So we've been looking at moving to Kibana 4.x lately but have noticed that simple 15min duration Discover queries take a long time (10-60 seconds). Upon investigation it seems that Kibana 4.1.7 does a msearch where it specifies the indices with a wildcard index (e.g. logstash-*) as opposed to using the actual date(s) (e.g. logstash-2016.03.25).
This is causing a huge performance hit. Why was this change made and is there any way to have the indices specified in a similar way to Kibana 3? It seems silly to search all indices for the last 15 minutes of data if you know that will be in a specific index with today's date.
OK, so I discovered how to do this. When you specify the index initially (Configure an index pattern) you also must check the "Use event times to create index names" checkbox.
Sorry I didn't respond sooner! Yes, this is the correct setting to use.
For future versions of Kibana, we've optimized this so you can still use a wildcard index (e.g. logstash-*) without having to specify name-based indices. (See https://github.com/elastic/kibana/issues/4342.)
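Added example, not part of the original thread and not Kibana's own code: a Python sketch of what date-based index naming amounts to, expanding a query window into the daily index names that cover it and building the matching msearch header and body lines. It assumes Logstash-style daily indices named in UTC and a `@timestamp` field; the function names are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

def daily_indices(start, end, prefix="logstash-"):
    """Return the daily index names (UTC days) that cover [start, end]."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("timezone-aware datetimes required")
    if end < start:
        raise ValueError("end precedes start")
    # Assumption: indices roll over at UTC midnight, so convert first.
    day = start.astimezone(timezone.utc).date()
    last = end.astimezone(timezone.utc).date()
    names = []
    while day <= last:
        names.append(prefix + day.strftime("%Y.%m.%d"))
        day += timedelta(days=1)
    return names

def msearch_body(start, end, prefix="logstash-"):
    """Build one msearch header/body pair (NDJSON) for the window."""
    header = {
        "index": daily_indices(start, end, prefix),
        # A day with no events has no index; skip it instead of failing.
        "ignore_unavailable": True,
    }
    query = {"query": {"range": {"@timestamp": {
        "gte": int(start.timestamp() * 1000),
        "lte": int(end.timestamp() * 1000),
        "format": "epoch_millis",
    }}}}
    return json.dumps(header) + "\n" + json.dumps(query) + "\n"

if __name__ == "__main__":
    # Constructed sample: a 15-minute window that crosses UTC midnight
    # touches two daily indices, not one.
    start = datetime(2016, 3, 25, 23, 50, tzinfo=timezone.utc)
    print(msearch_body(start, start + timedelta(minutes=15)))
```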