[DOCS] Reorganizes concepts and discover sections (#97019) (#97877)

* [DOCS] Reorganizes concepts and discover sections

* [DOCS] Updates time filter and saved query sections

* Update docs/discover/save-search.asciidoc

Co-authored-by: Wylie Conlon <wylieconlon@gmail.com>

* [DOCS] Updates time filter and saved query doc

* [DOCS] Updates images

* [DOCS] Adds missing images

* [DOCS] Minor edits

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Wylie Conlon <wylieconlon@gmail.com>

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Wylie Conlon <wylieconlon@gmail.com>

docs/concepts/index-patterns.asciidoc

@@ -1,5 +1,5 @@
 [[index-patterns]]
-== Create an index pattern
+=== Create an index pattern
 
 {kib} requires an index pattern to access the {es} data that you want to explore.
 An index pattern selects the data to use and allows you to define properties of the fields.
@@ -126,7 +126,7 @@ pattern:
 ```
 
 You can use exclusions to exclude indices that might contain mapping errors.
-To match indices starting with `logstash-`, and exclude those starting with `logstash-old` from 
+To match indices starting with `logstash-`, and exclude those starting with `logstash-old` from
 all clusters having a name starting with `cluster_`, you can use `cluster_*:logstash-*,cluster*:logstash-old*`.
 To exclude a cluster, use `cluster_*:logstash-*,cluster_one:-*`.
 
@@ -152,7 +152,7 @@ move between {kib} apps.
 image:management/index-patterns/images/new-index-pattern.png["Create index pattern"]
 
 [float]
-==== Format the display of common field types
+=== Format the display of common field types
 
 Whenever possible, {kib} uses the same field type for display as
 {es}. However, some field types that {es} supports are not available

docs/concepts/index.asciidoc

@@ -1,5 +1,5 @@
 [[kibana-concepts-analysts]]
-== {kib} concepts for analysts
+== {kib} concepts
 **_Learn the shared concepts for analyzing and visualizing your data_**
 
 As an analyst, you will use a combination of {kib} apps to analyze and
@@ -65,7 +65,7 @@ Each app in {kib} provides a time filter, and most apps also include semi-struct
 image:concepts/images/top-bar.png["Time filter, semi-structured search, and filters in a {kib} app"]
 
 If you frequently use any of the search options, you can click the
-save icon
+save query icon
 image:concepts/images/save-icon.png["save icon"] next to the
 semi-structured search to save or load a previously saved query.
 The saved query will always contain the semi-structured search query,
@@ -127,6 +127,7 @@ filters is combined with AND logic on the rest of the query.
 [role="screenshot"]
 image:concepts/images/add-filter-popup.png["Add filter popup"]
 
+
 [float]
 === Saving objects
 {kib} lets you save objects for your own future use or for sharing with others.
@@ -147,3 +148,14 @@ Use the global search to quickly open a saved object.
 
 * Try the {kib} <<get-started,Quick start>>, which shows you how to put these concepts into action.
 * Go to <<discover, Discover>> for instructions on searching your data.
+
+
+include::index-patterns.asciidoc[]
+
+include::set-time-filter.asciidoc[]
+
+include::kuery.asciidoc[]
+
+include::lucene.asciidoc[]
+
+include::save-query.asciidoc[]

docs/concepts/lucene.asciidoc

@@ -0,0 +1,51 @@
+[[lucene-query]]
+=== Lucene query syntax
+Lucene query syntax is available to {kib} users who opt out of the <<kuery-query>>.
+Full documentation for this syntax is available as part of {es}
+{ref}/query-dsl-query-string-query.html#query-string-syntax[query string syntax].
+
+The main reason to use the Lucene query syntax in {kib} is for advanced
+Lucene features, such as regular expressions or fuzzy term matching. However,
+Lucene syntax is not able to search nested objects or scripted fields.
+
+To perform a free text search, simply enter a text string. For example, if
+you're searching web server logs, you could enter `safari` to search all
+fields:
+
+[source,yaml]
+-------------------
+safari
+-------------------
+
+To search for a value in a specific field, prefix the value with the name
+of the field:
+
+[source,yaml]
+-------------------
+status:200
+-------------------
+
+To search for a range of values, use the bracketed range syntax,
+`[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx
+status codes, you could enter `status:[400 TO 499]`.
+
+[source,yaml]
+-------------------
+status:[400 TO 499]
+-------------------
+
+For an open range, use a wildcard:
+
+[source,yaml]
+-------------------
+status:[400 TO *]
+-------------------
+
+To specify more complex search criteria, use the boolean operators
+`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
+codes and have an extension of `php` or `html`:
+
+[source,yaml]
+-------------------
+status:[400 TO 499] AND (extension:php OR extension:html)
+-------------------

docs/concepts/save-query.asciidoc

@@ -1,39 +1,45 @@
 [[save-load-delete-query]]
-== Save a query
-A saved query is a collection of query text and filters that you can
-reuse in any app with a query bar, like <<discover, *Discover*>> and <<dashboard, *Dashboard*>>. Save a query when you want to:
+=== Save a query
 
-* Retrieve results from the same query at a later time without having to reenter the query text, add the filters or set the time filter
-* View the results of the same query in multiple apps
-* Share your query
+Have you ever built a query that you wanted to reuse?
+With saved queries, you can save your query text, filters, and time range for
+reuse anywhere a query bar is present.
 
-Saved queries don't include information specific to *Discover*,
-such as the currently selected columns in the document table, the sort order, and the index pattern.
-To save your current view of *Discover* for later retrieval and reuse,
-create a <<save-open-search, saved search>> instead.
+For example, suppose you're in *Discover*, and you've put time into building
+a query that includes query input text, multiple filters, and a specific time range.
+Save this query, and you can embed the search results in dashboards,
+use them as a foundation for building a visualization,
+and share them in a link or CVS form.
 
-NOTE::
+[role="screenshot"]
+image:concepts/images/saved-query.png["Example of the saved query management popover with a list of saved queries"]
 
-If you have insufficient privileges to save queries, the *Save current query*
-button isn't visible in the saved query management popover.
+
+Saved queries are different than <<save-open-search,saved searches>>,
+which include the *Discover* configuration&mdash;selected columns in the document table, sort order, and
+index pattern&mdash;in addition to the query.
+Saved searches are primarily used for adding search results to a dashboard.
+
+[role="xpack"]
+==== Read-only access
+If you have insufficient privileges to save queries,
+the *Save* button isn't visible in the saved query management popover.
 For more information, see <<xpack-security-authorization, Granting access to Kibana>>
 
-. Click *#* in the query bar.
+==== Save a query
+
+. Once you’ve built a query worth saving, click the save query icon image:concepts/images/save-icon.png["save query icon"].
 . In the popover, click *Save current query*.
-+
-[role="screenshot"]
-image::discover/images/saved-query-management-component-all-privileges.png["Example of the saved query management popover with a list of saved queries with write access",width="80%"]
-+
-. Enter a name, a description, and then select the filter options.
+. Enter a unique name to identify the query and an optional description that will appear in a tooltip in the saved query popover.
+. Choose whether to include or exclude filters and a time range.
 By default, filters are automatically included, but the time filter is not.
 +
 [role="screenshot"]
-image::discover/images/saved-query-save-form-default-filters.png["Example of the saved query management save form with the filters option included and the time filter option excluded",width="80%"]
+image:concepts/images/saved-query-popup.png["Example of the saved query management popover with a list of saved queries"]
+
 . Click *Save*.
-. To load a saved query into *Discover* or *Dashboard*, open the *Saved search* popover, and select the query.
-. To manage your saved queries, use these actions in the popover:
+. To load a saved query, select it in the *Saved query* popover.
 +
-* Save as new:  Save changes to the current query.
-* Clear.  Clear a query that is currently loaded in an app.
-* Delete.  You can’t recover a deleted query.
-. To import and export saved queries, go to <<managing-saved-objects, Saved Objects in Management>>.
+The query text, filters, and time range are updated and your data refreshed.
+If you’re loading a saved query that did not include the filters or time range, those components remain as-is.
+. To clear, modify, and delete saved queries, use the *Saved query* popover.

docs/concepts/set-time-filter.asciidoc

@@ -0,0 +1,31 @@
+[[set-time-filter]]
+=== Set the time range
+Display data within a
+specified time range when your index contains time-based events, and a time-field is configured for the
+selected <<index-patterns, index pattern>>.
+The default time range is 15 minutes, but you can customize
+it in <<advanced-options,Advanced Settings>>.
+
+. Click image:concepts/images/time-filter-icon.png[clock icon].
+
+. Choose one of the following:
+
+* *Quick select* to use a recent time range, then use the back and forward
+  arrows to move through the time ranges.
+
+* *Commonly used* to use a time range from options such as *Last 15 minutes*,
+  *Today*, and *Week to date*.
+
+* *Recently used date ranges* to use a previously selected data range.
+
+* *Refresh every* to specify an automatic refresh rate.
++
+[role="screenshot"]
+image::concepts/images/time-filter.png[Time filter menu]
+
+. To set start and end times, click the bar next to the time filter.
+In the popup, select *Absolute*, *Relative* or *Now*, then specify the required
+options.
++
+[role="screenshot"]
+image::concepts/images/time-relative.png[Time filter showing relative time]

docs/discover/save-search.asciidoc

@@ -0,0 +1,38 @@
+[[save-open-search]]
+== Save a search
+A saved search persists your current view of Discover for
+later retrieval and reuse. You can reload a saved search into Discover,
+add it to a dashboard, and use it as the basis for a visualization.
+
+A saved search includes the query text, filters, and optionally, the time filter. A saved search also includes the selected columns in the document table, the sort order, and the current index pattern.
+
+[role="xpack"]
+[[discover-read-only-access]]
+[float]
+=== Read-only access
+When you have insufficient privileges to save searches, the following indicator in Kibana will be
+displayed and the *Save* button won't be visible. For more information on granting access to
+Kibana see <<xpack-security-authorization>>.
+
+[role="screenshot"]
+image::discover/images/read-only-badge.png[Example of Discover's read only access indicator in Kibana's header]
+[float]
+=== Save a search
+To save the current search:
+
+. Click *Save* in the toolbar.
+. Enter a name for the search and click *Save*.
+
+To import, export, and delete saved searches, open the main menu,
+then click *Stack Management > Saved Objects*.
+
+[float]
+=== Open a saved search
+To load a saved search into Discover:
+
+. Click *Open* in the toolbar.
+. Select the search you want to open.
+
+If the saved search is associated with a different index pattern than is currently
+selected, opening the saved search changes the selected index pattern. The query language
+used for the saved search will also be automatically selected.

docs/discover/search-sessions.asciidoc

@@ -1,5 +1,5 @@
 [[search-sessions]]
-=== Run a search session in the background
+== Run a search session in the background
 
 Sometimes you might need to search through large amounts of data no matter
 how long the search takes. While this might not happen often,

docs/discover/set-time-filter.asciidoc

@@ -1,56 +0,0 @@
-[[set-time-filter]]
-== Set the time filter
-If your index contains time-based events, and a time-field is configured for the
-selected <<index-patterns, index pattern>>, set a time filter that displays only the data within the
-specified time range.
-
-You can use the time filter to change the time range, or select a specific time
-range in the histogram.
-
-[float]
-[[use-time-filter]]
-=== Use the time filter
-
-Use the time filter to change the time range. By default, the time filter is set
-to the last 15 minutes.
-
-. Click image:images/time-filter-calendar.png[Calendar icon].
-
-. Choose one of the following:
-
-* *Quick select* to use a recent time range, then use the back and forward
-  arrows to move through the time ranges.
-
-* *Commonly used* to use a time range from options such as *Last 15 minutes*,
-  *Today*, and *Week to date*.
-
-* *Recently used date ranges* to use a previously selected data range that
-  you recently used.
-
-* *Refresh every* to specify an automatic refresh rate.
-+
-[role="screenshot"]
-image::images/time-filter.png[Time filter menu]
-
-. To set the start and end times, click the bar next to the time filter.
-In the popup, select *Absolute*, *Relative* or *Now*, then specify the required
-options.
-+
-[role="screenshot"]
-image::images/time-filter-bar.png[Time filter bar]
-
-[float]
-=== Select a time range from the histogram
-
-To select a specific time range in the histogram, choose one of the following:
-
-* Click the bar that represents the time range you want to zoom in on.
-
-* Click and drag to view a specific time range. You must start the selection with
-the cursor over the background of the chart--the cursor changes to a plus sign
-when you hover over a valid start point.
-
-* Click the dropdown, then select an interval.
-
-[role="screenshot"]
-image::images/Histogram-Time.png[Time range selector in Histogram dropdown]

docs/redirects.asciidoc

@@ -313,3 +313,8 @@ This content has moved. Refer to <<release-notes, Release notes>>.
 == Tutorial: Use role-based access control to customize Kibana spaces
 
 This content has moved. refer to <<tutorial-secure-access-to-kibana>>.
+
+[role="exclude",id="search"]
+== Search your data
+
+This content has moved. refer to <<kuery-query>>.

docs/user/discover.asciidoc

@@ -189,7 +189,7 @@ Saving a search saves the query and the filters.
 . In the toolbar, click **Save**.
 
 . Give your search a title, and then click **Save**.
-+ 
++
 [role="screenshot"]
 image:images/discover-save-saved-search.png[Save saved search in Discover, width=50%]
 
@@ -215,7 +215,7 @@ image:images/visualize-from-discover.png[Visualization that opens from Discover
 
 If your documents contain geo point fields (image:images/geoip-icon.png[Geo point field icon, width=20px]), you can visualize them in **Maps**.
 
-. Make sure the index pattern is set to **kibana_sample_data_ecommerce** and the configured time range 
+. Make sure the index pattern is set to **kibana_sample_data_ecommerce** and the configured time range
 contains data.
 
 . From the **Available fields** list, click `geoip.location`, and then click **Visualize**.
@@ -243,12 +243,10 @@ the table columns that display by default, and more.
 
 --
 
-include::{kib-repo-dir}/management/index-patterns.asciidoc[]
-
-include::{kib-repo-dir}/discover/set-time-filter.asciidoc[]
-
-include::{kib-repo-dir}/discover/search.asciidoc[]
-
 include::{kib-repo-dir}/discover/context.asciidoc[]
 
 include::{kib-repo-dir}/discover/search-for-relevance.asciidoc[]
+
+include::{kib-repo-dir}/discover/save-search.asciidoc[]
+
+include::{kib-repo-dir}/discover/search-sessions.asciidoc[]