Once you’ve narrowed your search to a specific event in Discover, you can inspect the documents that occurred immediately before and after the event. To view the surrounding documents, your index pattern must contain time-based events.
- In the document table, click the expand icon (>).
Click View surrounding documents.
In the context view, documents are sorted by the time field specified in the index pattern and displayed using the same set of columns as the Discover view from which the context was opened. The anchor document is highlighted in blue.
The filters you applied in Discover are carried over to the context view. Pinned filters remain active, while normal filters are copied in a disabled state.
- To find the documents of interest, add filters.
To increase the number of documents that surround the anchor document, click Load. By default, five documents are added with each click.
Configure the context viewedit
Configure the appearance and behavior in Advanced Settings.
- Open the main menu, then click Stack Management > Advanced Settings.
context, then edit the settings.
The number of documents to display by default.
The default number of documents to load with each button click. The default is 5.
The field to use for tiebreaking in case of equal time field values. The default is the
You can enter a comma-separated list of field names, which is checked in sequence for suitability when a context is displayed. The first suitable field is used as the tiebreaking field. A field is suitable if the field exists and is sortable in the index pattern the context is based on.
Although not required, it is recommended to only use fields that have doc values enabled to achieve good performance and avoid unnecessary field data usage. Common examples for suitable fields include log line numbers, monotonically increasing counters and high-precision timestamps.