099ec54c72
* [DOCS] Updates View in Context doc in Discover * [DOCS] Updates Discover docs on viewing document data * [DOCS] Adds workflow to Discover docs * [DOCS] Updates Discover docs intro page * [DOCS] More updates to Discover docs * [DOCS] More updates to Discover docs * [DOCS] Incorporates review comments in Discover docs * [DOCS] Edits to discover intro * [DOCS] Edits to Discover docs * [DOCS] Incorporates edits in Discover docs
156 lines
4.3 KiB
Plaintext
156 lines
4.3 KiB
Plaintext
[[field-filter]]
|
|
== Filtering by field
|
|
|
|
*Discover* offers
|
|
various types of filters, so you can restrict your documents to the exact data you want.
|
|
For example, you might look at the results for a
|
|
particular period of time. Or, you might include—or exclude—
|
|
all HTTP redirects that come from a specific IP and port.
|
|
|
|
[float]
|
|
=== Add a filter
|
|
|
|
A quick way to add a filter is from the fields list.
|
|
|
|
. Click the field to filter on.
|
|
+
|
|
You'll see the number of documents that contain
|
|
the field, the top 5 values for the field, and the percentage of documents
|
|
that contain each value.
|
|
+
|
|
[role="screenshot"]
|
|
image::images/filter-field.png[height=317]
|
|
|
|
. Use the image:images/PositiveFilter.jpg[Positive Filter] icon to
|
|
show only documents that contain that value,
|
|
or image:images/NegativeFilter.jpg[Negative Filter] to exclude all documents with that value.
|
|
+
|
|
If there is no data to display, you might need to set a <<set-time-filter, date time filter>>.
|
|
You can choose a time from the quick filter or choose your
|
|
own using absolute or relative times.
|
|
|
|
. Try also these filtering options:
|
|
+
|
|
* To limit the field
|
|
list to a particular data type, click *Filter by type*.
|
|
You can also filter for whether that type is
|
|
aggregatable or searchable.
|
|
+
|
|
* To filter for whether a field is present, expand the document in
|
|
the document table, hover over the field, and click the *Filter for field present* icon.
|
|
|
|
[float]
|
|
=== Filter by condition
|
|
|
|
You can filter using advanced criteria,
|
|
such as if a value is equal to or in between certain values.
|
|
|
|
. Click *Add Filter*.
|
|
|
|
. Select a field.
|
|
|
|
. Select an operation for your filter:
|
|
+
|
|
[horizontal]
|
|
`is`:: The value for the field matches the given value.
|
|
`is not`:: The value for the field does not match the given value.
|
|
`is one of`:: The field matches one of the specified values.
|
|
`is not one of`:: The value for the field does not match any of the specified values.
|
|
`is between`:: The value for the field is in the given range.
|
|
`is not between`:: The value for the field is not in the given range.
|
|
`exists`:: Any value is present for the field.
|
|
`does not exist`:: No value is present for the field.
|
|
. Choose values for your filter.
|
|
+
|
|
Values from your indices may be suggested
|
|
as selections if you are filtering against an aggregatable field.
|
|
|
|
. (Optional) Specify a label for the filter.
|
|
|
|
. Click *Save* to apply the filter to your search.
|
|
+
|
|
NOTE: If you are experiencing long-running queries as a result of the value suggestions, you can
|
|
turn off the suggestions by setting `filterEditor:suggestValues` to `false`
|
|
in <<advanced-options,
|
|
Advanced Settings>>.
|
|
|
|
[float]
|
|
[[filter-pinning]]
|
|
=== Edit, disable, and delete filters
|
|
|
|
To modify a filter, click its tag, and then select one of the following actions.
|
|
|
|
*Pin across all apps*::
|
|
Persist the filter
|
|
when you switch contexts in Kibana. For example, you can pin a filter
|
|
in *Discover* and it remains in place when you switch to *Visualize*.
|
|
A filter is based on a particular index field—if the indices being
|
|
searched do not contain the field in a pinned filter, it has no effect.
|
|
|
|
*Edit filter*::
|
|
Edit the
|
|
filter definition and label.
|
|
|
|
*Exclude results*::
|
|
Switch from a positive
|
|
filter to a negative filter, and vice versa.
|
|
|
|
*Temporarily disable*::
|
|
Disable the filter without
|
|
removing it. Click again to reenable the filter.
|
|
|
|
*Delete*::
|
|
Delete the filter.
|
|
|
|
To apply an action to all filters,
|
|
click the *Actions* icon, and then select the action.
|
|
|
|
|
|
|
|
[float]
|
|
[[filter-edit]]
|
|
=== Modify the filter query
|
|
|
|
You can directly modify
|
|
the query that filters your search results. This enables you
|
|
to create more complex filters using multiple fields.
|
|
|
|
. Click the filter tag, and then select *Edit > Edit Query DSL*.
|
|
|
|
. Edit the query for the filter.
|
|
+
|
|
////
|
|
image::images/edit_filter_query_json.png[]
|
|
+
|
|
////
|
|
For example, if you are using the sample log data, you can use the
|
|
{ref}/query-dsl-bool-query.html[bool query] to create a filter
|
|
that displays the hits that originated from Canada or China that resulted in a 404 error:
|
|
+
|
|
==========
|
|
[source,json]
|
|
{
|
|
"bool": {
|
|
"should": [
|
|
{
|
|
"term": {
|
|
"geoip.country_name.raw": "Canada"
|
|
}
|
|
},
|
|
{
|
|
"term": {
|
|
"geoip.country_name.raw": "China"
|
|
}
|
|
}
|
|
],
|
|
"must": [
|
|
{
|
|
"term": {
|
|
"response": "404"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
}
|
|
==========
|