Cyber Chasse- Implement Kibana

How to Implement Kibana Index Creation and Mapping

Case 1: When data is shipped with Logstash, the index name is set in the output section of the logstash.conf file. Kibana, however, cannot search that index until an index pattern has been created for it.

  1. In the Management tab in Kibana, choose Index Patterns; the existing patterns are displayed.
  2. Select Add New to open the Configure an Index Pattern section.
  3. Enter an index pattern that matches the name of one or more Elasticsearch indices. By default Kibana assumes you are working with log data that Logstash feeds into Elasticsearch, so it proposes "logstash-*".

Note: The pattern is accepted only once the Create button turns green, which happens when the pattern matches at least one existing index.

  4. Enter the index pattern name, or keep the proposed default.
  5. If the index contains a timestamp field that you want to use for time-based comparisons, choose the "Index contains time-based events" option. Then choose the field that holds the timestamp; Kibana reads the index mapping and lists every field of type date.
  6. Leave "Do not expand index pattern when searching" unchecked unless you have a reason to set it. By default Kibana expands a time-based wildcard pattern only to the indices that contain data within the currently selected time range, which keeps a query from touching every index the wildcard could match.
  7. Enter @timestamp (the field Logstash adds to every event) as the time-field name.
  8. Select Create to add the index pattern.
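The same steps can be driven from a script, and the two checks the UI performs (the Create button only turns green when the pattern matches an existing index; only date-typed fields are offered as time field) can be reproduced offline. This is an added example, not code from the Cyber Chasse post: SAMPLE_INDICES and SAMPLE_MAPPING are constructed stand-ins for what the cluster would report, KIBANA_URL is a hypothetical environment variable naming the Kibana base URL (nothing is sent when it is unset), and the endpoint POST /api/saved_objects/index-pattern with the kbn-xsrf header is the saved-objects API of Kibana 6.x and later; older releases stored index patterns differently.

```python
"""Create a Kibana index pattern the way the UI steps do, from a script.

Added example, not from the Cyber Chasse post. Assumptions: SAMPLE_INDICES and
SAMPLE_MAPPING are constructed samples; KIBANA_URL is a hypothetical environment
variable (nothing is sent when unset); POST /api/saved_objects/index-pattern
with the kbn-xsrf header is the Kibana 6.x+ saved-objects API.
"""
import json
import os
import re
import urllib.request

# Constructed sample: index names as GET /_cat/indices might list them.
SAMPLE_INDICES = ["logstash-2019.04.01", "logstash-2019.04.02", ".kibana", "catalog"]

# Constructed sample: the 'properties' part of an index mapping.
SAMPLE_MAPPING = {
    "@timestamp": {"type": "date"},
    "received_at": {"type": "date"},
    "message": {"type": "text"},
    "host": {"type": "keyword"},
}


def matching_indices(pattern, indices):
    """Indices a Kibana pattern expands to; '*' is the only wildcard Kibana uses."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return sorted(name for name in indices if re.fullmatch(regex, name))


def pattern_is_valid(pattern, indices):
    """Kibana only enables (greens) the Create button when the pattern matches
    at least one existing index; this reproduces that check."""
    return bool(matching_indices(pattern, indices))


def time_field_candidates(properties):
    """Kibana reads the mapping and offers only date-typed fields as time field."""
    return sorted(name for name, spec in properties.items() if spec.get("type") == "date")


def index_pattern_payload(title, time_field="@timestamp"):
    """Body of the saved-objects request; no timeFieldName for non time-based data."""
    attrs = {"title": title}
    if time_field:
        attrs["timeFieldName"] = time_field
    return {"attributes": attrs}


def build_request(title, time_field, kibana_url, indices, properties):
    """Validate as the UI does, then return (url, headers, body) without sending."""
    if not pattern_is_valid(title, indices):
        raise ValueError("pattern %r matches no index" % title)
    if time_field and time_field not in time_field_candidates(properties):
        raise ValueError("%r is not a date field in the mapping" % time_field)
    headers = {"Content-Type": "application/json", "kbn-xsrf": "true"}  # Kibana rejects POSTs without it
    body = json.dumps(index_pattern_payload(title, time_field)).encode()
    return kibana_url.rstrip("/") + "/api/saved_objects/index-pattern", headers, body


def create_index_pattern(title, time_field, indices, properties, kibana_url=None):
    """Send the request when a Kibana URL is known; otherwise return the body built."""
    target = kibana_url or os.environ.get("KIBANA_URL")
    url, headers, body = build_request(title, time_field, target or "http://localhost:5601",
                                       indices, properties)
    if not target:
        return json.loads(body)  # offline: show what would have been sent
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    print(matching_indices("logstash-*", SAMPLE_INDICES))
    print(create_index_pattern("logstash-*", "@timestamp", SAMPLE_INDICES, SAMPLE_MAPPING))
```

Run it with KIBANA_URL unset to see the validated request body; point KIBANA_URL at a Kibana instance to actually create the pattern. Both ValueError branches correspond to states in which the UI would not let you click Create.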

Case 2: Sometimes an index has to be created on the fly, as when indexing the first document creates a new index. An index template then steps in and supplies the settings for the new index, so indices are created in a controlled way with the required defaults, such as the number of shards and the type mappings for the types inside them. An index can also be created explicitly, specifying the number of shards and replicas it should have.

It is also possible to specify a mapping for a type at index creation time. The command described here creates an index named catalog with five shards and two replicas, and also defines a type called my_type with one field of type text and one of type keyword.

Note: If no mapping is supplied, then when the first document is indexed into a type that does not yet exist, Elasticsearch infers the datatype of every field from that document. This is called dynamic mapping, and it is enabled by default. It is convenient but risky for an index like catalog: in Elasticsearch 5 and later a string value such as a product code is mapped as text with a keyword sub-field rather than as a plain keyword, and each field's type is fixed by whichever document arrives first, so an explicit mapping or an index template is the safer choice.
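The request bodies that Case 2 describes (an index with five shards, two replicas and an explicit my_type mapping, and an index template that applies the same defaults to indices created on the fly) are built by the following script, which also simulates what dynamic mapping would infer from a first document so the two can be compared. This is an added example and not code from the Cyber Chasse post: the post names the index, the type and the two field types but not the field names, so title and sku are hypothetical; the bodies use the pre-7.0 form with a mapping type because the post does (Elasticsearch 7 removed mapping types); the template uses the 6.x index_patterns key; ES_URL is a hypothetical environment variable, and nothing is sent when it is unset; SAMPLE_DOC is a constructed document.

```python
"""Build the Case 2 request bodies and show what dynamic mapping would do instead.

Added example, not from the Cyber Chasse post. Assumptions: field names 'title'
and 'sku' are hypothetical; bodies use the pre-7.0 mapping-type form and the
6.x 'index_patterns' template key; ES_URL is a hypothetical environment
variable (nothing is sent when unset); SAMPLE_DOC is constructed.
"""
import json
import os
import re
import urllib.request

MY_TYPE_MAPPING = {
    "my_type": {
        "properties": {
            "title": {"type": "text"},   # analysed, for full-text search
            "sku": {"type": "keyword"},  # exact value, for filters and aggregations
        }
    }
}


def index_body(shards=5, replicas=2, mappings=None):
    """Body for PUT /catalog: five primary shards, two replicas, optional mappings."""
    body = {"settings": {"number_of_shards": shards, "number_of_replicas": replicas}}
    if mappings:
        body["mappings"] = mappings
    return body


def index_template(index_patterns, shards=5, replicas=2, mappings=None):
    """Body for PUT /_template/<name>: applied to every new index whose name matches
    one of the patterns, so indices created on the fly get controlled defaults."""
    body = index_body(shards, replicas, mappings)
    body["index_patterns"] = list(index_patterns)
    return body


# Approximation of the default date_detection format (strict_date_optional_time).
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:?\d{2})?)?")


def infer_type(value):
    """Approximate Elasticsearch 5/6 dynamic mapping for one JSON value."""
    if isinstance(value, bool):  # must precede int: bool is an int subclass
        return {"type": "boolean"}
    if isinstance(value, int):
        return {"type": "long"}
    if isinstance(value, float):
        return {"type": "float"}
    if isinstance(value, str):
        if DATE_RE.fullmatch(value):
            return {"type": "date"}
        # Every other string, numeric-looking ones included (numeric_detection is off
        # by default), becomes text with a keyword sub-field, never a plain keyword.
        return {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}}
    if isinstance(value, dict):
        return {"properties": infer_mapping(value)}
    if isinstance(value, list):  # arrays take the type of their first element
        return infer_type(value[0]) if value else None
    return None  # null adds no field


def infer_mapping(doc):
    """Properties Elasticsearch would create if `doc` were the first document
    indexed into a type that does not exist yet."""
    props = {}
    for name, value in doc.items():
        spec = infer_type(value)
        if spec is not None:
            props[name] = spec
    return props


def put(path, body):
    """PUT body to ES_URL + path; returns None (nothing sent) when ES_URL is unset."""
    base = os.environ.get("ES_URL")
    if not base:
        return None
    req = urllib.request.Request(base.rstrip("/") + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="PUT")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


# Constructed sample: a first document that would create the index on the fly.
SAMPLE_DOC = {"title": "Kibana guide", "sku": "KB-0001", "price": 19.99, "stock": 3,
              "active": True, "added": "2019-04-01T10:00:00Z", "tags": ["elk", "kibana"],
              "postcode": "01234", "note": None}

if __name__ == "__main__":
    print(json.dumps(index_body(mappings=MY_TYPE_MAPPING), indent=2))
    print(json.dumps(index_template(["catalog*"], mappings=MY_TYPE_MAPPING), indent=2))
    print(json.dumps(infer_mapping(SAMPLE_DOC), indent=2))
    put("/catalog", index_body(mappings=MY_TYPE_MAPPING))
    put("/_template/catalog_template", index_template(["catalog*"], mappings=MY_TYPE_MAPPING))
```

Comparing the explicit mapping with infer_mapping(SAMPLE_DOC) shows the difference the note warns about: sku comes out as text plus a keyword sub-field and postcode as text rather than anything numeric, while stock, price, active and added are typed from a single document. With ES_URL set, the two put calls create the catalog index and the template that will govern any later catalog* index.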