English for Kibana Log Analysis
Learn the English vocabulary developers and SREs need to search, filter, and visualize logs in Kibana, and to explain findings clearly to teammates.
Kibana turns a mountain of raw log lines into something searchable, but describing what you found in a dashboard — clearly enough that a teammate can reproduce it — takes a specific vocabulary. This set covers the terms that come up when you’re digging through logs during an incident or building a new visualization.
Key Vocabulary
Index pattern — a Kibana object that tells it which Elasticsearch indices to query (typically a wildcard that matches a whole family of date-based indices) and how to interpret their fields, acting as the bridge between stored data and a searchable view. Kibana 8 renamed these to data views, so you will hear both terms. “Make sure your index pattern includes today’s date-based index, or the new logs won’t show up in the Discover view.”
KQL (Kibana Query Language) — the query syntax used in the search bar to filter documents by field values, ranges, and boolean combinations (and, or, not, parentheses) without writing the full Elasticsearch query DSL. “You can filter this down with KQL — just type status_code >= 500 and service: "checkout" in the search bar.”
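To make the KQL sentence above concrete, here is an added example (not Kibana's code, and not from this page's author): a small recursive-descent evaluator for a subset of KQL (field : value, the range operators, and/or/not, parentheses) run over a handful of constructed log documents standing in for Elasticsearch hits. It compares values exactly; real KQL runs an analyzed match query against text fields and also supports wildcards, nested fields and date math, none of which this subset implements.

```python
import operator
import re

# Constructed sample documents standing in for Elasticsearch hits; not real log data.
SAMPLE_LOGS = [
    {"service": "checkout", "status_code": 503},
    {"service": "checkout", "status_code": 200},
    {"service": "auth-service", "status_code": 401},
    {"service": "payments", "status_code": 500},
]

# A token is a quoted string, an operator, or a bare word (field name, unquoted
# value, or one of the keywords and/or/not).
TOKEN_RE = re.compile(r'\s*(?:(?P<str>"[^"]*")|(?P<op><=|>=|<|>|:|\(|\))|(?P<word>[^\s"():<>]+))')
KEYWORDS = {"and", "or", "not"}
OPERATORS = {":": operator.eq, ">": operator.gt, ">=": operator.ge,
             "<": operator.lt, "<=": operator.le}

class KQLError(ValueError):
    """Raised for queries this subset cannot parse."""

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise KQLError(f"cannot tokenize {query[pos:]!r}")
        pos = m.end()
        if m.group("str") is not None:
            tokens.append(("str", m.group("str")[1:-1]))
        elif m.group("op") is not None:
            tokens.append(("op", m.group("op")))
        else:
            word = m.group("word")
            tokens.append(("kw", word.lower()) if word.lower() in KEYWORDS else ("word", word))
    return tokens

def _coerce(actual, expected):
    """Compare numerically when both sides parse as numbers, otherwise as strings."""
    try:
        return float(actual), float(expected)
    except (TypeError, ValueError):
        return str(actual), str(expected)

class Parser:
    """expr = term ('or' term)*; term = factor ('and' factor)*;
    factor = 'not' factor | '(' expr ')' | field op value. Builds a predicate."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        pred = self.expr()
        if self.i != len(self.toks):
            raise KQLError(f"unexpected token {self.toks[self.i]!r}")
        return pred

    def expr(self):
        left = self.term()
        while self.peek() == ("kw", "or"):
            self.take()
            left = (lambda l, r: lambda d: l(d) or r(d))(left, self.term())
        return left

    def term(self):
        left = self.factor()
        while self.peek() == ("kw", "and"):
            self.take()
            left = (lambda l, r: lambda d: l(d) and r(d))(left, self.factor())
        return left

    def factor(self):
        if self.peek() == ("kw", "not"):
            self.take()
            inner = self.factor()
            return lambda d: not inner(d)
        if self.peek() == ("op", "("):
            self.take()
            inner = self.expr()
            if self.take() != ("op", ")"):
                raise KQLError("missing ')'")
            return inner
        kind, field = self.take()
        if kind != "word":
            raise KQLError(f"expected a field name, got {field!r}")
        kind, op = self.take()
        if kind != "op" or op not in OPERATORS:
            raise KQLError(f"expected an operator after {field!r}")
        kind, value = self.take()
        if kind not in ("word", "str"):
            raise KQLError(f"expected a value after {field} {op}")
        compare = OPERATORS[op]
        # Exact comparison only; real KQL analyzes text fields before matching.
        return lambda d: field in d and compare(*_coerce(d[field], value))

def kql_filter(docs, query):
    """Return the documents that satisfy the (subset) KQL query."""
    predicate = Parser(tokenize(query)).parse()
    return [d for d in docs if predicate(d)]

def is_valid_kql(query):
    """True when the query parses; a missing operator or empty query is a syntax error."""
    try:
        Parser(tokenize(query)).parse()
        return True
    except KQLError:
        return False
```

Running `kql_filter(SAMPLE_LOGS, 'status_code >= 500 and service: "checkout"')` returns only the 503 from checkout, and `not service: checkout` returns the other two services. The point to notice is that `and` binds tighter than `or`, exactly as in Kibana, so `a or b and c` is `a or (b and c)`; parenthesize when that is not what you mean.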
Discover view — the Kibana screen for browsing raw, individual log documents in a table, useful for confirming exactly what a single request or error looked like. “Before building a chart, I always check the Discover view first to make sure the raw log fields actually contain what I expect.”
Field mapping — the definition of a field’s data type in Elasticsearch (text, keyword, date, number), which determines whether it can be aggregated, sorted, or searched as an exact match. A text field is run through an analyzer and indexed as lowercased tokens, so by default it cannot be bucketed at all; the keyword sub-field stores the whole value verbatim. “That aggregation is failing because the field is mapped as text, not keyword — we need the keyword sub-field for exact bucketing.”
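The following added example (not Elasticsearch code, and not from this page's author) simulates why the mapping matters. It approximates the standard analyzer as "lowercase and split on non-word characters", models the conventional dynamic mapping in which a string gets a text field plus a .keyword sub-field, and shows three things on constructed log documents: an exact-match filter on the text field misses a hyphenated value because only its tokens were indexed, a terms aggregation on the text field is refused (Elasticsearch does the same unless fielddata is enabled), and the same aggregation on the .keyword sub-field buckets whole values exactly.

```python
import re
from collections import Counter

# Constructed sample log documents; not real data.
SAMPLE_LOGS = [
    {"service": "auth-service", "user_id": "U-1042", "status_code": 401},
    {"service": "auth-service", "user_id": "U-1042", "status_code": 401},
    {"service": "checkout", "user_id": "U-77", "status_code": 503},
    {"service": "Checkout", "user_id": "u-1042", "status_code": 200},
]

# Simplified mapping in the style of an Elasticsearch index mapping (assumed):
# strings get a text field plus a "keyword" sub-field, numbers are stored exactly.
MAPPING = {
    "service": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    "user_id": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    "status_code": {"type": "long"},
}

class FielddataDisabled(Exception):
    """Mirrors Elasticsearch refusing to aggregate a text field by default."""

def analyze(value):
    """Approximate the standard analyzer: lowercase, split on non-word characters."""
    return [t for t in re.split(r"[^\w]+", str(value).lower()) if t]

def resolve(field):
    """Map 'user_id' or 'user_id.keyword' to (base field name, mapped type)."""
    base, _, sub = field.partition(".")
    spec = MAPPING[base]
    if sub:
        spec = spec["fields"][sub]
    return base, spec["type"]

def indexed_terms(doc, field):
    """What actually lands in the index for this document and field."""
    base, ftype = resolve(field)
    raw = doc[base]
    return analyze(raw) if ftype == "text" else [raw]

def term_filter(docs, field, value):
    """Exact-match (term-level) filter: the value must equal an indexed term."""
    return [d for d in docs if value in indexed_terms(d, field)]

def terms_agg(docs, field, fielddata=False):
    """Bucket documents by indexed term, like a terms aggregation."""
    base, ftype = resolve(field)
    if ftype == "text" and not fielddata:
        raise FielddataDisabled(f"{field} is mapped as text; aggregate on {base}.keyword instead")
    counts = Counter()
    for d in docs:
        counts.update(indexed_terms(d, field))
    return dict(counts)

def can_aggregate(field):
    """True when a terms aggregation on this field succeeds with default settings."""
    try:
        terms_agg(SAMPLE_LOGS, field)
        return True
    except FielddataDisabled:
        return False
```

`term_filter(SAMPLE_LOGS, "user_id", "U-1042")` returns nothing because the index holds the tokens `u` and `1042`, while `term_filter(SAMPLE_LOGS, "user_id.keyword", "U-1042")` returns the two matching documents (and not the lowercase `u-1042`, since keyword is case-sensitive). Enabling fielddata on the text field makes `terms_agg` run, but the buckets it produces are tokens (`auth`, `service`, `checkout`), which is rarely what a dashboard wants.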
Lens visualization — Kibana’s drag-and-drop chart builder for creating bar charts, line charts, and tables directly from index fields without writing a query by hand. “I built a quick Lens visualization showing error rate by service over the last hour — it took two minutes instead of writing a custom aggregation.”
Common Phrases
- “Can you narrow that down with a KQL filter on the service name?”
- “Let’s check the Discover view to confirm the raw log actually has that field.”
- “This field isn’t aggregating correctly — I think the mapping is wrong.”
- “I’ll throw together a quick Lens chart so we can see the trend at a glance.”
- “Which index pattern are you querying against? I don’t think it includes yesterday’s data.”
Example Sentences
Investigating an incident: “I filtered the logs with KQL down to just the 5xx responses from the payments service, and the spike lines up exactly with the deploy at 14:02.”
Explaining a dashboard to a teammate: “This Lens panel shows request latency bucketed by endpoint — click any bar and it’ll take you straight to the matching Discover query.”
Fixing a broken query: “Your exact-match filter isn’t hitting anything because user_id is mapped as text, so the value gets tokenized — use user_id.keyword if you need the whole value matched as-is.”
Professional Tips
- Say KQL filter, not “search term,” when describing how you narrowed results — it signals you’re using Kibana’s actual query syntax rather than eyeballing results.
- Check the field mapping before assuming a query is broken — a huge share of “this filter doesn’t work” issues are actually mapping mismatches, not logic errors.
- When sharing a finding, mention whether you confirmed it in the Discover view first — it shows you validated the raw data before trusting an aggregated chart.
- Describe a new chart as a Lens visualization specifically if that’s the tool you used — it tells teammates they can edit it directly instead of hunting for a saved search.
Practice Exercise
- Write a KQL query filter (in English, as you’d say it aloud) for finding all logs from the auth-service with a status code of 401 in the last 24 hours.
- Explain in one sentence why a field mapped as text might not aggregate the way you expect.
- Describe, in two sentences, how you would verify a spike you see in a Lens chart before reporting it as a real incident.