Articles

Build Elasticsearch Dashboards with Kibana Lens (2026)

April 16, 2026 4 min read

Kibana Lens is the easiest way to build visualizations and dashboards in Kibana, letting you explore your data visually and drag-and-drop your way to insights.

Let’s say you’ve got some web server logs flowing into Elasticsearch, and you want to see how many requests your server is handling over time.

Here’s how you’d do it with Lens:

  1. Navigate to Kibana’s Visualize Library: In Kibana, click the "Visualize Library" icon in the left-hand navigation.
  2. Create New Visualization: Click the "Create visualization" button.
  3. Choose Lens: Select "Lens" from the list of visualization types.

Now you’re in the Lens interface. On the left, you’ll see your available index patterns (your data sources). On the right, you have a blank canvas for your visualization and a panel to configure it.

To visualize the request count over time:

  1. Select your Index Pattern: Make sure your web server logs index pattern is selected.
  2. Drag "timestamp" to the X-axis: Find the timestamp field (or whatever your log event’s primary time field is named) in the left-hand field list and drag it onto the "Drop fields here" area under "X-axis." Lens will automatically recognize it as a time-based field and set it to "Date Histogram" aggregation.
  3. Drag "bytes" (or any metric) to the Y-axis: Find a field that represents a metric, like bytes (total bytes transferred) or response_code if you’re counting specific responses. Drag it onto the "Drop fields here" area under "Y-axis." Lens will default to Count aggregation for bytes if it’s a numeric field. If you want to count events (requests), drag any field (even a non-numeric one like clientip) to the Y-axis and ensure the aggregation is set to Count.
  4. Observe the Chart: You’ll immediately see a time-series chart appear on the right, showing the number of requests per time interval (e.g., per minute, hour, day, depending on the zoom level).

The magic here is that Lens dynamically figures out the best way to represent your data based on what you drag. If you drag a time field to the X-axis and a numeric field to the Y-axis, it assumes you want a time-series chart. If you drag two numeric fields, it might suggest a scatter plot.

Let’s add more detail. Suppose you want to see the average response time for each request, broken down by the HTTP status code.

  1. Keep the X-axis as "timestamp" (Date Histogram).
  2. Change the Y-axis aggregation: Click on the Count aggregation for your Y-axis field. A dropdown will appear. Select Average and then choose your response_time field (assuming you have one).
  3. Add "response_code" to "Break down by": Find your response_code field in the left-hand list and drag it to the "Break down by" area.

Now, your chart will show the average response time over time, with separate lines for each unique response_code (e.g., 200, 404, 500).

Lens is powerful because it abstracts away much of the underlying Elasticsearch query DSL and Kibana charting configuration. You’re interacting with your data conceptually, and Lens translates that into efficient Elasticsearch queries. The "Break down by" functionality is particularly useful for segmenting your metrics by categorical fields like clientip, url, user_agent, etc.

When you drag a field to the "Break down by" section, Lens adds a terms aggregation to your Elasticsearch query. For example, if you break down by response_code, Lens generates a query that looks something like this (simplified):

GET /your-index-*/_search
{
  "size": 0,
  "query": { ... },
  "aggs": {
    "2": {
      "date_histogram": { ... },
      "aggs": {
        "3": {
          "terms": { "field": "response_code.keyword", "size": 10 }, // .keyword for exact string matching
          "aggs": {
            "4": {
              "avg": { "field": "response_time" }
            }
          }
        }
      }
    }
  }
}

This nested aggregation structure allows Kibana to render multiple series on a single chart, each representing a distinct value from the response_code field. The .keyword suffix is often used for string fields to ensure you’re aggregating on the exact string value, not a tokenized version.

Once you’re happy with your visualization, click the "Save" button in the top right. You can then choose to "Save and return" or "Save and add to dashboard." If you save and add to a dashboard, you can then arrange this visualization alongside others to create a comprehensive overview of your data.

The most surprising thing about Lens is how it handles data type inference and aggregation suggestions. It doesn’t just present fields; it tries to understand your intent. If you drag a field that looks like a date, it defaults to date histogram. If you drag a numeric field, it defaults to count or sum. This proactive suggestion engine dramatically speeds up the exploration process.

When you drag a field into the "Break down by" area, Lens automatically adds a terms aggregation. However, if that field is a date or a numeric range, Lens might instead suggest a date_histogram or histogram aggregation for the breakdown, allowing you to see how your primary metric changes across different time buckets or numerical ranges, rather than just discrete values.

After you’ve built your dashboard and are happy with the visualizations, the next logical step is to explore alerting on specific conditions within your data.

Want structured learning?

Take the full Elasticsearch course →