kibana/docs/concepts/index.asciidoc

[[kibana-concepts-analysts]]
== {kib} concepts
**_Learn the shared concepts for analyzing and visualizing your data_**

As an analyst, you will use a combination of {kib} apps to analyze and
visualize your data. {kib} contains both general-purpose apps and apps for the
https://www.elastic.co/guide/en/enterprise-search/current/index.html[*Enterprise Search*],
{observability-guide}/observability-introduction.html[*Elastic Observability*],
and {security-guide}/es-overview.html[*Elastic Security*] solutions.
These apps share a common set of concepts.

[float]
=== Three things to know about {es}

You don't need to know everything about {es} to use {kib}, but the most important concepts follow:

* *{es} makes JSON documents searchable and aggregatable.* The documents are
stored in an {ref}/documents-indices.html[index] or {ref}/data-streams.html[data stream], which represent one type of data.

* **_Searchable_ means that you can filter the documents for conditions.**
For example, you can filter for data "within the last 7 days" or data that "contains the word {kib}".
{kib} provides many ways for you to construct filters, which are also called queries or search terms.

* **_Aggregatable_ means that you can extract summaries from matching documents.**
The simplest aggregation is *count*, and it is frequently used in combination
with the *date histogram*, to see count over time. The *terms* aggregation shows the most frequent values.

[float]
=== Finding your apps and objects

{kib} offers a <<kibana-navigation-search,global search bar>> on every page that you can use to find any app or saved object.
Open the search bar using the keyboard shortcut Ctrl+/ on Windows and Linux, Command+/ on MacOS.

[role="screenshot"]
image:concepts/images/global-search.png["Global search showing matches to apps and saved objects for the word visualize"]

[float]
=== Accessing data with index patterns

{kib} requires an index pattern to tell it which {es} data you want to access,
and whether the data is time-based. An index pattern can point to one or more {es}
data streams, indices, or index aliases by name.
For example, `logs-elasticsearch-prod-*` is an index pattern,
and it is time-based with a time field of `@timestamp`. The time field is not editable.

Index patterns are typically created by an administrator when sending data to {es}.
You can <<index-patterns,create or update index patterns>> in *Stack Management*, or by using a script
that accesses the {kib} API.

{kib} uses the index pattern to show you a list of fields, such as
`event.duration`. You can customize the display name and format for each field.
For example, you can tell {kib} to display `event.duration` in seconds.
{kib} has <<managing-fields,field formatters>> for strings,
dates, geopoints, and numbers.

[float]
[[kibana-concepts-searching-your-data]]
=== Searching your data

{kib} provides you several ways to build search queries,
which will reduce the number of document matches that you get from {es}.
Each app in {kib} provides a time filter, and most apps also include semi-structured search and extra filters.

[role="screenshot"]
image:concepts/images/top-bar.png["Time filter, semi-structured search, and filters in a {kib} app"]

If you frequently use any of the search options, you can click the
save query icon
image:concepts/images/save-icon.png["save icon"] next to the
semi-structured search to save or load a previously saved query.
The saved query will always contain the semi-structured search query,
and can optionally contain the time filter and extra filters.

[float]
==== Time filter

The <<set-time-filter, global time filter>> limits the time range of data displayed.
In most cases, the time filter applies to the time field in the index pattern,
but some apps allow you to use a different time field.

Using the time filter, you can configure a refresh rate to periodically
resubmit your searches. You can also click *Refresh* to resubmit the search.
This might be useful if you use {kib} to monitor the underlying data.

[role="screenshot"]
image:concepts/images/refresh-every.png["section of time filter where you can configure a refresh rate", width=75%]


[float]
[[semi-structured-search]]
==== Semi-structured search

Combine free text search with field-based search using the Kibana Query Language (KQL).
Type a search term to match across all fields, or start typing a field name to
get suggestions for field names and operators that you can use to build a structured query.
The semi-structured search will filter documents for matches, and only return matching documents.

Following are some example KQL queries.  For more detailed examples, refer to <<kuery-query,Kibana Query Language>>.

[cols=2*]
|===
| Exact phrase query
| `http.response.body.content.text:"quick brown fox"`

| Terms query
| http.response.status_code:400 401 404

| Boolean query
| `response:200 or extension:php`

| Range query
| `account_number >= 100 and items_sold <= 200`

| Wildcard query
| `machine.os:win*`
|===

[float]
[[autocomplete-suggestions]]
==== Suggestions for autocomplete

Beginning in 7.14, {kib} uses the {ref}/search-terms-enum.html[terms enum API] for autocomplete. {kib} returns results faster, but suggestions are approximate, sorted alphabetically, and can be outside the selected time range, even if `autocomplete:useTimeFilter` is enabled (as the terms enum API applies time filtering on an index-level, rather than document-level).

Previously, {kib} used the {ref}/search-aggregations-bucket-terms-aggregation.html[terms aggregation API], which is slower, but suggestions included all values that matched your query, and optionally, your time range, and were sorted by popularity. To revert to using the terms aggregation API, go to <<advanced-options, Advanced Settings>>, and set `autocomplete:valueSuggestionMethod` to `terms_agg`.

[float]
==== Additional filters with AND

Structured filters are a more interactive way to create {es} queries,
and are commonly used when building dashboards that are shared by multiple analysts.
Each filter can be disabled, inverted, or pinned across all apps.
The structured filters are the only way to use the {es} Query DSL in JSON form,
or to target a specific index pattern for filtering. Each of the structured
filters is combined with AND logic on the rest of the query.

[role="screenshot"]
image:concepts/images/add-filter-popup.png["Add filter popup"]


[float]
=== Saving objects
{kib} lets you save objects for your own future use or for sharing with others.
Each <<managing-saved-objects,saved object>> type has different abilities. For example, you can save
your search queries made with *Discover*, which lets you:

* Share a link to your search
* Download the full search results in CSV form
* Start an aggregated visualization using the same search query
* Embed the *Discover* search results into a dashboard
* Embed the *Discover* search results into a Canvas workpad

For organization, every saved object can have a name, <<kibana-navigation-search,tags>>, and type.
Use the global search to quickly open a saved object.

[float]
=== What's next?

* Try the {kib} <<get-started,Quick start>>, which shows you how to put these concepts into action.
* Go to <<discover, Discover>> for instructions on searching your data.


include::index-patterns.asciidoc[]

include::set-time-filter.asciidoc[]

include::kuery.asciidoc[]

include::lucene.asciidoc[]

include::save-query.asciidoc[]