Discover

The Discover page helps you to interactively explore data. It lets the user interactively run search queries, filter the search results, and view document data. It also lets the user save the search or filter criteria so that it can be reused, or used to create visualizations on top of the filtered results. Clicking on the third icon from the top-left takes you to the Discover page.

By default, the Discover page displays the events of the last 15 minutes. As the log events are from the period May 2014 to June 2014, set the appropriate date range in the time filter. Navigate to Time Filter | Absolute Time Range and set From to 2014-05-28 00:00:00.000 and To to 2014-07-01 00:00:00.000. Click Update, as shown in the following screenshot:

The Discover page contains the sections shown in the following screenshot:

The numbers in the preceding screenshot represent individual sections: Index Pattern (1), Fields List (2), Document Table (3), Query Bar (4), Hits (5), Histogram (6), Toolbar (7), Time Picker (8), Filters (9), and Expand/Collapse (10).

Let's look at each one of them:

  • Index Pattern: All the configured index patterns are shown here in a dropdown and the default one is selected automatically. The user can choose the appropriate index pattern for data exploration.
  • Fields List: All the fields that are part of the document are shown in this section. Clicking on a field shows its Quick Count: how many of the documents in the document table contain that field, what its top five values are, and what percentage of documents contain each value, as shown in the following screenshot:

  • Document Table: This section shows the actual document data. The table shows the 500 most recent documents that match the user-entered query/filters, sorted by timestamp (if the field exists). By clicking the Expand button found to the left of a document's table entry, the document's data can be viewed in table format or JSON format, as follows:

During data exploration, we are often interested in a subset of fields rather than the whole document. To add fields to the document table, either hover over the field in the fields list and click its add button, or expand the document and click the field's Toggle column in table button:

Added field columns replace the _source column in the document table. Field columns in the table can be reordered by clicking the left or right arrows that appear when hovering over the column name. Similarly, columns can be removed from the table by clicking the remove (x) button, as follows:

  • Query Bar: Using the query bar/search bar, the user can enter queries to filter the search results. Submitting a search request updates the histogram (if a time field is configured for the selected index pattern), the document table, the fields list, and the hit count to reflect the search results. Matching search text is highlighted in the document table. To search your data, enter your search criteria in the query bar and press Enter, or click the search icon.

The query bar accepts three types of queries:

Let's explore the three options in detail.
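To make the Document Table and Quick Count behaviour described above concrete, here is an added Python example (not code from the book or from Kibana). It builds an Elasticsearch request body that approximates what Discover sends for the absolute time range set earlier (an assumption, simplified from the real request), then reproduces the "500 most recent, newest first" table and the Fields List Quick Count over a constructed set of sample log documents.

```python
from collections import Counter
from datetime import datetime

# Constructed sample standing in for the hits Discover would return
# (not real records from the book's web-log dataset).
SAMPLE_DOCS = [
    {"@timestamp": "2014-06-01T10:00:00.000Z", "response": 200, "clientip": "10.0.0.1"},
    {"@timestamp": "2014-06-01T10:05:00.000Z", "response": 404, "clientip": "10.0.0.2"},
    {"@timestamp": "2014-06-01T10:07:00.000Z", "response": 200, "clientip": "10.0.0.1"},
    {"@timestamp": "2014-06-01T10:09:00.000Z", "response": 500, "clientip": "10.0.0.3"},
    {"@timestamp": "2014-06-01T10:12:00.000Z", "response": 200},  # clientip missing
    {"@timestamp": "2014-05-20T09:00:00.000Z", "response": 200, "clientip": "10.0.0.1"},
]


def discover_request(start, end, query="*", time_field="@timestamp", size=500):
    """Elasticsearch request body approximating what Discover issues (assumption:
    a simplified form of the real request): the absolute time range as a filter,
    the search-bar text as a query_string, newest first, 500 hits, highlighting."""
    time_range = {"gte": start, "lte": end, "format": "strict_date_optional_time"}
    return {
        "size": size,
        "sort": [{time_field: {"order": "desc"}}],
        "query": {"bool": {"must": [{"query_string": {"query": query}}],
                           "filter": [{"range": {time_field: time_range}}]}},
        "highlight": {"fields": {"*": {}}},
    }


def _ts(doc, time_field):
    # ISO 8601 with a trailing Z; fromisoformat() needs an explicit offset.
    return datetime.fromisoformat(doc[time_field].replace("Z", "+00:00"))


def document_table(docs, time_field="@timestamp", size=500):
    """The Document Table view: the `size` most recent hits, newest first."""
    return sorted(docs, key=lambda d: _ts(d, time_field), reverse=True)[:size]


def quick_count(docs, field, top_n=5):
    """Fields List Quick Count over the documents in the table: how many hits
    contain the field, the top five values, and each value's share of the hits
    that contain the field (Kibana's denominator, not the whole table)."""
    values = [d[field] for d in docs if d.get(field) is not None]
    top = [(v, c, round(100.0 * c / len(values), 1))
           for v, c in Counter(values).most_common(top_n)]
    return {"exists_in": len(values), "total": len(docs), "top": top}


if __name__ == "__main__":
    print(discover_request("2014-05-28T00:00:00.000Z", "2014-07-01T00:00:00.000Z"))
    table = document_table(SAMPLE_DOCS)
    for field in ("response", "clientip"):
        print(field, quick_count(table, field))
```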
