Visualize
A visualization can be based on one of the following data source types:
- A new interactive search
- A saved search
- An existing saved visualization
Visualizations are based on the aggregation feature introduced in Elasticsearch 1.x.
Create a New Visualization
- Click the Visualize
icon on the Kibana sidebar. - To start the New Visualization wizard, click Create new visualization. The wizard guides you through the following steps:
Step 1: Choose the Visualization Type
Choose a visualization type when you start the New Visualization wizard. You can choose from the following visualizations:
- Area
- Controls
- Coordinate Map
- Data Table
- Gauge
- Goal
- Heat Map
- Horizontal Bar
- Line
- Markdown
- Metric
- Network
- Pie
- Region Map
- Tag Cloud
- Timelion
- Vega
- Vertical Bar
- Visual Builder
For more information about these Kibana visualizations, please see https://www.elastic.co/guide/en/kibana/7.2/visualize.html.
You can also load a saved visualization that you created earlier. The saved visualization selector includes a text field to filter by visualization name and a link to the Object Editor, accessible through the Settings page, to manage your saved visualizations.
If your new visualization is a Markdown widget, selecting that type takes you to a text entry field where you enter the text to display in the widget. For all other types of visualization, selecting the type takes you to data source selection.
Step 2: Choose a Data Source
You can choose a new or saved search to serve as the data source for your visualization. When you create a visualization from a saved search and save the visualization, the search is tied to the visualization. When you make changes to the search that is linked to the visualization, the visualization updates automatically.
Step 3: The Visualization Editor
The visualization editor enables you to configure and edit visualizations. The visualization editor has the following main elements:
Automatically Refresh the Page
You can configure a refresh interval to automatically refresh the page with the latest index data. This periodically resubmits the search query.
When a refresh interval is set, it appears in the time filter.
To set the refresh interval:
- Click the Time Filter
icon. - Under the Quick select header, set a refresh interval.
- Click Apply.
To automatically refresh the data:
- Under the Refresh every header, select an auto-refresh interval.
- Click Start.
When auto-refresh is enabled, the time filter icon changes to a clock:
- To stop auto-refresh, click Stop.
Toolbar
The toolbar has a search field for interactive data searches, as well as controls to manage saving and loading visualizations. You can edit the search in the search bar.
The toolbar above the search bar has buttons for saving, sharing, inspecting, and refreshing the current visualization.
Aggregation Builder
Use the aggregation builder on the left of the page to configure the metric and bucket aggregations used in your visualization. Buckets are analogous to SQL GROUP BY statements. For more information on aggregations, see the main Elasticsearch aggregations reference.
Bar, line, or area chart visualizations use metrics for the Y-axis and buckets for the X-axis, segment bar colors, and row/column splits. For pie charts, use the metric for the slice size and the bucket for the number of slices.
Choose the metric aggregation for your visualization’s Y-axis, such as count, average, sum, min, max, or cardinality (unique count). Use bucket aggregations for the visualization’s X-axis, color slices, and row/column splits. Common bucket aggregations include date histogram, range, terms, filters, and significant terms.
You can set the order in which buckets execute. In Elasticsearch, the first aggregation determines the data set for any subsequent aggregations. The following example involves a date bar chart of Web page hits for the top five file extensions.
To use the same extension across all hits, set this order:
- Color: Terms aggregation of extensions
- X-Axis: Date bar chart of @timestamp
Elasticsearch collects the records for the top five extensions, then creates a date bar chart for each extension.
To chart the top five extensions for each hour, use the following order:
- X-Axis: Date bar chart of @timestamp (with one-hour interval)
- Color: Terms aggregation of extensions
For these requests, Elasticsearch creates a date bar chart from all the records, then groups the top five extensions inside each bucket, which in this example is a one-hour interval.
To render the visualization on the preview canvas, click the green Apply Changes button at the top right of the Aggregation Builder.
You can learn more about aggregation and how altering the order of aggregations affects your visualizations here.
Work with Filters
When you create a filter anywhere in NetMon, the filter conditions display in a box under the search bar. The number of active filters appears on the right side of the Filters box.
Clicking on a filter box displays the following options:
Pin across all apps
Click this option to pin the filter across all tabs in NetMon, ensuring they remain in place for different visualizations and dashboards. You can unpin the filter by clicking the icon (which now says "Unpin") again.
Edit filter
Click this option to edit a filter. For more information, see Filter by Field.
Exclude results
Click this option to exclude results from the current view. You can toggle this setting back to include by clicking the icon (which now says "Include filters") again.
Temporarily disable
Click this option to disable the filter without removing it. You can enable a disabled filter by clicking the icon (which now says "Re-enable") again.
Delete
Click this option to remove a filter entirely.
Preview Canvas
The preview canvas displays a preview of the visualization you’ve defined in the aggregation builder. To refresh the visualization preview, click the Refresh button on the toolbar.