View document data

When you submit a search query in Discover, the most recent documents that match the query are listed in the documents table. By default, the table includes columns for the time field and the document _source, which shows all fields and values in the document.

Modify the document table

Use the following commands to tailor the documents table to suit your needs.

Add a field column

Hover over the list of Available fields and then click add next to each field you want to include as a column in the table. The first field you add replaces the _source column.

Change sort order

By default, columns are sorted by the values in the field. If a time field is configured for the current index pattern, the documents are sorted in reverse chronological order.

To change the sort order, hover over the column and click sort icon. The first click sorts by ascending order, the second click sorts by descending order, and the third click removes the field from the sorted fields.

Move a field column

Hover over the column header and click the (<<) or (>>) icons.

Remove a field column 

Hover over the list of Specified fields and then click remove. Or, use the (x) control in the column header.

Drill down into field-level details

To view the document data in either table or JSON format, click the expand icon (>). The expanded view provides these options for viewing your document:

  • View the events that surround your document. For example, you might want to see the 10 documents that occurred immediately before and after your event.
  • View the document data as a separate page. You can bookmark and share the link for direct access to a particular document.
Expanded Document

Configure the number of documents to show

By default, the documents table includes the 500 most recent documents that match the query. To change this number, set the discover:sampleSize property in Advanced Settings.