You are viewing docs on Elastic's new documentation system, currently in technical preview. For all other Elastic docs, visit elastic.co/guide.

Discover your data

Learn how to use Discover to gain insights into your data.

With Discover, you can quickly search and filter your data, get information about the structure of the fields, and display your findings in a visualization. You can also customize and save your searches and place them on a dashboard.

Explore and query your data

This tutorial shows you how to use Discover to search large amounts of data and understand what’s going on at any given time. This tutorial uses the book sample data set from the Get started page.

You’ll learn to:

  • Select data for your exploration, set a time range for that data, search it with the Kibana Query Language, and filter the results.
  • Explore the details of your data, view individual documents, and create tables that summarize the contents of the data.
  • Present your findings in a visualization.

At the end of this tutorial, you’ll be ready to start exploring with your own data in Discover.

Find your data

Tell Kibana where to find the data you want to explore, and then specify the time range in which to view that data.

  1. Once the book sample data has been ingested, navigate to Explore → Discover and click Create data view.

  2. Give your data view a name.

  1. Start typing in the Index pattern field, and the names of indices, data streams, and aliases that match your input will be displayed.
  • To match multiple sources, use a wildcard (*), for example, b* and any indices starting with the letter b display.

  • To match multiple sources, enter their names separated by a comma. Do not include a space after the comma. For example books,magazines would match two indices: books and magazines.

  • To exclude a source, use a minus sign (-), for example -books.

  1. In the Timestamp field dropdown, and then select release_date.
  • If you don't set a time field, you can't use global time filters on your dashboards. Leaving the time field unset might be useful if you have multiple time fields and want to create dashboards that combine visualizations based on different timestamps.

  • If your index doesn't have time-based data, choose I don't want to use the time filter.

  1. Click Show advanced settings to:
  • Display hidden and system indices.
  • Specify your own data view name. For example, enter your Elasticsearch index alias name.
  1. Click Save data view to Kibana.

  2. Adjust the time range to view data for the Last 40 years to view all your book data.

Explore the fields in your data

Discover includes a table that shows all the documents that match your search. By default, the document table includes a column for the time field and a column that lists all other fields in the document. You’ll modify the document table to display your fields of interest.

  1. In the sidebar, enter au in the search field to find the author field.

  2. In the Available fields list, click author to view its most popular values.

Discover shows the top 10 values and the number of records used to calculate those values.

  1. Click to toggle the field into the document table. You can also drag the field from the Available fields list into the document table.

Add a field to your data view

What happens if you forgot to define an important value as a separate field? Or, what if you want to combine two fields and treat them as one? This is where runtime fields come into play. You can add a runtime field to your data view from inside of Discover, and then use that field for analysis and visualizations, the same way you do with other fields.

  1. In the sidebar, click Add a field.

  2. In the Create field form, enter hello for the name.

  3. Turn on Set value.

  4. Define the script using the Painless scripting language. Runtime fields require an emit().

    emit("Hello World!");
  5. Click Save.

  6. In the sidebar, search for the hello field, and then add it to the document table.

  7. Create a second field named authorabbrev that combines the authors last name and first initial.

    String str = doc['author.keyword'].value;
    char ch1 = str.charAt(0);
    emit(doc['author.keyword'].value + ", " + ch1);
  8. Add authorabbrev to the document table.

Search your data

One of the unique capabilities of Discover is the ability to combine free text search with filtering based on structured data. To search all fields, enter a simple string in the query bar.

To search particular fields and build more complex queries, use the Kibana Query language. As you type, KQL prompts you with the fields you can search and the operators you can use to build a structured query.

Search the book data to find out which books have more than 500 pages:

  1. Enter p, and then select page_count.
  2. Select > for greater than and enter 500, then click the refresh button or press the Enter key to see which books have more than 500 pages.

Filter your data

Whereas the query defines the set of documents you are interested in, filters enable you to zero in on subsets of those documents. You can filter results to include or exclude specific fields, filter for a value in a range, and more.

Exclude documents where the author is not Terry Pratchett:

  1. Click next to the query bar.
  2. In the Add filter pop-up, set the field to author, the operator to is not, and the value to Terry Pratchett.
  3. Click Add filter.
  4. Continue your exploration by adding more filters.
  5. To remove a filter, click the close icon (x) next to its name in the filter bar.

Look inside a document

Dive into an individual document to view its fields and the documents that occurred before and after it.

  1. In the document table, click the expand icon to show document details.

  2. Scan through the fields and their values. If you find a field of interest, hover your mouse over the Actions column for filters and other options.

  3. To create a view of the document that you can bookmark and share, click Single document.

  4. To view documents that occurred before or after the event you are looking at, click Surrounding documents.

Save your search for later use

Save your search so you can use it later to generate a CSV report, create visualizations and Dashboards. Saving a search saves the query text, filters, and current view of Discover, including the columns selected in the document table, the sort order, and the data view.

  1. In the upper right toolbar, click Save.

  2. Give your search a title.

  3. Optionally store tags and the time range with the search.

  4. Click Save.

Visualize your findings

If a field can be aggregated, you can quickly visualize it from Discover.

  1. In the sidebar, find and then click release_date.

  2. In the popup, click Visualize.

Note

Kibana creates a visualization best suited for this field.

  1. From the Available fields list, drag and drop page_count onto the workspace.

  2. Save your visualization for use on a dashboard.

For geographical point fields, if you click Visualize, your data appears in a map.

Share your findings

To share your findings with a larger audience, click Share in the upper right toolbar.

Generate alerts

From Discover, you can create a rule to periodically check when data goes above or below a certain threshold within a given time interval.

  1. Ensure that your data view, query, and filters fetch the data for which you want an alert.

  2. In the toolbar, click Alerts → Create search threshold rule.

    The Create rule form is pre-filled with the latest query sent to Elasticsearch.

  3. Configure your Elasticsearch query and select a connector type.

  4. Click Save.

For more about this and other rules provided in alerting features, go to Alerting.

On this page