kibana/docs/management/index-patterns.asciidoc

[[index-patterns]]
== Creating an index pattern

To explore and visualize data in {kib}, you must create an index pattern.
An index pattern tells {kib} which {es} indices contain the data that
you want to work with.
Once you create an index pattern, you're ready to:

* Interactively explore your data in <<discover, Discover>>.
* Analyze your data in charts, tables, gauges, tag clouds, and more in <<visualize, Visualize>>.
* Show off your data in a <<canvas, Canvas>> workpad.
* If your data includes geo data, visualize it with <<maps, Maps>>.

[float]
[[index-patterns-read-only-access]]
=== [xpack]#Read-only access#
If you have insufficient privileges to create or save index patterns, a read-only
indicator appears in Kibana. The buttons to create new index patterns or save
existing index patterns are not visible. For more information, see <<xpack-security-authorization>>.

[role="screenshot"]
image::images/management-index-read-only-badge.png[Example of Index Pattern Management's read only access indicator in Kibana's header]

[float]
[[settings-create-pattern]]
=== Create an index pattern

If you are in an app that requires an index pattern, and you don't have one yet,
{kib} prompts you to create one.  Or, you can go directly to
*Management > Kibana > Index Patterns*.

[role="screenshot"]
image:management/index-patterns/images/rollup-index-pattern.png["Menu with rollup index pattern"]

[float]
==== Standard index pattern

Just start typing in the *Index pattern* field, and {kib} looks for
the names of {es} indices that match your input. Make sure that the name of the
index pattern is unique.
To include system indices in your search, toggle the switch in the upper right.

[role="screenshot"]
image:management/index-patterns/images/create-index-pattern.png["Create index pattern"]

Your index pattern can match multiple {es} indices.
Use a comma to separate the names, with no space after the comma. The notation for
wildcards (`*`) and the ability to "exclude" (`-`) also apply
(for example, `test*,-test3`).

If {kib} detects an index with a timestamp, you’re asked to choose a field to
filter your data by time. If you don’t specify a field, you won’t be able
to use the time filter.



[float]
==== Rollup index pattern

If a rollup index is detected in the cluster, clicking *Create index pattern*
includes an item for creating a rollup index pattern.
You can match an index pattern to only rolled up data, or mix both rolled
up and raw data to explore and visualize all data together.
An index pattern can match
only one rollup index.

[float]
[[management-cross-cluster-search]]
==== {ccs-cap} index pattern

If your {es} clusters are configured for {ref}/modules-cross-cluster-search.html[{ccs}], you can create
index patterns to search across the clusters of your choosing. Using the
same syntax that you'd use in a raw {ccs} request in {es}, create your
index pattern with the convention `<cluster-names>:<pattern>`.

For example, to query {ls} indices across two {es} clusters
that you set up for {ccs}, which are named `cluster_one` and `cluster_two`,
you would use `cluster_one:logstash-*,cluster_two:logstash-*` as your index pattern.

You can use wildcards in your cluster names
to match any number of clusters, so if you want to search {ls} indices across
clusters named `cluster_foo`, `cluster_bar`, and so on, you would use `cluster_*:logstash-*`
as your index pattern.

To query across all {es} clusters that have been configured for {ccs},
use a standalone wildcard for your cluster name in your index
pattern: `*:logstash-*`.

Once an index pattern is configured using the {ccs} syntax, all searches and
aggregations using that index pattern in {kib} take advantage of {ccs}.

[float]
=== Manage your index pattern

Once you create an index pattern, manually or with a sample data set,
you can look at its fields and associated data types.
You can also perform housekeeping tasks, such as making the
index pattern the default or deleting it when you longer need it.
To drill down into the details of an index pattern, click its name in
the *Index patterns* overview.

[role="screenshot"]
image:management/index-patterns/images/new-index-pattern.png["Index files and data types"]

From the detailed view, you can perform the following actions:

* *Manage the index fields.* You can add formatters to format values and create
scripted fields.
See <<managing-fields, Managing fields>> for more information.

* [[set-default-pattern]]*Set the default index pattern.* {kib} uses a badge to make users
aware of which index pattern is the default. The first pattern
you create is automatically designated as the default pattern. The default
index pattern is loaded when you open *Discover*.

* [[reload-fields]]*Refresh the index fields list.* You can refresh the index fields list to
pick up any newly-added fields. Doing so also resets Kibana’s popularity counters
for the fields. The popularity counters are used in *Discover* to sort fields in lists.

* [[delete-pattern]]*Delete the index pattern.* This action removes the pattern from the list of
Saved Objects in {kib}. You will not be able to recover field formatters,
scripted fields, source filters, and field popularity data associated with the index pattern.
Deleting an index pattern does
not remove any indices or data documents from {es}.
+
WARNING: Deleting an index pattern breaks all visualizations, saved searches, and
other saved objects that reference the pattern.