diff --git a/explore-analyze/dashboards/using.md b/explore-analyze/dashboards/using.md index 68ed39e28d..7d59851889 100644 --- a/explore-analyze/dashboards/using.md +++ b/explore-analyze/dashboards/using.md @@ -1,6 +1,7 @@ --- mapped_pages: - https://www.elastic.co/guide/en/kibana/current/_use_and_filter_dashboards.html +description: Learn how to explore and interact with Kibana dashboards using filters, time ranges, and controls to uncover insights in your data. applies_to: stack: ga serverless: ga @@ -10,6 +11,11 @@ products: # Exploring dashboards [_use_and_filter_dashboards] +Kibana dashboards support filtering, time range adjustments, and interactive controls that let you focus on specific data segments or time periods. + +This page covers the main ways to explore dashboard data: using KQL queries, filter pills, time ranges, and dashboard controls. You'll also learn how to view underlying data and switch between different display modes. + + ## Search and filter your dashboard data [search-or-filter-your-data] @@ -23,6 +29,20 @@ products: This section shows the most common ways for you to filter dashboard data. For more information about {{kib}} and {{es}} filtering capabilities, refer to [](/explore-analyze/query-filter.md). +### Filter dashboards using the KQL query bar [_filter_dashboards_using_the_kql_query_bar] + +The query bar lets you build filters using [{{kib}} Query Language (KQL)](../query-filter/languages/kql.md). When typing, it dynamically suggests matching fields, operators, and values to help you get the exact results that you want. + +You can use KQL to create complex queries that filter your dashboard data. For example: +- `status:error` to show only error records +- `response_time > 1000` to display requests slower than 1 second +- `user.name:"john doe" AND status:active` to combine multiple conditions + +:::{tip} +:applies_to: {"stack": "preview 9.2", "serverless": "unavailable"} +When working with large datasets, complex KQL queries might cause dashboards to load slowly. In versions 9.2 and later, you can [send long-running searches to the background](../discover/background-search.md) and continue working on other tasks while the data loads. A notification will appear when the search completes. +::: + ### Use filter pills [_use_filter_pills] diff --git a/explore-analyze/discover/background-search.md b/explore-analyze/discover/background-search.md new file mode 100644 index 0000000000..5b1f870a50 --- /dev/null +++ b/explore-analyze/discover/background-search.md @@ -0,0 +1,111 @@ +--- +navigation_title: "Run queries in the background" +mapped_pages: + - https://www.elastic.co/guide/en/kibana/current/search-sessions.html +applies_to: + stack: preview 9.2 + serverless: unavailable +products: + - id: kibana +description: Send your long-running queries to run in the background with background searches and search sessions, and focus on your other tasks while they complete. +--- + +# Run Discover and Dashboards queries in the background + +::::{important} - Background search replaces Search sessions + +Background search is a feature introduced in version 9.2. It replaces the deprecated **Search sessions** feature. +If you have been using search sessions and upgrade to 9.2, your search sessions aren't lost and become background searches. +:::: + +Sometimes you might need to search through large amounts of data, no matter how long the search takes. Consider a threat hunting scenario, where you need to search through years of data. + +You can send your long-running searches to the background from **Discover** or **Dashboards** and let them run while you continue your work. + +A notification appears when a background search has completed, and allows you to open the list of background searches. You can also access that list at any time to check the status of your searches and interact with them from the {icon}`background_task` **Background searches** button in the toolbar. + +![Send search to background](https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/bltee31dcf0d3917c75/68ecf412e5bae49d65a286ff/background-search.gif " =75%") + + +## Enable background searches + +This feature is disabled by default. You can enable background searches in versions 9.2 and higher, or search sessions in versions 9.1 and lower, by setting [`data.search.sessions.enabled`](kibana://reference/configuration-reference/search-sessions-settings.md) to `true` in the [`kibana.yml`](/deploy-manage/stack-settings.md) configuration file. + +:::{note} - Exception for search sessions users +If you upgrade to version 9.2 or higher with search sessions enabled in the version you upgrade from, background searches are automatically enabled. +::: + +## Usage requirements [_requirements] + +The background searches that you run are personal and only visible by you. To be able to use this feature, you must have the following minimum permissions: + +:::::{tab-set} +:group: background search + +::::{tab-item} 9.2 and later +:sync: 92 +To send searches to the background, and to view and interact with the list of background searches from **Discover** and **Dashboards** apps, you must have permissions for **Discover** and **Dashboard**, and for the [Background search subfeature](../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges). +:::: + +::::{tab-item} 9.1 and earlier +:sync: 91 +In versions 9.1 and earlier, this feature is named **Search sessions**. +* To save a session, you must have permissions for **Discover** and **Dashboard**, and the [Search sessions subfeature](../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges). +* To view and restore a saved session, you must have access to **Stack Management**. +:::: + +::::: + +## Send a search to the background + +You can send a search to the background only after it starts running. Until then, the **Send to background** button is disabled. + +1. Write or edit the query. + +1. Select {icon}`play` **Run** (or {icon}`refresh` **Refresh** if you already ran the query at least once) to start executing the query. At this point, the {icon}`background_task` **Send to background** button becomes available. + +1. Select {icon}`background_task` **Send to background**. The search is sent to the background and added to the queue of background searches. + +You can resume your other tasks, for example start a new search, navigate to a different application, or close the browser. Once the search has completed, a notification informs you and lets you access the search to view its results. + +Background searches expire after 7 days. Beyond that period, you must run the search again. + +## Reopen or manage background searches + +From the list of background searches, you can reopen and edit any searches, but also extend their validity period or delete them to keep only searches that you care about. + +1. Open your list of background searches using one of the following methods: + - Once a background search has completed, a notification appears to inform you, with a link to open the list of background searches. + - If you miss the notification or need to access this list at any time, go to **Discover** or **Dashboards** and select the {icon}`background_task` **Background searches** button in the toolbar. This option is only available from version 9.2. + + :::{tip} + From **Discover**, you can only view Discover background searches. And from **Dashboards**, you can only see Dashboards background searches. + ::: + - Open the **Background Search** management page in {{kib}}. + +1. Find the background search that you want to interact with using the search or status filter options. + - To open it to view its results and continue your explorations, select its name. Relative dates are converted to absolute dates. + - To rename it, select the {icon}`boxes_horizontal` More actions button, then select {icon}`pencil` **Edit name**. By default, background searches get default names that indicate their execution date and time. + - To extend its current expiration date by another 7 days, select the {icon}`boxes_horizontal` More actions button, then select **Extend**. + - To delete it, select the {icon}`boxes_horizontal` More actions button, then select {icon}`trash` **Delete**. + + +## Background search limitations in dashboards [_limitations] + +Some visualization features do not fully support background searches. When you restore a dashboard, panels with unsupported features won’t load immediately, but instead send out additional data requests, which can take a while to complete. The **Your background search is still running** warning appears. You can either wait for these additional requests to complete or come back to the dashboard later when all data requests have finished. + +A panel on a dashboard can behave like this if one of the following features is used: + +**Lens** + +* A **top values** dimension with an enabled **Group other values as "Other"** setting. This is configurable in the **Advanced** section of the dimension. +* An **intervals** dimension. + +**Aggregation-based** visualizations + +* A **terms** aggregation with an enabled **Group other values in separate bucket** setting. +* A **histogram** aggregation. + +**Maps** + +* Layers using joins, blended layers, or tracks layers. \ No newline at end of file diff --git a/explore-analyze/discover/discover-get-started.md b/explore-analyze/discover/discover-get-started.md index 461114f1b1..5307bf49c0 100644 --- a/explore-analyze/discover/discover-get-started.md +++ b/explore-analyze/discover/discover-get-started.md @@ -308,6 +308,14 @@ Learn more about how to use ES|QL queries in [Using ES|QL](try-esql.md). :::{include} ../_snippets/inspect-request.md ::: +### Run long-running queries in the background +```{applies_to} +stack: ga 9.2 +serverless: unavailable +``` + +You can send your long-running KQL or {{esql}} queries to the background from **Discover** and let them run while you continue exploring your data. Refer to [Run queries in the background](/explore-analyze/discover/background-search.md). + ### Save your Discover session for later use [save-discover-search] diff --git a/explore-analyze/discover/search-sessions.md b/explore-analyze/discover/search-sessions.md deleted file mode 100644 index b7bf67c0d9..0000000000 --- a/explore-analyze/discover/search-sessions.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/kibana/current/search-sessions.html -applies_to: - stack: ga - serverless: ga -products: - - id: kibana ---- - -# Run a search session in the background [search-sessions] - -::::{admonition} Deprecated and disabled by default -Search Sessions are deprecated. They are disabled by default and will be removed in a future version. You can enable search sessions again by setting [`data.search.sessions.enabled`](kibana://reference/configuration-reference/search-sessions-settings.md) to `true` in the [`kibana.yml`](/deploy-manage/stack-settings.md) configuration file. -:::: - - -Sometimes you might need to search through large amounts of data, no matter how long the search takes. Consider a threat hunting scenario, where you need to search through years of data. You can save a long-running search, so {{kib}} processes your request in the background, and you can continue your work. - -Save your search session from **Discover** or **Dashboard**, and when your session is complete, view and manage it in **Stack Management**. Search sessions are [enabled by default](kibana://reference/configuration-reference/search-sessions-settings.md). - -:::{image} /explore-analyze/images/kibana-search-session.png -:alt: Search Session indicator displaying the current state of the search -:screenshot: -::: - - -## Requirements [_requirements] - -* To save a session, you must have permissions for **Discover** and **Dashboard**, and the [search sessions subfeature](../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges). -* To view and restore a saved session, you must have access to **Stack Management**. - - -## Example: Save a search session [_example_save_a_search_session] - -You’re trying to understand a trend you see on a dashboard. You need to look at several years of data, currently in [cold storage](../../manage-data/lifecycle/data-tiers.md#cold-tier), but you don’t have time to wait. You want {{kib}} to continue working in the background, so tomorrow you can open your browser and pick up where you left off. - -1. Load your dashboard. - Your search session begins automatically. The icon after the dashboard title displays the current state of the search session. A clock icon indicates the search session is in progress. A checkmark indicates that the search session is complete. - -2. To continue a search in the background, click the clock icon, and then click **Save session**. - - ![Search Session indicator displaying the current state of the search](/explore-analyze/images/kibana-search-session-awhile.png "title =50%") - - Once you save a search session, you can start a new search, navigate to a different application, or close the browser. - -3. To view your saved search sessions, go to the **Search Sessions** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md). For a saved or completed session, you can also open this view from the search sessions popup. - ![Search Sessions management view with actions for inspecting](/explore-analyze/images/kibana-search-sessions-menu.png "") - -4. Use the edit menu in **Search Sessions** to: - - * **Inspect** the queries and filters that makeup the session. - * **Edit the name** of a session. - * **Extend** the expiration of a completed session. - * **Delete** a session. - -5. To restore a search session, click its name in the **Search Sessions** view. - - You’re returned to the place from where you started the search session. The data is the same, but behaves differently: - - * Relative dates are converted to absolute dates. - * Panning and zooming is disabled for maps. - * Changing a filter, query, or drilldown starts a new search session, which can be slow. - - - -## Limitations [_limitations] - -Some visualization features do not fully support background search sessions. When you restore a dashboard, panels with unsupported features won’t load immediately, but instead send out additional data requests, which can take a while to complete. The **Your search session is still running** warning appears. You can either wait for these additional requests to complete or come back to the dashboard later when all data requests have finished. - -A panel on a dashboard can behave like this if one of the following features is used: - -**Lens** - -* A **top values** dimension with an enabled **Group other values as "Other"** setting. This is configurable in the **Advanced** section of the dimension. -* An **intervals** dimension. - -**Aggregation-based** visualizations - -* A **terms** aggregation with an enabled **Group other values in separate bucket** setting. -* A **histogram** aggregation. - -**Maps** - -* Layers using joins, blended layers, or tracks layers. diff --git a/explore-analyze/images/kibana-search-session-awhile.png b/explore-analyze/images/kibana-search-session-awhile.png deleted file mode 100644 index 88a6f34e10..0000000000 Binary files a/explore-analyze/images/kibana-search-session-awhile.png and /dev/null differ diff --git a/explore-analyze/images/kibana-search-session.png b/explore-analyze/images/kibana-search-session.png deleted file mode 100644 index ded51feb29..0000000000 Binary files a/explore-analyze/images/kibana-search-session.png and /dev/null differ diff --git a/explore-analyze/images/kibana-search-sessions-menu.png b/explore-analyze/images/kibana-search-sessions-menu.png deleted file mode 100644 index 5ce8c680e9..0000000000 Binary files a/explore-analyze/images/kibana-search-sessions-menu.png and /dev/null differ diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml index 794b0b5dff..5d0fd66949 100644 --- a/explore-analyze/toc.yml +++ b/explore-analyze/toc.yml @@ -161,7 +161,7 @@ toc: - file: discover/save-open-search.md - file: discover/show-field-statistics.md - file: discover/run-pattern-analysis-discover.md - - file: discover/search-sessions.md + - file: discover/background-search.md - file: discover/try-esql.md - file: dashboards.md children: diff --git a/redirects.yml b/redirects.yml index 4877634c3a..eb3e257f40 100644 --- a/redirects.yml +++ b/redirects.yml @@ -516,7 +516,8 @@ redirects: # Related to https://github.com/elastic/docs-content/pull/3318 'solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md': 'solutions/security/manage-elastic-defend/automatic-troubleshooting.md' - +# Search sessions becoming background search + 'explore-analyze/discover/search-sessions.md': 'explore-analyze/discover/background-search.md' diff --git a/reference/glossary/index.md b/reference/glossary/index.md index ad5d1a99b6..cff63bdb8f 100644 --- a/reference/glossary/index.md +++ b/reference/glossary/index.md @@ -74,6 +74,9 @@ $$$glossary-zone$$$ availability zone ## B [b-glos] +$$$glossary-background-search$$$ Background search +: A long-running query queued and executed while you perform other tasks. The results of the background search are stored for a period of time, so you can access it once it has completed. Background searches are user specific. Before {{stack}} 9.2, background searches are called ["search sessions"](#glossary-search-session). + $$$glossary-basemap$$$ basemap : The background detail necessary to orient the location of a map. @@ -668,7 +671,7 @@ $$$glossary-scripted-field$$$ scripted field : A field that computes data on the fly from the data in {{es}} indices. Scripted field data is shown in Discover and used in visualizations. $$$glossary-search-session$$$ search session -: A group of one or more queries that are executed asynchronously. The results of the session are stored for a period of time, so you can recall the query. Search sessions are user specific. +: A group of one or more queries that are executed asynchronously. The results of the session are stored for a period of time, so you can recall the query. Search sessions are user specific. From {{stack}} 9.2, search sessions are called ["background searches"](#glossary-background-search). $$$glossary-search-template$$$ search template : A stored search you can run with different variables. See [Search templates](/solutions/search/search-templates.md).