ELK
Data Flow in ELK Stack: Logstash (Collect & Transform) → Elasticsearch (Store & Search) → Kibana (Visualize)
Elasticsearch
Explore Elasticsearch Query DSL
What is Elasticsearch?
Elastic (formerly Elasticsearch) is a suite of open-source tools for search, analytics, and data visualization, built around the core Elasticsearch engine. It's widely used for:
- Full-text search: like Google for your data.
- Log and metric analysis: centralized logging with the ELK Stack.
- Business analytics: dashboard, trends, machine learning.
Elasticsearch enables you to build powerful search experiences for websites, applications, and enterprise data using Elastic's unified platform.
How to use Elasticsearch?
sql
GET /_search
{
"query": {
"bool": {
"must": [
{ "match": { "title": "Search" }},
{ "match": { "content": "Elasticsearch" }}
],
"filter": [
{ "term": { "status": "published" }},
{ "range": { "publish_date": { "gte": "2015-01-01" }}}
]
}
}
}- Elasticsearch's native interface is HTTP-based, and requests/responses are typically in JSON.
- Elasticsearch provides official clients for multiple languages, which handle JSON internally.
- Tools with non-json interfaces: Kibana query language(KQL), SQL(not natively) interface, command line tools.
- Graphical interfaces: Kibana dev tools, elastic search head(plugin).
- ETL tools: Logstash, beats.
Logstash
What is Logstash?
Logstash is an open-source data processing pipeline tool developed by Elastic. It ingests, transforms, and ships data from various sources (logs, databases, APIs) to destinations like Elasticsearch, databases, or cloud storage.
How to use Logstashs?
A Logstashs pipeline has 3 stages: Input → Filter → Output.
Example config file (logstash.conf):
ruby
input {
file {
path => "/var/log/nginx/access.log" # Read Nginx logs
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" } # Parse log format
}
date {
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] # Fix timestamp
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"] # Send to Elasticsearch
index => "nginx-logs-%{+YYYY.MM.dd}"
}
}Kibana
- Experiment with KQL for faster searches
- Try the Kibana Demo (preloaded with sample data).
What is Kibana?
Kibana is the visualization and management UI for the Elastic Stack.
Kibana vs. Kusto
- Kusto KQL: Used in Microsoft's ecosystem (Azure). Kusto is a cloud-based data analytics engine by MS (Azure Data Explorer).
- Kibana KQL: Used in Elastic's ecosystem (Kibana). Kibana is a visualization/dashboard tool for Elasticsearch (part for ELK stack).
How to use Kibana?
Grafana
Explore Grafana Labs Tutorials
What is Grafana?
Grafana is an open-source dashboard and visualization tool designed for monitor and analyzing time-series data. It connect to multiple data sources (like Elasticsearsh, MySQL, stc.) and lets you to create interactive dashboards with charts, graphs, and alerts.
Grafana vs. Kibana
-
Grafana is better for time-series metrics. e.g. infrastructure monitoring (CPU, network)
-
Kibana excels at log exploration.
Logs → Logstash/Beats → Elasticsearch → Kibana (logs)
Metrics → Prometheus → Grafana (metrics)
How to use Grafana?
Try the Grafana Playground (pre-built demos).