Query your data
Querying your APM data is an essential tool that can make finding bottlenecks in your code even more straightforward.
Using the query bar, a powerful data query feature, you can pass advanced queries on your data to filter on specific pieces of information you’re interested in.
The query bar comes with a handy autocomplete that helps you find fields and even suggests values for the data they contain. You can select the query bar and press the down arrow on your keyboard to begin scanning recommendations.
Querying in the APM app
When querying in the APM app, you’re merely searching and selecting data from fields in Elasticsearch documents. Queries entered into the query bar are also added as parameters to the URL, so it’s easy to share a specific query or view with others.
When you type, you can begin to see some of the transaction fields available for filtering:
[Image: Example of the Kibana Query bar in APM app in Kibana]
To learn more about the Kibana query language capabilities, see the Kibana Query Language Enhancements documentation.
APM app queries
APM queries can be handy for removing noise from your data in the Services, Transactions, Errors, Metrics, and Traces views.
For example, in the Services view, you can quickly view a list of all the instrumented services running on your production environment:
service.environment : production
Or filter the list by including the APM agent’s name and the host it’s running on:
service.environment : "production" and agent.name : "java" and host.name : "prod-server1"
On the Traces view, you might want to view failed transaction results from any of your running containers:
transaction.result :"FAILURE" and container.id : *
On the Transactions view, you may want to list only the transactions slower than a specified time threshold:
transaction.duration.us > 2000000
Or filter the list by including the service version and the Kubernetes pod it’s running on:
transaction.duration.us > 2000000 and service.version : "7.12.0" and kubernetes.pod.name : "pod-5468b47f57-pqk2m"
Querying in Discover
Alternatively, you can query your APM documents in Discover. Querying documents in Discover works the same way as queries in the APM app, and Discover supports all of the example APM app queries shown on this page.
Discover queries
One example where you may want to use Discover is to view all transactions for an endpoint instead of just a sample.
Starting in v7.6, you can view ten samples per bucket in the APM app, instead of just one.
Use the APM app to find a transaction name and time bucket that you’re interested in learning more about. Then, switch to Discover and run a search:
processor.event: "transaction" AND transaction.name: "<TRANSACTION_NAME_HERE>" and transaction.duration.us > 13000 and transaction.duration.us < 14000
In this example, we’re interested in viewing all of the APIRestController#customers transactions that took between 13 and 14 milliseconds. Here’s what Discover returns:
[Image: View all transactions in bucket]
You can now explore the data until you find a specific transaction that you’re interested in.
Copy that transaction’s transaction.id, and paste it into the APM app to view the data in the context of the APM app:
[Image: View specific transaction in apm app]
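When the Discover query above is generated by a script instead of being typed, the transaction name has to be quoted so that it cannot change the structure of the query. The following added example (not from the Kibana documentation; the function names are hypothetical) builds that query from a name and a millisecond bucket, escaping the name and converting the bounds to microseconds.

```javascript
// Added example; function names are hypothetical, not a Kibana API.

// Quote a value for KQL. Inside double quotes, the backslash and the
// double quote itself are escaped, so a value containing a quote cannot
// close the phrase early and append clauses of its own.
function kqlQuote(value) {
  if (typeof value !== "string" || value.length === 0) {
    throw new TypeError("value must be a non-empty string");
  }
  return '"' + value.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// Convert a millisecond bound to whole microseconds, the unit of
// transaction.duration.us (13 ms -> 13000).
function msToUs(ms) {
  if (typeof ms !== "number" || !Number.isFinite(ms) || ms < 0) {
    throw new RangeError("duration bound must be a non-negative number");
  }
  return Math.round(ms * 1000);
}

// Build the Discover query from this page for one transaction name and
// one duration bucket (exclusive bounds, given in milliseconds).
function transactionBucketQuery(name, minMs, maxMs) {
  const lo = msToUs(minMs);
  const hi = msToUs(maxMs);
  if (lo >= hi) throw new RangeError("minMs must be below maxMs");
  return [
    'processor.event: "transaction"',
    `transaction.name: ${kqlQuote(name)}`,
    `transaction.duration.us > ${lo}`,
    `transaction.duration.us < ${hi}`,
  ].join(" and ");
}

// Constructed inputs: the name used on this page, then a value that
// contains quotes and KQL keywords and must remain a single phrase.
console.log(transactionBucketQuery("APIRestController#customers", 13, 14));
console.log(transactionBucketQuery('x" or service.name: "*', 13, 14));
```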