When you know what your data includes, you can create visualizations that best display that data and build better dashboards. Discover enables you to explore your data, find hidden insights and relationships, and get answers to your questions.
With Discover, you can:
- Access every document in every index that matches your selected index pattern
- Search your data and filter the search results
- Get field-level details about the documents that match your search
- View the events that occurred just before and after a document
The first thing to do in Discover is to select an index pattern, which defines the data you want to explore and visualize. The current index pattern is in the upper left. If you haven’t yet created an index pattern, you can add a sample data set, which has a pre-built index pattern.
By default, Discover shows data for the last 15 minutes. If you have a time-based index, and no data displays, you might need to increase the time range. Using the time filter in the upper right, you can specify a common or recently-used time range, a relative time from now, or an absolute time range.
Now that you have your data and set the time span, you can start asking your questions.
You can search your data using the Kibana Query language,
which offers a simplified query syntax.
For example, if
you search for
day_of_week : Friday, you’ll get a list of all documents
day_of_week is set to
Friday. If you prefer
Lucene query syntax, you can access it from the KQL menu.
Next, you’ll want narrow your search results to a more manageable data set. When you click on a name in the field list, you’ll see the top five values for the field, the number of documents that contain the field, and the percentage of documents that contain each value. From this view, you can use the (+) magnifier icon to quickly find all documents that have that value, or (-) to exclude all documents with that value. For more filter options, see filtering by field.
The sortable documents table
lists the documents that match your search.
By default, the table includes columns for the time field and the document
To zero in on a specific field, click add next to the field name in the left sidebar.
For example, if you add the
the document table includes columns for those three fields.
From the documents table, you can expand a document to examine its field data in either table or JSON format. The table view provides yet another filtering option—filtering for whether the field is present. See Viewing document data for details.
Suppose you’re troubleshooting your data, and you’ve narrowed down your results to a single document. Now you want to to see the events that occurred just before and after the document that you are looking at. You can do that by expanding the document and clicking View surrounding documents.
Finally, its time to save and share your data. You can export your data as a CSV file or create a direct link to share. The Save and Share actions are in the menu bar.