OpenSearch Dashboards enables you to interactively explore, visualize, and share insights into your network flow data, as well as manage and monitor OpenSearch.
The OpenSearch dashboards and related configuration artifacts can be easily imported. You must first download the relevant import file, depending on the configuration of your environment.
|Version||Schema||Theme||File|
|1.0.x - 1.2.x||CODEX||dark||dashboards-1.0.x-codex-dark.ndjson|
|1.0.x - 1.2.x||CODEX||light||dashboards-1.0.x-codex-light.ndjson|
|1.0.x - 1.2.x||ECS||dark||dashboards-1.0.x-ecs-dark.ndjson|
|1.0.x - 1.2.x||ECS||light||dashboards-1.0.x-ecs-light.ndjson|
|1.12.x - 1.13.x||CODEX||dark||kibana-7.10.x-codex-dark.ndjson|
|1.12.x - 1.13.x||CODEX||light||kibana-7.10.x-codex-light.ndjson|
To import the configuration, in OpenSearch Dashboards go to Stack Management --> Saved Objects and click Import in the upper right corner.
When the OpenSearch Dashboards import fails, neither the import UI nor the OpenSearch Dashboards logs will provide any useful information. However, attempting to import via curl will usually provide more detail.
The most common issue is related to the relatively large size of the OpenSearch Dashboards Saved Objects file. This can cause the import to fail unless the maximum allowed payload size is increased. The OpenSearch Dashboards setting is
SERVER_MAXPAYLOADBYTES if using Docker), which should also be set to
If you have a reverse proxy in front of OpenSearch Dashboards, you may have to modify your proxy settings as well. Many reverse proxies also have relatively low values for the maximum body size. For example, the NGINX default is only 1 MB. This can be increased by setting
8388608. Refer to the documentation for your proxy software to similarly modify its behavior.
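The curl-based import mentioned above, preceded by a size check against the payload limit, as an added example (not ElastiFlow's own script). The function names, the `OSD_USER` variable, the 1024-byte multipart headroom and the use of 8388608 as the smallest limit in the request path are assumptions; the endpoint and the `osd-xsrf` header are those of the OpenSearch Dashboards saved objects import API.

```shell
#!/bin/sh
# Added example: pre-check the .ndjson size, then import it with curl so the
# HTTP status and response body are visible (the import UI hides both).

# Smallest body limit between client and OpenSearch Dashboards (assumption:
# the 8388608 figure from this page applies to proxy and Dashboards alike).
MAX_PAYLOAD_BYTES="${MAX_PAYLOAD_BYTES:-8388608}"

# Returns 0 if the file fits, 1 if it would exceed the limit, 2 if missing.
check_payload_size() {
  file="$1"
  limit="${2:-$MAX_PAYLOAD_BYTES}"
  [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }
  size=$(wc -c < "$file" | tr -d ' ')
  # The file travels as multipart/form-data, so allow headroom for the
  # boundary and part headers (1024 bytes is an assumed margin).
  if [ $((size + 1024)) -gt "$limit" ]; then
    echo "$file is $size bytes; limit is $limit. Expect HTTP 413." >&2
    return 1
  fi
  return 0
}

# Usage: import_saved_objects https://dashboards.example.internal:5601 file.ndjson
import_saved_objects() {
  url="$1"
  file="$2"
  check_payload_size "$file" || return $?
  # -u with only a user name makes curl prompt for the password, keeping it
  # out of the process list and shell history. TLS verification stays on.
  # A 413 status here points at a payload limit (proxy or Dashboards).
  curl -sS -u "${OSD_USER:?set OSD_USER}" -X POST \
    "$url/api/saved_objects/_import?overwrite=true" \
    -H 'osd-xsrf: true' \
    --form "file=@$file" \
    -w '\nHTTP %{http_code}\n'
}

# Run the import only when called with a URL and a file.
if [ "$#" -eq 2 ]; then
  import_saved_objects "$1" "$2"
fi
```

The Kibana 7.10.x files listed above target Kibana, which expects the `kbn-xsrf` header in place of `osd-xsrf`.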
You may find that modifying a few of the OpenSearch Dashboards advanced settings will produce a more user-friendly experience while using ElastiFlow™. These settings are made in OpenSearch Dashboards, under Stack Management -> Advanced Settings.
|Advanced Setting||Value||Why make the change?|
|filters:pinnedByDefault||Pinning a filter allows it to persist when you are changing dashboards. This is very useful when drilling down into something of interest and you want to change dashboards for a different perspective of the same data. This is the #1 setting we recommend changing.|
|defaultRoute||see description||If your primary or only use-case for OpenSearch Dashboards is ElastiFlow, set this to the URL path of the dashboard that you wish to load immediately after logging in, or when returning to "home". The format of this value is |
|doc_table:highlight||There can be a query performance penalty that comes with using the highlighting feature. As it isn't very useful for this use-case, it is better to just turn it off.|
|state:storeInSessionStorage||OpenSearch Dashboards URLs can get pretty large, especially when working with Vega visualizations. This will likely result in error messages for users of Internet Explorer. Using in-session storage will fix this issue for these users.|
|theme:darkMode||Enable dark mode for the OpenSearch Dashboards UI. This setting should match the |
|timepicker:timeDefaults||see below||The Time Picker Quick Range to use when OpenSearch Dashboards is started without one.|
|timepicker:quickRanges||see below||The default options in the Time Picker are less than optimal for most logging and monitoring use-cases. Fortunately, OpenSearch Dashboards now allows you to customize the time picker. Our recommended settings can be found below.|
|format:number:defaultPattern||Default numeral format for the "number" format.|
|format:percent:defaultPattern||Default numeral format for the "percent" format.|
We find that the following Time Picker Time Default provides more useful views of the data for network flow related use-cases.
We find that the following set of Time Picker Quick Ranges provides more useful views of the data for network flow related use-cases.