For certain applications it can be useful to inspect a window of documents surrounding a specific event. The context view enables you to do just that for index patterns that are configured to contain time-based events.
To show the context surrounding an anchor document, click the Expand button to the left of the document’s table entry and then click the View surrounding documents link.
The context view displays a number of documents before and after the anchor document. The anchor document itself is highlighted in blue. The view is sorted by the time field specified in the index pattern configuration and uses the same set of columns as the Discover view the context was opened from. If there are multiple documents with the same time field value, the internal document order is used as a secondary sorting criterion by default.
The field used for tiebreaking in case of equal time field values can be configured using an advanced setting under Management > Advanced Settings, which defaults to the _doc field. The value of this setting can be a comma-separated list of field names, which will be checked in sequence for suitability when a context is about to be displayed. The first suitable field is then used as the tiebreaking field. A field is suitable if the field exists and is sortable in the index pattern the context is based on.
While not required, it is recommended to only use fields which have doc values enabled to achieve good performance and avoid unnecessary field data usage. Common examples for suitable fields include log line numbers, monotonically increasing counters and high-precision timestamps.
The number of documents displayed by default can be configured via the context:defaultSize setting in Management > Advanced Options.
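
The tiebreaker selection and windowing described above, sketched as an added example (not Kibana's own code). The function names, the `line_no` and `seq` fields, the sample events, and the ascending sort order are all assumptions made for illustration.

```javascript
// Added illustration; not Kibana source code. Field metadata and documents are constructed.

// Pick the first configured field that exists and is sortable in the index pattern.
function pickTieBreaker(setting, indexPatternFields) {
  const byName = new Map(indexPatternFields.map((f) => [f.name, f]));
  return setting
    .split(',')
    .map((name) => name.trim())
    .find((name) => byName.has(name) && byName.get(name).sortable);
}

// Sort by time field, then by the tiebreaker, and return `size` docs on each side of the anchor.
function contextWindow(docs, anchorId, timeField, tieBreaker, size) {
  const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
  const sorted = [...docs].sort(
    (a, b) => cmp(a[timeField], b[timeField]) || cmp(a[tieBreaker], b[tieBreaker])
  );
  const i = sorted.findIndex((d) => d.id === anchorId);
  if (i === -1) throw new Error(`anchor ${anchorId} not found`);
  return {
    before: sorted.slice(Math.max(0, i - size), i),
    anchor: sorted[i],
    after: sorted.slice(i + 1, i + 1 + size),
  };
}

// Constructed index pattern: "message" exists but is not sortable, "seq" is missing.
const fields = [
  { name: '@timestamp', sortable: true },
  { name: 'message', sortable: false },
  { name: 'line_no', sortable: true },
];
// Constructed auth log events; three share one timestamp and arrive out of order.
const docs = [
  { id: 'a', '@timestamp': '2024-01-01T10:00:01Z', line_no: 14, message: 'session opened' },
  { id: 'b', '@timestamp': '2024-01-01T10:00:00Z', line_no: 12, message: 'failed password' },
  { id: 'c', '@timestamp': '2024-01-01T10:00:00Z', line_no: 11, message: 'failed password' },
  { id: 'd', '@timestamp': '2024-01-01T10:00:00Z', line_no: 13, message: 'accepted password' },
  { id: 'e', '@timestamp': '2024-01-01T09:59:59Z', line_no: 10, message: 'connection from' },
];

const tieBreaker = pickTieBreaker('seq, message, line_no', fields);
const view = contextWindow(docs, 'd', '@timestamp', tieBreaker, 2);
console.log(tieBreaker, view.before.map((d) => d.id), view.after.map((d) => d.id));
```

Without a suitable tiebreaker, the two failed attempts and the accepted login that share a timestamp could appear in any order, which matters when the sequence of events is what an analyst is trying to establish.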