Sometimes you might need to search through large amounts of data no matter how long the search takes. While this might not happen often, there are times that long-running queries are required. Consider a threat hunting scenario, where you need to search through years of data.
If your query is running long, you can save your search session, which allows Kibana to continue processing your request in the background. Save your search session from Discover or Dashboard, and when your session is complete, view and manage it in Stack Management.
- To save a session, you must have permissions for Discover and Dashboard, and the search sessions subfeature.
- To view and restore a saved session, you must have access to Stack Management.
Example: Save a search sessionedit
You’re trying to understand a trend you see on a dashboard. You need to look at several years of data, currently in cold storage, but you don’t have time to wait. You want Kibana to continue working in the background, so tomorrow you can open your browser and pick up where you left off.
Load your dashboard.
Your search session begins automatically. The icon after the dashboard title displays the current state of the search session. A clock indicates the search session is in progress. A checkmark indicates that the search session is complete.
To instruct Kibana to continue a search in the background, click the clock icon, and then click Save session. Once you save a search session, you can start a new search, navigate to a different application, or close the browser.
To view your saved searches, open the main menu, and then click Stack Management > Search Sessions. You can also open this view from the search sessions popup for a saved or completed session.
Use the edit menu in Search Sessions to:
- Inspect the queries and filters that makeup the session.
- Extend the expiration of a completed session.
- Delete a session.
To restore a search session, click its name in the Search Sessions view.
You’re returned to the place from where you started the search session. The data is the same, but behaves differently:
- Relative dates are converted to absolute dates.
- Panning and zooming is disabled for maps.
- Changing a filter, query, or drilldown starts a new search session, which can be slow.