diff --git a/explore-analyze/discover/discover-get-started.md b/explore-analyze/discover/discover-get-started.md index 095ce25d0e..92d604e3bf 100644 --- a/explore-analyze/discover/discover-get-started.md +++ b/explore-analyze/discover/discover-get-started.md 
@@ -24,21 +24,19 @@ Select the data you want to explore, and then specify the time range in which to 1. Find **Discover** in the navigation menu or by using the [global search field](../../get-started/the-stack.md#kibana-navigation-search). 2. Select the data view that contains the data you want to explore. - - ::::{tip} - {{kib}} requires a [{{data-source}}](../find-and-organize/data-views.md) to access your Elasticsearch data. A {{data-source}} can point to one or more indices, [data streams](../../manage-data/data-store/index-types/data-streams.md), or [index aliases](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). When adding data to {{es}} using one of the many integrations available, sometimes data views are created automatically, but you can also create your own. - :::: - - - If you’re using sample data, data views are automatically created and are ready to use. - - :::{image} ../../images/kibana-discover-data-view.png - :alt: How to set the {{data-source}} in Discover - :class: screenshot - ::: + ::::{tip} + By default, {{kib}} requires a [{{data-source}}](../find-and-organize/data-views.md) to access your Elasticsearch data. A {{data-source}} can point to one or more indices, [data streams](../../manage-data/data-store/index-types/data-streams.md), or [index aliases](https://www.elastic.co/guide/en/elasticsearch/reference/current/alias.html). When adding data to {{es}} using one of the many integrations available, sometimes data views are created automatically, but you can also create your own. + + You can also [try {{esql}}](try-esql.md), that let's you query any data you have in {{es}} without specifying a {{data-source}} first. + :::: + If you’re using sample data, data views are automatically created and are ready to use. + :::{image} ../../images/kibana-discover-data-view.png + :alt: How to set the {{data-source}} in Discover + :class: screenshot + :width: 300px + ::: 3. 
If needed, adjust the [time range](../query-filter/filtering.md), for example by setting it to the **Last 7 days**. - The range selection is based on the default time field in your data view. If you are using the sample data, this value was set when the data view was created. If you are using your own data view, and it does not have a time field, the range selection is not available. 
@@ -56,29 +54,19 @@ You can later filter the data that shows in the chart and in the table by specif **Discover** provides utilities designed to help you make sense of your data: 1. In the sidebar, check the available fields. It’s very common to have hundreds of fields. Use the search at the top of that sidebar to look for specific terms in the field names. - - In this example, we’ve entered `ma` in the search field to find the `manufacturer` field. - - ![Fields list that displays the top five search results](../../images/kibana-discover-sidebar-available-fields.png "") - - ::::{tip} - You can combine multiple keywords or characters. For example, `geo dest` finds `geo.dest` and `geo.src.dest`. - :::: + In this example, we’ve entered `ma` in the search field to find the `manufacturer` field. + ![Fields list that displays the top five search results](../../images/kibana-discover-sidebar-available-fields.png "title =40%") + ::::{tip} + You can combine multiple keywords or characters. For example, `geo dest` finds `geo.dest` and `geo.src.dest`. + :::: 2. Select a field to view its most frequent values. - - **Discover** shows the top 10 values and the number of records used to calculate those values. + **Discover** shows the top 10 values and the number of records used to calculate those values. 3. Select the **Plus** icon to add fields to the results table. You can also drag them from the list into the table. - - :::{image} ../../images/kibana-discover-add-icon.png - :alt: How to add a field as a column in the table - :class: screenshot - ::: - - When you add fields to the table, the **Summary** column is replaced. - - ![Document table with fields for manufacturer](../../images/kibana-document-table.png "") + ![How to add a field as a column in the table](../../images/kibana-discover-add-field.png "title =50%") + When you add fields to the table, the **Summary** column is replaced. 
+ ![Document table with fields for manufacturer](../../images/kibana-document-table.png "") 4. Arrange the view to your liking to display the fields and data you care most about using the various display options of **Discover**. For example, you can change the order and size of columns, expand the table to be in full screen or collapse the chart and the list of fields. Check [Customize the Discover view](document-explorer.md). 5. **Save** your changes to be able to open the same view later on and explore your data further. 
@@ -92,9 +80,8 @@ What happens if you forgot to define an important value as a separate field? Or, 2. Select the **Type** of the new field. 3. **Name** the field. Name it in a way that corresponds to the way other fields of the data view are named. You can set a custom label and description for the field to make it more recognizable in your data view. 4. Define the value that you want the field to show. By default, the field value is retrieved from the source data if it already contains a field with the same name. You can customize this with the following options: - - * **Set value**: Define a script that will determine the value to show for the field. For more information on adding fields and Painless scripting language examples, refer to [Explore your data with runtime fields](../find-and-organize/data-views.md#runtime-fields). - * **Set format**: Set your preferred format for displaying the value. Changing the format can affect the value and prevent highlighting in Discover. + - **Set value**: Define a script that will determine the value to show for the field. For more information on adding fields and Painless scripting language examples, refer to [Explore your data with runtime fields](../find-and-organize/data-views.md#runtime-fields). + - **Set format**: Set your preferred format for displaying the value. Changing the format can affect the value and prevent highlighting in Discover. 5. In the advanced settings, you can adjust the field popularity to make it appear higher or lower in the fields list. By default, Discover orders popular fields from most selected to least selected. 6. **Save** your new field. 
@@ -135,16 +122,13 @@ In the following example, we’re adding 2 fields: A simple "Hello world" field, If a field can be [aggregated](../aggregations.md), you can quickly visualize it in detail by opening it in **Lens** from **Discover**. **Lens** is the default visualization editor in {{kib}}. 1. In the list of fields, find an aggregatable field. For example, with the sample data, you can look for `day_of_week`. - - ![Top values for the day_of_week field](../../images/kibana-discover-day-of-week.png "") + ![Top values for the day_of_week field](../../images/kibana-discover-day-of-week.png "title =60%") 2. In the popup, click **Visualize**. - - {{kib}} creates a **Lens** visualization best suited for this field. + {{kib}} creates a **Lens** visualization best suited for this field. 3. In **Lens**, from the **Available fields** list, drag and drop more fields to refine the visualization. In this example, we’re adding the `manufacturer.keyword` field onto the workspace, which automatically adds a breakdown of the top values to the visualization. - - ![Visualization that opens from Discover based on your data](../../images/kibana-discover-from-visualize.png "") + ![Visualization that opens from Discover based on your data](../../images/kibana-discover-from-visualize.png "") 4. Save the visualization if you’d like to add it to a dashboard or keep it in the Visualize library for later use. 
@@ -160,13 +144,12 @@ You can use **Discover** to compare and diff the field values of multiple result 1. Select the results you want to compare from the Documents or Results tab in Discover. 2. From the **Selected** menu in the table toolbar, choose **Compare selected**. The comparison view opens and shows the selected results next to each other. 3. Compare the values of each field. By default the first result selected shows as the reference for displaying differences in the other results. When the value remains the same for a given field, it’s displayed in green. When the value differs, it’s displayed in red. - - ::::{tip} - You can change the result used as reference by selecting **Pin for comparison** in the contextual menu of any other result. - :::: + ::::{tip} + You can change the result used as reference by selecting **Pin for comparison** in the contextual menu of any other result. + :::: - ![Comparison view in Discover](../../images/kibana-discover-compare-rows.png "") + ![Comparison view in Discover](../../images/kibana-discover-compare-rows.png "") 4. Optionally, customize the **Comparison settings** to your liking. You can for example choose to not highlight the differences, to show them more granularly at the line, word, or character level, or even to hide fields where the value matches for all results. 5. Exit the comparison view at any time using the **Exit comparison mode** button. 
@@ -193,15 +176,15 @@ Dive into an individual document to view its fields and the documents that occur 2. Scan through the fields and their values. You can filter the table in several ways: - * If you find a field of interest, hover your mouse over the **Field** or **Value** columns for filters and additional options. - * Use the search above the table to filter for specific fields or values, or filter by field type using the options to the right of the search field. - * You can pin some fields by clicking the left column to keep them displayed even if you filter the table. + * If you find a field of interest, hover your mouse over the **Field** or **Value** columns for filters and additional options. + * Use the search above the table to filter for specific fields or values, or filter by field type using the options to the right of the search field. + * You can pin some fields by clicking the left column to keep them displayed even if you filter the table. - ::::{tip} - You can restrict the fields listed in the detailed view to just the fields that you explicitly added to the **Discover** table, using the **Selected only** toggle. In ES|QL mode, you also have an option to hide fields with null values. - :::: + ::::{tip} + You can restrict the fields listed in the detailed view to just the fields that you explicitly added to the **Discover** table, using the **Selected only** toggle. In ES|QL mode, you also have an option to hide fields with null values. + :::: -3. To navigate to a view of the document that you can bookmark and share, select ** View single document**. +3. To navigate to a view of the document that you can bookmark and share, select **View single document**. 4. To view documents that occurred before or after the event you are looking at, select **View surrounding documents**. diff --git a/explore-analyze/discover/discover-search-for-relevance.md b/explore-analyze/discover/discover-search-for-relevance.md index 93a4e2740b..ec51da7b49 100644 
--- a/explore-analyze/discover/discover-search-for-relevance.md +++ b/explore-analyze/discover/discover-search-for-relevance.md @@ -28,17 +28,11 @@ This example shows how to use **Discover** to list your documents from most rele 6. To turn off sorting by the `timestamp` field, click the **field sorted** option, and then click **Clear sorting.** 7. Open the **Pick fields to sort by** menu, and then click **_score**. 8. Select **High-Low**. - - :::{image} ../../images/kibana-field-sorting-popover.png - :alt: Field sorting popover - :class: screenshot - ::: - - Your table now sorts documents from most to least relevant. - - :::{image} ../../images/kibana-discover-search-for-relevance.png - :alt: Documents are sorted from most relevant to least relevant. - :class: screenshot - ::: + ![Field sorting popover](../../images/kibana-field-sorting-popover.png "title =50%") + Your table now sorts documents from most to least relevant. + :::{image} ../../images/kibana-discover-search-for-relevance.png + :alt: Documents are sorted from most relevant to least relevant. + :class: screenshot + ::: diff --git a/explore-analyze/discover/document-explorer.md b/explore-analyze/discover/document-explorer.md index 5d637b21ed..1d9eaa5278 100644 --- a/explore-analyze/discover/document-explorer.md +++ b/explore-analyze/discover/document-explorer.md 
@@ -31,9 +31,9 @@ Customize the appearance of the document table and its contents to your liking. * To move a single column, drag its header and drop it to the position you want. You can also open the column’s contextual options, and select **Move left** or **Move right** in the available options. * To move multiple columns, click **Columns**. In the pop-up, drag the column names to their new order. * To resize a column, drag the right edge of the column header until the column is the width that you want. - - Column widths are stored with a Discover session. When you add a Discover session as a dashboard panel, it appears the same as in **Discover**. - + ::::{tip} + Column widths are stored with a Discover session. When you add a Discover session as a dashboard panel, it appears the same as in **Discover**. + :::: ### Customize the table density [document-explorer-density] @@ -54,7 +54,7 @@ When the number of results returned by your search query (displayed at the top o On the last page of the table, a message indicates that you’ve reached the end of the loaded search results. From that message, you can choose to load more results to continue exploring. -![Limit sample size in Discover](../../images/kibana-discover-limit-sample-size.png "") +![Limit sample size in Discover](../../images/kibana-discover-limit-sample-size.png "title =50%") ### Sort the fields [document-explorer-sort-data] 
@@ -66,20 +66,15 @@ To add or remove a sort on a single field, click the column header, and then sel To sort by multiple fields: 1. Click the **Sort fields** option. - - :::{image} ../../images/kibana-document-explorer-sort-data.png - :alt: Pop-up in document table for sorting columns - :class: screenshot - ::: + ![Pop-up in document table for sorting columns](../../images/kibana-document-explorer-sort-data.png "title =50%") 2. To add fields to the sort, select their names from the dropdown menu. - - By default, columns are sorted in the order they are added. - - :::{image} ../../images/kibana-document-explorer-multi-field.png - :alt: Multi field sort in the document table - :class: screenshot - ::: + By default, columns are sorted in the order they are added. + :::{image} ../../images/kibana-document-explorer-multi-field.png + :alt: Multi field sort in the document table + :class: screenshot + :width: 50% + ::: 3. To change the sort order, select a field in the pop-up, and then drag it to the new location. @@ -90,8 +85,7 @@ Change how {{kib}} displays a field. 1. Click the column header for the field, and then select **Edit data view field.** 2. In the **Edit field** form, change the field name and format. - - For detailed information on formatting options, refer to [Format data fields](../find-and-organize/data-views.md#managing-fields). + For detailed information on formatting options, refer to [Format data fields](../find-and-organize/data-views.md#managing-fields). 
@@ -101,11 +95,11 @@ Narrow your results to a subset of documents so you’re comparing just the data 1. Select the documents you want to compare. 2. Click the **Selected** option, and then select **Show selected documents only**. - - :::{image} ../../images/kibana-document-explorer-compare-data.png - :alt: Compare data in the document table - :class: screenshot - ::: + :::{image} ../../images/kibana-document-explorer-compare-data.png + :alt: Compare data in the document table + :class: screenshot + :width: 50% + ::: You can also compare individual field values using the [**Compare selected** option](discover-get-started.md#compare-documents-in-discover). diff --git a/explore-analyze/discover/run-pattern-analysis-discover.md b/explore-analyze/discover/run-pattern-analysis-discover.md index 3cefd5df17..ee5e0d1985 100644 --- a/explore-analyze/discover/run-pattern-analysis-discover.md +++ b/explore-analyze/discover/run-pattern-analysis-discover.md 
@@ -21,5 +21,5 @@ This example uses the [sample web logs data](../overview/kibana-quickstart.md#gs :class: screenshot ::: -1. (optional) Apply filters to one or more patterns. **Discover** only displays documents that match the selected patterns. Additionally, you can remove selected patterns from **Discover**, resulting in the display of only those documents that don’t match the selected pattern. These options enable you to remove unimportant messages and focus on the more important, actionable data during troubleshooting. You can also create a categorization {{anomaly-job}} directly from the **Patterns** tab to find anomalous behavior in the selected pattern. +5. (optional) Apply filters to one or more patterns. **Discover** only displays documents that match the selected patterns. Additionally, you can remove selected patterns from **Discover**, resulting in the display of only those documents that don’t match the selected pattern. These options enable you to remove unimportant messages and focus on the more important, actionable data during troubleshooting. You can also create a categorization {{anomaly-job}} directly from the **Patterns** tab to find anomalous behavior in the selected pattern. diff --git a/explore-analyze/discover/save-open-search.md b/explore-analyze/discover/save-open-search.md index b3ce0dcd58..35191f2a98 100644 --- a/explore-analyze/discover/save-open-search.md +++ b/explore-analyze/discover/save-open-search.md 
@@ -1,9 +1,10 @@ --- +navigation_title: Save a search for reuse mapped_pages: - https://www.elastic.co/guide/en/kibana/current/save-open-search.html --- -# Save a search for reuse [save-open-search] +# Discover sessions: Save a search for reuse [save-open-search] A saved Discover session is a convenient way to reuse a search that you’ve created in **Discover**. Discover sessions are good for saving a configured view of Discover to use later or adding search results to a dashboard, and can also serve as a foundation for building visualizations. @@ -28,7 +29,7 @@ By default, a Discover session stores the query text, filters, and current view 4. Click **Save**. 5. To reload your search results in **Discover**, click **Open** in the toolbar, and select the saved Discover session. - If the saved Discover session is associated with a different {{data-source}} than is currently selected, opening the saved Discover session changes the selected {{data-source}}. The query language used for the saved Discover session is also automatically selected. +If the saved Discover session is associated with a different {{data-source}} than is currently selected, opening the saved Discover session changes the selected {{data-source}}. The query language used for the saved Discover session is also automatically selected. diff --git a/explore-analyze/discover/search-sessions.md b/explore-analyze/discover/search-sessions.md index 68189b360b..ca24ecfe7a 100644 --- a/explore-analyze/discover/search-sessions.md +++ b/explore-analyze/discover/search-sessions.md 
@@ -33,24 +33,14 @@ Save your search session from **Discover** or **Dashboard**, and when your sessi You’re trying to understand a trend you see on a dashboard. You need to look at several years of data, currently in [cold storage](../../manage-data/lifecycle/data-tiers.md#cold-tier), but you don’t have time to wait. You want {{kib}} to continue working in the background, so tomorrow you can open your browser and pick up where you left off. 1. Load your dashboard. - - Your search session begins automatically. The icon after the dashboard title displays the current state of the search session. A clock icon indicates the search session is in progress. A checkmark indicates that the search session is complete. + Your search session begins automatically. The icon after the dashboard title displays the current state of the search session. A clock icon indicates the search session is in progress. A checkmark indicates that the search session is complete. 2. To continue a search in the background, click the clock icon, and then click **Save session**. - - :::{image} ../../images/kibana-search-session-awhile.png - :alt: Search Session indicator displaying the current state of the search - :class: screenshot - ::: - - Once you save a search session, you can start a new search, navigate to a different application, or close the browser. + ![Search Session indicator displaying the current state of the search](../../images/kibana-search-session-awhile.png "title =50%") + Once you save a search session, you can start a new search, navigate to a different application, or close the browser. 3. To view your saved search sessions, go to the **Search Sessions** management page using the navigation menu or the [global search field](../../get-started/the-stack.md#kibana-navigation-search). For a saved or completed session, you can also open this view from the search sessions popup. 
- - :::{image} ../../images/kibana-search-sessions-menu.png - :alt: Search Sessions management view with actions for inspecting - :class: screenshot - ::: + ![Search Sessions management view with actions for inspecting](../../images/kibana-search-sessions-menu.png "") 4. Use the edit menu in **Search Sessions** to: diff --git a/explore-analyze/discover/show-field-statistics.md b/explore-analyze/discover/show-field-statistics.md index a54cd55dd4..1be92ebdf5 100644 --- a/explore-analyze/discover/show-field-statistics.md +++ b/explore-analyze/discover/show-field-statistics.md 
@@ -16,31 +16,29 @@ This example explores the fields in the [sample web logs data](../overview/kiban 2. Expand the {{data-source}} dropdown, and select **Kibana Sample Data Logs**. 3. If you don’t see any results, expand the time range, for example, to **Last 7 days**. 4. Click **Field statistics**. + The table summarizes how many documents in the sample contain each field for the selected time period the number of distinct values, and the distribution. - The table summarizes how many documents in the sample contain each field for the selected time period the number of distinct values, and the distribution. - - :::{image} ../../images/kibana-field-statistics-view.png - :alt: Field statistics view in Discover showing a summary of document data. - :class: screenshot - ::: + :::{image} ../../images/kibana-field-statistics-view.png + :alt: Field statistics view in Discover showing a summary of document data. + :class: screenshot + ::: 5. Expand the `hour_of_day` field. + For numeric fields, **Discover** provides the document statistics, minimum, median, and maximum values, a list of top values, and a distribution chart. Use this chart to get a better idea of how the values in the data are clustered. - For numeric fields, **Discover** provides the document statistics, minimum, median, and maximum values, a list of top values, and a distribution chart. Use this chart to get a better idea of how the values in the data are clustered. - - :::{image} ../../images/kibana-field-statistics-numeric.png - :alt: Field statistics for a numeric field. - :class: screenshot - ::: + :::{image} ../../images/kibana-field-statistics-numeric.png + :alt: Field statistics for a numeric field. + :class: screenshot + ::: 6. Expand the `geo.coordinates` field. - For geo fields, **Discover** provides the document statistics, examples, and a map of the coordinates. + For geo fields, **Discover** provides the document statistics, examples, and a map of the coordinates. 
- :::{image} ../../images/kibana-field-statistics-geo.png - :alt: Field statistics for a geo field. - :class: screenshot - ::: + :::{image} ../../images/kibana-field-statistics-geo.png + :alt: Field statistics for a geo field. + :class: screenshot + ::: 7. Explore additional field types to see the statistics that **Discover** provides. 8. To create a visualization of the field data, click ![Click the magnifying glass icon to create a visualization of the data in Lens](../../images/kibana-visualization-icon.png "") or ![Click the Maps icon to explore the data in a map](../../images/kibana-map-icon.png "") in the **Actions** column. diff --git a/explore-analyze/discover/try-esql.md b/explore-analyze/discover/try-esql.md index 0fe49d71f5..1ef61c3c90 100644 --- a/explore-analyze/discover/try-esql.md +++ b/explore-analyze/discover/try-esql.md @@ -10,7 +10,7 @@ The Elasticsearch Query Language, {{esql}}, makes it easier to explore your data In this tutorial we’ll use the {{kib}} sample web logs in Discover and Lens to explore the data and create visualizations. ::::{tip} -For the complete {{esql}} documentation, including tutorials, examples and the full syntax reference, refer to the [{{es}} documentation](../query-filter/languages/esql.md). For a more detailed overview of {{esql}} in {{kib}}, refer to [Use {{esql}} in Kibana](../query-filter/languages/esql-kibana.md). +For the complete {{esql}} documentation, refer to the [{{esql}} documentation](../query-filter/languages/esql.md). For a more detailed overview of {{esql}} in {{kib}}, refer to [Use {{esql}} in Kibana](../query-filter/languages/esql-kibana.md). :::: 
@@ -42,19 +42,15 @@ Let’s say we want to find out what operating system users have and how much RA 1. We’re specifically looking for data from the sample web logs we just installed. 2. We’re only keeping the `machine.os` and `machine.ram` fields in the results table. - - ::::{tip} - Put each processing command on a new line for better readability. - :::: + ::::{tip} + Put each processing command on a new line for better readability. + :::: 3. Click **▶Run**. - - ![An image of the query result](../../images/kibana-esql-machine-os-ram.png "") - - ::::{note} - {{esql}} keywords are not case sensitive. - - :::: + ![An image of the query result](../../images/kibana-esql-machine-os-ram.png "") + ::::{note} + {{esql}} keywords are not case sensitive. + :::: Let’s add `geo.dest` to our query, to find out the geographical destination of the visits, and limit the results. @@ -68,13 +64,10 @@ Let’s add `geo.dest` to our query, to find out the geographical destination of ``` 2. Click **▶Run** again. You can notice that the table is now limited to 10 results. The visualization also updated automatically based on the query, and broke down the data for you. - - ::::{note} - When you don’t specify any specific fields to retain using `KEEP`, the visualization isn’t broken down automatically. Instead, an additional option appears above the visualization and lets you select a field manually. - :::: - - - ![An image of the extended query result](../../images/kibana-esql-limit.png "") + ::::{note} + When you don’t specify any specific fields to retain using `KEEP`, the visualization isn’t broken down automatically. Instead, an additional option appears above the visualization and lets you select a field manually. + :::: + ![An image of the extended query result](../../images/kibana-esql-limit.png "") We will now take it a step further to sort the data by machine ram and filter out the `GB` destination. 
diff --git a/explore-analyze/query-filter/tools/console.md b/explore-analyze/query-filter/tools/console.md index 180b3b1969..718fe11a3d 100644 --- a/explore-analyze/query-filter/tools/console.md +++ b/explore-analyze/query-filter/tools/console.md @@ -218,9 +218,9 @@ You can export requests: * **to a TXT file**, by using the **Export requests** button. When using this method, all content of the input panel is copied, including comments, requests, and payloads. All of the formatting is preserved and allows you to re-import the file later, or to a different environment, using the **Import requests** button. - ::::{tip} - When importing a TXT file containing Console requests, the current content of the input panel is replaced. Export it first if you don’t want to lose it, or find it in the **History** tab if you already ran the requests. - :::: + ::::{tip} + When importing a TXT file containing Console requests, the current content of the input panel is replaced. Export it first if you don’t want to lose it, or find it in the **History** tab if you already ran the requests. + :::: * by copying them individually as **curl**, **JavaScript**, or **Python**. To do this, select a request, then open the contextual menu and select **Copy as**. When using this action, requests are copied individually to your clipboard. You can save your favorite language to make the copy action faster the next time you use it. diff --git a/images/kibana-discover-add-icon.png b/images/kibana-discover-add-field.png similarity index 100% rename from images/kibana-discover-add-icon.png rename to images/kibana-discover-add-field.png
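Review bot: Grammar error in the sentence added to the tip in discover-get-started.md (hunk @@ -24,21 +24,19 @@): "that let's you query any data" should read "which lets you query any data". "let's" is the contraction of "let us", and the clause after the comma is non-restrictive, so it takes "which".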
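Review bot: Two images in the same step are handled differently in discover-search-for-relevance.md (hunk @@ -28,17 +28,11 @@): the field sorting popover becomes a Markdown image with "title =50%" and loses ":class: screenshot", while the relevance screenshot right after it stays an :::{image} directive with the class and no width. The same split shows up elsewhere in this patch, along with mixed units (":width: 300px" in discover-get-started.md, ":width: 50%" in document-explorer.md). Please pick one form and one unit for sized screenshots, and confirm that dropping the screenshot class on the converted images is intended.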
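Review bot: The paragraph starting "If the saved Discover session is associated with a different {{data-source}}" in save-open-search.md (hunk @@ -28,7 +29,7 @@) is re-added with no leading indentation, which takes it out of step 5, although it describes what happens when you open a saved session in that step. The rest of this patch indents follow-up text to keep it inside its list item, so this looks like the opposite of the intended change. Suggest keeping it indented under step 5.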
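Review bot: The sentence re-added under step 4 in show-field-statistics.md (hunk @@ -16,31 +16,29 @@) is still missing a comma: "for the selected time period the number of distinct values, and the distribution". Since the line is being rewritten anyway, change it to "for the selected time period, the number of distinct values, and the distribution". Steps 4 to 6 in this hunk also keep a blank line between the description and the image, where other hunks in the patch remove it. Worth making these consistent.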
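Review bot: The reworded tip in try-esql.md (hunk @@ -10,7 +10,7 @@) now reads "For the complete {{esql}} documentation, refer to the [{{esql}} documentation]", which is circular and drops the information about what the reader finds there (tutorials, examples and the full syntax reference). Suggest something like "For tutorials, examples and the full syntax reference, refer to the [{{esql}} documentation]".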
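Review bot: The rename of images/kibana-discover-add-icon.png to images/kibana-discover-add-field.png at the end of the patch is matched by only one updated reference in this diff, in discover-get-started.md. Please search the repository for any remaining uses of kibana-discover-add-icon.png before merging, since a leftover reference would render as a broken image.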