The most useful Kibana dashboards solve a specific job: triage an incident, watch infrastructure, monitor an application, hunt threats, or follow business KPIs. Below are concrete dashboard templates by use case - what to show, what to filter on, and who uses them. Each is a layout most teams converge on after a few iterations, so they're good starting points to clone and adapt rather than build from zero.
Quick Comparison: Dashboards by Use Case
| Dashboard | Primary user | Refresh cadence | Time range default |
|---|---|---|---|
| Log triage / incident | SRE, on-call | 30s auto | Last 1h |
| Infrastructure (Kubernetes/host) | Platform team | 1m auto | Last 24h |
| APM (latency, errors, throughput) | App engineers | 1m auto | Last 4h |
| Security operations (SOC) | Security team | 1m auto | Last 24h |
| Business intelligence (e-commerce) | Product / marketing | Manual | Last 7d |
| Elasticsearch cluster health | Search team / SRE | 30s auto | Last 1h |
Log Triage Dashboard (the highest-leverage one)
The dashboard most SREs open first when something breaks. Built on log data ingested by Filebeat, Elastic Agent, or Fluent Bit.
Panels:
- Log volume by service (stacked area,
service.namebreakdown). Spikes signal incidents. - Error volume by service (line chart, filtered to
log.level: error). - Top error messages (data table on
message.keyword, sorted by count, top 10). - Recent error logs (saved Discover search, last 50 entries with
log.level: error). - Host filter (Controls:
host.nameoptions list). - Service filter (Controls:
service.nameoptions list). - Environment filter (Controls:
service.environmentoptions list). - Markdown panel: runbook links and on-call rotation.
Default time: last 1 hour. Auto-refresh: 30 seconds.
Infrastructure Monitoring Dashboard
For Kubernetes, hosts, or VMs. Built on metrics from Metricbeat, Elastic Agent, or Prometheus exporters.
Panels:
- CPU usage by host (line chart over time, breakdown by
host.name). - Memory usage (gauges per host, threshold lines at 75% and 90%).
- Disk usage by mount (data table with sort, color-by-percentage).
- Disk I/O (multi-line: read/write throughput).
- Network throughput (in/out by interface).
- Top processes by CPU/memory (data table).
- Filters:
host.name,cloud.region,cloud.availability_zone.
For Kubernetes, swap host.name for kubernetes.pod.name and add kubernetes.namespace, kubernetes.deployment.name as controls.
Default time: last 24 hours. Auto-refresh: 1 minute.
APM Dashboard
Latency, throughput, and error rate per service. If you're using Elastic APM, the curated dashboards that ship with the integration are a faster starting point - clone one and modify.
Panels:
- Latency p50, p95, p99 (multi-line; use Lens percentile metrics).
- Throughput (transactions per minute, line chart).
- Error rate (line chart, calculated as
transaction.result: failure/ total). - Apdex score (metric visualization with target threshold).
- Slowest transactions (data table on
transaction.name, sorted by p95 latency). - Error distribution by type (pie or bar chart on
error.exception.type). - Filters:
service.name,service.environment,transaction.type.
Default time: last 4 hours. Auto-refresh: 1 minute.
Security Operations Dashboard
For SOC analysts watching authentication events, failed logins, and threat indicators. Often built on Elastic Common Schema (ECS) data.
Panels:
- Failed login attempts (line chart over time, filtered
event.outcome: failure and event.category: authentication). - Failed logins by source IP (data table top 20).
- Geographic map of authentication failures (Maps with
source.geo.location). - Privileged user activity (data table filtered to admin users).
- Alerts by severity (bar chart on Elastic Security alert index).
- Firewall blocked connections (line chart on network event index).
- Filters: severity, event type, source IP range, time.
Elastic Security has dedicated UIs for most of this, but custom dashboards remain useful for overlaying business context onto security signals.
Default time: last 24 hours. Auto-refresh: 1 minute.
Business Intelligence Dashboard (E-commerce)
For product, marketing, and ops teams. Built on indexed order or event data.
Panels:
- Revenue over time (line chart, summed
order.total). - Conversion rate (metric with trend arrow vs previous period).
- Top-selling products (bar chart on
product.name, sorted by revenue). - Average order value (metric).
- Cart abandonment (metric calculated from cart events).
- Customer geographic distribution (Maps panel).
- Filters:
product.category,customer.segment,geo.country_iso_code.
Default time: last 7 days. Manual refresh (analytical exploration, not live ops).
Elasticsearch Cluster Health Dashboard
For search/SRE teams operating the cluster itself. Built on Stack Monitoring indices (metrics-elasticsearch.stack_monitoring.*) or Metricbeat's elasticsearch module.
Panels:
- Cluster status (metric: green/yellow/red).
- Active vs unassigned shards (line chart).
- JVM heap usage (line chart per node, with 75% and 90% threshold lines).
- Indexing rate (docs/sec, breakdown by index).
- Search rate and latency (multi-line).
- GC time (line chart per node - sustained high values mean trouble).
- Disk usage per data node (gauge or line with high-watermark line).
- Filters:
cluster_uuid,node.name.
Default time: last 1 hour. Auto-refresh: 30 seconds.
This dashboard is exactly the kind of thing Pulse provides out of the box, with the addition of automated root-cause analysis when any of these signals go bad. Building cluster-health dashboards manually works for small clusters; for production at scale, agentic monitoring (Pulse) catches what static thresholds miss - the slow drift toward GC pressure, the shard imbalance that produces a hot node, the mapping explosion in a corner index.
Dashboard Design Patterns That Work
- KPI strip at the top: 4-6 single-metric panels showing headline numbers (errors, p95, throughput, cluster status).
- Trends in the middle: time-series line/area charts at the same time range.
- Detail tables at the bottom: top-N tables, recent logs, slow transactions.
- Controls in a panel together, top-left, so users filter the whole dashboard from one place.
- Markdown header with the dashboard's purpose, owner, and runbook link.
These layouts hold up because they put the most important information at the top, support drill-down by region, and answer "is anything wrong?" within 3 seconds of opening.
Where to Find Pre-Built Dashboards
| Source | What's there |
|---|---|
| Elastic integrations | Curated dashboards for ~400 data sources (Filebeat modules, Metricbeat modules, Elastic Agent integrations) - install the integration and dashboards appear |
| Kibana Sample Data | Three sample datasets (web logs, ecommerce, flights) with example dashboards. Stack Management -> Kibana Sample Data |
| Elastic Solutions | Observability, Security, Search built-in solutions, each with dedicated dashboards |
| GitHub | Search "kibana dashboard ndjson" for community templates |
| Elastic Demo Gallery | demo.elastic.co - live demos to model from |
Common Mistakes in Dashboard Examples
- Copying a 30-panel "everything" dashboard instead of building a focused one. Performance and signal-to-noise both suffer.
- No filters or controls - users can't slice the data themselves.
- Wrong time range default - last 15 minutes on a BI dashboard, last 7 days on an ops dashboard.
- Mixing dashboards from different ECS versions without remapping field names.
- Saving every visualization only inside the dashboard, not to the library, so reuse is impossible.
Frequently Asked Questions
Q: What are the most useful Kibana dashboards to build first?
A: For ops teams, the log triage dashboard (log volume, error volume, top errors, recent error logs with host/service filters) returns the most value the fastest. For application teams, the APM dashboard (latency, throughput, error rate per service). Both take a few hours to build and pay back daily.
Q: How do I find pre-built Kibana dashboard examples?
A: Install the Elastic integration for your data source (Filebeat module, Metricbeat module, or Elastic Agent integration) - curated dashboards ship with the integration. Or load Kibana Sample Data (Stack Management -> Kibana Sample Data) for three example dashboards.
Q: How many panels should a Kibana dashboard have?
A: 8-12 is the sweet spot. Beyond 15 panels the dashboard slows down and becomes hard to scan. If you want more, build multiple focused dashboards and link between them via drill-downs.
Q: Can I share Kibana dashboard templates between teams?
A: Yes. Export the dashboard as NDJSON via Stack Management -> Saved Objects, then import on the target Kibana. Include related objects to bring along visualizations and data views. See Exporting Kibana Dashboard.
Q: Are these Kibana dashboards suitable for real-time monitoring?
A: Yes, all the ops dashboards (log triage, infrastructure, APM, cluster health) work with 30s-1m auto-refresh. Tighter refresh raises load on Elasticsearch and rarely improves operator experience, so 30s is the practical floor.
Q: How do I customize a pre-built Kibana dashboard?
A: Open the dashboard, click Clone from the Actions menu. The clone is independent. Edit panels, add filters, change the time range, and save with a new name.
Q: What permissions does a user need to view these dashboards?
A: Read access on the Kibana feature in the relevant Space, plus read access on the underlying indices the panels query. The most common "empty dashboard" cause is having Kibana access but missing index-level privileges - check _security/has_privileges.
Related Reading
- What is a Kibana Dashboard: concepts, components, performance
- How to Create a Kibana Dashboard: build from scratch
- Exporting Kibana Dashboard: PDF, NDJSON, CSV, embeds
- Kibana Query Language: KQL syntax for filters
- Kibana Request Timeout After 30000ms: when dashboards time out
- What is Elasticsearch Index: underlying data layout
