[DOCS] Adds concepts section for analysts (#96675)

* [DOCS] Adds concepts section for analysts * [DOCS] Minor tweaks to concepts doc * Update docs/concepts/index.asciidoc Co-authored-by: Wylie Conlon <wylieconlon@gmail.com> * Update docs/concepts/save-query.asciidoc Co-authored-by: Wylie Conlon <wylieconlon@gmail.com> Co-authored-by: Wylie Conlon <wylieconlon@gmail.com>
2025-04-24 01:38:56 -04:00 · 2021-04-13 07:49:38 -07:00 · 2021-04-13 07:49:38 -07:00 · 417776d9b6
commit 417776d9b6
parent 27c191d405
8 changed files with 190 additions and 0 deletions
--- a/docs/concepts/images/add-filter-popup.png
+++ b/docs/concepts/images/add-filter-popup.png
--- a/docs/concepts/images/global-search.png
+++ b/docs/concepts/images/global-search.png
--- a/docs/concepts/images/refresh-every.png
+++ b/docs/concepts/images/refresh-every.png
--- a/docs/concepts/images/save-icon.png
+++ b/docs/concepts/images/save-icon.png
--- a/docs/concepts/images/top-bar.png
+++ b/docs/concepts/images/top-bar.png
--- a/docs/concepts/index.asciidoc
+++ b/docs/concepts/index.asciidoc
@ -0,0 +1,149 @@
+[[kibana-concepts-analysts]]
+== {kib} concepts for analysts
+**_Learn the shared concepts for analyzing and visualizing your data_**
+
+As an analyst, you will use a combination of {kib} apps to analyze and
+visualize your data. {kib} contains both general-purpose apps and apps for the
+https://www.elastic.co/guide/en/enterprise-search/current/index.html[*Enterprise Search*],
+{observability-guide}/observability-introduction.html[*Elastic Observability*],
+and {security-guide}/es-overview.html[*Elastic Security*] solutions.
+These apps share a common set of concepts.
+
+[float]
+=== Three things to know about {es}
+
+You don't need to know everything about {es} to use {kib}, but the most important concepts follow:
+
+* *{es} makes JSON documents searchable and aggregatable.* The documents are
+stored in an {ref}/documents-indices.html[index] or {ref}/data-streams.html[data stream], which represent one type of data.
+
+* **_Searchable_ means that you can filter the documents for conditions.**
+For example, you can filter for data "within the last 7 days" or data that "contains the word {kib}".
+{kib} provides many ways for you to construct filters, which are also called queries or search terms.
+
+* **_Aggregatable_ means that you can extract summaries from matching documents.**
+The simplest aggregation is *count*, and it is frequently used in combination
+with the *date histogram*, to see count over time. The *terms* aggregation shows the most frequent values.
+
+[float]
+=== Finding your apps and objects
+
+{kib} offers a <<kibana-navigation-search,global search bar>> on every page that you can use to find any app or saved object.
+Open the search bar using the keyboard shortcut Ctrl+/ on Windows and Linux, Command+/ on MacOS.
+
+[role="screenshot"]
+image:concepts/images/global-search.png["Global search showing matches to apps and saved objects for the word visualize"]
+
+[float]
+=== Accessing data with index patterns
+
+{kib} requires an index pattern to tell it which {es} data you want to access,
+and whether the data is time-based. An index pattern can point to one or more {es}
+data streams, indices, or index aliases by name.
+For example, `logs-elasticsearch-prod-*` is an index pattern,
+and it is time-based with a time field of `@timestamp`. The time field is not editable.
+
+Index patterns are typically created by an administrator when sending data to {es}.
+You can <<index-patterns,create or update index patterns>> in *Stack Management*, or by using a script
+that accesses the {kib} API.
+
+{kib} uses the index pattern to show you a list of fields, such as
+`event.duration`. You can customize the display name and format for each field.
+For example, you can tell Kibana to display `event.duration` in seconds.
+{kib} has <<managing-fields,field formatters>> for strings,
+dates, geopoints,
+and numbers.
+
+[float]
+=== Searching your data
+
+{kib} provides you several ways to build search queries,
+which will reduce the number of document matches that you get from {es}.
+Each app in {kib} provides a time filter, and most apps also include semi-structured search and extra filters.
+
+[role="screenshot"]
+image:concepts/images/top-bar.png["Time filter, semi-structured search, and filters in a {kib} app"]
+
+If you frequently use any of the search options, you can click the
+save icon
+image:concepts/images/save-icon.png["save icon"] next to the
+semi-structured search to save or load a previously saved query.
+The saved query will always contain the semi-structured search query,
+and can optionally contain the time filter and extra filters.
+
+[float]
+==== Time filter
+
+The <<set-time-filter, global time filter>> limits the time range of data displayed.
+In most cases, the time filter applies to the time field in the index pattern,
+but some apps allow you to use a different time field.
+
+Using the time filter, you can configure a refresh rate to periodically
+resubmit your searches. You can also click *Refresh* to resubmit the search.
+This might be useful if you use {kib} to monitor the underlying data.
+
+[role="screenshot"]
+image:concepts/images/refresh-every.png["section of time filter where you can configure a refresh rate"]
+
+
+[float]
+==== Semi-structured search
+
+Combine free text search with field-based search using the Kibana Query Language (KQL).
+Type a search term to match across all fields, or start typing a field name to
+get suggestions for field names and operators that you can use to build a structured query.
+The semi-structured search will filter documents for matches, and only return matching documents.
+
+Following are some example KQL queries.  For more detailed examples, refer to <<kuery-query,Kibana Query Language>>.
+
+[cols=2*]
+|===
+| Exact phrase query
+| `http.response.body.content.text:"quick brown fox"`
+
+| Terms query
+| http.response.status_code:400 401 404
+
+| Boolean query
+| `response:200 or extension:php`
+
+| Range query
+| `account_number >= 100 and items_sold <= 200`
+
+| Wildcard query
+| `machine.os:win*`
+|===
+
+[float]
+==== Additional filters with AND
+
+Structured filters are a more interactive way to create {es} queries,
+and are commonly used when building dashboards that are shared by multiple analysts.
+Each filter can be disabled, inverted, or pinned across all apps.
+The structured filters are the only way to use the {es} Query DSL in JSON form,
+or to target a specific index pattern for filtering. Each of the structured
+filters is combined with AND logic on the rest of the query.
+
+[role="screenshot"]
+image:concepts/images/add-filter-popup.png["Add filter popup"]
+
+[float]
+=== Saving objects
+{kib} lets you save objects for your own future use or for sharing with others.
+Each <<managing-saved-objects,saved object>> type has different abilities. For example, you can save
+your search queries made with *Discover*, which lets you:
+
+* Share a link to your search
+* Download the full search results in CSV form
+* Start an aggregated visualization using the same search query
+* Embed the *Discover* search results into a dashboard
+* Embed the *Discover* search results into a Canvas workpad
+
+For organization, every saved object can have a name, <<kibana-navigation-search,tags>>, and type.
+Use the global search to quickly open a saved object.
+
+[float]
+=== What's next?
+
+* Try the {kib} <<get-started,Quick start>>, which shows you how to put these concepts into action.
+* Go to <<discover, Discover>> for instructions on searching your data.
--- a/docs/concepts/save-query.asciidoc
+++ b/docs/concepts/save-query.asciidoc
@ -0,0 +1,39 @@
+[[save-load-delete-query]]
+== Save a query
+A saved query is a collection of query text and filters that you can
+reuse in any app with a query bar, like <<discover, *Discover*>> and <<dashboard, *Dashboard*>>. Save a query when you want to:
+
+* Retrieve results from the same query at a later time without having to reenter the query text, add the filters or set the time filter
+* View the results of the same query in multiple apps
+* Share your query
+
+Saved queries don't include information specific to *Discover*,
+such as the currently selected columns in the document table, the sort order, and the index pattern.
+To save your current view of *Discover* for later retrieval and reuse,
+create a <<save-open-search, saved search>> instead.
+
+NOTE::
+
+If you have insufficient privileges to save queries, the *Save current query*
+button isn't visible in the saved query management popover.
+For more information, see <<xpack-security-authorization, Granting access to Kibana>>
+
+. Click *#* in the query bar.
+. In the popover, click *Save current query*.
+
+[role="screenshot"]
+image::discover/images/saved-query-management-component-all-privileges.png["Example of the saved query management popover with a list of saved queries with write access",width="80%"]
+
+. Enter a name, a description, and then select the filter options.
+By default, filters are automatically included, but the time filter is not.
+
+[role="screenshot"]
+image::discover/images/saved-query-save-form-default-filters.png["Example of the saved query management save form with the filters option included and the time filter option excluded",width="80%"]
+. Click *Save*.
+. To load a saved query into *Discover* or *Dashboard*, open the *Saved search* popover, and select the query.
+. To manage your saved queries, use these actions in the popover:
+
+* Save as new:  Save changes to the current query.
+* Clear.  Clear a query that is currently loaded in an app.
+* Delete.  You can’t recover a deleted query.
+. To import and export saved queries, go to <<managing-saved-objects, Saved Objects in Management>>.
--- a/docs/user/index.asciidoc
+++ b/docs/user/index.asciidoc
@ -2,6 +2,8 @@ include::introduction.asciidoc[]

 include::whats-new.asciidoc[]

+include::{kib-repo-dir}/concepts/index.asciidoc[]
+
 include::{kib-repo-dir}/getting-started/quick-start-guide.asciidoc[]

 include::setup.asciidoc[]