Kibana
Your open source window into the Elastic Stack — query, visualize, and act on data stored in Elasticsearch with real-time dashboards, AI-assisted search, and automated alerting.
Kibana is the official open source interface for the Elastic Stack, providing a powerful browser-based environment for exploring, visualizing, and managing data stored in Elasticsearch. Built for DevOps engineers, security analysts, and data teams, it brings together observability, security threat detection, and enterprise search in a single, extensible platform. Kibana connects directly to Elasticsearch and reflects changes in near real time, making it suitable for operational monitoring, incident response, and business intelligence.
The platform is organized around a plugin-based architecture where capabilities like APM, Fleet, Security SIEM, and ML anomaly detection live as first-class plugins. This means teams can use only the features they need without carrying the weight of the full stack in every deployment. Dashboards are composable from reusable panel types, and every visualization or saved search can be embedded elsewhere in the UI without hardcoded layout dependencies.
Kibana ships with a built-in ES|QL editor backed by a full AST parser, autocomplete engine, and inline validation — meaning developers get IDE-quality query authoring inside a browser. The AI-powered assistant translates natural language into Elasticsearch and ES|QL queries, lowering the barrier for teams unfamiliar with query syntax. Machine learning anomaly detection jobs can be created and managed without writing code, and alerting rules can trigger automated responses to hundreds of external services.
Deployment is supported via downloadable packages for Linux, macOS, and Windows, as well as Docker images and Kubernetes manifests. Kibana must run against a matching-version Elasticsearch cluster; Elastic also offers a fully managed hosted version on Elastic Cloud for teams that prefer to skip the operational overhead.
What You Get
- Kibana Discover - Interactive data exploration with field-level summaries, intelligent ES|QL autocomplete, and natural language input that translates to structured Elasticsearch queries without manual syntax.
- Composable Dashboards - Build multi-panel visualizations using metric, XY chart, heatmap, Lens, and map panel types; panels are reusable across views and update in sync with shared time filters.
- ES|QL Query Editor - A full-featured in-browser editor for Elastic’s pipe-based query language, backed by a custom AST parser, hover documentation, function signature help, and inline validation.
- AI-Powered Assistant - Natural language interface that generates and explains Elasticsearch and ES|QL queries, summarizes log patterns, and surfaces root-cause suggestions for observability incidents.
- No-Code ML Anomaly Detection - Automated machine learning jobs that detect anomalies, score unusual events, and categorize log messages without writing code or training custom models.
- Geospatial Visualization - Multilayer maps with distance filters, shape overlays, and Elastic Maps Service tiles, including offline map support for air-gapped deployments.
- Alerting and Connectors - Rule engine supporting threshold, anomaly, and ES|QL-based conditions, with connectors for Slack, PagerDuty, ServiceNow, email, and webhooks to automate incident response.
- Security SIEM and Timeline - Dedicated security solution with detection rules mapped to MITRE ATT&CK, case management, entity analytics, and an interactive investigation timeline.
Common Use Cases
- Microservices observability - A DevOps engineer correlates distributed traces from APM, container metrics from the Infra plugin, and structured logs in Discover to diagnose a latency regression across ten services in a single Kibana session.
- Security threat hunting - A SOC analyst uses the Security SIEM timeline to pivot from a detection alert through related network events and process trees, then promotes the investigation to a case with attached evidence panels.
- Infrastructure capacity planning - An SRE team builds a Kibana dashboard combining metric forecasts from ML jobs and current resource usage to project when clusters will exhaust CPU or memory before an incident occurs.
- Business analytics on event data - A data analyst queries clickstream and transaction events stored in Elasticsearch using the Lens drag-and-drop interface, building segmented conversion funnels without writing any query code.
- Enterprise search relevance tuning - A product team uses Kibana’s search relevance tools to inspect scoring explanations for internal document search, adjusting field boosts and synonym rules through a UI rather than raw API calls.
Under The Hood
Architecture
Kibana is built on a layered, plugin-based monorepo where @kbn/core acts as the plugin host and service registry. Every major capability — Fleet, APM, Security SIEM, ML — is a first-class plugin that declares its dependencies in a manifest and receives typed service interfaces through lifecycle methods (setup, start, stop). This enforces hard boundaries between features at compile time and prevents circular dependencies. The frontend uses an embeddable system that allows any panel type to be dynamically composed into dashboards without compile-time coupling to a layout, making dashboards extensible without touching core code. The codebase is split into src/core (plugin framework), src/platform (shared UI and server services), and x-pack (Elastic License features), giving clear separation between open source and commercial functionality.
Tech Stack
The server runs on Node.js 24 with TypeScript across more than 96% of the codebase, using a custom Hapi.js-based HTTP layer with the official @elastic/elasticsearch client for backend communication. The frontend is built on React 18 and Elastic UI (EUI) for design-system consistency, with RxJS BehaviorSubjects and Redux slices for state management and React Query for data fetching. Build tooling centers on a custom @kbn/optimizer wrapping webpack, supplemented by ESBuild for fast server builds, Storybook for component development, and a suite of custom ESLint plugins enforcing import boundaries, i18n usage, and telemetry patterns unique to the project. End-to-end testing uses a custom Functional Test Runner (FTR) with Selenium and Cypress for UI scenarios, while Jest handles unit and integration coverage per package.
Code Quality
The testing infrastructure is extensive — each package carries its own jest.config.js, test files mirror the production directory structure, and shared test utilities provide page-object models and reusable service abstractions for functional tests. TypeScript strict mode is enforced globally, and multiple custom ESLint plugins enforce project-specific conventions beyond standard rules, including import ownership, mandatory i18n wrappers for user-facing strings, and consistent telemetry event schemas. Error handling uses typed HTTP response factories and structured error objects throughout, making error contracts machine-readable at the API boundary. The open issue count is high (reflecting a large active community and an enterprise-grade surface area), but release cadence is regular and well-maintained.
What Makes It Unique The ES|QL language package is the most technically distinctive component — it includes a full custom AST parser, a Walker API for tree traversal, AST mutators for query rewriting, and editor-support services (autocomplete, hover, signature help, inline validation) all implemented in TypeScript and running in the browser. This gives Kibana IDE-quality query authoring without a backend round-trip. The embeddable composition model allows third-party plugins to contribute panel types to dashboards with no changes to core, which is architecturally more open than most BI tools. Combining this with runtime plugin composition where server and client plugins share TypeScript type contracts through lifecycle interfaces makes Kibana’s extensibility model genuinely more sophisticated than typical plugin architectures.
Self-Hosting
Kibana’s source code is covered by a triple license: the GNU Affero General Public License v3.0 (AGPL-3.0), the Server Side Public License v1 (SSPL), and the Elastic License 2.0 (EL2). Code in the x-pack directory is licensed solely under the Elastic License 2.0. In practical terms this means the core open source features can be used freely for self-hosted deployments, but the AGPL and SSPL both carry strong copyleft obligations — if you modify and distribute Kibana or provide it as a service, you must release your modifications. The Elastic License 2.0 explicitly prohibits offering Kibana (or any substantially similar product) as a managed cloud service to third parties, which is why AWS, Google, and others cannot legally offer Elastic-licensed Kibana as a hosted SaaS. For internal self-hosting — running Kibana inside your own organization for your own teams — none of these restrictions apply.
Operationally, self-hosting Kibana means running it alongside a compatible Elasticsearch cluster at the same major and minor version; mismatched versions either log warnings or outright refuse to start. The resource footprint is significant: Kibana itself is a Node.js process with substantial memory needs (typically 2–4 GB JVM heap on the Elasticsearch side, plus RAM for the Kibana Node process), and enterprise-grade deployments add Logstash or Elastic Agent for ingestion, and dedicated coordination nodes. You are responsible for TLS certificate management, upgrades (which must be done in lockstep with Elasticsearch), snapshot/restore for saved objects, and horizontal scaling of the Kibana tier behind a load balancer. The dev_docs and CONTRIBUTING guide cover the architecture thoroughly, but production runbooks require following Elastic’s official upgrade guides carefully.
Elastic Cloud, the managed offering, adds significant operational conveniences that are difficult to replicate self-hosted: automated coordinated upgrades, built-in high availability across availability zones, managed snapshots with one-click restore, Elastic’s support SLA, and access to all x-pack features including advanced security, cross-cluster search, and Elastic’s AI features tied to the subscription tier. The free self-hosted “basic” license includes a meaningful feature set, but premium features — SAML/OIDC SSO, field-level security, audit logging, alerting connectors beyond email, and some ML capabilities — require an active Elastic subscription, either through Elastic Cloud or an on-premise license agreement with Elastic.
Related Apps
Uptime Kuma
Monitoring
Self-hosted monitoring for every service you run — 23 monitor types, 95 notification channels, live dashboards, and public status pages with no vendor lock-in.
Uptime Kuma
MITNetdata
Monitoring · Devops
Real-time per-second metrics, ML-powered anomaly detection, and zero-config observability for any infrastructure.
Netdata
GPL 3.0Grafana
Monitoring · Analytics
The open-source observability platform that unifies metrics, logs, and traces from any data source into dynamic, queryable dashboards.