The toolbar is one of the most crucial components of the Discover page, which helps with powerful analysis of data based on search queries and filters as applied. It is used for specifying the search query that is used for analyzing the data. Whenever a search query is specified, it checks in all documents and returns results of the matching search query. The toolbar consists of a search bar along with option buttons such as new search, save search, and load saved search.
Let's understand the usage of different options of the toolbar in detail.
The search bar is used to search for a particular word, for example, a term either contained in all the documents or for searching for a particular term in a specific field in all the documents. Whenever a search query is submitted, it matches the documents of the selected index and returns the results. For searching a query, you can specify basic simple strings or use Apache Lucene query syntax. As Kibana leverages the functionality of Elasticsearch, Lucene query provides a way to use simple and complex queries, providing powerful search capabilities for playing with data.
Whenever a search query is submitted, corresponding hits, histogram, document data, and fields get updated as per the search results obtained. Hits indicate the total number of documents matching the search results. It is displayed in the top-right corner, just above the histogram. Document data displays the initial 500 documents as per the default settings. Also, the search results are highlighted in Kibana 4, which provides an elegant way to view the search result.
The different ways of searching data are as follows:
- To search data (term) that is contained in any field in all the documents, just type the data that you would like to search.
For example, if you want to search for Windows, enter
windowsto search within all fields in all documents:
In the previous figure, Windows was searched for and was found in 643 documents as specified by 643 hits. In this example, it will search within all the fields contained in the document and give corresponding results. As per the search results, hits, histogram, document data, and fields get updated.
- To search for data (term) in a specific field, you have to specify the field name followed by a colon, followed by the search term.
For example, if you want to search for Windows in the text field, enter
text:windows, which would provide you with all the documents matching the term windows in the text field:
In the previous figure, searching for
windowsin the text field provided 51 matching documents. In this example it searched only within the text field of all the documents. As per the search results, hits, histogram, document data and fields get updated. - To search for an exact data phrase (a string containing multiple words), enclose the data within double quotes (
""). It will search for exactly that data phrase within all the documents.For example, if you want to search for Windows 10, enter
"windows 10", which would provide you with all the documents matching the term windows 10 in the documents:
In the previous figure, searching for
"windows 10"provided 25 hits (matching documents). In this example, it searched for documents containing the exact phrase windows 10, which were displayed in the search results. - To search data for a particular range, you can specify it using the brackets (
[]) containing a starting value to ending value as [starting value TO ending value]. In the range, the data can be specified as multiple data types such as date, integer, or string.For example, if you want to search data within a specified date range, just enter the date field name followed by the date range. Enter
created_at:[2015-06-02 TO 2015-06-03]in the search bar, which would provide you with all the documents occurring in the specified date range. The date format is being followed as per the Elasticsearch format, which was mentioned earlier in this chapter while explaining the Absolute time filter:
In the previous figure, searching for a date range provided all the documents occurring in the specified date range.
- To search data for a particular range containing string values, it will follow the same syntax of range as specified previously.
For example, if you want to search data for a range of string, enter
text:[ubuntu TO windows]and it will provide search results containing words lying between Ubuntu and Windows in the text field:
In the previous figure, the search results highlighted all the matching documents containing words between Ubuntu and Windows following alphabetical order. Vente, vendre, and voyager all lie between the words Ubuntu and Windows.
- To search for more complex queries, make use of Boolean operators that consist of
OR,AND,NOT,+, or-. All the Boolean operators have to be specified in capital letters otherwise it will treat it as a simple word:- The
ORoperator is used to combine multiple words and if either of the words is found in any of the documents, it will show the matching documents. Its analogy is similar to union in sets. To use this operator we can specifyORor||(double pipe) symbol.For example, if you want to search for Windows or Mac within all documents, enter
windows OR mac, which would provide all the matching documents containing either the terms Windows or Mac:
In the previous figure, the search results highlighted all the documents containing either the terms Windows or Mac.
- The
ANDoperator is used to combine multiple words and if both of the words exist in any document, it will show the matching documents. Its analogy is similar to intersections in sets. To use this operator we can specifyANDor&&(double ampersand) symbol.For example, if you want to search for Windows and Mac within all documents, enter
windows AND mac, which would provide all the matching documents containing the terms Windows and Mac:
In the previous figure, the search results highlighted all the documents containing both the terms Windows and Mac.
- The
NOToperator is used for excluding searching in documents containing any term occurring after theNOToperator. Its analogy is similar to difference in sets. To use this operator we can specify theNOT(exclamation) symbol.For example, if you want to search for Windows but not for Mac within all documents, enter
windows NOT mac, which would provide all the matching documents containing the term Windows but not the term Mac:
In the previous figure, the search results highlighted all the documents containing the word Windows but not the word Mac.
- The
+operator is also known as a required operator. It is used to include words that must exist in any document occurring after the+operator. This operator is similar to combiningNOTalong with theANDoperator.For example, if you want to search for Windows and maybe Mac within all documents, enter
+windows mac, which would provide all the matching documents containing the word Windows and may contain the word Mac.
In the previous figure, the matching document is equal to 643 hits, meaning an equivalent of 642 hits (
windows NOT mac) and 1 hit (windows AND mac).
In the previous figure, the search results highlighted all the documents that must have the word Windows and may or may not contain the word Mac.
- The
-operator is also known as the prohibit operator. It is used for excluding searching in documents containing any word occurring after the-operator. This operator is similar to theNOToperator.For example, if you want to search for Windows but not for Mac within all documents, enter
"windows"-"mac", which would provide all the matching documents containing the term Windows and not the term Mac:
In the previous figure, the search results highlighted all the documents containing the word Windows but not the word Mac.
- The
- Grouping is used for performing more complex queries by combining multiple Boolean operators. It uses parenthesis
()for grouping Boolean operators.For example, if you want to search for either Mac or Linux and Windows, enter
(mac OR linux) AND windows. To simplify, all the documents must have the term Windows and contain either the terms Mac or Linux. It is similar to combining(mac AND windows)along with(linux AND windows):
In the previous figure, the search results highlighted all the documents containing the term Windows with a combination of either Linux or Mac.
- Wildcard searches are supported by Apache Lucene, which is the underlying layer of Kibana that is abstracted by Elasticsearch. It provides single character and multiple character searches. The single character searches are done using the
?(question mark) symbol whereas multiple character searches are done using the*(asterisk) symbol. For a single character wildcard search, it looks for terms that match with the single character that has to be replaced.For example, if you want to search for terms, such as mac or sac or pac, enter the search as
?ac. It will match all the documents to give results matching this wildcard expression. It would be any initial letter followed by ac and would consist of three characters only:
In the previous figure, the search results highlighted all the documents matching the wildcard expression
?ac, matching with words such as sac, mac, and tac.For a multiple characters wildcard search, it looks for terms that match 0 or more than 0 characters.
For example, if you want to search for terms such as Mac, Macintosh, machine, and so on, enter the search as
mac*. It will match all documents to give results matching this wildcard expression. It would contain results following a pattern starting with mac and followed by 0 or more characters:
In the previous figure, the search results highlighted all the documents matching the wildcard expression
mac*, matching with words such as macht, mac, macam, and so on. - Proximity searches are used to find terms that are within a definite distance apart from each other, for example to match documents containing two terms that are at a definite distance apart from each other. It uses the
~(tilde) symbol for performing a proximity search, which appears at the end of a phrase/multiple words.For example, if you want to search for documents containing the terms Linux and Mac within seven words of each other, enter
"linux mac"~7. It will match all documents to show results of documents containing both terms within a distance of seven words:
In the previous figure, the search results highlighted all the documents matching a proximity search of having both terms linux and mac appear within seven words of each other.
- Regular expressions are used to find terms that follow a specified pattern. It can be used on words, phrases, or specific fields. It helps to form complex queries allowing it to be used with multiple words as well. It overcomes the limitation of a wildcard search and allows it to be used even with phrases. It uses
/(slash) along with[](square brackets) in which different characters are specified to search for a given pattern.For example, if you want to search for phrases containing words such as mac, mat, mag, combined with words such as it, in, enter
/ma[ctg]/ AND /i[tn]/. It will match all documents containing both sets of words:
In the previous figure, the search results highlighted all the documents containing words like mac, mat combined with it and in.
New Search provides the option to start a new search. It erases the present search query and creates a new search to play around with data. It is done by clicking on the New Search button 
, which is situated in the toolbar beside the search bar:
In the previous figure, notice the New Search option, which is accessible from the toolbar.
Save Search provides the option of saving a search query. It is used to save the current entered search query along with the selected index information. This option is situated beside the New Search button in the toolbar.
To save a search, perform the following steps:
Load Saved Search provides the option of loading the saved search query. It is used to load a saved search with a specified index. If loading a saved search included a different index, then on loading it the selected index also gets updated. This option is situated beside the Save Search button in the toolbar.
To load a saved search, perform the following steps:
