-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Docs: Cleaning up Discover to match UI. (#8849)
- Loading branch information
Showing
27 changed files
with
251 additions
and
230 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,61 +1,68 @@ | ||
| [[document-data]] | ||
| == Viewing Document Data | ||
|
|
||
| When you submit a search query, the 500 most recent documents that match the query are listed in the Documents table. | ||
| You can configure the number of documents shown in the table by setting the `discover:sampleSize` property in | ||
| <<advanced-options,Advanced Settings>>. By default, the table shows the localized version of the time field specified | ||
| in the selected index pattern and the document `_source`. You can <<adding-columns, add fields to the Documents table>> | ||
| from the Fields list. You can <<sorting, sort the listed documents>> by any indexed field that's included in the table. | ||
| When you submit a search query, the 500 most recent documents that match the query | ||
| are listed in the Documents table. You can configure the number of documents shown | ||
| in the table by setting the `discover:sampleSize` property in <<advanced-options, | ||
| Advanced Settings>>. By default, the table shows the localized version of the time | ||
| field configured for the selected index pattern and the document `_source`. You can | ||
| <<adding-columns, add fields to the Documents table>> from the Fields list. | ||
| You can <<sorting, sort the listed documents>> by any indexed field that's included | ||
| in the table. | ||
|
|
||
| To view a document's field data, click the *Expand* button image:images/ExpandButton.jpg[Expand Button] to the left of | ||
| the document's entry in the first column (the first column is usually Time). Kibana reads the document data from | ||
| Elasticsearch and displays the document fields in a table. The table contains a row for each field that contains the | ||
| name of the field, add filter buttons, and the field value. | ||
| To view a document's field data, click the *Expand* button | ||
| image:images/ExpandButton.jpg[Expand Button] to the left of the document's table | ||
| entry. | ||
|
|
||
| image::images/Expanded-Document.png[] | ||
|
|
||
| . To view the original JSON document (pretty-printed), click the *JSON* tab. | ||
| . To view the document data as a separate page, click the link. You can bookmark and share this link to provide direct | ||
| access to a particular document. | ||
| . To collapse the document details, click the *Collapse* button image:images/CollapseButton.jpg[Collapse Button]. | ||
| . To toggle a particular field's column in the Documents table, click the | ||
| To view the original JSON document (pretty-printed), click the *JSON* tab. | ||
|
|
||
| To view the document data as a separate page, click the document link. You can | ||
| bookmark and share this link to provide direct access to a particular document. | ||
|
|
||
| To display or hide a field's column in the Documents table, click the | ||
| image:images/add-column-button.png[Add Column] *Toggle column in table* button. | ||
|
|
||
| To collapse the document details, click the *Collapse* button | ||
| image:images/CollapseButton.jpg[Collapse Button]. | ||
|
|
||
| [float] | ||
| [[sorting]] | ||
| === Sorting the Document List | ||
| You can sort the documents in the Documents table by the values in any indexed field. Documents in index patterns that | ||
| are configured with time fields are sorted in reverse chronological order by default. | ||
| You can sort the documents in the Documents table by the values in any indexed | ||
| field. If a time field is configured for the current index pattern, the | ||
| documents are sorted in reverse chronological order by default. | ||
|
|
||
| To change the sort order, click the name of the field you want to sort by. The fields you can use for sorting have a | ||
| sort button to the right of the field name. Clicking the field name a second time reverses the sort order. | ||
| To change the sort order, hover over the name of the field you want to sort by | ||
| and click the sort button. Click again to reverse the sort order. | ||
|
|
||
| [float] | ||
| [[adding-columns]] | ||
| === Adding Field Columns to the Documents Table | ||
| By default, the Documents table shows the localized version of the time field specified in the selected index pattern | ||
| and the document `_source`. You can add fields to the table from the Fields list or from a document's expanded view. | ||
| By default, the Documents table shows the localized version of the time field | ||
| that's configured for the selected index pattern and the document `_source`. | ||
| You can add fields to the table from the Fields list or from a document's | ||
| field data. | ||
|
|
||
| To add field columns to the Documents table: | ||
| To add a field column from the Fields list, hover over the field and click its | ||
| *add* button. | ||
|
|
||
| . Mouse over a field in the Fields list and click its *add* button image:images/AddFieldButton.jpg[Add Field Button]. | ||
| . Repeat until you've added all the fields you want to display in the Documents table. | ||
| . Alternately, add a field column directly from a document's expanded view by clicking the | ||
| To add a field column from a document's field data, expand the document | ||
| and click the field's | ||
| image:images/add-column-button.png[Add Column] *Toggle column in table* button. | ||
|
|
||
| The added field columns replace the `_source` column in the Documents table. The added fields are also | ||
| listed in the *Selected Fields* section at the top of the field list. | ||
| Added field columns replace the `_source` column in the Documents table. The added | ||
| fields are also added to the *Selected Fields* list. | ||
|
|
||
| To rearrange the field columns in the table, mouse over the header of the column you want to move and click the *Move* | ||
| button. | ||
| To rearrange the field columns, hover over the header of the column you want to move | ||
| and click the *Move left* or *Move right* button. | ||
|
|
||
| image:images/Discover-MoveColumn.jpg[Move Column] | ||
|
|
||
| [float] | ||
| [[removing-columns]] | ||
| === Removing Field Columns from the Documents Table | ||
| To remove field columns from the Documents table: | ||
|
|
||
| . Mouse over the field you want to remove in the *Selected Fields* section of the Fields list and click its *remove* | ||
| button image:images/RemoveFieldButton.jpg[Remove Field Button]. | ||
| . Repeat until you've removed all the fields you want to drop from the Documents table. | ||
| To remove a field column from the Documents table, hover over the header of the | ||
| column you want to remove and click the *Remove* button | ||
| image:images/RemoveFieldButton.jpg[Remove Field Button]. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,36 +1,111 @@ | ||
| [[field-filter]] | ||
| == Filtering by Field | ||
| You can filter the search results to display only those documents that contain a particular value in a field. You can | ||
| also create negative filters that exclude documents that contain the specified field value. | ||
| You can filter the search results to display only those documents that contain | ||
| a particular value in a field. You can also create negative filters that | ||
| exclude documents that contain the specified field value. | ||
|
|
||
| You can add filters from the Fields list or from the Documents table. When you add a filter, it is displayed in the | ||
| filter bar below the search query. From the filter bar, you can enable or disable a filter, invert the filter (change | ||
| it from a positive filter to a negative filter and vice-versa), toggle the filter on or off, or remove it entirely. | ||
| Click the small left-facing arrow to the right of the index pattern selection drop-down to collapse the Fields list. | ||
| You add field filters from the Fields list or the Documents table. In addition | ||
| to creating positive and negative filters, the Documents table enables you to | ||
| filter on whether or not a field is present. The applied | ||
| filters are shown below the Query bar. Negative filters are shown in red. | ||
|
|
||
| To add a filter from the Fields list: | ||
|
|
||
| . Click the name of the field you want to filter on. This displays the top five values for that field. To the right of | ||
| each value, there are two magnifying glass buttons--one for adding a regular (positive) filter, and | ||
| one for adding a negative filter. | ||
| . To add a positive filter, click the *Positive Filter* button image:images/PositiveFilter.jpg[Positive Filter Button]. | ||
| This filters out documents that don't contain that value in the field. | ||
| . To add a negative filter, click the *Negative Filter* button image:images/NegativeFilter.jpg[Negative Filter Button]. | ||
| . Click the name of the field you want to filter on. This displays the top | ||
| five values for that field. | ||
| + | ||
| image::images/filter-field.jpg[] | ||
| . To add a positive filter, click the *Positive Filter* button | ||
| image:images/PositiveFilter.jpg[Positive Filter]. | ||
| This includes only those documents that contain that value in the field. | ||
| . To add a negative filter, click the *Negative Filter* button | ||
| image:images/NegativeFilter.jpg[Negative Filter]. | ||
| This excludes documents that contain that value in the field. | ||
|
|
||
| To add a filter from the Documents table: | ||
|
|
||
| . Expand a document in the Documents table by clicking the *Expand* button image:images/ExpandButton.jpg[Expand Button] | ||
| to the left of the document's entry in the first column (the first column is usually Time). To the right of each field | ||
| name, there are two magnifying glass buttons--one for adding a regular (positive) filter, and one for adding a negative | ||
| filter. | ||
| . To add a positive filter based on the document's value in a field, click the | ||
| *Positive Filter* button image:images/PositiveFilter.jpg[Positive Filter Button]. This filters out documents that don't | ||
| contain the specified value in that field. | ||
| . To add a negative filter based on the document's value in a field, click the | ||
| *Negative Filter* button image:images/NegativeFilter.jpg[Negative Filter Button]. This excludes documents that contain | ||
| the specified value in that field. | ||
| . Expand a document in the Documents table by clicking the *Expand* button | ||
| image:images/ExpandButton.jpg[Expand Button] to the left of the document's | ||
| table entry. | ||
| + | ||
| image::images/Expanded-Document.png[] | ||
| . To add a positive filter, click the *Positive Filter* button | ||
| image:images/PositiveFilter.jpg[Positive Filter Button] to the right of the | ||
| field name. This includes only those documents that contain that value in the | ||
| field. | ||
| . To add a negative filter, click the *Negative Filter* button | ||
| image:images/NegativeFilter.jpg[Negative Filter Button] to the right of the | ||
| field name. This excludes documents that contain that value in the field. | ||
| . To filter on whether or not documents contain the field, click the | ||
| *Exists* button image:images/ExistsButton.jpg[Exists Button] to the right of the | ||
| field name. This includes only those documents that contain the field. | ||
|
|
||
| [float] | ||
| [[discover-filters]] | ||
| include::filter-pinning.asciidoc[] | ||
| [[filter-pinning]] | ||
| === Managing Filters | ||
|
|
||
| To modify a filter, hover over it and click one of the action buttons. | ||
|
|
||
| image::images/filter-allbuttons.png[] | ||
|
|
||
| | ||
|
|
||
| image:images/filter-enable.png[] Enable Filter :: Disable the filter without | ||
| removing it. Click again to reenable the filter. Diagonal stripes indicate | ||
| that a filter is disabled. | ||
| image:images/filter-pin.png[] Pin Filter :: Pin the filter. Pinned filters | ||
| persist when you switch contexts in Kibana. For example, you can pin a filter | ||
| in Discover and it remains in place when you switch to Visualize. | ||
| Note that a filter is based on a particular index field--if the indices being | ||
| searched don't contain the field in a pinned filter, it has no effect. | ||
| image:images/filter-toggle.png[] Toggle Filter :: Switch from a positive | ||
| filter to a negative filter and vice-versa. | ||
| image:images/filter-delete.png[] Remove Filter :: Remove the filter. | ||
| image:images/filter-custom.png[] Edit Filter :: <<filter-edit, Edit the | ||
| filter>> definition. Enables you to manually update the filter query and | ||
| specify a label for the filter. | ||
|
|
||
| To apply a filter action to all of the applied filters, | ||
| click *Actions* and select the action. | ||
|
|
||
| [float] | ||
| [[filter-edit]] | ||
| === Editing a Filter | ||
| You can edit a filter to directly modify the filter query that is performed | ||
| to filter your search results. This enables you to create more complex | ||
| filters that are based on multiple fields. | ||
|
|
||
| image::images/filter-custom-json.png[] | ||
|
|
||
| | ||
|
|
||
| For example, you could use a {es-ref}/query-dsl-bool-query.html[bool query] | ||
| to create a filter for the sample log data that displays the hits that | ||
| originated from Canada or China that resulted in a 404 error: | ||
|
|
||
| ========== | ||
| [source,json] | ||
| { | ||
| "bool": { | ||
| "should": [ | ||
| { | ||
| "term": { | ||
| "geoip.country_name.raw": "Canada" | ||
| } | ||
| }, | ||
| { | ||
| "term": { | ||
| "geoip.country_name.raw": "China" | ||
| } | ||
| } | ||
| ], | ||
| "must": [ | ||
| { | ||
| "term": { | ||
| "response": "404" | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| ========== |
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.