Search across multiple indices
Your map might contain multiple Elasticsearch indices. This can occur when your map contains two or more layers with Elasticsearch sources from different indices. This can also occur with a single layer with an Elasticsearch source and a term join.
Searching across multiple indices might sometimes result in empty layers. The most common cause of empty layers is a search for a field that exists in one index but does not exist in the other indices.
Disable global search for a layer
One strategy for eliminating unintentional empty layers from a cross-index search is to disable global search for a layer.
Use _index in a search
Add _index to your search to include documents from indices that do not contain a search field.
For example, suppose you have a vector layer showing the kibana_sample_data_logs documents and another vector layer with kibana_sample_data_flights documents. (See adding sample data to install the kibana_sample_data_logs and kibana_sample_data_flights indices.)
If you query for
machine.os.keyword : "osx"
the kibana_sample_data_flights layer is empty because the index kibana_sample_data_flights does not contain the field machine.os.keyword and no documents match the query.
If you instead query for
machine.os.keyword : "osx" or _index : "kibana_sample_data_flights"
the kibana_sample_data_flights layer includes data.
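The two queries above, evaluated against a simplified model of per-layer search. This is an added example, not Kibana or Elasticsearch code; the sample documents, the DestCountry values, and the parse, matches and layer_counts helpers are constructed for illustration and handle only the field : "value" and or forms used on this page.

```python
# Simplified model of one global search applied to each layer's index.
# Constructed sample documents; the real sample data sets are much larger.
INDICES = {
    "kibana_sample_data_logs": [
        {"machine.os.keyword": "osx"},
        {"machine.os.keyword": "win 8"},
        {"machine.os.keyword": "osx"},
    ],
    "kibana_sample_data_flights": [
        {"DestCountry": "IT"},
        {"DestCountry": "US"},
    ],
}


def parse(query):
    """Split 'field : "value" or field : "value"' into (field, value) clauses."""
    clauses = []
    for part in query.split(" or "):
        field, _, value = part.partition(":")
        clauses.append((field.strip(), value.strip().strip('"')))
    return clauses


def matches(index_name, doc, clauses):
    """A document matches when any one of the OR-ed clauses matches."""
    for field, value in clauses:
        # _index is metadata: the name of the index that holds the document.
        actual = index_name if field == "_index" else doc.get(field)
        if actual == value:  # a field missing from the document never matches
            return True
    return False


def layer_counts(query):
    """Return the number of matching documents per index (one layer each)."""
    clauses = parse(query)
    return {
        name: sum(matches(name, doc, clauses) for doc in docs)
        for name, docs in INDICES.items()
    }


if __name__ == "__main__":
    print(layer_counts('machine.os.keyword : "osx"'))
    print(layer_counts('machine.os.keyword : "osx" or _index : "kibana_sample_data_flights"'))
```

With the _index clause, every document in kibana_sample_data_flights matches, so that layer is shown unfiltered rather than narrowed by the search.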