1. Introduction
Your Spring Boot Product API is running, but users are reporting errors. Instead of SSHing into servers and grepping through log files, you can visually search, filter, and analyze your logs in Kibana. This guide will show you how to turn Kibana into a powerful debugging dashboard for your Java application. We’ll use a typical Spring Boot Application as our example to find errors, trace requests, and understand application behavior.
2. Prerequisites
To follow along with this tutorial, you will need:
- A running ELK Stack (Elasticsearch, Logstash, Kibana). Need setup help? Refer to our guide on Centralized Logging for Java applications with ELK.
- A Java application configured to send its logs to Elasticsearch.
3. Configure Kibana: Home Screen
Kibana is usually available at http://{servername}:5601, assuming you used the default port number during the installation. The first time you navigate to the Kibana URL, you will see the following screen if there is already some data in the Elasticsearch indices:

If no data exists in Elasticsearch indices, you might see a different screen inviting you to add Elastic integrations. We assume here that you have already populated some data into your Elasticsearch indices using a tool like Logstash or any other tool.
4. Create a DataView
A Dataview is a quick way to visualize the data in specific Elasticsearch indices. Without a Dataview, Kibana will display the data in all Elasticsearch indices, which might be very difficult to explore.
The objective of this section is to create a Dataview for our Spring Boot application logs. We will name it “logstash-*” so that it matches all Logstash indices.
There are two ways to create a Dataview. The first way is by clicking the Create dataview button on the welcome page, as shown here:

You may also create a Dataview by navigating to the Discover page using the Burger menu:

From the Discover page, click Create a new Dataview as shown below:

Either way, you must provide a name and an index pattern for your Dataview. You must also select the timestamp field to use for filtering. Once you type in an index pattern, Kibana will automatically detect the number of Elasticsearch indices matching the pattern.

Once you have filled everything in, click Save. The Dataview is then automatically selected and its content is displayed:

5. Set a Time Range
The first thing you need to do after creating a dataview is to adjust the time filter setting. This will ensure you are looking for data in the correct time frame.
Access the time filter field from the top right as shown here:

Adjust the time setting by selecting a value from the following zones:
- Quick select: Offers more customization options
- Commonly used
- Recently used
- Refreshing delay: By default, it’s 60 seconds.
6. Kibana Query Language (KQL)
By default, Kibana loads all the content of a data view and uses pagination if there are multiple rows. Kibana Query Language (KQL) is a text-based query language that helps you filter the content of a dataview. It is especially useful when you are looking for specific text in an Elasticsearch index.
Here are a few ways of using KQL:
6.1. Find all ERROR logs
- Query:
log.level : "ERROR"
- Why: This is your first step when something is broken. It filters out all noise and shows only critical failures.

6.2. Find logs for a specific product ID
- Query:
message : "12345"
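- Why: A user reports an issue with product ID 12345. This query finds every log entry related to that product, tracing its journey through your app. Because it matches the value anywhere in the message text, entries that contain 12345 for an unrelated reason can also appear in the results.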

6.3. Find all successful GET requests
- Query:
http_status : 200 and message : "Request received for product ID"
- Why: To understand normal traffic patterns or confirm that a specific endpoint is working.

Pro-tip: If you are not seeing any data in the search result, ensure you have selected the correct time frame in the time filter field (top right).
Saving a Query
Whenever you create a query and would like to be able to reuse it later on, there is an option to save the query.

7. Elasticsearch Query Language (ES|QL)
Unlike KQL, which is simply a text-filtering language, Elasticsearch Query Language (ES|QL) is a powerful language that allows you to filter, transform, and analyze data stored in Elasticsearch indices.
There are two ways of running an ES|QL query:
- Using DevTools: This approach utilizes the ES|QL query API.
- Using Discover: This is the simplest way from an end-user point of view.
We will be using the last option in this tutorial. To access it, go to Discover, and from the Dataview menu, select ES|QL as shown below:

You can then start typing your queries as shown below.
Scenario 1: Display all logs in the logstash index, limit to 10
FROM logstash | LIMIT 10

Scenario 2: Calculate the rate of errors vs. total requests.
FROM logstash*
| WHERE @timestamp >= NOW() - 1 HOUR
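// COUNT(<boolean>) counts every non-null value, true or false; "OR NULL" turns non-errors into NULL so only ERROR rows are counted
| STATS total_requests = COUNT(*), error_requests = COUNT(log.level == "ERROR" OR NULL)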
| EVAL error_rate = ROUND(((error_requests * 1.0) / total_requests) * 100, 2)
| KEEP total_requests, error_requests, error_rate

Why: This gives you a high-level health metric for your API over the last hour, which is more valuable than just looking at raw error counts.
ES|QL uses pipes (|) to manipulate and transform the data. To learn more about the language, read the official documentation.
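Going one step beyond Scenario 2, the query below breaks the error rate down per hour so you can see when errors started rather than a single figure for the whole window. It is an added example, not part of the original guide; it assumes the same logstash* indices and the @timestamp and log.level fields used above, and the 24-hour window is an arbitrary choice.

```esql
// Added example: hourly error rate over the last 24 hours.
FROM logstash*
| WHERE @timestamp >= NOW() - 24 hours
// Truncate each event's timestamp to the start of its hour.
| EVAL hour = DATE_TRUNC(1 hour, @timestamp)
// Flag errors as 1/0 so they can be summed per bucket.
| EVAL is_error = CASE(log.level == "ERROR", 1, 0)
| STATS total_requests = COUNT(*), error_requests = SUM(is_error) BY hour
// Multiply by 100.0 to force floating-point division.
| EVAL error_rate = ROUND(error_requests * 100.0 / total_requests, 2)
| SORT hour DESC
| KEEP hour, total_requests, error_requests, error_rate
```

Hours with no log entries at all do not appear in the result, so a missing row means no traffic was logged, not a 0% error rate.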
8. Conclusion
You’ve now moved from passively collecting logs to actively using Kibana to debug and understand your Spring Boot application. By creating targeted KQL queries, you can instantly find errors, trace user journeys, and validate application behavior. For broader operational insights, ES|QL allows you to perform advanced analysis on your log data.