60 lines
2.5 KiB
Plaintext
60 lines
2.5 KiB
Plaintext
[[discover-document-context]]
|
|
== View surrounding documents
|
|
|
|
Once you've narrowed your search to a specific event in *Discover*,
|
|
you can inspect the documents that occurred
|
|
immediately before and after the event.
|
|
To view the surrounding documents, your index pattern must contain time-based events.
|
|
|
|
. In the document table, click the expand icon (>).
|
|
. Click *View surrounding documents.*
|
|
+
|
|
In the context view, documents are sorted by the time field specified in the index pattern
|
|
and displayed using the same set of columns as the *Discover* view from which
|
|
the context was opened. The anchor document is highlighted in blue.
|
|
+
|
|
[role="screenshot"]
|
|
image::images/discover-context.png[Image showing context view feature, with anchor documents highlighted in blue]
|
|
+
|
|
The filters you applied in *Discover* are carried over to the context view. Pinned
|
|
filters remain active, while normal filters are copied in a disabled state.
|
|
|
|
+
|
|
[role="screenshot"]
|
|
image::images/discover-context-filters-inactive.png[Filter in context view]
|
|
|
|
. To find the documents of interest, add filters.
|
|
|
|
. To increase the number of documents that surround the anchor document, click *Load*.
|
|
By default, five documents are added with each click.
|
|
+
|
|
[role="screenshot"]
|
|
image::images/discover-context-load-newer-documents.png[Load button and the number of documents to load]
|
|
|
|
|
|
[float]
|
|
[[configure-context-ContextView]]
|
|
=== Configure the context view
|
|
|
|
Configure the appearance and behavior in *Advanced Settings*.
|
|
|
|
. Open the main menu, then click *Stack Management > Advanced Settings*.
|
|
. Search for `context`, then edit the settings.
|
|
+
|
|
[horizontal]
|
|
`context:defaultSize`:: The number of documents to display by default.
|
|
`context:step`:: The default number of documents to load with each button click. The default is 5.
|
|
`context:tieBreakerFields`:: The field to use for tiebreaking in case of equal time field values.
|
|
The default is the `_doc` field.
|
|
+
|
|
You can enter a comma-separated list of field
|
|
names, which is checked in sequence for suitability when a context is
|
|
displayed. The first suitable field is used as the tiebreaking
|
|
field. A field is suitable if the field exists and is sortable in the index
|
|
pattern the context is based on.
|
|
+
|
|
Although not required, it is recommended to only
|
|
use fields that have {ref}/doc-values.html[doc values] enabled to achieve
|
|
good performance and avoid unnecessary {ref}/modules-fielddata.html[field
|
|
data] usage. Common examples for suitable fields include log line numbers,
|
|
monotonically increasing counters and high-precision timestamps. |