[7.2] [Logs UI][skip ci] Document the customizable columns feature (#37021) (#38870)

Backports the following commits to 7.2:
 - [Logs UI][skip ci] Document the customizable columns feature  (#37021)

docs/logs/configuring.asciidoc

@@ -0,0 +1,97 @@
+[role="xpack"]
+[[xpack-logs-configuring]]
+
+:ecs-link: {ecs-ref}[Elastic Common Schema (ECS)]
+
+== Configuring the Logs UI
+
+The `filebeat-*` index pattern is used to query data by default. If your logs
+are located in a different set of indices, use a different timestamp field, or
+contain parsed fields which you want to expose as individual columns, you can
+adjust the source configuration via the user interface or the {kib}
+configuration file.
+
+NOTE: Logs and Infrastructure share a common data source definition in
+each space. Changes in one of them can influence the data displayed in the
+other.
+
+[float]
+=== Configure source
+
+*Configure source* can be accessed via
+image:logs/images/logs-configure-source-gear-icon.png[Configure source icon]
+in the toolbar.
+
+[role="screenshot"]
+image::logs/images/logs-configure-source.png[Configure Logs UI source button in Kibana]
+
+This opens the source configuration fly-out dialog with multiple tabs, where
+you can inspect and adjust various index settings and log column configuration.
+
+TIP: If <<xpack-spaces>> are enabled in your Kibana instance, any configuration
+changes performed via *Configure source* are specific to that space. You can
+therefore easily make different subsets of the data available by creating
+multiple spaces with different data source configurations.
+
+[float]
+[[logs-read-only-access]]
+==== Read only access
+When you have insufficient privileges to change the source configuration, the
+following indicator in Kibana will be displayed, and the buttons to change the
+source configuration won't be visible. For more information, see
+<<xpack-security-authorization>>.
+
+[role="screenshot"]
+image::logs/images/read-only-badge.png[Example of Logs' read only access indicator in Kibana's header]
+
+[float]
+==== Indices and fields configuration
+
+The *Indices and fields* tab provides access to the following configuration
+items:
+
+* *Name*: The name of the source configuration.
+* *Indices*: The patterns of the Elasticsearch indices to read metrics and logs
+  from.
+* *Fields*: The names of particular fields in the indices that need to be known
+  to the Infrastructure and Logs UIs in order to query and interpret the data
+  correctly.
+
+[role="screenshot"]
+image::logs/images/logs-configure-source-dialog-indices-tab.png[Configure logs UI source indices and fields dialog in Kibana]
+
+[float]
+==== Log columns configuration
+
+The *Log columns* tab enables you to change the set of columns that are
+displayed in the Logs UI. By default the following columns are shown:
+
+* *Timestamp*: The log entry's timestamp as defined in the `timestamp` field.
+* *events.dataset*: The event dataset as indicated by this {ecs-link} field.
+* *Message*: The message extracted from the document. The exact content of that
+  field depends on the type of log message. If no special type is detected, the
+  {ecs-link} field `message` is used.
+
+[role="screenshot"]
+image::logs/images/logs-configure-source-dialog-log-columns-tab.png[Configure logs UI source columns dialog in Kibana]
+
+To add a new column, click
+image:logs/images/logs-configure-source-dialog-add-column-button.png[Add column]
+above the list. This will cause a popover to be shown in which you can filter a
+list of the available fields and select one for inclusion:
+
+[role="screenshot"]
+image::logs/images/logs-configure-source-dialog-add-column-popover.png[Configure logs UI source add columns popover in Kibana]
+
+To remove a column, click
+image:logs/images/logs-configure-source-dialog-remove-column-button.png[Remove column]
+in the respective entry. The list must contain at least one column to apply the
+changes.
+
+[float]
+=== Configuration file
+
+The settings in the configuration file are used as a fallback when no other
+configuration for that space has been defined. They are located in the
+configuration namespace `xpack.infra.sources.default`. See
+<<logs-ui-settings-kb>> for a complete list of the possible entries.

docs/logs/getting-started.asciidoc

@@ -0,0 +1,10 @@
+[role="xpack"]
+[[xpack-logs-getting-started]]
+== Getting started with the Logs UI
+
+Kibana provides step-by-step instructions to help you add log data. The
+{infra-guide}[Infrastructure Monitoring Guide] is a good source for more
+detailed information and instructions.
+
+[role="screenshot"]
+image::logs/images/logs-add-data.png[Included data ingestion tutorials in Kibana]

docs/logs/index.asciidoc

@@ -4,80 +4,20 @@
 
 [partintro]
 --
-
 Use the Logs UI to explore logs for common servers, containers, and services.  
 {kib} provides a compact, console-like display that you can customize.
 
+* <<xpack-logs-getting-started>>
+* <<xpack-logs-using>>
+* <<xpack-logs-configuring>>
+
 [role="screenshot"]
 image::logs/images/logs-console.png[Log Console in Kibana]
 
-
-[float]
-== Add data
-
-Kibana provides step-by-step instructions to help you add log data. The
-{infra-guide}[Infrastructure Monitoring Guide] is a good source for more
-detailed information and instructions.
-
-[float]
-== Configure data sources 
-
-The `filebeat-*` index pattern is used to query data by default.
-If your logs are located in a different set of indices, or use a different
-timestamp field, you can adjust the source configuration via the user interface
-or the {kib} configuration file.
-
-NOTE: Logs and Infrastructure share a common data source definition in
-each space. Changes in one of them can influence the data displayed in the
-other.
-
-[float]
-=== Configure source
-
-Configure source can be accessed via the corresponding
-image:logs/images/logs-configure-source-gear-icon.png[Configure source icon]
-button in the toolbar.
-
-[role="screenshot"]
-image::logs/images/logs-configure-source.png[Configure Logs UI source button in Kibana]
-
-This opens the source configuration fly-out dialog, in which the following
-configuration items can be inspected and adjusted:
-
-* *Name*: The name of the source configuration.
-* *Indices*: The patterns of the elasticsearch indices to read metrics and logs
-  from.
-* *Fields*: The names of particular fields in the indices that need to be known
-  to the Infrastructure and Logs UIs in order to query and interpret the data
-  correctly.
-
-[role="screenshot"]
-image::logs/images/logs-configure-source-dialog.png[Configure logs UI source dialog in Kibana]
-
-TIP: If <<xpack-spaces>> are enabled in your Kibana instance, any configuration
-changes performed via Configure source are specific to that space. You can
-therefore easily make different subsets of the data available by creating
-multiple spaces with different data source configurations.
-
-[float]
-[[logs-read-only-access]]
-=== Read only access
-When you have insufficient privileges to change the source configuration, the following
-indicator in Kibana will be displayed. The buttons to change the source configuration
-won't be visible. For more information on granting access to
-Kibana see <<xpack-security-authorization>>.
-
-[role="screenshot"]
-image::logs/images/read-only-badge.png[Example of Logs' read only access indicator in Kibana's header]
-
-[float]
-=== Configuration file
-
-The settings in the configuration file are used as a fallback when no other
-configuration for that space has been defined. They are located in the
-configuration namespace `xpack.infra.sources.default`. See
-<<logs-ui-settings-kb>> for a complete list of the possible entries.
-
 --
 
-include::logs-ui.asciidoc[]
+include::getting-started.asciidoc[]
+
+include::using.asciidoc[]
+
+include::configuring.asciidoc[]

docs/logs/logs-ui.asciidoc

@@ -1,41 +0,0 @@
-[role="xpack"]
-[[logs-ui]]
-== Using the Logs UI
-
-Customize the Logs UI to focus on the data you want to see and control how you see it.
-
-[role="screenshot"]
-image::logs/images/logs-console.png[Log Console in Kibana]
-
-[float]
-[[logs-search]]
-=== Use the power of Search
-The Search bar is always available. Use it to perform adhoc and structured searches.
-
-[float]
-[[logs-configure-source]]
-=== Adapt to your log source
-Using a custom index pattern to store the log entries, or want to limit the
-entries presented in a space? Use configure source to change the index pattern
-and other settings.
-
-[float]
-[[logs-time]]
-=== Jump to a specific time period
-Use the time selector to focus on a specific timeframe.  
-
-[float]
-[[logs-customize]]
-=== Customize your view
-Use *Customize* to adjust your console view and to set the time scale of the log data.
-
-* *Text size.*  Select `Small`, `Medium`, or `Large`.
-* *Wrap long lines.* Enable or disable line wrap.
-* *Minimap Scale.* Set the scale to 'year', 'month', 'week', 'day', 'hour', or 'minute'. 
-
-[float]
-[[logs-stream]]
-=== Stream or pause logs
-You can stream data for live log tailing, or pause streaming to focus on historical log data. 
-When you are streaming logs, the most recent log appears at the bottom on the console. 
-Historical data offers infinite scrolling. 

docs/logs/using.asciidoc

@@ -0,0 +1,73 @@
+[role="xpack"]
+[[xpack-logs-using]]
+== Using the Logs UI
+
+Customize the Logs UI to focus on the data you want to see and control how you see it.
+
+[role="screenshot"]
+image::logs/images/logs-console.png[Log Console in Kibana]
+
+[float]
+[[logs-search]]
+=== Use the power of Search
+The Search bar is always available. Use it to perform adhoc and structured
+searches by taking advantage of the <<kuery-query>> with autocompletion
+suggestions.
+
+[role="screenshot"]
+image::logs/images/logs-usage-query-bar.png[Logs query bar]
+
+[float]
+[[logs-configure-source]]
+=== Adapt to your log source
+Using a custom index pattern to store the log entries, want to limit the
+entries presented in a space or change the fields displayed in the columns? Use
+<<xpack-logs-configuring,configure source>> to change the index pattern and
+other settings.
+
+[role="screenshot"]
+image::logs/images/logs-usage-column-headers.png[Logs column headers]
+
+[float]
+[[logs-time]]
+=== Jump to a specific time period
+Use the time selector to focus on a specific timeframe.
+
+[role="screenshot"]
+image::logs/images/logs-usage-time-picker.png[Logs time selector]
+
+To quickly jump to a nearby point in time, click on the timeline to the right.
+
+[role="screenshot"]
+image::logs/images/logs-usage-timeline.png[Logs timeline]
+
+
+[float]
+[[logs-customize]]
+=== Customize your view
+Use *Customize* to adjust your console view and to set the time scale of the log data.
+
+* *Text size.*  Select `Small`, `Medium`, or `Large`.
+* *Wrap long lines.* Enable or disable line wrap.
+* *Minimap Scale.* Set the scale to 'year', 'month', 'week', 'day', 'hour', or 'minute'. 
+
+[role="screenshot"]
+image::logs/images/logs-usage-customize.png[Logs view customization popover]
+
+[float]
+[[logs-stream]]
+=== Stream or pause logs
+You can stream data for live log tailing, or pause streaming to focus on historical log data. 
+
+[role="screenshot"]
+image::logs/images/logs-usage-start-streaming.png[Logs start streaming]
+
+[role="screenshot"]
+image::logs/images/logs-usage-stop-streaming.png[Logs stop streaming]
+
+When you are streaming logs, the most recent log appears at the bottom on the console. 
+
+[role="screenshot"]
+image::logs/images/logs-usage-streaming-indicator.png[Logs streaming indicator]
+
+Historical data offers infinite scrolling.