9b2e8c94d3
* [DOCS] Adds a section on runtime fields to the Discover intro * [DOCS] Updates images * Adds link to runtime fields doc * [DOCS] Adds note about filtering, editing, and deleting runtime fields Co-authored-by: KOTungseth <kaarina.tungseth@elastic.co> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
285 lines
9.8 KiB
Text
285 lines
9.8 KiB
Text
[[discover]]
|
||
= Discover
|
||
|
||
[partintro]
|
||
--
|
||
**_Gain insight to your data._**
|
||
|
||
*Discover* enables you to quickly search and filter your data, get information
|
||
about the structure of the fields, and visualize your data with *Lens* and *Maps*.
|
||
You can customize and save your searches and place them on a dashboard.
|
||
|
||
++++
|
||
<script type="text/javascript" async src="https://play.vidyard.com/embed/v4.js">
|
||
</script>
|
||
<img
|
||
style="width: 100%; margin: auto; display: block;"
|
||
class="vidyard-player-embed"
|
||
src="https://play.vidyard.com/c2qBPz74BU16ncbvDWGvbz.jpg"
|
||
data-uuid="c2qBPz74BU16ncbvDWGvbz"
|
||
data-v="4"
|
||
data-type="inline"
|
||
/>
|
||
++++
|
||
|
||
[float]
|
||
=== Explore and query your data
|
||
|
||
You have questions about your data.
|
||
What pages on your website contain a
|
||
specific word or phrase? What events were logged most recently?
|
||
What processes take longer than 500 milliseconds to respond?
|
||
This tutorial shows you how to use *Discover* to quickly search large amounts of
|
||
data and understand what’s going on at any given time.
|
||
|
||
You’ll learn to:
|
||
|
||
- **Select** data for your exploration, set a time range for that data,
|
||
search it with the {kib} Query Language, and filter the results.
|
||
- **Explore** the details of your data, view individual documents, and create tables
|
||
that summarize the contents of the data.
|
||
- **Present** your findings in a visualization.
|
||
|
||
At the end of this tutorial, you’ll be ready to start exploring with your own
|
||
data in *Discover*.
|
||
|
||
|
||
[float]
|
||
=== Prerequisites
|
||
|
||
- If you don’t already have {kib}, set it up with https://www.elastic.co/cloud/elasticsearch-service/signup?baymax=docs-body&elektra=docs[our free trial].
|
||
- You must have data in {es}. This tutorial uses the
|
||
<<gs-get-data-into-kibana,ecommerce sample data set>>, but you can use your own data.
|
||
- You should have an understanding of {ref}/documents-indices.html[{es} documents and indices]
|
||
and <<kibana-concepts-analysts, {kib} concepts>>.
|
||
|
||
|
||
[float]
|
||
[[find-the-data-you-want-to-use]]
|
||
=== Find your data
|
||
|
||
Tell {kib} where to find the data you want to explore, and then specify the time range in which to view that data.
|
||
|
||
. Open the main menu, and select **Discover**.
|
||
|
||
. Select the data you want to work with.
|
||
+
|
||
{kib} uses an <<index-patterns,index pattern>> to tell it where to find
|
||
your {es} data.
|
||
To view the ecommerce sample data, make sure the index pattern is set to **kibana_sample_data_ecommerce**.
|
||
+
|
||
[role="screenshot"]
|
||
image::images/discover-index-pattern.png[How to set the index pattern in Discover, width=50%]
|
||
|
||
. Adjust the <<set-time-filter,time range>> to view data for the *Last 7 days*.
|
||
+
|
||
The range selection is based on the default time field in your data.
|
||
If you are using the sample data, this value was set when you added the data.
|
||
If you are using your own data, and it does not have a time field, the range selection is not available.
|
||
|
||
. To view the count of documents for a given time in the specified range,
|
||
click and drag the mouse over the histogram.
|
||
|
||
[float]
|
||
[[explore-fields-in-your-data]]
|
||
=== Explore the fields in your data
|
||
|
||
**Discover** includes a table that shows all the documents that match your search.
|
||
By default, the table includes columns for the time field and the document `_source`,
|
||
which can be overwhelming. You’ll modify this table to display only your fields of interest.
|
||
|
||
. Scan through the list of **Available fields** until you find the `manufacturer` field.
|
||
You can also search for the field by name.
|
||
+
|
||
[role="screenshot"]
|
||
image:images/discover-sidebar-available-fields.png[Fields list that displays the top five search results, width=50%]
|
||
|
||
. Click the `manufacturer` field to view its five most popular values.
|
||
+
|
||
[role="screenshot"]
|
||
image:images/find-manufacturer-field.png[Fields list that displays the top five search results, width=75%]
|
||
|
||
. Click image:images/add-icon.png[Add icon] to toggle the field into the document table.
|
||
|
||
. Find the `day of week` field and add it to your document table. Your table should look like this:
|
||
+
|
||
[role="screenshot"]
|
||
image:images/document-table.png[Document table with fields for manufacturer, geo.country_iso_code, and day_of_week]
|
||
|
||
|
||
. To rearrange the table columns, hover the mouse over a
|
||
column header, and then use the move and sort controls.
|
||
|
||
[float]
|
||
[[add-field-in-discover]]
|
||
=== Add a field
|
||
|
||
What happens if you forgot to define an important value as a separate field? Or, what if you
|
||
want to combine two fields and treat them as one?
|
||
You can add a field to your index pattern from inside of **Discover**,
|
||
and then use that field for analysis and visualizations,
|
||
the same way you do with other fields.
|
||
|
||
. Click the ellipsis icon (...), and then click *Add field to index pattern*.
|
||
+
|
||
[role="screenshot"]
|
||
image:images/add-field-to-pattern.png[Dropdown menu located next to index pattern field with item for adding a field to an index pattern, width=50%]
|
||
|
||
. In the *Create field* form, enter `hello` for the name.
|
||
|
||
. Turn on *Set value*.
|
||
|
||
. Use the Painless scripting language to define the field:
|
||
+
|
||
```ts
|
||
emit("Hello World!");
|
||
```
|
||
|
||
. Click *Save*.
|
||
|
||
. In the fields list, search for the *hello* field, and then click it.
|
||
+
|
||
You'll see the top values for the field. The pop-up also includes actions for filtering,
|
||
editing, and deleting the field.
|
||
+
|
||
[role="screenshot"]
|
||
image:images/hello-field.png[Top values for the hello field, width=50%]
|
||
|
||
For more information on adding fields and Painless scripting language examples, refer to <<runtime-fields, Explore your data with runtime fields>>.
|
||
|
||
|
||
[float]
|
||
[[search-in-discover]]
|
||
=== Search your data
|
||
|
||
One of the unique capabilities of **Discover** is the ability to combine
|
||
free text search with filtering based on structured data.
|
||
To search all fields, enter a simple string in the **Search** field.
|
||
|
||
[role="screenshot"]
|
||
image:images/discover-search-field.png[Search field in Discover]
|
||
|
||
|
||
To search particular fields and
|
||
build more complex queries, use the <<kuery-query,Kibana Query language>>.
|
||
As you type, KQL prompts you with the fields you can search and the operators
|
||
you can use to build a structured query.
|
||
|
||
Search the ecommerce data for documents where the country matches US:
|
||
|
||
. Enter `g`, and then select *geoip.country_iso_code*.
|
||
. Select *equals some value* and *US*, and then click *Update*.
|
||
. For a more complex search, try:
|
||
+
|
||
`geoip.country_iso_code : US and products.taxless_price >= 75`
|
||
|
||
[float]
|
||
[[filter-in-discover]]
|
||
=== Filter your data
|
||
|
||
Whereas the query defines the set of documents you are interested in,
|
||
filters enable you to zero in on different subsets of those documents.
|
||
You can filter results to include or exclude specific fields, filter for a value in a range,
|
||
and more.
|
||
|
||
Exclude documents where day of week is not Wednesday:
|
||
|
||
. Click **Add filter**.
|
||
. Set **Field** to *day_of_week*, **Operator** to *is not*, and **Value** to *Wednesday*.
|
||
+
|
||
[role="screenshot"]
|
||
image:images/discover-add-filter.png[Add filter dialog in Discover]
|
||
|
||
. Save the filter.
|
||
. Continue your exploration by adding more filters.
|
||
. To remove a filter,
|
||
click the close icon (x) next to its name in the filter bar.
|
||
|
||
[float]
|
||
[[look-inside-a-document]]
|
||
=== Look inside a document
|
||
|
||
Dive into an individual document to view its fields and the documents
|
||
that occurred before and after it.
|
||
|
||
. In the document table, expand any document. To view more of the document table, click *Hide chart*.
|
||
+
|
||
[role="screenshot"]
|
||
image:images/document-table-expanded.png[Table view with document expanded]
|
||
|
||
. Scan through the fields and their values. If you find a field of interest,
|
||
hover over its name for filters and other controls.
|
||
|
||
. To view documents that occurred before or after the event you are looking at, click
|
||
<<discover-view-surrounding-documents, View surrounding documents>>.
|
||
|
||
. For direct access to a particular document, click **<<discover-view-single-document,View single document>>**.
|
||
+
|
||
You can bookmark this document and share the link.
|
||
|
||
|
||
[float]
|
||
[[save-your-search]]
|
||
=== Save your search for later use
|
||
|
||
Save your search so you can repeat it later, generate a CSV report, or use it in visualizations, dashboards, and Canvas workpads.
|
||
Saving a search saves the query text, filters,
|
||
and current view of *Discover*—the columns selected in the document table, the sort order, and the index pattern.
|
||
|
||
. In the toolbar, click **Save**.
|
||
|
||
. Give your search a title, and then click **Save**.
|
||
+
|
||
[role="screenshot"]
|
||
image:images/discover-save-saved-search.png[Save saved search in Discover, width=50%]
|
||
|
||
[float]
|
||
=== Visualize your findings
|
||
If a field can be {ref}/search-aggregations.html[aggregated], you can quickly
|
||
visualize it from **Discover**.
|
||
|
||
. From the **Selected fields** list, click `day_of_week`, and then click **Visualize**.
|
||
+
|
||
[role="screenshot"]
|
||
image:images/discover-visualize.png[Discover sidebar field popover with visualize button, width=75%]
|
||
+
|
||
{kib} creates a visualization best suited for this field.
|
||
|
||
. Drag `manufacturer.keyword` from the field list and drop it on
|
||
the visualization builder pane.
|
||
+
|
||
[role="screenshot"]
|
||
image:images/discover-from-visualize.png[Visualization that opens from Discover based on your data]
|
||
|
||
. Save your visualization for use on a dashboard.
|
||
+
|
||
For geo point fields (image:images/geoip-icon.png[Geo point field icon, width=20px]),
|
||
if you click **Visualize**,
|
||
your data appears in a map.
|
||
+
|
||
[role="screenshot"]
|
||
image:images/discover-maps.png[Map containing documents]
|
||
|
||
|
||
[float]
|
||
=== What’s next?
|
||
|
||
* <<kuery-query, Learn more about the structure of a KQL query>>.
|
||
|
||
* <<discover-search-for-relevance, Search for relevance>>.
|
||
|
||
* <<reporting-getting-started, Present your findings in a report>>.
|
||
|
||
* <<kibana-discover-settings, Configure Discover>> to better meet your needs.
|
||
Go to **Advanced Settings** to configure the number of documents to show,
|
||
the table columns that display by default, and more.
|
||
|
||
--
|
||
|
||
include::{kib-repo-dir}/discover/view-document.asciidoc[]
|
||
|
||
include::{kib-repo-dir}/discover/search-for-relevance.asciidoc[]
|
||
|
||
include::{kib-repo-dir}/discover/save-search.asciidoc[]
|
||
|
||
include::{kib-repo-dir}/discover/search-sessions.asciidoc[]
|