Kibana Dashboards and Visualizations

Overview

The Kibana dashboards and visualizations APIs provide a declarative, Git-friendly format for defining dashboards and visualizations. Definitions are minimal, diffable, and suitable for version control and LLM-assisted generation.

Key Benefits:

• Minimal payloads (no implementation details or derivable properties)

• Easy to diff in Git

• Consistent patterns for GitOps workflows

• Designed for LLM one-shot generation

• Robust validation via OpenAPI spec

Version Requirement: Kibana 9.4+ (SNAPSHOT)

Important Caveats

ES|QL Visualizations: ES|QL-based visualizations cannot be created via /api/visualizations . They must be created as inline panels within dashboards using the Dashboard API.

Inline vs Saved Object References: When embedding visualization panels in dashboards, prefer inline definitions over ref_id references. Inline definitions are more reliable and self-contained.

Quick Start

Environment Configuration

Kibana connection is configured via environment variables. Run node scripts/kibana-dashboards.js test to verify the connection. If the test fails, suggest these setup options to the user, then stop. Do not try to explore further until a successful connection test.

Option 1: Elastic Cloud (recommended for production)

export KIBANA_CLOUD_ID="deployment-name:base64encodedcloudid" export KIBANA_API_KEY="base64encodedapikey"

Option 2: Direct URL with API Key

export KIBANA_URL="https://your-kibana:5601" export KIBANA_API_KEY="base64encodedapikey"

Option 3: Basic Authentication

export KIBANA_URL="https://your-kibana:5601" export KIBANA_USERNAME="elastic" export KIBANA_PASSWORD="changeme"

Option 4: Local Development with start-local

Use start-local to spin up Elasticsearch/Kibana locally, then source the generated .env :

curl -fsSL https://elastic.co/start-local | sh source elastic-start-local/.env export KIBANA_URL="$KB_LOCAL_URL" export KIBANA_USERNAME="elastic" export KIBANA_PASSWORD="$ES_LOCAL_PASSWORD"

Then run node scripts/kibana-dashboards.js test to verify the connection.

Optional: Skip TLS verification (development only)

export KIBANA_INSECURE="true"

Basic Workflow

Test connection and API availability

node scripts/kibana-dashboards.js test

Dashboard operations

node scripts/kibana-dashboards.js dashboard get <id> echo '<json>' | node scripts/kibana-dashboards.js dashboard create - echo '<json>' | node scripts/kibana-dashboards.js dashboard update <id> - node scripts/kibana-dashboards.js dashboard delete <id> echo '<json>' | node scripts/kibana-dashboards.js dashboard upsert <id> -

Visualization operations (standalone saved objects)

node scripts/kibana-dashboards.js vis list node scripts/kibana-dashboards.js vis get <id> echo '<json>' | node scripts/kibana-dashboards.js vis create - echo '<json>' | node scripts/kibana-dashboards.js vis update <id> - node scripts/kibana-dashboards.js vis delete <id> echo '<json>' | node scripts/kibana-dashboards.js vis upsert <id> -

Dashboards API

Dashboard Definition Structure

The API expects a flat request body with title and panels at the root level. The response wraps these in a data

envelope alongside id , meta , and spaces .

{ "title": "My Dashboard", "panels": [ ... ], "time_range": { "from": "now-24h", "to": "now" } }

Note: Dashboard IDs are auto-generated by the API. The script also accepts the legacy wrapped format { id?, data: { title, panels }, spaces? } and unwraps it automatically.

Dashboard with Inline Visualization Panels (Recommended)

Use inline definitions (properties directly in config ) for self-contained, portable dashboards:

{ "title": "My Dashboard", "panels": [ { "type": "vis", "id": "metric-panel", "grid": { "x": 0, "y": 0, "w": 12, "h": 6 }, "config": { "title": "", "type": "metric", "data_source": { "type": "esql", "query": "FROM logs | STATS total = COUNT()" }, "metrics": [{ "type": "primary", "column": "total", "label": "Total Count" }] } }, { "type": "vis", "id": "chart-panel", "grid": { "x": 12, "y": 0, "w": 36, "h": 8 }, "config": { "title": "Events Over Time", "type": "xy", "axis": { "x": { "scale": "temporal", "domain": { "type": "fit", "rounding": false } } }, "layers": [ { "type": "area", "data_source": { "type": "esql", "query": "FROM logs | WHERE @timestamp <= ?_tend AND @timestamp > ?_tstart | STATS count = COUNT() BY BUCKET(@timestamp, 75, ?_tstart, ?_tend)" }, "x": { "column": "BUCKET(@timestamp, 75, ?_tstart, ?_tend)", "label": "@timestamp" }, "y": [{ "column": "count" }] } ] } } ], "time_range": { "from": "now-24h", "to": "now" } }

Dashboard Grid System

Dashboards use a 48-column, infinite-row grid. On 16:9 screens, approximately 20-24 rows are visible without scrolling. Design for density—place primary KPIs and key trends above the fold.

Width Columns Height Rows Use Case

Full 48 Large 14-16 Wide time series, tables

Half 24 Standard 10-12 Primary charts

Quarter 12 Compact 5-6 KPI metrics

Sixth 8 Minimal 4-5 Dense metric rows

Target: 8-12 panels above the fold. Use descriptive panel titles on the charts themselves instead of adding markdown headers.

Grid Packing Rules:

• Eliminate Dead Space: Always calculate the bottom edge (y + h ) of every panel. When starting a new row or placing a panel below another, its y coordinate must exactly match the y + h of the panel immediately above it.

• Align Row Heights: If multiple panels are placed side-by-side in a row (e.g., sharing the same y coordinate), they should generally have the exact same height (h ). If they do not, you must fill the resulting empty vertical space before placing the next full-width panel.

Panel Schema

{ "type": "vis", "id": "unique-panel-id", "grid": { "x": 0, "y": 0, "w": 24, "h": 15 }, "config": { ... } }

Property Type Required Description

type

string Yes Embeddable type (e.g., vis , markdown , map )

id

string No Unique panel ID (auto-generated if omitted)

grid

object Yes Position and size (x , y , w , h )

config

object Yes Panel-specific configuration

Visualizations API

Supported Chart Types

Type Description ES|QL Support

metric

Single metric value display Yes

xy

Line, area, bar charts Yes

gauge

Gauge visualizations Yes

heatmap

Heatmap charts Yes

tag_cloud

Tag/word cloud Yes

data_table

Data tables Yes

region_map

Region/choropleth maps Yes

pie , treemap , mosaic , waffle

Partition charts Yes

Note: To create donut charts, use pie with donut_hole set to "s" , "m" , or "l" (small, medium, large hole). Use "none" for a solid pie.

Dataset Types

There are three dataset types supported in the Visualizations API. Each uses different patterns for specifying metrics and dimensions.

Data View Dataset

Use data_view_reference with aggregation operations. Kibana performs the aggregations automatically.

{ "data_source": { "type": "data_view_reference", "ref_id": "90943e30-9a47-11e8-b64d-95841ca0b247" } }

Available operations: count , average , sum , max , min , unique_count , median , standard_deviation , percentile , percentile_rank , last_value , date_histogram , terms . See Chart Types Reference for details.

ES|QL Dataset

Use esql with a query string. Reference the output columns using { column: 'column_name' } .

{ "data_source": { "type": "esql", "query": "FROM logs | STATS count = COUNT(), avg_bytes = AVG(bytes) BY host" } }

ES|QL Column Reference Pattern:

{ "column": "count" }

Key Difference: With ES|QL, you write the aggregation in the query itself, then reference the resulting columns. With data view, you specify the aggregation operation and Kibana performs it.

Important: ES|QL visualizations cannot be created via /api/visualizations . They must be created as inline panels in dashboards via the Dashboard API.

Index Dataset

Use index for ad-hoc index patterns without a saved data view:

{ "data_source": { "type": "data_view_spec", "index_pattern": "logs-*", "time_field": "@timestamp" } }

Examples

For detailed schemas and all chart type options, see Chart Types Reference.

Metric (Data View):

{ "type": "metric", "data_source": { "type": "data_view_reference", "ref_id": "90943e30-9a47-11e8-b64d-95841ca0b247" }, "metrics": [{ "type": "primary", "operation": "count", "label": "Total Requests" }] }

Metric (ES|QL):

{ "type": "metric", "data_source": { "type": "esql", "query": "FROM logs | STATS count = COUNT()" }, "metrics": [{ "type": "primary", "column": "count", "label": "Total Requests" }] }

XY Bar Chart (Data View):

{ "title": "Top Hosts", "type": "xy", "axis": { "x": { "title": { "visible": false } }, "y": { "anchor": "start", "title": { "visible": false } } }, "layers": [ { "type": "bar_horizontal", "data_source": { "type": "data_view_reference", "ref_id": "90943e30-9a47-11e8-b64d-95841ca0b247" }, "x": { "operation": "terms", "fields": ["host.keyword"], "limit": 10 }, "y": [{ "operation": "count" }] } ] }

XY Time Series (ES|QL):

{ "title": "Requests Over Time", "type": "xy", "axis": { "x": { "title": { "visible": false }, "scale": "temporal", "domain": { "type": "fit", "rounding": false } }, "y": { "anchor": "start", "title": { "visible": false } } }, "layers": [ { "type": "line", "data_source": { "type": "esql", "query": "FROM logs | WHERE @timestamp <= ?_tend AND @timestamp > ?_tstart | STATS count = COUNT() BY BUCKET(@timestamp, 75, ?_tstart, ?_tend)" }, "x": { "column": "BUCKET(@timestamp, 75, ?_tstart, ?_tend)", "label": "@timestamp" }, "y": [{ "column": "count" }] } ] }

Tip: Always hide axis titles when the panel title is descriptive. Use bar_horizontal for categorical data with long labels. Use axis for axis configuration.

Full Documentation

• Dashboard API Reference — Dashboard endpoints and schemas

• Visualizations API Reference — Visualization endpoints

• Chart Types Reference — Detailed schemas for each chart type

• Example Definitions — Ready-to-use definitions

Key Example Files

See assets/ for ready-to-use definitions: demo-dashboard.json , dashboard-with-visualizations.json , metric-esql.json , bar-chart-esql.json , line-chart-timeseries.json .

Common Issues

Error Solution

"401 Unauthorized" Check KIBANA_USERNAME/PASSWORD or KIBANA_API_KEY

"404 Not Found" Verify dashboard/visualization ID exists

"409 Conflict" Dashboard/viz already exists; delete first or use update

Schema validation error Ensure column names match query output; use { column: 'name' } for ES|QL

Metric chart structure Requires metrics array: [{ type: 'primary', ... }]

XY chart fails Put data_source inside each layer, use axis (singular)

ref_id panels missing Prefer inline definitions (properties in config ) over ref_id

Guidelines

Design for density — Operational dashboards must show 8-12 panels above the fold (within the first 24 rows). Use compact panel heights: metrics MUST be h=4 to h=6 , and charts MUST be h=8 to h=12 .

Never use Markdown for titles/headers — Do NOT add markdown panels to act as dashboard titles or section dividers. This wastes critical vertical space. Use descriptive panel titles on the charts themselves.

Prioritize above the fold — Primary KPIs and key trends must be placed at y=0 . Deep-dives and data tables should be placed below the charts.

Use descriptive chart titles, hide axis titles — Write titles that explain what the chart shows (e.g., "Requests by Response Code"). A good panel title makes axis titles redundant. Always set axis.x.title.visible: false and axis.y.title.visible: false .

Choose the right dataset type — Use data_view_reference for simple aggregations, esql for complex queries

Inline definitions — Prefer inline properties in config over config.ref_id for portable dashboards

Test connection first — Run node scripts/kibana-dashboards.js test before creating resources

Get existing examples — Use vis get <id> to see the exact schema for different chart types (the CLI subcommand is vis )

Avoid redundant metric labels — For ES|QL metrics, avoid using both a panel title and an inner metric label, as it wastes space. Set the panel title to "" and configure the human-readable label by aliasing the ES|QL column name using backticks (e.g., STATS Total Requests = COUNT() and "column": "Total Requests" ).

Format numbers with units — Use the format property on metrics and y-axis columns to display proper units instead of raw numbers. Types: bytes , bits , number , percent , duration , custom . Example: "format": { "type": "bytes", "decimals": 0 } . See Chart Types Reference for the full format table.

Schema Differences: Data View vs ES|QL

Aspect Data View ES|QL

Dataset { type: 'data_view_reference', ref_id: '...' }

{ type: 'esql', query: '...' }

Metric chart metrics: [{ type: 'primary', operation: 'count' }]

metrics: [{ type: 'primary', column: 'col' }]

XY columns { operation: 'terms', fields: ['host'], limit: 10 }

{ column: 'host' }

Static values { operation: 'static_value', value: 100 }

Use EVAL in query (see below)

XY data_source Inside each layer Inside each layer

Tagcloud tag_by: { operation: 'terms', ... }

tag_by: { column: '...' }

Datatable props metrics , rows arrays metrics , rows arrays with { column: '...' }

Key Pattern: ES|QL uses { column: 'column_name' } to reference columns from the query result. The aggregation happens in the ES|QL query itself. Use data_source for all data source configuration.

Data source types: Use data_view_reference (with ref_id ) for saved data views, data_view_spec (with index_pattern ) for ad-hoc index patterns, and esql for ES|QL queries.

ES|QL: Time Bucketing

Use BUCKET(@timestamp, n, ?_tstart, ?_tend) for time series charts. The numeric argument is the target number of buckets. Kibana injects ?_tstart /?_tend automatically. Do not reassign the result — use the full expression BUCKET(@timestamp, 75, ?_tstart, ?_tend) as both the BY clause and the column reference. Set "label" to provide a friendly display name:

"x": { "column": "BUCKET(@timestamp, 75, ?_tstart, ?_tend)", "label": "@timestamp" }

Important: To get a proper multilevel time axis (e.g., "9th / April 2026 / 10th") instead of raw timestamp labels, you must set "scale": "temporal" on the x-axis:

"axis": { "x": { "scale": "temporal", "domain": { "type": "fit", "rounding": false } } }

Without "scale": "temporal" , Kibana treats the bucket column as categorical text and renders unsorted, verbose timestamp strings.

FROM logs | WHERE @timestamp <= ?_tend AND @timestamp > ?_tstart | STATS count = COUNT(*) BY BUCKET(@timestamp, 75, ?_tstart, ?_tend)

Note: BUCKET(@timestamp, n, ?_tstart, ?_tend) requires a WHERE clause with ?_tstart /?_tend bounds (Kibana injects these). Alternatively, use BUCKET(@timestamp, 1 hour) with a fixed duration — this does not require parameters but won't auto-scale.

ES|QL: Extracting Date Parts

Use DATE_EXTRACT(part, date) with ES|QL part names (not SQL keywords). The part string must be double-quoted. Common parts: "hour_of_day" , "day_of_week" , "day_of_month" , "month_of_year" , "year" , "day_of_year" .

FROM logs | STATS count = COUNT() BY hour = DATE_EXTRACT("hour_of_day", @timestamp), day = DATE_EXTRACT("day_of_week", @timestamp)

ES|QL: Creating Static/Constant Values

ES|QL does not support static_value operations. Instead, create constant columns using EVAL :

FROM logs | STATS count = COUNT() | EVAL max_value = 20000, goal = 15000

Then reference with { "column": "max_value" } . For dynamic reference values, use aggregation functions like PERCENTILE() or MAX() in the query.

Design Principles

The APIs follow these principles:

• Minimal definitions — Only required properties; defaults are injected

• No implementation details — No internal state or machine IDs

• Flat structure — Shallow nesting for easy diffing

• Semantic names — Clear, readable property names

• Git-friendly — Easy to track changes in version control

• LLM-optimized — Compact format suitable for one-shot generation