896b9cddbc
* [DOCS] Updates for navigation redesign * Getting started * Set up text * Discover * Dashboard, Graph, ML, Maps, APM, SIEM, Dev tools * Dev Tools, Stack Monitoring, Management * Management * Final changes * [DOCS] Updates for navigation redesign * [DOCS] Updates CCR monitoring screenshots * updates SIEM screenshot and Cases overview text * Added Brandon's APM image * [DOCS] Refines CCR shard screenshot * Removed merge conflict image file Co-authored-by: lcawl <lcawley@elastic.co> Co-authored-by: Ben Skelker <ben.skelker@elastic.co>
193 lines
8.3 KiB
Plaintext
193 lines
8.3 KiB
Plaintext
[[search]]
|
|
== Search data
|
|
Many Kibana apps embed a query bar for real-time search, including
|
|
*Discover*, *Visualize*, and *Dashboard*.
|
|
|
|
[float]
|
|
=== Search your data
|
|
|
|
To search the indices that match the current <<index-patterns, index pattern>>,
|
|
enter your search criteria in the query bar. By default, you'll use
|
|
{kib}'s <<kuery-query, standard query language>> (KQL), which
|
|
features autocomplete and a simple, easy-to-use syntax. If you prefer to use
|
|
{kib}'s legacy query
|
|
language, based on the
|
|
Lucene https://lucene.apache.org/core/2_9_4/queryparsersyntax.html[query syntax],
|
|
you can switch to it from the KQL popup in the query bar. When you enable the
|
|
legacy query language, you can use the full
|
|
JSON-based {ref}/query-dsl.html[Elasticsearch Query DSL].
|
|
|
|
|
|
[float]
|
|
[[autorefresh]]
|
|
=== Refresh search results
|
|
As more documents are added to the indices you're searching, the search results
|
|
shown in *Discover*, and used to display visualizations, get stale. Using the
|
|
time filter, you can
|
|
configure a refresh interval to periodically resubmit your searches to
|
|
retrieve the latest results.
|
|
|
|
[role="screenshot"]
|
|
image::images/autorefresh-interval.png[]
|
|
|
|
You can also manually refresh the search results by
|
|
clicking the *Refresh* button.
|
|
|
|
[float]
|
|
=== Searching large amounts of data
|
|
|
|
Sometimes you want to search through large amounts of data no matter how long
|
|
the search takes. While this might not happen often, there are times
|
|
that long-running queries are required. Consider a threat hunting scenario
|
|
where you need to search through years of data.
|
|
|
|
If you run a query, and the run time gets close to the
|
|
timeout, you're presented the option to ignore the timeout. This enables you to
|
|
run queries with large amounts of data to completion.
|
|
|
|
By default, a query times out after 30 seconds.
|
|
The timeout is in place to avoid unintentional load on the cluster.
|
|
|
|
|
|
include::kuery.asciidoc[]
|
|
|
|
[[lucene-query]]
|
|
=== Lucene query syntax
|
|
Kibana's legacy query language was based on the Lucene query syntax. For the time being this syntax
|
|
is still available under the options menu in the Query Bar and in Advanced Settings. The following
|
|
are some tips that can help get you started.
|
|
|
|
* To perform a free text search, simply enter a text string. For example, if
|
|
you're searching web server logs, you could enter `safari` to search all
|
|
fields for the term `safari`.
|
|
|
|
* To search for a value in a specific field, prefix the value with the name
|
|
of the field. For example, you could enter `status:200` to find all of
|
|
the entries that contain the value `200` in the `status` field.
|
|
|
|
* To search for a range of values, you can use the bracketed range syntax,
|
|
`[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx
|
|
status codes, you could enter `status:[400 TO 499]`.
|
|
|
|
* To specify more complex search criteria, you can use the Boolean operators
|
|
`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
|
|
codes and have an extension of `php` or `html`, you could enter `status:[400 TO
|
|
499] AND (extension:php OR extension:html)`.
|
|
|
|
For more detailed information about the Lucene query syntax, see the
|
|
{ref}/query-dsl-query-string-query.html#query-string-syntax[Query String Query]
|
|
docs.
|
|
|
|
NOTE: These examples use the Lucene query syntax. When lucene is selected as your
|
|
query language you can also submit queries using the {ref}/query-dsl.html[Elasticsearch Query DSL].
|
|
|
|
|
|
[[save-open-search]]
|
|
=== Save a search
|
|
A saved search persists your current view of Discover for later retrieval and reuse. You can reload a saved search into Discover, add it to a dashboard, and use it as the basis for a <<visualize, visualization>>.
|
|
|
|
A saved search includes the query text, filters, and optionally, the time filter. A saved search also includes the selected columns in the document table, the sort order, and the current index pattern.
|
|
|
|
[role="xpack"]
|
|
[[discover-read-only-access]]
|
|
==== Read-only access
|
|
When you have insufficient privileges to save searches, the following indicator in Kibana will be
|
|
displayed and the *Save* button won't be visible. For more information on granting access to
|
|
Kibana see <<xpack-security-authorization>>.
|
|
|
|
[role="screenshot"]
|
|
image::discover/images/read-only-badge.png[Example of Discover's read only access indicator in Kibana's header]
|
|
|
|
==== Save a search
|
|
To save the current search:
|
|
|
|
. Click *Save* in the Kibana toolbar.
|
|
. Enter a name for the search and click *Save*.
|
|
|
|
To import, export and delete saved searches:
|
|
. Open the menu, then click *Stack Management.
|
|
. From the {kib} menu, click *Saved Ojbects*.
|
|
|
|
==== Open a saved search
|
|
To load a saved search into Discover:
|
|
|
|
. Click *Open* in the Kibana toolbar.
|
|
. Select the search you want to open.
|
|
|
|
If the saved search is associated with a different index pattern than is currently
|
|
selected, opening the saved search changes the selected index pattern. The query language
|
|
used for the saved search will also be automatically selected.
|
|
|
|
[[save-load-delete-query]]
|
|
=== Save a query
|
|
A saved query is a portable collection of query text and filters that you can reuse in <<discover, Discover>>, <<visualize, Visualize>>, and <<dashboard, Dashboard>>. Save a query when you want to:
|
|
|
|
* Retrieve results from the same query at a later time without having to reenter the query text, add the filters or set the time filter
|
|
* View the results of the same query in multiple apps
|
|
* Share your query
|
|
|
|
Saved queries don't include information specific to Discover, such as the currently selected columns in the document table, the sort order, and the index pattern. If you want to save your current view of Discover for later retrieval and reuse, create a <<save-open-search, saved search>> instead.
|
|
|
|
[role="xpack"]
|
|
==== Read-only access
|
|
If you have insufficient privileges to save queries, the *Save current query* button isn't visible in the saved query management popover. For more information, see <<xpack-security-authorization, Granting access to Kibana>>
|
|
|
|
==== Save a query
|
|
To save the current query text, filters, and time filter:
|
|
|
|
. Click *#* in the search bar, next to the query text input.
|
|
. Click *Save current query* in the popover.
|
|
+
|
|
[role="screenshot"]
|
|
image::discover/images/saved-query-management-component-all-privileges.png["Example of the saved query management popover with a list of saved queries with write access",width="80%"]
|
|
+
|
|
. Enter a name, a description, and then select the filter options that you want to include. By default, filters are automatically included, but the time filter is not.
|
|
+
|
|
[role="screenshot"]
|
|
image::discover/images/saved-query-save-form-default-filters.png["Example of the saved query management save form with the filters option included and the time filter option excluded",width="80%"]
|
|
. Click *Save*.
|
|
|
|
==== Load a query
|
|
To load a saved query into Discover, Dashboard, or Visualize:
|
|
|
|
. Click *#* in the search bar, next to the query text input.
|
|
. Select the query you want to load. You might need to scroll down to find the query you are looking for.
|
|
|
|
==== Save changes to a query
|
|
If you load a query and then make changes to the query text, the filters, or the time filter, you can save the changes as a new query or update the existing query.
|
|
|
|
To save the changes as a new query:
|
|
|
|
. Click *#* in the search bar, next to the query text input.
|
|
. Click *Save as new* in the popover.
|
|
. Enter a name and a description, and then select the filter options that you want to include.
|
|
. Click *Save*.
|
|
+
|
|
[role="screenshot"]
|
|
image::discover/images/saved-query-management-component-save-as-new-query.png["Example of the saved query management popover when a query is loaded and we have made changes to the query",width="80%"]
|
|
|
|
To save the changes to the current query:
|
|
|
|
. Click *#* in the search bar.
|
|
. Click *Save changes* in the popover.
|
|
. Enter a description, and then select the filter options that you want to include.
|
|
. Click *Save*.
|
|
|
|
==== Clear a query
|
|
To clear a query that is currently loaded in an application:
|
|
|
|
. Click *#* in the search bar.
|
|
. Click *Clear* in the popover.
|
|
|
|
==== Delete a query
|
|
To completely delete a query:
|
|
|
|
. Click *#* in the search bar, next to the query text input.
|
|
. Hover over the query you want to delete.
|
|
. Click the trash can icon.
|
|
+
|
|
[role="screenshot"]
|
|
image::discover/images/saved-query-management-component-delete-query-button.png["Example of the saved query management popover when a query is hovered over and we are about to delete a query",width="80%"]
|
|
|
|
You can import, export, and delete saved queries from <<managing-saved-objects, Saved Objects in Management>>.
|