-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into alerting/interval-to-schedule
- Loading branch information
Showing
633 changed files
with
15,477 additions
and
7,791 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
10.15.2 | ||
10.18.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
10.15.2 | ||
10.18.0 |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,90 +1,66 @@ | ||
[[document-context]] | ||
== Viewing Document Context | ||
== Viewing a document in context | ||
|
||
For certain applications it can be useful to inspect a window of documents | ||
surrounding a specific event. The context view enables you to do just that for | ||
<<index-patterns, index patterns>> that are configured to contain time-based events. | ||
Once you've narrowed your search to a specific event, | ||
you might want to inspect the documents that occurred | ||
immediately before and after the event. With the Context view, | ||
you can do just that for index patterns that contain time-based events. | ||
|
||
To show the context surrounding an anchor document, click the *Expand* button | ||
image:images/ExpandButton.jpg[Expand Button] to the left of the document's | ||
table entry and then click the *View surrounding documents* link. | ||
To open the Context view, click the expand icon (<) in the document table, and then click | ||
*View surrounding documents.* | ||
|
||
image::images/Expanded-Document.png[Expanded Document] | ||
{nbsp} | ||
The documents are sorted | ||
by the time field specified in the index pattern and displayed using the | ||
same set of columns as the *Discover* view from which the context was opened. | ||
The anchor document is highlighted in blue. | ||
|
||
The context view displays a number of documents before and after the anchor | ||
document. The anchor document itself is highlighted in blue. The view is sorted | ||
by the time field specified in the index pattern configuration and uses the | ||
same set of columns as the Discover view the context was opened from. If there | ||
are multiple documents with the same time field value, the internal document | ||
order is used as a secondary sorting criterion by default. | ||
|
||
[NOTE] | ||
-- | ||
The field used for tiebreaking in case of equal time field values can be | ||
configured using the advanced setting `context:tieBreakerFields` in | ||
<<advanced-options, *Management > Advanced Settings*>>, which defaults to the | ||
`_doc` field. The value of this setting can be a comma-separated list of field | ||
names, which will be checked in sequence for suitability when a context is | ||
about to be displayed. The first suitable field is then used as the tiebreaking | ||
field. A field is suitable if the field exists and is sortable in the index | ||
pattern the context is based on. | ||
|
||
While not required, it is recommended to only | ||
use fields which have {ref}/doc-values.html[doc values] enabled to achieve | ||
good performance and avoid unnecessary {ref}/modules-fielddata.html[field | ||
data] usage. Common examples for suitable fields include log line numbers, | ||
monotonically increasing counters and high-precision timestamps. | ||
-- | ||
|
||
[role="screenshot"] | ||
image::images/Discover-ContextView.png[Context View] | ||
|
||
NOTE: The number of documents displayed by default can be configured | ||
via the `context:defaultSize` setting in <<advanced-options, *Management > | ||
Advanced Settings*>>. | ||
|
||
[float] | ||
[[change-context-size]] | ||
=== Changing the Context Size | ||
|
||
You can change the number documents displayed before and after the anchor | ||
document independently. | ||
|
||
To increase the number of displayed documents that are newer than the anchor | ||
document, click the *Load 5 more* button above the document list or enter the | ||
desired number into the input box right of the button. | ||
|
||
image::images/Discover-ContextView-SizePicker-Newer.png[] | ||
{nbsp} | ||
|
||
To increase the number of displayed documents that are older than the anchor | ||
document, click the *Load 5 more* button below the document list or enter the | ||
desired number into the input box right of the button. | ||
[[filter-context]] | ||
=== Filter the context | ||
|
||
image::images/Discover-ContextView-SizePicker-Older.png[] | ||
{nbsp} | ||
The | ||
filters you applied in *Discover* are carried over to the Context view. Pinned filters remain active, while normal | ||
filters are copied in a disabled state. You can re-enable these filters to | ||
refine your context view. | ||
|
||
NOTE: The default number of documents loaded with each button click can be | ||
configured via the `context:step` setting in <<advanced-options, *Management > | ||
Advanced Settings*>>. | ||
If the Context view contains a large number of documents not related to the event under | ||
investigation, you can use filters to restrict the documents to | ||
display. | ||
|
||
[float] | ||
[[filter-context]] | ||
=== Filtering the Context | ||
|
||
Depending on how the documents are partitioned into index patterns, the context | ||
view might contain a large number of documents not related to the event under | ||
investigation. In order to adapt the focus of the context view to the task at | ||
hand, you can use filters to restrict the documents considered by Kibana for | ||
display in the context view. | ||
|
||
When switching from the discover view to the context view, the previously | ||
applied filters are carried over. Pinned filters remain active while normal | ||
filters are copied in a disabled state. You can selectively re-enabled them to | ||
refine your context view. | ||
[[change-context-size]] | ||
=== Change the number of surrounding documents | ||
|
||
New filters can be added via the *Add a filter* link in the filter bar, by | ||
clicking the filter icons appearing when hovering a field, or by expanding | ||
documents and clicking the filter icons in the table. | ||
By default, the five newest and oldest | ||
documents are listed. To increase the number of documents that surround the anchor document, | ||
click *Load*. Five documents are added with each click. | ||
|
||
image::images/Discover-ContextView-FilterMontage.png[] | ||
[float] | ||
[[configure-context-ContextView]] | ||
=== Configure the context view | ||
|
||
To configure the Context view, use these settings in <<advanced-options, | ||
Advanced Settings>>. | ||
|
||
[horizontal] | ||
`context:defaultSize`:: The number of documents to display by default. | ||
`context:step`:: The default number of documents to load with each button click. | ||
`context:tieBreakerFields`:: The field to use for tiebreaking in case of equal time field values. | ||
The default is the | ||
`_doc` field. | ||
+ | ||
You can enter a comma-separated list of field | ||
names, which is checked in sequence for suitability when a context is | ||
displayed. The first suitable field is used as the tiebreaking | ||
field. A field is suitable if the field exists and is sortable in the index | ||
pattern the context is based on. | ||
+ | ||
Although not required, it is recommended to only | ||
use fields that have {ref}/doc-values.html[doc values] enabled to achieve | ||
good performance and avoid unnecessary {ref}/modules-fielddata.html[field | ||
data] usage. Common examples for suitable fields include log line numbers, | ||
monotonically increasing counters and high-precision timestamps. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,69 +1,55 @@ | ||
[[document-data]] | ||
== Viewing Document Data | ||
== Viewing document data | ||
|
||
When you submit a search query, the 500 most recent documents that match the query | ||
are listed in the Documents table. You can configure the number of documents shown | ||
in the table by setting the `discover:sampleSize` property in <<advanced-options, | ||
Advanced Settings>>. By default, the table shows the localized version of the time | ||
field configured for the selected <<index-patterns, index pattern>> and the document `_source`. You can | ||
<<adding-columns, add fields to the Documents table>> from the Fields list. | ||
You can <<sorting, sort the listed documents>> by any indexed field that's included | ||
in the table. | ||
|
||
To view a document's field data, click the *Expand* button | ||
image:images/ExpandButton.jpg[Expand Button] to the left of the document's table | ||
entry. | ||
|
||
image::images/Expanded-Document.png[] | ||
|
||
To view the original JSON document (pretty-printed), click the *JSON* tab. | ||
|
||
To view the document data as a separate page, click the *View single document* | ||
link. You can bookmark and share this link to provide direct access to a | ||
particular document. | ||
|
||
To display or hide a field's column in the Documents table, click the | ||
image:images/add-column-button.png[Add Column] *Toggle column in table* button. | ||
|
||
To collapse the document details, click the *Collapse* button | ||
image:images/CollapseButton.jpg[Collapse Button]. | ||
When you submit a search query in *Discover*, the most recent documents that match the query | ||
are listed in the documents table. | ||
By default, the table includes columns for | ||
the time field and the document `_source`, which shows all fields and values in the document. | ||
|
||
[float] | ||
[[sorting]] | ||
=== Sorting the Document List | ||
You can sort the documents in the Documents table by the values in any indexed | ||
field. If a time field is configured for the current index pattern, the | ||
documents are sorted in reverse chronological order by default. | ||
|
||
To change the sort order, hover over the name of the field you want to sort by | ||
and click the sort button. Click again to reverse the sort order. | ||
=== Modify the document table | ||
|
||
Use the following commands to | ||
tailor the documents table to suit your needs. | ||
|
||
[horizontal] | ||
Add a field column:: | ||
Hover over the list of *Available fields* and then click *add* next to each field you want include as a column in the table. | ||
The first field you add replaces the `_source` column. | ||
Change sort order:: By default, columns are sorted by the values in the field. | ||
If a time field is configured for the current index pattern, | ||
the documents are sorted in reverse chronological order. | ||
+ | ||
To change the sort order, hover over the column | ||
and click image:images/sort-icon.png[]. | ||
The first click sorts by ascending order, the second click sorts by descending order, and the third | ||
click removes the field from the sorted fields. | ||
|
||
Move a field column:: Hover over the column header and click the move left (<<) or move right icon (>>). | ||
Remove a field column :: Hover over the list of *Specified fields* | ||
and then click *remove*. | ||
Or, use the (x) control in the column header. | ||
|
||
[float] | ||
[[adding-columns]] | ||
=== Adding Field Columns to the Documents Table | ||
By default, the Documents table shows the localized version of the time field | ||
that's configured for the selected index pattern and the document `_source`. | ||
You can add fields to the table from the Fields list or from a document's | ||
field data. | ||
|
||
To add a field column from the Fields list, hover over the field and click its | ||
*add* button. | ||
=== Drill down into field-level details | ||
To view the document data in either table or JSON format, click the expand icon (>). | ||
The expanded view provides these options for viewing your document: | ||
|
||
To add a field column from a document's field data, expand the document | ||
and click the field's | ||
image:images/add-column-button.png[Add Column] *Toggle column in table* button. | ||
* View the events that surround your document. | ||
For example, you might want to see the 10 documents that occurred | ||
immediately before and after your event. | ||
|
||
Added field columns replace the `_source` column in the Documents table. The added | ||
fields are also added to the *Selected Fields* list. | ||
* View the document data as a separate page. You can bookmark and | ||
share the link for direct access to a particular document. | ||
|
||
To rearrange the field columns, hover over the header of the column you want to move | ||
and click the *Move left* or *Move right* button. | ||
[role="screenshot"] | ||
image::images/Expanded-Document.png[] | ||
|
||
image:images/Discover-MoveColumn.jpg[Move Column] | ||
|
||
[float] | ||
[[removing-columns]] | ||
=== Removing Field Columns from the Documents Table | ||
To remove a field column from the Documents table, hover over the header of the | ||
column you want to remove and click the *Remove* button | ||
image:images/RemoveFieldButton.jpg[Remove Field Button]. | ||
=== Configure the number of documents to show | ||
|
||
By default, the documents table includes the 500 most recent documents that | ||
match the query. To change this number, set the `discover:sampleSize` property in <<advanced-options, | ||
Advanced Settings>>. |
Oops, something went wrong.