kibana/docs/discover/field-filter.asciidoc

[[field-filter]]
== Filtering by Field
You can filter the search results to display only those documents that contain
a particular value in a field. You can also create negative filters that
exclude documents that contain the specified field value.

You add field filters from the Fields list, the Documents table, or by manually
adding a filter. In addition to creating positive and negative filters, the
Documents table enables you to filter on whether or not a field is present. The
applied filters are shown below the Query bar. Negative filters are shown in red.

To add a filter from the Fields list:

. Click the name of the field you want to filter on. This displays the top
five values for that field.
+
image::images/filter-field.jpg[]
. To add a positive filter, click the *Positive Filter* button
image:images/PositiveFilter.jpg[Positive Filter].
This includes only those documents that contain that value in the field.
. To add a negative filter, click the *Negative Filter* button
image:images/NegativeFilter.jpg[Negative Filter].
This excludes documents that contain that value in the field.

To add a filter from the Documents table:

. Expand a document in the Documents table by clicking the *Expand* button
image:images/ExpandButton.jpg[Expand Button] to the left of the document's
table entry.
+
image::images/Expanded-Document.png[]
. To add a positive filter, click the *Positive Filter* button
image:images/PositiveFilter.jpg[Positive Filter Button] to the right of the
field name. This includes only those documents that contain that value in the
field.
. To add a negative filter, click the *Negative Filter* button
image:images/NegativeFilter.jpg[Negative Filter Button] to the right of the
field name. This excludes documents that contain that value in the field.
. To filter on whether or not documents contain the field, click the
*Exists* button image:images/ExistsButton.jpg[Exists Button] to the right of the
field name. This includes only those documents that contain the field.

To manually add a filter:

. Click *Add Filter*. A popup will be displayed for you to create the filter.
+
image::images/add_filter.png[]
. Choose a field to filter by. This list of fields will include fields from the
index pattern you are currently querying against.
+
image::images/add_filter_field.png[]
. Choose an operation for your filter.
+
image::images/add_filter_operator.png[]
The following operators can be selected:
[horizontal]
`is`:: Filter where the value for the field matches the given value.
`is not`:: Filter where the value for the field does not match the given value.
`is one of`:: Filter where the value for the field matches one of the specified values.
`is not one of`:: Filter where the value for the field does not match any of the specified values.
`is between`:: Filter where the value for the field is in the given range.
`is not between`:: Filter where the value for the field is not in the given range.
`exists`:: Filter where any value is present for the field.
`does not exist`:: Filter where no value is present for the field.
. Choose the value(s) for your filter. Values from your indices may be suggested
as selections if you are filtering against an aggregatable field.
+
image::images/add_filter_value.png[]
. (Optional) Specify a label for the filter. If you specify a label, it will be
displayed below the query bar instead of the filter definition.
. Click *Save*. The filter will be applied to your search and be displayed below
the query bar.

NOTE: If you are experiencing long-running queries as a result of the value suggestions, you can
turn off the suggestions by setting the advanced setting, `filterEditor:suggestValues`, to `false`.

[float]
[[filter-pinning]]
=== Managing Filters

To modify a filter, hover over it and click one of the action buttons.

image::images/filter-allbuttons.png[]

 

image:images/filter-enable.png[] Enable Filter :: Disable the filter without
removing it. Click again to reenable the filter. Diagonal stripes indicate
that a filter is disabled.
image:images/filter-pin.png[] Pin Filter :: Pin the filter. Pinned filters
persist when you switch contexts in Kibana. For example, you can pin a filter
in Discover and it remains in place when you switch to Visualize.
Note that a filter is based on a particular index field--if the indices being
searched don't contain the field in a pinned filter, it has no effect.
image:images/filter-toggle.png[] Invert Filter :: Switch from a positive
filter to a negative filter and vice-versa.
image:images/filter-delete.png[] Remove Filter :: Remove the filter.
image:images/filter-custom.png[] Edit Filter :: <<filter-edit, Edit the
filter>> definition.  Enables you to manually update the filter and
specify a label for the filter.

To apply a filter action to all of the applied filters,
click *Actions* and select the action.

[float]
[[filter-edit]]
=== Editing a Filter
You can edit a filter by changing the field, operator, or value associated
with the filter (see the Add Filter section above), or by directly modifying
the filter query that is performed to filter your search results. This
enables you to create more complex filters that are based on multiple fields.

. To edit the filter query, first click the edit button for the filter, then
click *Edit Query DSL*.
+
image::images/edit_filter_query.png[]
. You can then edit the query for the filter.
+
image::images/edit_filter_query_json.png[]

For example, you could use a
{ref}/query-dsl-bool-query.html[bool query] to create a filter for the
sample log data that displays the hits that originated from Canada or China that resulted in a 404 error:

==========
[source,json]
{
  "bool": {
    "should": [
      {
        "term": {
          "geoip.country_name.raw": "Canada"
        }
      },
      {
        "term": {
          "geoip.country_name.raw": "China"
        }
      }
    ],
    "must": [
      {
        "term": {
          "response": "404"
        }
      }
    ]
  }
}
==========