maxmustermann/kibana
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
kibana/docs/discover/search-sessions.asciidoc
Kibana Machine 1959e30d79
background session limitation docs (#102050) (#102201) 
Co-authored-by: Joe Reuter <johannes.reuter@elastic.co>
2021-06-15 05:43:29 -07:00

86 lines
4.1 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[[search-sessions]]
== Run a search session in the background
Sometimes you might need to search through large amounts of data no matter
how long the search takes. While this might not happen often,
there are times that long-running queries are required.
Consider a threat hunting scenario, where you need to search through years of data.
If your query is running long, you can save your search session, which
allows {kib} to continue processing your request in the
background. Save your search session from *Discover* or *Dashboard*,
and when your session is complete, view and manage it in *Stack Management*.
[role="screenshot"]
image::images/search-session.png[Search Session indicator displaying the current state of the search, which you can click to stop or save a running Search Session ]
Search sessions are <<search-session-settings-kb,enabled by default>>.
[float]
==== Requirements
* To save a session, you must have permissions for *Discover* and *Dashboard*,
and the <<kibana-feature-privileges, search sessions subfeature>>.
* To view and restore a saved session, you must have access to *Stack Management*.
[float]
==== Example: Save a search session
Youre trying to understand a trend you see on a dashboard. You
need to look at several years of data, currently in
{ref}/data-tiers.html#cold-tier[cold storage],
but you dont have time to wait. You want {kib} to
continue working in the background, so tomorrow you can
open your browser and pick up where you left off.
. Load your dashboard.
+
Your search session begins automatically. The icon after the dashboard title
displays the current state of the search session. A clock indicates the search session is in progress.
A checkmark indicates that the search session is complete.
. To instruct {kib} to continue a search in the background, click the clock icon,
and then click *Save session*. Once you save a search session, you can start a new search,
navigate to a different application, or close the browser.
+
[role="screenshot"]
image::images/search-session-awhile.png[Search Session indicator displaying the current state of the search, which you can click to stop or save a running Search Session ]
. To view your saved searches, open the main menu, and then click
*Stack Management > Search Sessions*. You can also open this view from the search sessions popup for a saved or completed session.
+
[role="screenshot"]
image::images/search-sessions-menu.png[Search Sessions management view with actions for inspecting, extending, and deleting a session. ]
. Use the edit menu in *Search Sessions* to:
* *Inspect* the queries and filters that makeup the session.
* *Edit the name* of a session.
* *Extend* the expiration of a completed session.
* *Delete* a session.
. To restore a search session, click its name in the *Search Sessions* view.
+
You're returned to the place from where you started the search session. The data is the same, but
behaves differently:
+
* Relative dates are converted to absolute dates.
* Panning and zooming is disabled for maps.
* Changing a filter, query, or drilldown starts a new search session, which can be slow.
[float]
==== Limitations
Certain visualization features do not fully support background search sessions yet. If a dashboard using these features gets restored,
all panels using unsupported features won't load immediately, but instead send out additional data requests which can take a while to complete.
In this case a warning *Your search session is still running* will be shown.
You can either wait for these additional requests to complete or come back to the dashboard later when all data requests have been finished.
A panel on a dashboard can behave like this if one of the following features is used:
* *Lens* - A *top values* dimension with an enabled setting *Group other values as "Other"* (configurable in the *Advanced* section of the dimension)
* *Lens* - An *intervals* dimension is used
* *Aggregation based* visualizations - A *terms* aggregation is used with an enabled setting *Group other values in separate bucket*
* *Aggregation based* visualizations - A *histogram* aggregation is used
* *Maps* - Layers using joins, blended layers or tracks layers are used
Reference in a new issue View git blame Copy permalink