Title: 📜 Kibana
Group: System & Logs
Icon: 📜
Order: 5

# Kibana Sysadmin Cheatsheet

> **Context:** Kibana is a data visualization and exploration tool used for log and time-series analytics, application monitoring, and operational intelligence.
> **Role:** Sysadmin / DevOps
> **Stack:** ELK (Elasticsearch, Logstash, Kibana)

---

## 📚 Table of Contents

1. [Discovery & Search](#1-discovery--search)
2. [Management](#2-management)
3. [Sysadmin Operations](#3-sysadmin-operations)
4. [Troubleshooting](#4-troubleshooting)

---

## 1. Discovery & Search

### KQL (Kibana Query Language)

Used in the "Search" bar.

```text
# Exact match
status: 200

# Text search
message: "error"

# Boolean logic
status: 500 AND method: "POST"
status: 404 OR status: 503
NOT status: 200

# Range
bytes > 1000
response_time >= 500

# Wildcard (wildcards must be unquoted; inside quotes they are matched literally)
host: web*
machinename: *prod*

# Exists check (field is present); _exists_:user_id is the Lucene-syntax form
user_id: *

# Nested fields
http.response.status_code: 404
```

### Time Filter

Always verify the time picker in the top right corner!

* `Last 15 minutes` (Default)
* `Last 24 hours`
* `Absolute` (Specific range)

---

## 2. Management

### Index Patterns

**Stack Management > Index Patterns**

Define how Kibana accesses indices.

* Pattern: `logstash-*` (Matches `logstash-2023.10.01`, etc.)
* Time field: `@timestamp`

### Saved Objects

**Stack Management > Saved Objects**

* Export Dashboards/Visualizations to JSON (Backup).
* Import JSON to restore or migrate.

---

## 3. Sysadmin Operations

### Config File

File: `/etc/kibana/kibana.yml`

```yaml
server.port: 5601
server.host: "0.0.0.0" # Listen on all interfaces

# Elasticsearch connection
elasticsearch.hosts: ["http://:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: ""
```

### Service Management

```bash
systemctl start kibana
systemctl status kibana
journalctl -u kibana -f
```

---

## 4. Troubleshooting

### Status Page

UI: `http://:5601/status`

Checks plugin status and Elasticsearch connectivity.

### Common Errors

1. **"Kibana server is not ready yet"**
   * Elasticsearch is down or initializing.
   * Check `kibana.yml` credentials.
2. **Date Format Issues**
   * Check mappings in Elasticsearch (`GET _mapping`).
   * Ensure Index Pattern time field matches data.
3. **Heap Memory**
   * If Kibana is crashing, set Node.js options via `NODE_OPTIONS="--max-old-space-size=4096"` in the environment or systemd unit.
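
The `kibana.yml` in the Config File section binds to all interfaces, talks to Elasticsearch over `http://`, and keeps the service password in the file. The script below is an added example, not part of the original cheatsheet: it audits a config for those settings. The sample host name and password are constructed placeholders, and the parser assumes flat dotted keys as used on this page, not nested YAML.

```python
import re

# Constructed sample mirroring the page's kibana.yml (host and password are placeholders).
SAMPLE = '''\
server.port: 5601
server.host: "0.0.0.0"   # Listen on all interfaces
elasticsearch.hosts: ["http://es.example.internal:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "PLACEHOLDER_PASSWORD"
'''

def _value(raw):
    """Return the scalar text: quoted values keep '#', unquoted ones lose trailing comments."""
    raw = raw.strip()
    if raw[:1] in ('"', "'"):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    return re.sub(r'\s+#.*$', '', raw).strip()

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines only (assumption: no nested YAML blocks)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z0-9_.]+):\s*(.*)$', line)
        if m:  # comment lines and blanks do not match and are skipped
            settings[m.group(1)] = _value(m.group(2))
    return settings

def audit(settings):
    """Return one finding per risky setting present in the parsed config."""
    findings = []
    if settings.get("server.host") in ("0.0.0.0", "::"):
        findings.append("server.host binds all interfaces; bind a specific address "
                        "or restrict access with a firewall or reverse proxy")
    if settings.get("server.ssl.enabled", "false").lower() != "true":
        findings.append("server.ssl.enabled is not true; Kibana itself serves plain "
                        "HTTP (acceptable only behind a TLS-terminating proxy)")
    if "http://" in settings.get("elasticsearch.hosts", ""):
        findings.append("elasticsearch.hosts uses http://; the kibana_system "
                        "credentials cross the network unencrypted")
    if settings.get("elasticsearch.password"):
        findings.append("elasticsearch.password is stored in kibana.yml; move it to "
                        "the keystore: kibana-keystore add elasticsearch.password")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_flat_yaml(SAMPLE)):
        print("[!]", finding)
```

To audit a real host, pass the contents of `/etc/kibana/kibana.yml` to `parse_flat_yaml` instead of `SAMPLE`.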