Filter by field
editFilter by field
editDiscover offers various types of filters, so you can restrict your documents to the exact data you want. For example, you might look at the results for a particular period of time. Or, you might include—or exclude— all HTTP redirects that come from a specific IP and port.
Add a filter
editA quick way to add a filter is from the fields list.
-
Click the field to filter on.
You’ll see the number of documents that contain the field, the top 5 values for the field, and the percentage of documents that contain each value.
-
Use the icon to show only documents that contain that value, or to exclude all documents with that value.
If there is no data to display, you might need to set a date time filter. You can choose a time from the quick filter or choose your own using absolute or relative times.
-
Try also these filtering options:
- To limit the field list to a particular data type, click Filter by type. You can also filter for whether that type is aggregatable or searchable.
- To filter for whether a field is present, expand the document in the document table, hover over the field, and click the Filter for field present icon.
Filter by condition
editYou can filter using advanced criteria, such as if a value is equal to or in between certain values.
- Click Add Filter.
- Select a field.
-
Select an operation for your filter:
is
The value for the field matches the given value.
is not
The value for the field does not match the given value.
is one of
The field matches one of the specified values.
is not one of
The value for the field does not match any of the specified values.
is between
The value for the field is in the given range.
is not between
The value for the field is not in the given range.
exists
Any value is present for the field.
does not exist
No value is present for the field.
-
Choose values for your filter.
Values from your indices may be suggested as selections if you are filtering against an aggregatable field.
- (Optional) Specify a label for the filter.
-
Click Save to apply the filter to your search.
If you are experiencing long-running queries as a result of the value suggestions, you can turn off the suggestions by setting
filterEditor:suggestValues
tofalse
in Advanced Settings.
Edit, disable, and delete filters
editTo modify a filter, click its tag, and then select one of the following actions.
- Pin across all apps
- Persist the filter when you switch contexts in Kibana. For example, you can pin a filter in Discover and it remains in place when you switch to Visualize. A filter is based on a particular index field—if the indices being searched do not contain the field in a pinned filter, it has no effect.
- Edit filter
- Edit the filter definition and label.
- Exclude results
- Switch from a positive filter to a negative filter, and vice versa.
- Temporarily disable
- Disable the filter without removing it. Click again to reenable the filter.
- Delete
- Delete the filter.
To apply an action to all filters, click the Actions icon, and then select the action.
Modify the filter query
editYou can directly modify the query that filters your search results. This enables you to create more complex filters using multiple fields.
- Click the filter tag, and then select Edit > Edit Query DSL.
-
Edit the query for the filter.
For example, if you are using the sample log data, you can use the bool query to create a filter that displays the hits that originated from Canada or China that resulted in a 404 error:
{ "bool": { "should": [ { "term": { "geoip.country_name.raw": "Canada" } }, { "term": { "geoip.country_name.raw": "China" } } ], "must": [ { "term": { "response": "404" } } ] } }