Kibana FAQ - Alibaba Cloud Elasticsearch - Elasticsearch

Answers common questions about the Kibana console for Alibaba Cloud Elasticsearch.

How do I log on to the Kibana console? What are the username and password?
What is the password for the elastic account in the Kibana console used for?
Why is the Modify Configuration button for Kibana grayed out?
Can I access services on the public network from the Kibana console?
How can I better manage permissions in the Kibana console?
Kibana fails to start and reports the "Kibana server is not ready yet" error. How do I resolve this?
Kibana reports the "Maximum call stack size exceeded" error. How do I resolve this?
What should I do if I cannot log on to Kibana but need to clear data?
I cannot access Dev Tools in Kibana. How do I resolve this?
How do I view shard and index information in the Kibana console?
Why do I receive a "You do not have permission to manage users" error when using the elastic account to create a sub-account in the Kibana console?
Does Kibana support custom plugins?
Which Kibana versions support changing the language?
Why is the IP address resolved from the private endpoint of a Kibana V7.16 instance not in my VPC?
Can I configure the data size when exporting log data as a CSV file from Kibana?
What do I do if I receive a 500 error when I access Kibana after I enable X-Pack?
What do I do if wildcards fail to match indexes when I create an index pattern?
What do I do if Kibana is inaccessible or becomes inaccessible after a certificate update?
How do I install Kibana plugins?
Why does the timestamp used for filtering in the Discover UI not match the timestamp stored in an Elasticsearch document?
I can no longer access Kibana, but Elasticsearch is still accessible. How do I resolve this?
What should I do if I cannot access Kibana through an Nginx proxy?
Why can't I access Kibana using a custom domain name with a CNAME record?
How do I exclude one or multiple IP addresses by using KQL on the Kibana log query page?

Log on to the Kibana console

Log on to the Kibana console. The default username is elastic. The password is the one you specified when you created the Elasticsearch instance. To reset a forgotten password, see Reset the access password of an instance.

Purpose of the elastic account password

Note

The elastic account is the Elasticsearch administrator account with full cluster management permissions.

The elastic account password is required to access an Elasticsearch instance through:

An API or SDK.
The Kibana console.

Modify Configuration button is grayed out

When an ES instance is not in a normal state, the Modify Configuration button in Kibana may be grayed out. Wait for the instance to return to normal, or investigate the cause.

Access public services from the Kibana console

No. The Kibana console can only access services within a VPC, not public network services such as Baidu Maps or Amap. The public IP address whitelist controls inbound access to Kibana, not outbound access from Kibana to the public network.

Permission management in the Kibana console

Create dedicated users and roles instead of using the elastic account for daily operations. Use Elasticsearch X-Pack to manage roles and control user permissions.
Do not use the elastic account for search services. A leaked elastic password exposes the entire cluster to security risks.
Change the elastic password with caution. If services use the elastic account, a password reset causes authentication failures and service interruptions.

"Kibana server is not ready yet" error

Possible cause	Solution
Multiple Kibana system indexes exist, or the data structure has changed.	Delete the indexes that start with `.kibana`, then restart the Kibana node or the Elasticsearch instance. Restart a cluster or node. Warning Deleting the `.kibana` index removes Kibana configurations such as spaces and patterns. Restore them from a snapshot. Restore the .kibana_1 index.
The `.kibana*` index does not exist in the system.	Run `GET _cluster/settings` to check whether automatic index creation is disabled for system indexes. If disabled, enable it. If already enabled, restart Kibana.
The Elasticsearch cluster is overloaded.	Check the cluster monitoring data. Possible causes and solutions: The cluster node specification is 1 vCPU and 2 GiB of memory: This specification is discontinued. Upgrade the cluster as soon as possible. Unnecessary indexes consume too much memory: Delete unnecessary indexes, especially `.monitor` indexes. Set a retention period for monitoring indexes. Configure Monitoring logs.
The Kibana node is overloaded.	If the error persists, the Kibana node may be overloaded. Restart the Kibana node or upgrade its specifications. Restart a cluster or node and Upgrade a cluster. Important A Kibana node with 1 vCPU and 2 GiB of memory is not suitable for production environments. Upgrade it as soon as possible.

"Maximum call stack size exceeded" error

Cause

The instance is in an abnormal state. High heap memory usage causes request timeouts.
Solution

Reduce the bulk request size or upgrade the cluster.

Clear data without Kibana access

Use an API to access the instance and clear data. Use a curl command to access and manage an Alibaba Cloud Elasticsearch cluster. For example, query all indexes, identify the target index, and delete it:

Query all indexes in the cluster

curl -u elastic:<yourEsPassword> -XGET 'http://es-cn-7pp2auqzk0023****.public.elasticsearch.aliyuncs.com:9200/_cat/indices?v'

Delete an index

curl -u elastic:<yourEsPassword> -XDELETE 'http://es-cn-7pp2auqzk0023****.public.elasticsearch.aliyuncs.com:9200/<yourIndex>'

Cannot access Dev Tools

Check whether the Kibana node specification is 1 vCPU and 2 GiB. This specification can be unstable and is suitable only for testing. Upgrade the cluster as soon as possible.

View shard and index information

Run the GET _cat/indices?v command to view index information, and GET _cat/shards?v to view shard information.
On the Monitoring page, you can view the sharding status of indexes on a specific node, including heap memory usage.

"You do not have permission to manage users" error

An error message is displayed, such as "You do not have permission to manage users. Please contact your administrator."

Troubleshoot as follows:

Run GET _license in the Kibana console to check whether the license has expired.
Run GET /_cat/indices?v to check for multiple .security-* indexes. If multiple exist (possibly from a full index migration or synchronization), delete the older .security-* indexes and keep only the most recent.

Support for custom plugins

No. Kibana versions earlier than 7.0 support only the default console plugins. Kibana 7.0 and later do not support any plugins.

Supported versions for language change

Only Kibana 6.7.0 and later support language switching. The console supports English and Chinese. Modify the Language setting to change the language. Configure the language of the Kibana console.

Kibana private IP is outside the VPC

The deployment architecture of Kibana V7.16 and some V7.10 clusters includes a Layer 7 agent service to prevent restarts during HTTPS certificate replacements. The IP address resolved from the private endpoint belongs to this agent service. This change has been security-reviewed by Alibaba Cloud and does not affect Kibana functionality.

Configure data size for CSV exports

The default CSV export size limit is 10,485,760 bytes (10 MB), which is controlled by the xpack.reporting.csv.maxSizeBytes parameter. Data beyond this limit is truncated. Additionally, the server.maxPayloadBytes parameter limits the maximum payload size for Kibana server requests. Alibaba Cloud Elasticsearch does not support custom modification of the xpack.reporting.csv.maxSizeBytes or server.maxPayloadBytes parameters. These settings are maintained at their default values to ensure cluster stability.

If you need to export data that exceeds the default limit, consider the following alternatives:

Export data in smaller batches by applying more specific filters or shorter time ranges in Kibana.
Use Logstash to export large datasets. Logstash supports configurable batch sizes and output destinations, which makes it suitable for large-scale data export scenarios.

Install Kibana plugins

Use a Kibana plugin to query data or add tags to data.

What do I do if I receive a 500 error when I access Kibana after I enable X-Pack?

After you enable X-Pack for your Elasticsearch cluster, you may receive a 500 error when you access Kibana.

Cause

After the X-Pack configuration is enabled, the cluster needs time to distribute the configuration to all nodes. During this period, Kibana cannot start properly and returns a 500 error. Kibana must be restarted for the X-Pack configuration to take effect.
Solution
1. Wait for the cluster to finish distributing the X-Pack configuration. This process typically takes a few minutes.
2. After the configuration distribution is complete, restart the Kibana node from the Elasticsearch console. On the cluster management page, find the Kibana node and restart it.

What do I do if wildcards fail to match indexes when I create an index pattern?

When you create an index pattern in Kibana, the wildcard pattern may fail to match any indexes.

Cause

The wildcard pattern does not match the actual prefix of the index names. For example, if the index name is owl_resell_20231001, the pattern resell_* does not match the index because the prefix does not align. You must use owl_resell* instead.
Solution
1. Check the actual names of your indexes. Run GET _cat/indices?v in the Kibana Dev Tools console to list all indexes.
2. Make sure that the wildcard pattern matches the actual prefix of the index names. For example, use owl_resell* to match indexes that are named owl_resell_20231001 and owl_resell_20231002. Do not use resell_* because this pattern does not match the full prefix.
3. After the pattern successfully matches the indexes, select the correct time field for the indexes in the next step to complete the index pattern creation.

What do I do if Kibana is inaccessible or becomes inaccessible after a certificate update?

If you cannot access Kibana, troubleshoot the issue based on the following scenarios:

Time synchronization issue on a private network

If the system time of your client device, such as a cloud desktop, is not synchronized with the server time, Kibana may be inaccessible over a private network. Check and correct the system time of the client device to make sure that it is synchronized with the server time.
Certificate update

After an HTTPS certificate update for the Elasticsearch cluster, Kibana may become inaccessible until the new certificate configuration takes effect. Restart the Kibana node from the Elasticsearch console to apply the new certificate.
General troubleshooting

If the issue persists, perform the following checks:
- Verify that the Elasticsearch instance is in a healthy state.
- Verify that the IP address whitelist is correctly configured and includes the IP address of your client.
- Clear the browser cache and try again.

Timestamp mismatch between Discover and Elasticsearch

The Kibana Discover UI displays the @timestamp field in UTC by default, while Elasticsearch documents store timestamps in local time. This mismatch can be resolved as follows:

- For new data: Change the dateFormat:tz setting on the Kibana Advanced Settings page.

- For existing data: Use the Reindex API to update timestamps.

Kibana is inaccessible but Elasticsearch is accessible

Restart the Kibana node. On the Basic Information page of your Elasticsearch instance, in the Node Visualization section, hover over the status light of the Kibana Node and click Restart.

Cannot access Kibana through an Nginx proxy

Improper network or proxy configurations can prevent Kibana access through an Nginx proxy.

If you cannot access Kibana through an Nginx proxy, troubleshoot as follows:

Check network connectivity.
- Check the IP address whitelist: Ensure the Nginx proxy or client ECS IP address is in the Kibana IP address whitelist. Configure based on your network environment. Connect to a cluster through Kibana.
- (Optional) Check security group rules: Perform this step if your Alibaba Cloud Elasticsearch instance is deployed with the Cloud-native Control Architecture (v3) architecture and you are accessing it from a private network.
  - In the Kibana security group: For inbound rules, ensure that traffic from the IP address of the Nginx server to the Kibana port (for example, 5601) is allowed. No specific settings are required for outbound rules.
  - In the security group for the Nginx server: For outbound rules, ensure that traffic to the IP address and port of the Kibana service (for example, 5601) is allowed.
Note
Configure the settings based on your network environment and the actual port numbers.
Check the proxy configuration.
- Verify that the proxy_pass directive in your Nginx configuration file points to the correct Kibana service address, including the protocol, domain name, and port number.
- Check if the Nginx configuration file rewrites the Host request header (for example, proxy_set_header Host XXX). If the Host header is modified, Kibana may fail to correctly identify the request source. You can resolve this issue in one of the following ways:
  - Method 1: Comment out or delete the proxy_set_header Host configuration.
  - Method 2: If you want to keep the Host configuration, set the Host header to the original domain name of Kibana.
Sample: Nginx configuration file.
Adjust the Kibana authentication method.

For cloud-native architecture instances accessed over a private network through a proxy, use only username and password authentication. Connect to a cluster through Kibana.
Restart the Nginx proxy.
1. After modifying the configuration, run the following command to check the Nginx configuration file for syntax errors:
```
sudo nginx -t
```
2. Run the following command to apply the changes by restarting the Nginx service:
```
sudo nginx -s reload
```

Cannot access Kibana by using a CNAME record

You cannot use a custom domain name with a CNAME record to access Kibana on an Elasticsearch instance with the Cloud-native Control Architecture (v3) architecture. To use a custom domain name, access Kibana through an Nginx proxy.

Note

View the instance Basic Information page to check its Control Architecture Type.

How do I exclude one or multiple IP addresses by using KQL on the Kibana log query page?

On the Discover page or log query page in Kibana, you can use the NOT keyword in KQL (Kibana Query Language) to exclude documents that match a specified field value. The keyword supports both single-value exclusion and multiple-value combinations.

To exclude a single IP address, use the format NOT <field>: "<IP>". For example:
```
NOT remote: "10.1.146.35"
```
To exclude multiple IP addresses, chain multiple NOT conditions with AND. For example:
```
NOT remote: "10.1.146.35" AND NOT remote: "10.1.150.19"
```

Note

Do not append port numbers to IP addresses, and connect multiple exclusion conditions with AND.

Warning

KQL does not support syntax like no <field>:. The token no is treated as a regular search term and does not exclude any documents. Always use the uppercase NOT keyword.

For more information about KQL syntax, see Kibana Query Language in the Kibana official documentation.