply the serial differencing with a lag of 9, since it
appear that there is a recurrent pattern of period 9:
‒ The 9 first buckets will then not have any values
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

• The serial differencing is a very powerful aggregation when
it comes to times series analysis as it will de-trend the time
series
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

The Moving Average
• Typically the moving average can be used to smooth
variations of a time series in order to highlight general
trends
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Window Based
• A window will be defined on top of the buckets
‒ The bucket falling into this window will be averaged
‒ It is possible to define how large the window will be
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Window Based
• Then the window is slided and a new average computed
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Window Based
• Until the end of all the buckets
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Window Based
• The end result is a smoother time series:
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Advanced JSON input
• The UI doesn't give access to all the parameters of an
aggregation (some aggregations have a lot of parameters
available!)
• Hopefully the advanced JSON input can be used to
customized certain parameters:
‒ changing the window size for a moving average
‒ changing the lag in a serial differencing aggregation
a
or
H
da
To
‒ ... 9
-A
01
-2
ar
• To customize the aggregation:

M
6-
-2
o
an
zc
‒ refer to the doc to find the parameters of the aggregations

Li
n
lia
Ju
‒ Add the parameter to the advanced JSON input

{ "window": "3"}

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Pipeline aggregations are working on the output of another
aggregation instead of documents
• The default settings of the serial differencing aggregation
makes it equivalent to the derivative aggregation
• Pipeline aggregations have a lot of parameters that can be
added using Advanced JSON input
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. What parameter should be used to increase the window
interval of a moving average?
2. True or False Pipeline aggregations work on the documents
directly
3. What is the difference between the derivative and the serial
differencing aggregation?
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 9
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Visualization
More Types of
Pivot Table in Kibana
• Aggregations and pivot table are two concepts that are very
similar
• By using the table visualization it is possible to have a
"pivot table" directly in Kibana
• Let's generate the following:
‒ What aggregations are required here?
Category Country Count Average(age)
a
or
H
da
To
-A
9
01
Category A US 2 32
-2
ar
M
6-
-2
o
an
Category A FR 1 30
zc
Li
n
lia
Ju
Category B US 2 33
Category B DE 1 44
Pivot Table
• A bucket aggregation of type term need to be executed
on the category field first
• A sub-bucket aggregation of type term need to be
executed on the country field
• A metric aggregation of type count (default metric
aggregation) need to be applied on all generated buckets
• Another metric aggregation of type average on the age
a
or
H
da
field need to be applied on all the generated buckets
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Table Visualization
• By default Kibana table will have only one row (a count of
all the documents)
Count
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Table visualization
• The row need to be split by applying the first term
aggregation on the field category
Category Count
a
or
H
Category A 3
da
To
-A
9
01
-2
ar
M
6-
-2
o
Category B 3
an
zc
Li
n
lia
Ju

Table visualization
• The rows can be split again by applying another term
aggregation on the country field
Category Country Count
Category A US 2
a
or
H
da
To
Category A FR 9
-A 1
01
-2
ar
M
Category B US 2
6-
-2
o
an
zc
Li
n
Category B DE 1
lia
Ju

Table visualization
• A column can be added to the visualization by adding the
average metric aggregation on the field age:
Category Country Count Average(age)

Category A US 2 32
a
or
H
Category A FR 1 30
da
To
-A
9
01
Category B US 2 33
-2
ar
M
6-
-2
Category B DE 1 44
o
an
zc
Li
n
lia
Total 6 139
Ju

Table Customization
• Every rows in a table is the result of bucket aggregations
• The number of rows displayed in the visualization can be
customized in the options
• If all the rows are not displayed in the table then a system
of pagination can be used
• It is possible to apply the metric aggregations at the parent
level using the options of the table
a
or
H
da
• The total of all the metrics can be computed To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Heat Map Overview
• Heat map can be seen as a 2 dimensions matrix
visualization of your data
• When creating a heat map, 3 things need to be defined:
‒ the bucket aggregation on the x-axis
‒ the bucket aggregation on the y-axis
‒ the metric to use to compare the different values of the matrix
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Heat Map Overview
Metric Aggregation
Category A
a
or
H
da
To
-A
9
01
-2
ar
Category B
M
6-
-2
o
an
zc
Li
n
lia
Ju
Bucket Aggregations DE US FR

Heatmap Example
Country with high response time per bits downloaded
0k-10k
10k-20k
20k-30k
30k-40k
a
or
H
da
40k-50k
To
-A
9
01
-2
50k-60k
ar
M
6-
-2
o
an
60k-70k
zc
Li
n
lia
Ju
70k-80k
Haiti Jordan Mayotte Venezuela Lebanon Botswana

Tag Cloud Overview
• Tag cloud is a simple visualization allowing the display of
words in the documents
• There is only two bucket aggregations possible:
‒ terms aggregation
‒ significant term aggregation
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Tag Cloud
• Every word is the result of the bucket aggregation
• The size of a word is a function of the result of the metric
aggregation (default to count)
Marie
John
Bill
Tom
a
or
H
da
Emma
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Visualizing Geo Points
• The Coordinate map allows the visualization of geo points
on a map
• A grid is generated on top of a Mercator map
• The granularity of the grid will depend of the zoom level
‒ the more the user zoom on the map the higher the precision will
be
a
• The visualized points need to be geo point in Elasticsearch
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Low Precision
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Higher Precision
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Region Map Overview
• The coordinate map allows the visualization of geo points,
the region map on the other hand is helpful to visualize
regions:
‒ country
‒ states
‒ provinces
• By default Kibana is shipped with multiple vectors maps:
a
or
H
da
https://maps.elastic.co/v2/index.html#
To
-A
9
01
-2
ar
• The Elastic Map Service have a zoom level up to 10 (18 if

M
6-
-2
the basic license is used)

o
an
zc
Li
n
lia
Ju
• It is possible to use other base maps: https://

www.elastic.co/blog/custom-basemaps-for-region-and-
coordinate-maps-in-kibana
Region Map Creation
• To create a region map it is important to make sure that the
documents inside Elasticsearch contain the join field
• For instance to visualize the countries of the world the
documents need to contain a join field, that could be:
‒ 2 letters country code: FR, US, DE, NL
‒ 3 letters country code: FRA, USA, DEU, NLD
a
‒ the country name: France, United States, Germany, Netherlands
or
H
da
To
-A
• It is possible to define the join field that is going to be used
9
01
-2
ar
in the options
M
6-
-2
o
an
zc
• A terms aggregation is then run on the join field

Li
n
lia
Ju
• The defined metric aggregation is going to define the color

intensity of the regions

Region Map
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Kibana is providing a lot of ways of displaying data, but it all
rely on the concept of aggregations and where they are
used in the visualization
• When building a Heat map the x and y axis are used for the
buckets aggregation and the metric aggregation will define
the color intensity of the cells
• When displaying data on a map, there is two solutions,
a
using the coordinate map (documents should have a field
or
H
da
To
with latitude and longitude) or using the region map 9
-A
01
(documents should have a field containing a region)

-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. What is the maximum value of Elastic Map Service zoom?
2. How would you create the following table: 
 
Name  Count Average Like
 
Smith   321 25.4
 
Goodwill   219 193.4
a
 
or
H
da
To
De   Bourraine 200 149.4 9
-A
01
 
-2
ar
M
Schwartz 143 123.8

6-
 
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 10
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Improving
Visualizations
Comparing Multiple Metrics
Bucket Aggregation
?
4 40
a
or
3
H
30
da
Document count
To
-A
Average age
9
01
Metrics
-2
ar
M
2 20
6-
Aggregation
-2
o
an
zc
Li
n
lia
1
Ju
10
0 0
US FR DE
Multi Metrics Visualization
• Multiple metrics can be displayed side by side in a
visualization
• Having multiple metrics can make the visualization hard to
read for the following reasons:
- the metrics have different scale
- the metrics are stacked (or not, depending of the purpose of the
visualization)
a
or
H
da
- the metrics have the same representations when they are
To
-A
comparing different things (bars, lines, area)
9
01
-2
ar
M
6-
-2
- poor color choice

o
an
zc
Li
n
• Hopefully each metrics can have their own style, axes,

lia
Ju
color, chart type, ....

Multi Metrics Visualization
• Metrics can be customized with their own style:
- colors
- axes
- properties
• Each metrics can be displayed differently:
- lines
a
or
H
da
To
- bars 9
-A
01
-2
ar
- areas
M
6-
-2
o
an
zc
Li
n
lia
Ju

Multi Metric Visualization
Two different Y axes
Different chart 
types
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Bubble Chart
• Building a bubble chart can be done by defining a new
metric:
1. define the X-axis
2. define the Y-axis
3. define the dot size
4. change the visualization to display a line
a
or
H
5. uncheck "show line"
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Bubble Chart
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Multi Charts
• Having multiple buckets or sub-buckets on a single
visualization is sometime not interesting:
‒ buckets or sub-buckets are maybe not related
‒ too many metrics on the same visualization can make it hard to
read
• In Kibana it is possible to display multiple charts in the
same visualization by using split chart
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Single Chart
Count Average
4 40
a
or
H
3
da
30
To
Document count
-A
9
Average age
01
-2
ar
M
2
6-
20
-2
o
an
zc
Li
n
lia
Ju
1 10
0 0
US FR DE
Multi Charts
2 40
Document count
Average age
Category A 1 20
0 0
US FR
a
or
H
da
To
-A
2 40
9
01
count
-2
ar
M
6-
Average age
-2
Category B
o
an
1
Document
20
zc
Li
n
lia
Ju
0 0
US DE

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Multiple metrics can be displayed in a single visualization
• Every metrics can be customized, having a dedicated axis,
color, style, ...
• It is possible to create multiple chart inside a single
visualization by using a bucket aggregation to divide the
data
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. What is the minimum number of metrics required for a bubble
chart?
2. True or False: Splitting a chart relies on the same concept as
a bucket aggregation
3. True or False: It is possible to display 2 metrics that have
very different scales on the same visualization
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 11
2 Kibana Search
6 Kibana Management
Lesson 4
a
Kibana
or
H
da
To
-A
Customized
9
01
-2
ar
M
6-
Dashboards
-2
o
an
zc
Li
n
lia
Ju
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Dashboard
Introduction to
Limitations
• Visualizations are interactive, it is possible:
‒ to filter out some values
‒ apply searches
‒ select a time window
• But there is still a lot of things that are not possible to do
with visualizations:
a
or
H
‒ how does other visualizations behave for the same specific time
da
To
-A
window
9
01
-2
ar
M
‒ which documents are used in the visualization

6-
-2
o
an
zc
Li
‒ analyzing the current visualization using different criteria like a

n
lia
Ju
part of the world, specifics terms, etc...

Dashboards
• When there is a will, there is a way and the way is called:
dashboard:
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Dashboards Overview
• To create a dashboard it is required to have at least one
visualization (or search) as a dashboard is a collection of
visualizations and searches
‒ create a new dashboard
‒ add visualizations and searches
‒ organize the dashboard
‒ save the dashboard
a
or
H
da
To
-A
‒ ... analyze?
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Filters and Dashboards
• One of the main advantage of dashboards is the ability to
dynamically create filters using multiple visualizations
• Filters can be generated by using different visualizations
directly from the dashboard interface:
‒ filter on values using some buckets present in the different
visualizations
‒ define filters by drawing areas on the map
a
or
H
da
‒ filter by using input control (this will be covered later on)
To
-A
9
01
-2
‒ using searches in the dashboard

ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Sharing Dashboard
• Once a dashboard is built it there is the possibility to share
it with with someone else
• There are multiple options to share a dashboard (or a
visualization):
‒ using a permalink
‒ using an Iframe (embedded)
a
‒ generating a report
or
H
da
To
-A
• The person with whom the dashboard is shared need to
9
01
-2
ar
have access to Kibana

M
6-
-2
o
an
zc
Li
n
lia
Ju

Inline Frame (Iframe) and Permalink
• Iframes allow a kibana dashboard (or visualization) to be
embedded in an HTML document
‒ when copying the Iframe the iframe tag will already be present
• Permalinks are links that point directly to a Kibana
dashboard or a Kibana visualization
• As Kibana URL contains the state of the application they
are often quiet long
a
or
H
da
To
‒ permalink will clean the URLs 9
-A
01
-2
ar
‒ it is possible to shorten the URL as well

M
6-
-2
o
an
zc
• When sharing a dashboard there are two options:

Li
n
lia
Ju
‒ share a snapshot
‒ share the latest saved object
Snapshot of a Dashboard
• What would happen if while an email containing a permalink
is sent, the visualizations in the dashboard are changed?
‒ if a snapshot was used then the visualizations that are going to
be seen in the dashboard using the link (or iframe) will not
changed
‒ if a saved object was used then the visualizations are going to
changed
a
• Take a snapshot of the visualization/dashboard in order to
or
H
da
To
have it "frozen" and then share it with someone else 9
-A
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Kibana Access
• The person with whom the dashboard is shared need to
have access to Kibana:
‒ be aware of the permissions that the user is going to have
‒ is a user allowed to remove visualizations, or allowed to update a
dashboard?
• Elastic security can help configuring different users and
different roles with different permissions
a
or
H
da
• Security will be covered more in depth in another lesson
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Iframe and Kibana Security
• Using security may seems troublesome when it comes to
iframe as the user will have to authenticate two times
‒ once in the web app that display the iframe
‒ a second time in the Kibana iframe
• But there are solutions to this issue:
‒ defining a dashboard only user in Kibana
a
or
H
‒ using a reverse proxy to pass the authentication of the
da
To
-A
dashboard only user
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Dashboards group visualizations and searches in a single
place to facilitate analysis
• Dashboards can be be shared in multiple ways with other
users
• Sharing a dashboard imply security considerations:
‒ has the person access to Kibana?
a
or
‒ has the person access to the shared data?
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. True or False One of the limitations of visualizations is their
inability to have filters
2. What is the difference between sharing a saved dashboard
and a snapshot of a dashboard?
3. What should someone be careful about when sharing a
dashboard with someone else?
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 12
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Input
Markdown and User
Markdown Overview
• Markdown is a simple markup language that allows a text to
be annotated and then formatted accordingly
• It is not designed to do advanced formatting but it can do
things like:
‒ defining links
‒ add images
a
‒ defining titles
or
H
da
To
-A
‒ ...
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Markdown Examples
# This is a big title
## ... and a smaller one
-----
* A list can be useful

* ... to display links to _dashboards_
* ... for __instance__
a
or
H
da
To
-A
This is a big title
9
01
-2
ar
M
... and a smaller one

6-
-2
o
_________________
an
zc
Li
n
lia
• A list can be useful

Ju
• ... to display links to dashboards

• ... for instance

Markdown Visualization
• It is possible to create in Kibana markdown visualizations
• Such visualization can be used to:
‒ describe specific visualizations
‒ add complementary information about what to expect from the
behavior of a visualization
‒ add links to other dashboards (that may be related)
a
or
H
‒ ...
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Dashboards and Filters
• In a dashboard it is possible to manually create filters
• But a user with whom the dashboard have been shared
may not be familiar with Kibana and the concept of filters
• There is a visualization that can be used to intuitively create
filters, the controls visualization
• In the controls visualization, it is possible to define:
a
or
‒ a slider for numeric values
H
da
To
-A
9
‒ an option list to find keywords

01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• There is a dedicated markdown visualization to add textual
information to your dashboard
• Inside a markdown visualization it is possible to add links
that point to other source of information
• Controls visualization can be used to generate filters
directly inside the dashboards
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. True or False It is possible to have dynamic text in a
markdown visualization
2. Which text will be the biggest:
1. # Title1
2. ## Title 2
3. True or False The filter generated by the controls
a
or
visualization are different than the one that you can generate
H
da
To
manually 9
-A
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 13
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Anomaly Hunt
Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• To hunt for an anomaly, use the different visualizations
present inside the dashboard to dive into a specific anomaly
• Once an anomaly is detected, it is possible to remove the
anomaly by creating the corresponding filter
• A filter can be pinned in order to navigate through multiple
dashboards while hunting an anomaly
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. True or False: An anomaly is always shaped by a high value
on a visualization
2. How can an anomaly be removed from the visualizations?
3. Is that always advantageous to remove anomalies in a
dashboard?
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 14
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Canvas
What is Canvas?
• Canvas is a rich live infographic system
• By using Canvas you will be able to create:
‒ dashboards
‒ reports
‒ anything to present data...
• Canvas started as a Kibana plugin, it is now shipped with
a
or
H
Kibana directly
da
To
-A
9
01
• Canvas is Beta since 6.5

-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

A Dashboard with Metrics
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Demo Data
• The best way to get started with canvas is to look at canvas
that are already created
• It is possible to load sample data from Kibana, it will
include:
‒ data
‒ index pattern
a
‒ visualizations
or
H
da
To
-A
‒ dashboards
9
01
-2
ar
M
6-
‒ canvas
-2
o
an
zc
Li
n
lia
Ju

The Elements Behind a Canvas
The Canvas Markdown Images Visualization
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Internal of an Element
Creating an
Element
Element
Data Source Styling
Type
Elasticsearch  Colors
Image
SQL
a
or
H
da
To
-A
Pie Chart Timelion Fonts
9
01
-2
ar
M
6-
-2
o
an
zc
... Demodata ...

Li
n
lia
Ju
Elasticsearch
Markdown Size
Documents

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Canvas is a rich live infographic system that can be used to
display anything
• Plenty of different elements can be added to a canvas,
each element being independent of each other
• Canvas is relying on a strong expression language and to
master canvas someone need to understand the
expression language
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. True or False: It is possible to display the canvas in full
screen?
2. What are the different data inputs that can be used in an
element?
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 15
2 Kibana Search
5 Kibana Time Series 

Visualization
6 Kibana Management
Lesson 5
a
Kibana Time
or
H
da
To
-A
Series 
9
01
-2
ar
M
6-
Visualization
-2
o
an
zc
Li
n
lia
Ju
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Builder
Time Series Visual
Introduction
• Combine an infinite number of aggregations and pipeline
aggregations to display complex data in a meaningful way
• Allows a lot more customization in how the chart are
displayed:
‒ background colors
‒ axis
a
‒ ...
or
H
da
To
-A
• There is the possibility of combining multiple index patterns
9
01
-2
ar
in the same visualization and adding annotations.

M
6-
-2
o
an
zc
Li
n
lia
Ju

More Aggregations and Flexibility
• Time Series Visual Builder (TSVB) is having more
aggregations available to users:
‒ math (to apply mathematic operations to the data)
‒ static values
‒ overall maximum and minimum
‒ and many more ....
a
or
H
• TSVB has more flexibility:
da
To
-A
9
01
‒ shifting the time series

-2
ar
M
6-
-2
‒ cloning series
o
an
zc
Li
n
lia
‒ styling
Ju
‒ multiple index patterns

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Time Series Visual Builder is a powerful tool that give a lot
of flexibility when working with aggregations
• TSVB has more flexibility than pre-built visualization, styling
options, crossing index patterns, metrics manipulation, ...
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. Give 3 advantages that Time Series Visual Builder has over
pre-built visualization
2. True or False: It is possible to define static value using Time
Series Visual Builder
3. True or False: It is possible to define an offset on a time
series to align patterns
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 16
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Visualizations
TSVB and Other
Other Visualizations
• TSVB is not limited to visualizing time series analysis data,
if can also be used for
‒ metrics
‒ gauges
‒ top N
‒ markdown
a
or
H
‒ tables
da
To
-A
9
01
• Those visualizations allow the addition of conditional to

-2
ar
M
change the color of the visualization based on certain

6-
-2
o
an
criterion
zc
Li
n
lia
Ju
• Visualizations do not work on the whole time series but only

on the last bucket of the time series

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• TSVB can be used to create more than time series
visualizations, but metrics, gauges, tables and markdown
visualizations
• When using none time series visualizations, the data
displayed are the one from the last bucket of the time series
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. What are the 6 types of visualization that TSVB is
supporting?
2. True or False: When creating a metric in TSVB the number
displayed is the number of documents inside the index
pattern
3. True or False: It is possible to add dynamic elements to a
markdown visualization using TSVB
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 17
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Timelion
Introduction
• Instead of building visualizations using the mouse, Timelion
uses an expression language
• When using Timelion's expression language everything is a
function that start by a "."
• It is very practical to use Timelion if the user is familiar with
programming
• When working with Timelion for the first time, it is best to
a
or
H
da
use the auto-completion feature
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Everything is a Function
A group of functions The first function is the Functions can be

define a time series data source chained
.data_source_function(parameter=value).function(),
.data_source_function(parameter=value).function()
a
or
H
da
To
-A
9
Multiple time series

01
-2
A function can have

ar
can be defined using a

M
6-
parameters
-2
coma
o
an
zc
Li
n
lia
Ju

The Different Functions
• Data sources: es(), worldbank(), quandl(), static(), value()
• Single-number math: abs(), min(), max(), log(), range(),
scale_interval(), precision()
• Time-series math: sum(), add(), plus(), subtract(),
multiply(), divide(), derivative(), cusum(),
• Trending functions: movingaverage(), trend(), holt(),
movingstd()
a
or
H
da
• Conditions: condition(), if() To
-A
9
01
-2
ar
M
• UI functions: bars(), lines(), points(), color(), label(),

6-
-2
o
an
legend(), title()
zc
Li
n
lia
Ju
• Fit function (for filling null values): fit()

A Simple Example
The query used,

The time series is
Elasticsearch is used selects all the
divided by another
as a datasource documents that
time series
contain FR
.es(index=apachelogs-*).divide(.es(index=apachelogs-*, q=FR)),
.es(index=apachelogs-*).divide(.es(index=apachelogs-*, q=DE))
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
The index pattern used to

o
an
zc
represent the time series

Li
n
lia
Ju

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• TSVB can be used to create more than time series
visualizations, but metrics, gauges, tables and markdown
visualizations
• When using time series visualizations, the data displayed
are the one from the last bucket of the time series
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. Write a Timelion expression that: uses any index starting
with apachelogs* queries the field geoip.country_code2
for the value DE and has the time field @timestamp.
2. True or False: Timelion can be used to divide 2 different time
series
3. What is the expression below computing?
a
or
H
.es(index=apachelogs*, q=geoip.country_code2:FR,
da
To
metric=sum:bytes).divide(.es(index=apachelogs*,metric=sum:by 9
-A
tes)).multiply(100)
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 18
2 Kibana Search
6 Kibana Management
Lesson 6
a
Kibana
or
H
da
To
-A
Management
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Advanced Settings
Scripted Fields
• Scripted fields compute values on the fly from the data in your
Elasticsearch indices
‒ scripted field values are computed at query time so they aren’t
indexed
‒ scripted fields can be very resource intensive and can have a direct
impact on Kibana’s performance
‒ there is no validation! Buggy scripts will generate exceptions when
viewing visualization containing them
a
or
H
da
To
• Scripted fields by default use the "Painless" or "Lucene 9
-A
01
Expressions" scripting languages

-2
ar
M
6-
-2
o
an
zc
Li
modules-scripting-painless.html
n
lia
Ju
modules-scripting-expression.html

Scripted Fields
• Scripted fields are created directly in the index patterns
management view
• The list of all the scripted fields can be seen in the same
view
• Once a scripted fields has been created it can be used like
any other regular fields:
‒ while building visualizations
a
or
H
da
To
‒ while searching (only if the Kibana Query Language 9
-A
01
Enhancement is used)
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quick Range
• The default 15 minutes value of the time picker can be
misleading
• That can be changed in the advanced settings:
‒ using the setting: timepicker:timeDefaults
• It is possible to define the default picker using the 3
following option:
a
or
‒ quick
H
da
To
-A
‒ absolute
9
01
-2
ar
M
6-
‒ relative
-2
o
an
zc
Li
n
• The from and to parameters need to be defined

lia
Ju
accordingly

Timezone
• Kibana by default is using the timezone of the browser to
define the value of the timestamps selected in the index
pattern
• The timezone can be changed by explicitly defining it in the
parameter dateFormat:tz
• If the documents does not contain timezone in the time field
used, then the documents won't be changed by Kibana
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Format
• Number can be formatted differently depending of what
they are representing:
‒ bytes
‒ duration
‒ percentage
‒ color
a
or
H
‒ ...
da
To
-A
9
01
• It can be defined at the field level in the index pattern view

-2
ar
M
or for all the fields directly in the advanced settings

6-
-2
o
an
zc
Li
n
lia
Ju

Locale Number
• Number from country to country are not represented the
same way, for instance, the number 30,000:
‒ in French comma are used to represent the decimal so this
number will be read as thirty
‒ in English speaking country this number will be read as thirty
thousand
• It is possible to specify a locale representation of the
a
or
number in Kibana by changing the parameter
H
da
To
format:number:defaultLocale to a specific country 9
-A
01
-2
ar
M
• Once done 3,000.01 will be displayed as:

6-
-2
o
an
zc
Li
‒ 3 000,01 in French
n
lia
Ju
‒ 3,000.01 in English

Displayed Documents
• By default only the first 500 documents are displayed in the
discover interface, it is possible to increase this number:
‒ updating the parameter discover:sampleSize to a bigger value
allows the display of more documents
‒ be careful displaying too many document may have negative
effects on the user experience
• Meta-fields can be removed from the discover interface:
a
or
H
da
‒ keep only the _source in the metafields
To
-A
9
01
-2
‒ the _source field is the original document that was provided to

ar
M
6-
Elasticsearch
-2
o
an
zc
Li
n
lia
Ju

Search
• Remember the Lucene syntax and the autocompletion
feature?
‒ it can be used to search with wildcards ....
‒ ... but it is more expensive than a regular search
‒ especially leading wildcards are very expensive
• Leading wildcards can be disabled with two parameters:
a
or
H
‒ query:allowLeadingWildcards for the autocompletion
da
To
-A
9
01
‒ query:queryString:options for the Lucene syntax

-2
ar
M
6-
-2
• Inside the query:queryString:options parameter a default

o
an
zc
Li
field for search can be set as well:

n
lia
Ju
‒ by default the search bar is searching on all the fields

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• The time picker can be customized by adding pre-defined
time intervals
• Scripted field is a way to create a new field that is not
initially present in your data:
‒ scripted fields have a significant computing cost
‒ if used a lot, that should be mentioned to the person indexing te
data inside Elasticsearch
a
or
H
da
• Numbers can be formatted to reflect local representation of
To
-A
9
numbers
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. True or False: Currencies representation are linked to the
local?
2. True or False: It is not possible to search over scripted fields
3. What are 3 things to be aware of when using field scripting?
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 19
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Objects
Reporting and Saved
Generating Report
• One of the many feature that the Elastic license is coming
with is the ability for Kibana to generate reports by simply
clicking on a button.
• Reports can be generated using:
‒ the discovery interface, to generate a CSV that will contains the
documents that your search is retrieving. It limits the results to
the columns you defined.
a
or
‒ the dashboard interface to generate a pdf of the dashboard
H
da
To
-A
• Once a report has been generated it is possible to retrieve it
9
01
-2
ar
M
in Management -> Reporting

6-
-2
o
an
zc
Li
n
lia
Ju

Reporting Automation
• When it comes to reporting, automation is always
appreciable
• Using watcher it is possible to generate report
automatically:
‒ be careful, the interval of the generation of reports need to be
higher than the time it takes for a report to be generated
• Watcher can be technical, but using the following example
a
or
H
make it easier to set it up:
da
To
-A
9
01
‒ https://www.elastic.co/guide/en/kibana/current/automating-report-
-2
ar
M
generation.html
6-
-2
o
an
zc
Li
n
lia
Ju

Saved Objects
• A lot of things that are going to be created in Kibana are
objects:
‒ index pattern
‒ visualization
‒ dashboard
‒ search
a
or
H
• Once those objects are saved they will be appearing in
da
To
-A
Management -> Saved Objects
9
01
-2
ar
M
6-
• Those saved objects are extremely important because it is

-2
o
an
possible to export them and import others into our current

zc
Li
n
lia
Kibana
Ju
• Internally saved objects are stored inside an Elasticsearch

index
Saved Objects Relationship
• Saved objects have relationships between each other for
instance a saved object (dashboard) will contains other
saved objects (visualizations)
• Those relationships can be seen in the UI
• Seeing the relationship helps when taking decisions like
removing one saved object. It will give a warning that
deleting a specific saved object may impact other saved
a
objects
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Dashboards, searches and canvas have reporting options.
They can be downloaded as a PDF or as a CSV
• Saved objects are stored inside an index in Elasticsearch
• Using watcher it is possible to automate the creation of
report
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. True or False: Saved objects are stored inside Kibana
2. True or False: Alerting can be used to automate the report
generation
3. True or False: Kibana can be used to look at the
dependencies between saved objects
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 20
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Security
Security Considerations
• The Elastic Stack does not offer authentication or
authorization by default
• Make sure your stack is secure before going live:
‒ Elastic Security
• With Elastic Security it is possible to define authorization for
specific users using the following concepts:
a
or
‒ ressources
H
da
To
-A
‒ privilege
9
01
-2
ar
M
6-
‒ permissions
-2
o
an
zc
Li
n
‒ role
lia
Ju
‒ user

Elastic Security
• Enables Security (Gold/Platinum):
Gold Platinum
Encrypted communications
Role-based access control
Audit Logging
IP filtering
a
or
H
Native, LDAP, PKI, Active Directory
da
To
authentication 9
-A
01
SAML authentication
-2
ar
M
6-
-2
Attribute-based access control

o
an
zc
Li
n
Field and document level security

lia
Ju
Third-party authentication
Encryption at rest support

Ressource, Privilege and Permission
• A resource is an entity for which the access will be
restricted, it can be for example a document or an index for
instance
• Privileges are a groups representing one or more actions
that a user may execute against one of the above defined
resources
• For instance:
a
or
H
‒ being able to read the data from a specific twitter index
da
To
-A
9
01
-2
ar
M
6-
Privilege Ressource
-2
o
an
zc
Li
n
lia
Ju
• A permission is a set of one or more privileges applied on

one or more resources

Privileges
• There is two different kind of privileges that can be given to
a user:
‒ cluster privileges
‒ indices privileges
• The cluster privileges are given when a user need to do
operation at the cluster level, for instance monitoring a
cluster, managing users, etc ....
a
or
H
da
To
• The indices privileges are given to users that will need to 9
-A
01
perform operation on specific indices, will a user be able to

-2
ar
M
6-
read data from a specific index? Write data?

-2
o
an
zc
Li
n
lia
Ju

User and Role
• Both roles and users can be defined directly in Kibana:
‒ a role will be a named set of permission
‒ there is multiple built-in roles
• A user will be defined by different characteristics:
‒ username
‒ full name
a
or
H
da
To
‒ email address 9
-A
01
-2
ar
‒ ... and a set of roles

M
6-
-2
o
an
zc
Li
n
lia
Ju

Built-in Users
• There are already many built-in user
• The kibana_dashboard_only_user is a role that restrict a
specific user:
‒ to only have access to the dashboard tab
‒ all edit option will be hidden
• The kibana_dashboard_only_user is a role and that
a
means that the resources that the user should be able to
or
H
da
To
access still need to be defined 9
-A
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Users and roles can be defined through the Kibana
interface
• Kibana shipped with default users and roles including
kibana_dashboard_only_user
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. True or False: The role kibana_dashboard_only_user allows
a user to see all the data in all the dashboards
2. How do you create a user that will be able to see only the
dashboard tab and the data from the index *ecommerce*?
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 21
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Spaces
Concept
• Spaces is a feature that has been added in the 6.5 release
• Spaces are enabled by default, it is possible to disable
them by defining in the configuration file:
‒ xpack.spaces.enabled: false
• Spaces are a way of grouping visualization, dashboards
and other saved objects into meaningful categories
a
or
• All the objects created inside a specific space will only be
H
da
To
accessible through this space 9
-A
01
-2
ar
M
• When security is enabled it is possible to define which

6-
-2
o
an
spaces a user will be able to access

zc
Li
n
lia
Ju
• Saved objects from a specific space will labeled as such

inside the saved object.

Space Creation
• Kibana is creating a default space called Default
• If upgrading from a version < 6.5 to > 6.5 all the
visualizations will be stored in this default space
• Spaces only require a name to be created
• A URL will be generated base on the name of the space to
it is possible to customize his URL
a
or
• Every space must have a unique space identifier (the part
H
da
that will be added to the Kibana URL) To
-A
9
01
-2
ar
M
• A description can be added to the space to explain what is

6-
-2
o
an
the purpose this space

zc
Li
n
lia
Ju

Spaces and Roles
• Spaces coupled well with security as they can be combined
together to define multiple tenants:
‒ roles can be defined in way that limit their access only to certain
spaces
‒ because there is a space differentiator inside the saved objects,
spaces can be used to limit what visualizations a user is having
access to
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Demo
Instructor Demo
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lesson Review
Summary
• Spaces allows the separation of saved objects
• Spaces and security can be used together to avoid
unauthorized people to see the data from another group
• A role can have access to one or more spaces
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Quiz
1. Yes or No: If a user A with the role R1 is having read access
to the space S1, can this user create new visualization in that
space?
2. Yes or No: If a user A with the role R1 is having all
permission access to the space S1, can this user see all the
data inside the space S1?
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Lab 22
Conclusions
Ju
lia
n
Li
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Elastic Training
Empowering Your People
FOUNDATION
Immersive Learning
Lab-based exercises and knowledge
checks to help master new skills
Solution-based Curriculum
Real-world examples and common use
cases
a
or
H
da
To
Experienced Instructors 9
-A
01
Expertly trained and deeply rooted in

-2
ar
M
6-
everything Elastic
-2
o
an
SPECIALIZATIONS
zc
Li
LOGGING METRICS APM

n
lia
Performance-based Certification
Ju
Apply practical knowledge to real-world

‹#› use cases, in real-time
ADVANCED SECURITY DATA
SEARCH ANALYTICS SCIENCE
Thank you!
a
or
H
Please complete the online survey
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju
Ju
lia
n
Li
Quiz Answers
zc
an
o
-2
6-
M
ar
-2
01
9
-A
To
da
H
or
a
Unit 1 Quiz Answers
1. Elasticsearch, Kibana, Beats, Logstash
2. False
3. * c* co* coo* cook* cooki* cookin* cooking* cooking_*
4. Left: Time series dataset Right: Static dataset
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Unit 2 Quiz Answers
1. The time picker and the index pattern
2. AND, OR, NOT
3. user:claire AND age:<30 AND category:a
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Unit 3 Quiz Answers
1. Metrics and bucket
2. True
3. Categories A and B are generated using a bucket
aggregation, countries US, FR, DE are generated using a
sub-bucket aggregation and the size of the slices of the pie
are generated using a metrics aggregation.
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju

Kibana Data Analyst
Course: Kibana Data Analyst
Version 6.5.0
© 2015-2019 Elasticsearch BV. All rights reserved. Decompiling, copying, publishing and/or distribution without written consent of Elasticsearch BV is
strictly prohibited.
a
or
H
da
To
-A
9
01
-2
ar
M
6-
-2
o
an
zc
Li
n
lia
Ju


Kibana Data Analyst-6.5.0 PDF

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Kibana Data Analyst-6.5.0 PDF

Încărcat de

Drepturi de autor:

Formate disponibile

Kibana Data Analyst

An Elastic Training Course

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !2

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !4

4 Kibana Customized Dashboards

5 Kibana Time Series Visualization

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !5

4 Kibana Customized Dashboards

5 Kibana Time Series Visualization

INGEST INDEX | QUERY | AGGREGATE VISUALIZE

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !8

‒ Many flavors: Filebeat, Metricbeat, Packetbeat, Winlogbeat, ...

‒ Lightweight agents that send data from a machine to

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !9

‒ and store data

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !10

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !11

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !12

title category date author_first_name author_last_name author_company

Fighting Ebola with User Emily Mosher

} <title>Fighting Ebola with Elastic</title>

• A document is a serialized JSON object that is stored in

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !13

id user age country category

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !14

"User": "Tom", "User": "John", "User": "Emma",

"Age": 44, "Age": 40, "Age": 26,

"Country": "DE", "Country": "US", "Country": "US",

"Category": "B" "Category": "B" "Category": "A"

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !15

Which category do these

documents belong to?

"tweet": "Wow Elasticsearch 7.0 seems awesome!",

"hashtags": ["elasticsearch", "kibana"]

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !16

tweets-2018-12-24 tweets-2018-12-23 tweets-2018-12-22

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !17

tweets-2018-12-24 tweets-2018-12-23 tweets-2018-12-22

cooking_recipes Indices Index Patterns

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !18

"subjects": "#vacation #dream",

"geo.country": "United Kingdom",

John Smith "geo.city": "London"

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !20

users "geo.country": "Germany",

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !21

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !23

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !24

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !25

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !26

Copyright Elasticsearch BV 2015-2018 Copying, publishing and/or !27

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !29

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !30

‒ and better understand the different aspects of the data

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !33

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !34

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !35

• In Kibana, a search can be executed from the query bar

‒ Kibana supports multiple query languages

Copyright Elasticsearch BV 2015-2019 Copying, publishing and/or !36

• Then, the query can be written and is actually fairly simple:

• Elasticsearch scans through all the dimensions of the data

id user age country category

"Category": "B" "Category": "B"  "Category": "A" 

John Smith  "geo.city": "London"

"Category": "B" "Category": "B"  "Category": "B" 

"Category": "B" "Category": "B"  "Category": "B"  "avg_of_age" : {

"Category": "B" "Category": "B"  "Category": "B"  }

"Category": "B" "Category": "B"  "Category": "B" 