Discover

Gain insight into your data.

Discover enables you to quickly search and filter your data, get information about the structure of its fields, and visualize your data with Lens and Maps. You can customize and save your searches and place them on a dashboard.

Explore and query your data

You have questions about your data. What pages on your website contain a specific word or phrase? What events were logged most recently? What processes take longer than 500 milliseconds to respond? This tutorial shows you how to use Discover to quickly search large amounts of data and understand what’s going on at any given time.

You’ll learn to:

  • Select data for your exploration, and then set a time range for that data, search it with the Kibana Query Language, and filter the results.
  • Explore the details of your data, view individual documents, and create tables that summarize the contents of the data.
  • Present your findings in a visualization.

At the end of this tutorial, you’ll be ready to start exploring with your own data in Discover.

Prerequisites

Find your data

Tell Kibana where to find the data you want to explore, and then specify the time range in which to view that data.

  1. Open the main menu, and select Discover.
  2. Select the data you want to work with.

    Kibana uses an index pattern to tell it where to find your Elasticsearch data. To view the ecommerce sample data, make sure the index pattern is set to kibana_sample_data_ecommerce.

    How to set the index pattern in Discover
  3. Adjust the time range to view data for the Last 7 days.

    The range selection is based on the default time field in your data. If you are using the sample data, this value was set when you added the data. If you are using your own data, and it does not have a time field, the range selection is not available.

  4. To view the count of documents for a given time in the specified range, click and drag the mouse over the histogram.

Explore the fields in your data

Discover includes a table that shows all the documents that match your search. By default, the table includes columns for the time field and the document _source, which can be overwhelming. You’ll modify this table to display only your fields of interest.

  1. Scan through the list of Available fields to see what’s in your data. You can also search for a field by name.

    Fields list that displays the top five search results

  2. Find the manufacturer field, and then click it to view the five most popular values for that field.

    Discover fetches a maximum of 500 documents, which it uses to calculate the popular values.

  3. Click Add icon to toggle the field into the document table.
  4. Add day of week so your document table looks like this:

    Document table with fields for manufacturer

  5. To rearrange the table columns, hover the mouse over a column header, and then use the move and sort controls.

Search your data

One of the unique capabilities of Discover is the ability to combine free text search with filtering based on structured data. To search all fields, enter a simple string in the Search field.

Search field in Discover

To search particular fields and build more complex queries, use the Kibana Query Language (KQL). As you type, KQL prompts you with the fields you can search and the operators you can use to build a structured query.

Search the ecommerce data for documents where the country matches US:

  1. Enter g, and then select geoip.country_iso_code.
  2. Select equals some value and US, and then click Update.
  3. For a more complex search, try:

    geoip.country_iso_code : US and products.taxless_price >= 75

Filter your data

Whereas the query defines the set of documents you are interested in, filters enable you to zero in on different subsets of those documents. You can filter results to include or exclude specific fields, filter for a value in a range, and more. The Add filter popup prompts you with the fields you can filter and the operators you can use.

Add filter dialog in Discover

Exclude documents where day of week is not Wednesday:

  1. Click Add filter.
  2. Set Field to day_of_week, Operator to is not, and Value to Wednesday.
  3. Save the filter.
  4. Continue your exploration by adding more filters.
  5. To remove a filter, click the close icon (x) next to its name in the filter bar.
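The search and the filter above differ in what Discover sends to Elasticsearch: the KQL query becomes clauses the documents must match, while an "is not" filter becomes an exclusion. The Python below is an added example, not code from the Kibana documentation. It models that request for the tutorial's query and filter, evaluates it offline against constructed sample documents, and computes sidebar-style popular values from the fetched hits; the exact DSL shape (match_phrase and range under bool.must, the negated filter under bool.must_not) is an assumption about Kibana's translation.

```python
from collections import Counter

# Constructed sample documents shaped like kibana_sample_data_ecommerce (not real index data).
DOCS = [
    {"geoip": {"country_iso_code": "US"}, "products": [{"taxless_price": 80.0}], "day_of_week": "Monday", "manufacturer": "Elitelligence"},
    {"geoip": {"country_iso_code": "US"}, "products": [{"taxless_price": 50.0}], "day_of_week": "Monday", "manufacturer": "Oceanavigations"},
    {"geoip": {"country_iso_code": "FR"}, "products": [{"taxless_price": 90.0}], "day_of_week": "Monday", "manufacturer": "Elitelligence"},
    {"geoip": {"country_iso_code": "US"}, "products": [{"taxless_price": 120.0}], "day_of_week": "Wednesday", "manufacturer": "Elitelligence"},
    {"geoip": {"country_iso_code": "US"}, "products": [{"taxless_price": 60.0}, {"taxless_price": 99.0}], "day_of_week": "Friday", "manufacturer": "Pyramidustries"},
]

def discover_request(size=500):
    """Assumed request body for KQL 'geoip.country_iso_code : US and
    products.taxless_price >= 75' plus the filter 'day_of_week is not Wednesday'.
    size=500 mirrors the document cap Discover uses for popular values."""
    return {"size": size, "query": {"bool": {
        "must": [{"match_phrase": {"geoip.country_iso_code": "US"}},
                 {"range": {"products.taxless_price": {"gte": 75}}}],
        "must_not": [{"match_phrase": {"day_of_week": "Wednesday"}}],
    }}}

def get_path(doc, path):
    """Resolve a dotted field path; arrays (e.g. products) yield every element's value."""
    vals = [doc]
    for key in path.split("."):
        nxt = []
        for v in vals:
            for item in (v if isinstance(v, list) else [v]):
                if isinstance(item, dict) and key in item:
                    nxt.append(item[key])
        vals = nxt
    return vals

def clause_matches(doc, clause):
    """Evaluate the two clause kinds this example needs (match_phrase, range gte)."""
    (kind, body), = clause.items()
    (field, arg), = body.items()
    vals = get_path(doc, field)
    if kind == "match_phrase":
        return arg in vals
    if kind == "range":  # a doc matches if any array element satisfies gte
        return any(v >= arg["gte"] for v in vals)
    raise ValueError(f"unsupported clause: {kind}")

def run_locally(body, docs):
    """Apply bool.must (query) and bool.must_not (filter) and honour the size cap."""
    b = body["query"]["bool"]
    hits = [d for d in docs
            if all(clause_matches(d, c) for c in b.get("must", []))
            and not any(clause_matches(d, c) for c in b.get("must_not", []))]
    return hits[: body["size"]]

def top_values(hits, field, n=5):
    """Popular values as the Discover sidebar shows them, from the fetched hits only."""
    return Counter(v for h in hits for v in get_path(h, field)).most_common(n)
```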

Look inside a document

Dive into an individual document to view its fields and the documents that occurred before and after it.

  1. In the document table, expand any document.

    Table view with document expanded

  2. Scan through the fields and their values. If you find a field of interest, hover over its name for filters and other controls.
  3. To view documents that occurred before or after the event you are looking at, click View surrounding documents.
  4. For direct access to a particular document, click View single document.

    You can bookmark this document and share the link.

Save your search for later use

Save your search so you can repeat it later, generate a CSV report, or use it in visualizations, dashboards, and Canvas workpads. Saving a search saves the query and the filters.

  1. In the toolbar, click Save.
  2. Give your search a title, and then click Save.

    Save saved search in Discover

Visualize your findings

If a field can be aggregated, you can quickly visualize it from Discover.

  1. From the Selected fields list, click day_of_week, and then click Visualize.

    Discover sidebar field popover with visualize button

    Kibana creates a visualization best suited for this field.

  2. Drag manufacturer.keyword from the field list and drop it on the visualization builder pane.

    Visualization that opens from Discover based on your data

  3. Save your visualization for use on a dashboard.

If your documents contain geo point fields (Geo point field icon), you can visualize them in Maps.

  1. Make sure the index pattern is set to kibana_sample_data_ecommerce and the configured time range contains data.
  2. From the Available fields list, click geoip.location, and then click Visualize.

    Map containing documents

  3. Save your map for use on a dashboard.

What’s next?
