Creating a Kibana data view is required before Discover, visualizations, and dashboards can query Logstash-generated indices with reliable time-based filtering.
A data view (formerly an index pattern) is a Kibana saved object that points to one or more Elasticsearch indices via a wildcard such as logs-* and provides field metadata for search and aggregation features.
Field discovery works best after at least one document exists in the target indices, and the selected time field (commonly @timestamp) must be mapped as a date; deployments using TLS must use https endpoints and a trusted CA in curl.
Steps to create a Kibana data view for Logstash indices:
- Confirm indices matching the Logstash pattern exist in Elasticsearch.
$ curl --silent --show-error --fail --cacert /etc/elasticsearch/certs/http-ca.crt --user elastic:password "https://localhost:9200/_cat/indices/logs-*?h=index,docs.count"
logs-2026.01.07 12
logs-2026.01.06 9118
logs-2026.01 1
Replace logs-* with the index name pattern produced by Logstash, such as logstash-*.
- Confirm the intended time field exists as a date in the matching indices.
$ curl --silent --show-error --fail --cacert /etc/elasticsearch/certs/http-ca.crt --user elastic:password "https://localhost:9200/logs-*/_field_caps?fields=@timestamp&pretty"
{
  "indices" : [
    "logs-2026.01",
    "logs-2026.01.06",
    "logs-2026.01.07"
  ],
  "fields" : {
    "@timestamp" : {
      "date" : {
        "type" : "date",
        "metadata_field" : false,
        "searchable" : true,
        "aggregatable" : true
      }
    }
  }
}
The timeFieldName must be a date field for Kibana time filtering to work.
- Create the data view for the Logstash index pattern.
$ curl --silent --show-error --fail --cacert /etc/kibana/certs/kibana-ca.crt --user elastic:password --request POST "https://localhost:5601/kibana/api/data_views/data_view" --header "kbn-xsrf: true" --header "Content-Type: application/json" --data '{
  "data_view": {
    "title": "logs-*",
    "name": "Logstash logs",
    "timeFieldName": "@timestamp"
  }
}'
Kibana Spaces require inserting /s/<space_id> before /api in the request URL.
- Fetch the data view by id to confirm creation.
$ curl --silent --show-error --cacert /etc/kibana/certs/kibana-ca.crt --user elastic:password --header "kbn-xsrf: true" "https://localhost:5601/kibana/api/data_views/data_view/5b828c0a-e58e-48bb-848a-87da4f76f467" | jq '{data_view: {id: .data_view.id, name: .data_view.name, title: .data_view.title, timeFieldName: .data_view.timeFieldName}}'
{
  "data_view": {
    "id": "5b828c0a-e58e-48bb-848a-87da4f76f467",
    "name": "Logstash logs",
    "title": "logs-*",
    "timeFieldName": "@timestamp"
  }
}
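The time-field check and the create request from the steps above, as an added Python example (not code from the original page): it gates creation on the _field_caps response, including the case where one index maps @timestamp with a conflicting type, and builds the Spaces-aware URL. The function names, the space id soc, the CONFLICT sample, the acceptance of date_nanos, and the space id character set are assumptions of this example.

```python
import json
import re

DATE_TYPES = {"date", "date_nanos"}  # date_nanos: assumption beyond the page


def time_field_problems(field_caps, field="@timestamp"):
    """Return reasons the field is unsafe as timeFieldName; empty list means OK."""
    types = field_caps.get("fields", {}).get(field)
    if not types:
        return [f"{field} is not mapped in any matching index"]
    problems = []
    for type_name, caps in sorted(types.items()):
        # With conflicting mappings, each type entry lists the indices using it.
        where = ", ".join(caps.get("indices", ["all matching indices"]))
        if type_name not in DATE_TYPES:
            problems.append(f"{field} is mapped as {type_name} in {where}")
        elif not (caps.get("searchable") and caps.get("aggregatable")):
            problems.append(f"{field} is not searchable/aggregatable in {where}")
    return problems


def data_view_request(base_url, title, name, time_field, space_id=None):
    """Build (url, headers, body) for the create call shown in the steps."""
    prefix = ""
    if space_id is not None:
        # Reject anything that could alter the request path (assumed id charset).
        if not re.fullmatch(r"[a-z0-9_-]+", space_id):
            raise ValueError(f"invalid space id: {space_id!r}")
        prefix = f"/s/{space_id}"
    url = f"{base_url.rstrip('/')}{prefix}/api/data_views/data_view"
    headers = {"kbn-xsrf": "true", "Content-Type": "application/json"}
    body = json.dumps({"data_view": {"title": title, "name": name,
                                     "timeFieldName": time_field}})
    return url, headers, body


# Constructed sample: one index maps @timestamp as keyword instead of date.
CONFLICT = {"indices": ["logs-2026.01", "logs-2026.01.06"], "fields": {"@timestamp": {
    "date": {"type": "date", "searchable": True, "aggregatable": True,
             "indices": ["logs-2026.01.06"]},
    "keyword": {"type": "keyword", "searchable": True, "aggregatable": True,
                "indices": ["logs-2026.01"]}}}}

if __name__ == "__main__":
    for line in time_field_problems(CONFLICT):
        print("refusing to create data view:", line)
    print(data_view_request("https://localhost:5601/kibana", "logs-*",
                            "Logstash logs", "@timestamp", space_id="soc"))
```

A non-empty result from time_field_problems names the index whose mapping has to be fixed or excluded from the pattern before the data view is created.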
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
