Index Patterns, Data Views, and Runtime Fields
Kibana's data model is three layers. Confusing them is how you end up with dashboards that look right and count wrong.
Kibana queries data through Data Views (renamed from Index Patterns in 8.x). A Data View is a saved object that binds a glob of indices, a timestamp field, and a list of fields — including runtime fields that don't exist on disk.
The golden rule: one timestamp per Data View
If a pattern matches indices with different @timestamp semantics (for example, ingest time vs event time), your dashboards silently double-count or drop records during overlap windows. Keep timestamp fields consistent across the pattern.
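The window-edge effect described above, as an added example that is not part of the original page. The index names `logs-a-*` and `logs-b-*`, the `event_time` helper field, and all sample records are constructed; the assumption is that one pipeline stamps `@timestamp` with event time and the other with ingest time.

```python
from datetime import datetime, timedelta

# Constructed sample: (id, index, when the event happened, when it was ingested).
T = datetime(2024, 1, 1, 10, 0)
RAW = [
    ("a1", "logs-a-2024.01.01", T + timedelta(minutes=5),  T + timedelta(minutes=6)),
    ("a2", "logs-a-2024.01.01", T + timedelta(minutes=58), T + timedelta(minutes=63)),
    ("b1", "logs-b-2024.01.01", T - timedelta(minutes=3),  T + timedelta(minutes=2)),
    ("b2", "logs-b-2024.01.01", T + timedelta(minutes=20), T + timedelta(minutes=21)),
    ("b3", "logs-b-2024.01.01", T + timedelta(minutes=57), T + timedelta(minutes=64)),
]


def index_docs(raw):
    """Store each record the way its (hypothetical) pipeline would.

    Assumption: logs-a-* writes event time into @timestamp,
    logs-b-* writes ingest time into @timestamp.
    """
    docs = []
    for doc_id, index, event_time, ingest_time in raw:
        stamp = event_time if index.startswith("logs-a-") else ingest_time
        docs.append({"_id": doc_id, "_index": index,
                     "@timestamp": stamp,
                     "event_time": event_time})  # ground truth, kept for the audit only
    return docs


def audit_window(docs, start, end):
    """Compare a time-picker filter on @timestamp with the true event-time window."""
    shown = {d["_id"] for d in docs if start <= d["@timestamp"] < end}
    truth = {d["_id"] for d in docs if start <= d["event_time"] < end}
    return {
        "shown": sorted(shown),               # what a dashboard over logs-* would count
        "truth": sorted(truth),               # what actually happened in the window
        "dropped": sorted(truth - shown),     # happened in the window, not displayed
        "misplaced": sorted(shown - truth),   # displayed, but happened outside it
    }


if __name__ == "__main__":
    result = audit_window(index_docs(RAW), T, T + timedelta(hours=1))
    for key, ids in result.items():
        print(f"{key:9} {len(ids)} {ids}")
```

Both sets contain four records here, so the panel total matches the true total while one record is missing and another does not belong in the window.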
Runtime fields — safe, but they cost CPU
A runtime field is a Painless script evaluated at query time. Great when you need a derived value once, or on historical data you can't reindex.
{
  "runtime_field_definitions": {
    "is_weekend": {
      "type": "boolean",
      "script": {
        "source": "def dow = doc['@timestamp'].value.getDayOfWeek().value; emit(dow > 5);"
      }
    }
  }
}
Use them to prototype. Promote to indexed fields once a dashboard depends on them — querying 90 days of logs with a runtime field is measurably slower than the same query over an indexed field.
Scripted fields are deprecated
Legacy Kibana scripted fields are still supported, but don't create new ones. Runtime fields are the successor and are managed inside the Data View or inside the index mapping itself.
Field formats
Easy to miss: Data Views let you format a field (bytes, percent, duration) for display without touching storage. A raw long in bytes shows up as "1.2 GB" once you set the formatter. This is the fastest way to make dashboards readable without reindexing.
Where to draw the line
- Derived values used in one visualisation → runtime field.
- Derived values used across many dashboards → ingest pipeline or reindex.
- Presentation only → Data View field format.