44{kib} requires an index pattern to access the {es} data that you want to explore.
55An index pattern selects the data to use and allows you to define properties of the fields.
66
7- An index pattern can point to a specific index, for example, your log data from yesterday,
8- or all indices that contain your data. It can also point to a
9- {ref}/data-streams.html[data stream] or {ref}/indices-aliases.html[index alias].
10-
11- You’ll learn how to:
12-
13- * Create index patterns
14- * Set the default index pattern
15- * Delete index patterns
7+ An index pattern can point to one or more indices, {ref}/data-streams.html[data stream], or {ref}/alias.html[index aliases].
8+ For example, an index pattern can point to your log data from yesterday,
9+ or all indices that contain your data.
1610
1711[float]
1812[[index-patterns-read-only-access]]
19- === Before you begin
13+ === Required permissions
14+
15+ * Access to *Index Patterns* requires the <<xpack-security-authorization, {kib} privilege>>
16+ `Index Pattern Management`.
2017
21- * To access the *Index Patterns* view, you must have the {kib} privilege
22- `Index Pattern Management`. To create an index pattern, you must have the {es} privilege
23- `view_index_metadata`. To add the privileges, open the main menu, then click *Stack Management > Roles*.
18+ * To create an index pattern, you must have the <<xpack-security-authorization,{es} privilege>>
19+ `view_index_metadata`.
2420
2521* If a read-only indicator appears in {kib}, you have insufficient privileges
2622to create or save index patterns. The buttons to create new index patterns or
@@ -31,7 +27,8 @@ refer to <<xpack-security-authorization,Granting access to {kib}>>.
3127[[settings-create-pattern]]
3228=== Create an index pattern
3329
34- If you collected data using one of the {kib} <<connect-to-elasticsearch,ingest options>>, uploaded a file, or added sample data,
30+ If you collected data using one of the {kib} <<connect-to-elasticsearch,ingest options>>,
31+ uploaded a file, or added sample data,
3532you get an index pattern for free, and can start exploring your data.
3633If you loaded your own data, follow these steps to create an index pattern.
3734
@@ -43,36 +40,33 @@ If you loaded your own data, follow these steps to create an index pattern.
4340image:management/index-patterns/images/create-index-pattern.png["Create index pattern"]
4441
4542. Start typing in the *Index pattern* field, and {kib} looks for the names of
46- {es} indices that match your input.
47- ** Use a wildcard (*) to match multiple indices.
48- For example, suppose your system creates indices for Apache data
49- using the naming scheme `filebeat-apache-a`, `filebeat-apache-b`, and so on.
50- An index pattern named `filebeat-a` matches a single source, and `filebeat-*` matches multiple data sources.
51- Using a wildcard is the most popular approach.
52-
53- ** Select multiple indices by entering multiple strings,
54- separated with a comma. Make sure there is no space after the comma.
55- For example, `filebeat-a,filebeat-b` matches two indices, but not other indices
56- you might have afterwards (filebeat-c).
57-
58- ** Use a minus sign (-) to exclude an index, for example, test*,-test3.
59-
60- . Click *Next step*.
43+ indices, data streams, and aliases that match your input.
44+ +
45+ ** To match multiple sources, use a wildcard (*). For example, `filebeat-*` matches
46+ `filebeat-apache-a`, `filebeat-apache-b`, and so on.
47+ +
48+ ** To match multiple single sources, enter their names,
49+ separated with a comma. Do not include a space after the comma.
50+ `filebeat-a,filebeat-b` matches two indices, but not match `filebeat-c`.
51+ +
52+ ** To exclude a source, use a minus sign (-), for example, `-test3`.
6153
62- . If {kib} detects an index with a timestamp, expand the *Time field* menu,
63- and then specify the default field for filtering your data by time.
54+ . If {kib} detects an index with a timestamp, expand the *Timestamp field* menu,
55+ and then select the default field for filtering your data by time.
6456+
65- If your index doesn’t have time-based data, or if you don’t want to select
66- the default timestamp field, choose *I don’t want to use the Time Filter*.
57+ ** If your index doesn’t have time-based data, choose *I don’t want to use the time filter*.
6758+
68- NOTE: If you don’t set a default time field, you will not be able to use
59+ ** If you don’t set a default time field, you can't use
6960global time filters on your dashboards. This is useful if
7061you have multiple time fields and want to create dashboards that combine visualizations
7162based on different timestamps.
7263
7364. Click *Create index pattern*.
7465+
75- {kib} is now configured to use your {es} data.
66+ [[reload-fields]] {kib} is now configured to use your {es} data. When a new field is added to an index,
67+ the index pattern field list is updated
68+ the next time the index pattern is loaded, for example, when you load the page or
69+ move between {kib} apps.
7670
7771. Select this index pattern when you search and visualize your data.
7872
@@ -94,61 +88,61 @@ For an example, refer to <<rollup-data-tutorial,Create and visualize rolled up d
9488
9589If your {es} clusters are configured for {ref}/modules-cross-cluster-search.html[{ccs}],
9690you can create an index pattern to search across the clusters of your choosing. Use the
97- same syntax that you'd use in a raw {ccs} request in {es}:
91+ same syntax that you use in a raw {ccs} request in {es}:
9892
9993```ts
10094<cluster-names>:<pattern>
10195```
10296
103- For example, to query {ls} indices across two {es} clusters
104- that you set up for {ccs}, named `cluster_one` and `cluster_two`,
105- use this for your index pattern:
97+ To query {ls} indices across two {es} clusters
98+ that you set up for {ccs}, named `cluster_one` and `cluster_two`:
10699
107100```ts
108101 cluster_one:logstash-*,cluster_two:logstash-*
109102```
110103
111- You can use wildcards in your cluster names
112- to match any number of clusters. For example, to search {ls} indices across
113- clusters named `cluster_foo`, `cluster_bar`, and so on, create this index pattern :
104+ Use wildcards in your cluster names
105+ to match any number of clusters. To search {ls} indices across
106+ clusters named `cluster_foo`, `cluster_bar`, and so on:
114107
115108```ts
116109cluster_*:logstash-*
117110```
118111
119112To query across all {es} clusters that have been configured for {ccs},
120- use a standalone wildcard for your cluster name in your index
121- pattern:
113+ use a standalone wildcard for your cluster name:
122114
123115```ts
124116*:logstash-*
125117```
126118
127- You can use exclusions to exclude indices that might contain mapping errors.
128- To match indices starting with `logstash-`, and exclude those starting with `logstash-old` from
129- all clusters having a name starting with `cluster_`, you can use `cluster_*:logstash-*,cluster*:logstash-old*`.
130- To exclude a cluster, use `cluster_*:logstash-*,cluster_one:-*`.
119+ To match indices starting with `logstash-`, but exclude those starting with `logstash-old`, from
120+ all clusters having a name starting with `cluster_`:
131121
132- Once an index pattern is configured using the {ccs} syntax, all searches and
122+ ```ts
123+ `cluster_*:logstash-*,cluster_*:-logstash-old*`
124+ ```
125+
126+ To exclude a cluster having a name starting with `cluster_`:
127+
128+ ```ts
129+ `cluster_*:logstash-*,cluster_one:-*`
130+ ```
131+
132+ Once you configure an index pattern to use the {ccs} syntax, all searches and
133133aggregations using that index pattern in {kib} take advantage of {ccs}.
134134
135135[float]
136136[[delete-index-pattern]]
137137=== Delete index patterns
138138
139- When you delete an index pattern, you are unable to recover the associated field formatters, scripted fields, source filters,
139+ When you delete an index pattern, you cannot recover the associated field formatters, runtime fields, source filters,
140140and field popularity data. Deleting an index pattern does not remove any indices or data documents from {es}.
141141
142142WARNING: Deleting an index pattern breaks all visualizations, saved searches, and other saved objects that reference the index pattern.
143143
144144. Open the main menu, then click *Stack Management > Index Patterns*.
145145
146- . Click the index pattern you want to delete.
146+ . Click the index pattern to delete.
147147
148148. Delete (image:management/index-patterns/images/delete.png[Delete icon]) the index pattern.
149-
150- [float]
151- [[reload-fields]]
152- === What’s next
153-
154- Learn how to <<managing-index-patterns,manage the data fields>> in your index patterns.
0 commit comments