maxmustermann/kibana
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
kibana/docs/discover/search.asciidoc
Wylie Conlon 5f2a326d89 [Docs] Update and improve docs for Visualize and Discover (#49810) 
* [Docs] Update and improve docs for Visualize and Discover

* Create a new section for default editor docs

* Fix significant terms link

* Writer changes

* Remove pages that aren't helpful to users

* More writer changes
2019-11-21 13:57:21 -06:00

194 lines
8.9 KiB
Plaintext
Raw Blame History

[[search]]
== Searching your data
You can search the indices that match the current <<index-patterns, index pattern>> by entering
your search criteria in the Query bar. By default you can use Kibana's <<kuery-query, standard query language>>
which features autocomplete and a simple, easy to use syntax. Kibana's legacy query
language (based on Lucene https://lucene.apache.org/core/2_9_4/queryparsersyntax.html[query syntax])
is still available for the time being under the options menu in the Query Bar. When this
legacy query language is selected, the full JSON-based {ref}/query-dsl.html[Elasticsearch Query DSL]
can also be used.
When you submit a search request, the histogram, Documents table, and Fields
list are updated to reflect the search results. The total number of hits
(matching documents) is shown in the toolbar. The Documents table shows the
first five hundred hits. By default, the hits are listed in reverse
chronological order, with the newest documents shown first. You can reverse
the sort order by clicking the Time column header. You can also sort the table
by the values in any indexed field. For more information, see <<sorting,
Sorting the Documents Table>>.
To search your data, enter your search criteria in the Query bar and
press *Enter* or click *Search* image:images/search-button.jpg[] to submit
the request to Elasticsearch.
include::kuery.asciidoc[]
[[lucene-query]]
=== Lucene query syntax
Kibana's legacy query language was based on the Lucene query syntax. For the time being this syntax
is still available under the options menu in the Query Bar and in Advanced Settings. The following
are some tips that can help get you started.
* To perform a free text search, simply enter a text string. For example, if
you're searching web server logs, you could enter `safari` to search all
fields for the term `safari`.
* To search for a value in a specific field, prefix the value with the name
of the field. For example, you could enter `status:200` to find all of
the entries that contain the value `200` in the `status` field.
* To search for a range of values, you can use the bracketed range syntax,
`[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx
status codes, you could enter `status:[400 TO 499]`.
* To specify more complex search criteria, you can use the Boolean operators
`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
codes and have an extension of `php` or `html`, you could enter `status:[400 TO
499] AND (extension:php OR extension:html)`.
For more detailed information about the Lucene query syntax, see the
{ref}/query-dsl-query-string-query.html#query-string-syntax[Query String Query]
docs.
NOTE: These examples use the Lucene query syntax. When lucene is selected as your
query language you can also submit queries using the {ref}/query-dsl.html[Elasticsearch Query DSL].
[[save-open-search]]
=== Saving searches
A saved search persists your current view of Discover for later retrieval and reuse. You can reload a saved search into Discover, add it to a dashboard, and use it as the basis for a <<visualize, visualization>>.
A saved search includes the query text, filters, and optionally, the time filter. A saved search also includes the selected columns in the document table, the sort order, and the current index pattern.
[role="xpack"]
[[discover-read-only-access]]
==== Read only access
When you have insufficient privileges to save searches, the following indicator in Kibana will be
displayed and the *Save* button won't be visible. For more information on granting access to
Kibana see <<xpack-security-authorization>>.
[role="screenshot"]
image::discover/images/read-only-badge.png[Example of Discover's read only access indicator in Kibana's header]
==== Save a search
To save the current search:
. Click *Save* in the Kibana toolbar.
. Enter a name for the search and click *Save*.
You can import, export and delete saved searches from *Management/Kibana/Saved Objects*.
==== Open a saved search
To load a saved search into Discover:
. Click *Open* in the Kibana toolbar.
. Select the search you want to open.
If the saved search is associated with a different index pattern than is currently
selected, opening the saved search changes the selected index pattern. The query language
used for the saved search will also be automatically selected.
[[save-load-delete-query]]
=== Saving queries
A saved query is a portable collection of query text and filters that you can reuse in <<discover, Discover>>, <<visualize, Visualize>>, and <<dashboard, Dashboard>>. Save a query when you want to:
* Retrieve results from the same query at a later time without having to reenter the query text, add the filters or set the time filter
* View the results of the same query in multiple apps
* Share your query
Saved queries don't include information specific to Discover, such as the currently selected columns in the document table, the sort order, and the index pattern. If you want to save your current view of Discover for later retrieval and reuse, create a <<save-open-search, saved search>> instead.
[role="xpack"]
==== Read only access
If you have insufficient privileges to save queries, the *Save current query* button isn't visible in the saved query management popover. For more information, see <<xpack-security-authorization, Granting access to Kibana>>
==== Save a query
To save the current query text, filters, and time filter:
. Click *#* in the search bar, next to the query text input.
. Click *Save current query* in the popover.
+
[role="screenshot"]
image::discover/images/saved-query-management-component-all-privileges.png["Example of the saved query management popover with a list of saved queries with write access",width="80%"]
+
. Enter a name, a description, and then select the filter options that you want to include. By default, filters are automatically included, but the time filter is not.
+
[role="screenshot"]
image::discover/images/saved-query-save-form-default-filters.png["Example of the saved query management save form with the filters option included and the time filter option excluded",width="80%"]
. Click *Save*.
==== Load a query
To load a saved query into Discover, Dashboard, or Visualize:
. Click *#* in the search bar, next to the query text input.
. Select the query you want to load. You might need to scroll down to find the query you are looking for.
==== Save changes to a query
If you load a query and then make changes to the query text, the filters, or the time filter, you can save the changes as a new query or update the existing query.
To save the changes as a new query:
. Click *#* in the search bar, next to the query text input.
. Click *Save as new* in the popover.
. Enter a name and a description, and then select the filter options that you want to include.
. Click *Save*.
+
[role="screenshot"]
image::discover/images/saved-query-management-component-save-as-new-query.png["Example of the saved query management popover when a query is loaded and we have made changes to the query",width="80%"]
To save the changes to the current query:
. Click *#* in the search bar.
. Click *Save changes* in the popover.
. Enter a description, and then select the filter options that you want to include.
. Click *Save*.
==== Clear a query
To clear a query that is currently loaded in an application:
. Click *#* in the search bar.
. Click *Clear* in the popover.
==== Delete a query
To completely delete a query:
. Click *#* in the search bar, next to the query text input.
. Hover over the query you want to delete.
. Click the trash can icon.
+
[role="screenshot"]
image::discover/images/saved-query-management-component-delete-query-button.png["Example of the saved query management popover when a query is hovered over and we are about to delete a query",width="80%"]
You can import, export, and delete saved queries from <<managing-saved-objects, Saved Objects in Management>>.
[[select-pattern]]
=== Change the indices you're searching
When you submit a search request, the indices that match the currently-selected
index pattern are searched. The current index pattern is shown below the toolbar.
To change which indices you are searching, click the index pattern and select a
different index pattern.
For more information about index patterns, see <<settings-create-pattern,
Creating an Index Pattern>>.
[[autorefresh]]
=== Refresh the search results
As more documents are added to the indices you're searching, the search results
shown in Discover and used to display visualizations get stale. You can
configure a refresh interval to periodically resubmit your searches to
retrieve the latest results.
. Click image:images/time-filter-calendar.png[].
. In the *Refresh every* field, enter the refresh rate, then select the interval
from the dropdown.
. Click *Start*.
+
image::images/autorefresh-intervals.png[]
To disable auto refresh, click *Stop*.
If auto refresh is not enabled, click *Refresh* to manually refresh the search
results.
Reference in a new issue View git blame Copy permalink