1625f64013
* Re-enable filter editor suggestions * Use search instead of include * Escape query * Show spinner * Use include rather than search * Add additional regex and explanation for parameters * Add suggestions API test * Make sure test actually runs * Use send instead of query * Fix suggestions API test
150 lines
5.9 KiB
Text
150 lines
5.9 KiB
Text
[[field-filter]]
|
|
== Filtering by Field
|
|
You can filter the search results to display only those documents that contain
|
|
a particular value in a field. You can also create negative filters that
|
|
exclude documents that contain the specified field value.
|
|
|
|
You add field filters from the Fields list, the Documents table, or by manually
|
|
adding a filter. In addition to creating positive and negative filters, the
|
|
Documents table enables you to filter on whether or not a field is present. The
|
|
applied filters are shown below the Query bar. Negative filters are shown in red.
|
|
|
|
To add a filter from the Fields list:
|
|
|
|
. Click the name of the field you want to filter on. This displays the top
|
|
five values for that field.
|
|
+
|
|
image::images/filter-field.jpg[]
|
|
. To add a positive filter, click the *Positive Filter* button
|
|
image:images/PositiveFilter.jpg[Positive Filter].
|
|
This includes only those documents that contain that value in the field.
|
|
. To add a negative filter, click the *Negative Filter* button
|
|
image:images/NegativeFilter.jpg[Negative Filter].
|
|
This excludes documents that contain that value in the field.
|
|
|
|
To add a filter from the Documents table:
|
|
|
|
. Expand a document in the Documents table by clicking the *Expand* button
|
|
image:images/ExpandButton.jpg[Expand Button] to the left of the document's
|
|
table entry.
|
|
+
|
|
image::images/Expanded-Document.png[]
|
|
. To add a positive filter, click the *Positive Filter* button
|
|
image:images/PositiveFilter.jpg[Positive Filter Button] to the right of the
|
|
field name. This includes only those documents that contain that value in the
|
|
field.
|
|
. To add a negative filter, click the *Negative Filter* button
|
|
image:images/NegativeFilter.jpg[Negative Filter Button] to the right of the
|
|
field name. This excludes documents that contain that value in the field.
|
|
. To filter on whether or not documents contain the field, click the
|
|
*Exists* button image:images/ExistsButton.jpg[Exists Button] to the right of the
|
|
field name. This includes only those documents that contain the field.
|
|
|
|
To manually add a filter:
|
|
|
|
. Click *Add Filter*. A popup will be displayed for you to create the filter.
|
|
+
|
|
image::images/add_filter.png[]
|
|
. Choose a field to filter by. This list of fields will include fields from the
|
|
index pattern you are currently querying against.
|
|
+
|
|
image::images/add_filter_field.png[]
|
|
. Choose an operation for your filter.
|
|
+
|
|
image::images/add_filter_operator.png[]
|
|
The following operators can be selected:
|
|
[horizontal]
|
|
`is`:: Filter where the value for the field matches the given value.
|
|
`is not`:: Filter where the value for the field does not match the given value.
|
|
`is one of`:: Filter where the value for the field matches one of the specified values.
|
|
`is not one of`:: Filter where the value for the field does not match any of the specified values.
|
|
`is between`:: Filter where the value for the field is in the given range.
|
|
`is not between`:: Filter where the value for the field is not in the given range.
|
|
`exists`:: Filter where any value is present for the field.
|
|
`does not exist`:: Filter where no value is present for the field.
|
|
. Choose the value(s) for your filter. Values from your indices may be suggested
|
|
as selections if you are filtering against an aggregatable field.
|
|
+
|
|
image::images/add_filter_value.png[]
|
|
. (Optional) Specify a label for the filter. If you specify a label, it will be
|
|
displayed below the query bar instead of the filter definition.
|
|
. Click *Save*. The filter will be applied to your search and be displayed below
|
|
the query bar.
|
|
|
|
NOTE: If you are experiencing long-running queries as a result of the value suggestions, you can
|
|
turn off the suggestions by setting the advanced setting, `filterEditor:suggestValues`, to `false`.
|
|
|
|
[float]
|
|
[[filter-pinning]]
|
|
=== Managing Filters
|
|
|
|
To modify a filter, hover over it and click one of the action buttons.
|
|
|
|
image::images/filter-allbuttons.png[]
|
|
|
|
|
|
|
|
image:images/filter-enable.png[] Enable Filter :: Disable the filter without
|
|
removing it. Click again to reenable the filter. Diagonal stripes indicate
|
|
that a filter is disabled.
|
|
image:images/filter-pin.png[] Pin Filter :: Pin the filter. Pinned filters
|
|
persist when you switch contexts in Kibana. For example, you can pin a filter
|
|
in Discover and it remains in place when you switch to Visualize.
|
|
Note that a filter is based on a particular index field--if the indices being
|
|
searched don't contain the field in a pinned filter, it has no effect.
|
|
image:images/filter-toggle.png[] Invert Filter :: Switch from a positive
|
|
filter to a negative filter and vice-versa.
|
|
image:images/filter-delete.png[] Remove Filter :: Remove the filter.
|
|
image:images/filter-custom.png[] Edit Filter :: <<filter-edit, Edit the
|
|
filter>> definition. Enables you to manually update the filter and
|
|
specify a label for the filter.
|
|
|
|
To apply a filter action to all of the applied filters,
|
|
click *Actions* and select the action.
|
|
|
|
[float]
|
|
[[filter-edit]]
|
|
=== Editing a Filter
|
|
You can edit a filter by changing the field, operator, or value associated
|
|
with the filter (see the Add Filter section above), or by directly modifying
|
|
the filter query that is performed to filter your search results. This
|
|
enables you to create more complex filters that are based on multiple fields.
|
|
|
|
. To edit the filter query, first click the edit button for the filter, then
|
|
click *Edit Query DSL*.
|
|
+
|
|
image::images/edit_filter_query.png[]
|
|
. You can then edit the query for the filter.
|
|
+
|
|
image::images/edit_filter_query_json.png[]
|
|
|
|
For example, you could use a
|
|
{ref}/query-dsl-bool-query.html[bool query] to create a filter for the
|
|
sample log data that displays the hits that originated from Canada or China that resulted in a 404 error:
|
|
|
|
==========
|
|
[source,json]
|
|
{
|
|
"bool": {
|
|
"should": [
|
|
{
|
|
"term": {
|
|
"geoip.country_name.raw": "Canada"
|
|
}
|
|
},
|
|
{
|
|
"term": {
|
|
"geoip.country_name.raw": "China"
|
|
}
|
|
}
|
|
],
|
|
"must": [
|
|
{
|
|
"term": {
|
|
"response": "404"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
==========
|