Docs: Cleaning up Discover to match UI. (#8849)

docs/discover.asciidoc

@@ -9,17 +9,13 @@ You can also see the number of documents that match the search query and get fie
 configured for the selected index pattern, the distribution of documents over time is displayed in a histogram at the
 top of the page.
 
-image::images/Discover-Start-Annotated.jpg[Discover Page]
+image::images/Discover-Start-Annotated.jpg[Discover]
 --
 
 include::discover/set-time-filter.asciidoc[]
 
 include::discover/search.asciidoc[]
 
-[float]
-[[auto-refresh]]
-include::discover/autorefresh.asciidoc[]
-
 include::discover/field-filter.asciidoc[]
 
 include::discover/document-data.asciidoc[]

docs/discover/autorefresh.asciidoc

@@ -1,4 +1,4 @@
-=== Automatically Refreshing the Page
+=== Refreshing the Search Results
 You can configure a refresh interval to automatically refresh the page with the latest index data. This periodically
 resubmits the search query.
 

docs/discover/document-data.asciidoc

@@ -1,61 +1,68 @@
 [[document-data]]
 == Viewing Document Data
 
-When you submit a search query, the 500 most recent documents that match the query are listed in the Documents table.
-You can configure the number of documents shown in the table by setting the `discover:sampleSize` property in
-<<advanced-options,Advanced Settings>>. By default, the table shows the localized version of the time field specified
-in the selected index pattern and the document `_source`. You can <<adding-columns, add fields to the Documents table>>
-from the Fields list. You can <<sorting, sort the listed documents>> by any indexed field that's included in the table.
+When you submit a search query, the 500 most recent documents that match the query
+are listed in the Documents table. You can configure the number of documents shown
+in the table by setting the `discover:sampleSize` property in <<advanced-options,
+Advanced Settings>>. By default, the table shows the localized version of the time
+field configured for the selected index pattern and the document `_source`. You can
+<<adding-columns, add fields to the Documents table>> from the Fields list.
+You can <<sorting, sort the listed documents>> by any indexed field that's included
+in the table.
 
-To view a document's field data, click the *Expand* button image:images/ExpandButton.jpg[Expand Button] to the left of
-the document's entry in the first column (the first column is usually Time). Kibana reads the document data from
-Elasticsearch and displays the document fields in a table. The table contains a row for each field that contains the
-name of the field, add filter buttons, and the field value.
+To view a document's field data, click the *Expand* button 
+image:images/ExpandButton.jpg[Expand Button] to the left of the document's table
+entry. 
 
 image::images/Expanded-Document.png[]
 
-. To view the original JSON document (pretty-printed), click the *JSON* tab.
-. To view the document data as a separate page, click the link. You can bookmark and share this link to provide direct
-access to a particular document.
-. To collapse the document details, click the *Collapse* button image:images/CollapseButton.jpg[Collapse Button].
-. To toggle a particular field's column in the Documents table, click the
+To view the original JSON document (pretty-printed), click the *JSON* tab.
+
+To view the document data as a separate page, click the document link. You can
+bookmark and share this link to provide direct access to a particular document.
+
+To display or hide a field's column in the Documents table, click the
 image:images/add-column-button.png[Add Column] *Toggle column in table* button.
 
+To collapse the document details, click the *Collapse* button 
+image:images/CollapseButton.jpg[Collapse Button].
+
 [float]
 [[sorting]]
 === Sorting the Document List
-You can sort the documents in the Documents table by the values in any indexed field. Documents in index patterns that
-are configured with time fields are sorted in reverse chronological order by default.
+You can sort the documents in the Documents table by the values in any indexed
+field. If a time field is configured for the current index pattern, the 
+documents are sorted in reverse chronological order by default.
 
-To change the sort order, click the name of the field you want to sort by. The fields you can use for sorting have a
-sort button to the right of the field name. Clicking the field name a second time reverses the sort order.
+To change the sort order, hover over the name of the field you want to sort by
+and click the sort button. Click again to reverse the sort order.
 
 [float]
 [[adding-columns]]
 === Adding Field Columns to the Documents Table
-By default, the Documents table shows the localized version of the time field specified in the selected index pattern
-and the document `_source`. You can add fields to the table from the Fields list or from a document's expanded view.
+By default, the Documents table shows the localized version of the time field
+that's configured for the selected index pattern and the document `_source`. 
+You can add fields to the table from the Fields list or from a document's
+field data.
 
-To add field columns to the Documents table:
+To add a field column from the Fields list, hover over the field and click its
+*add* button.
 
-. Mouse over a field in the Fields list and click its  *add* button image:images/AddFieldButton.jpg[Add Field Button].
-. Repeat until you've added all the fields you want to display in the Documents table.
-. Alternately, add a field column directly from a document's expanded view by clicking the
+To add a field column from a document's field data, expand the document
+and click the field's
 image:images/add-column-button.png[Add Column] *Toggle column in table* button.
 
-The added field columns replace the `_source` column in the Documents table. The added fields are also
-listed in the *Selected Fields* section at the top of the field list.
+Added field columns replace the `_source` column in the Documents table. The added
+fields are also added to the *Selected Fields* list.
 
-To rearrange the field columns in the table, mouse over the header of the column you want to move and click the *Move*
-button.
+To rearrange the field columns, hover over the header of the column you want to move
+and click the *Move left* or *Move right* button.
 
 image:images/Discover-MoveColumn.jpg[Move Column]
 
 [float]
 [[removing-columns]]
 === Removing Field Columns from the Documents Table
-To remove field columns from the Documents table:
-
-. Mouse over the field you want to remove in the *Selected Fields* section of the Fields list and click its *remove*
-button image:images/RemoveFieldButton.jpg[Remove Field Button].
-. Repeat until you've removed all the fields you want to drop from the Documents table.
+To remove a field column from the Documents table, hover over the header of the 
+column you want to remove and click the *Remove* button 
+image:images/RemoveFieldButton.jpg[Remove Field Button].

docs/discover/field-filter.asciidoc

@@ -1,36 +1,111 @@
 [[field-filter]]
 == Filtering by Field
-You can filter the search results to display only those documents that contain a particular value in a field. You can
-also create negative filters that exclude documents that contain the specified field value.
+You can filter the search results to display only those documents that contain
+a particular value in a field. You can also create negative filters that
+exclude documents that contain the specified field value.
 
-You can add filters from the Fields list or from the Documents table. When you add a filter, it is displayed in the
-filter bar below the search query. From the filter bar, you can enable or disable a filter, invert the filter (change
-it from a positive filter to a negative filter and vice-versa), toggle the filter on or off, or remove it entirely.
-Click the small left-facing arrow to the right of the index pattern selection drop-down to collapse the Fields list.
+You add field filters from the Fields list or the Documents table. In addition
+to creating positive and negative filters, the Documents table enables you to
+filter on whether or not a field is present. The applied
+filters are shown below the Query bar. Negative filters are shown in red. 
 
 To add a filter from the Fields list:
 
-. Click the name of the field you want to filter on. This displays the top five values for that field. To the right of
-each value, there are two magnifying glass buttons--one for adding a regular (positive) filter, and
-one for adding a negative filter.
-. To add a positive filter, click the *Positive Filter* button image:images/PositiveFilter.jpg[Positive Filter Button].
-This filters out documents that don't contain that value in the field.
-. To add a negative filter, click the *Negative Filter* button image:images/NegativeFilter.jpg[Negative Filter Button].
+. Click the name of the field you want to filter on. This displays the top
+five values for that field. 
++
+image::images/filter-field.jpg[]
+. To add a positive filter, click the *Positive Filter* button
+image:images/PositiveFilter.jpg[Positive Filter].
+This includes only those documents that contain that value in the field.
+. To add a negative filter, click the *Negative Filter* button
+image:images/NegativeFilter.jpg[Negative Filter].
 This excludes documents that contain that value in the field.
 
 To add a filter from the Documents table:
 
-. Expand a document in the Documents table by clicking the *Expand* button image:images/ExpandButton.jpg[Expand Button]
-to the left of the document's entry in the first column (the first column is usually Time). To the right of each field
-name, there are two magnifying glass buttons--one for adding a regular (positive) filter, and one for adding a negative
-filter.
-. To add a positive filter  based on the document's value in a field, click the
-*Positive Filter* button image:images/PositiveFilter.jpg[Positive Filter Button]. This filters out documents that don't
-contain the specified value in that field.
-. To add a negative filter based on the document's value in a field, click the
-*Negative Filter* button image:images/NegativeFilter.jpg[Negative Filter Button]. This excludes documents that contain
-the specified value in that field.
+. Expand a document in the Documents table by clicking the *Expand* button
+image:images/ExpandButton.jpg[Expand Button] to the left of the document's
+table entry. 
++
+image::images/Expanded-Document.png[]
+. To add a positive filter, click the *Positive Filter* button
+image:images/PositiveFilter.jpg[Positive Filter Button] to the right of the
+field name. This includes only those documents that contain that value in the
+field.
+. To add a negative filter, click the *Negative Filter* button
+image:images/NegativeFilter.jpg[Negative Filter Button] to the right of the
+field name. This excludes documents that contain that value in the field.
+. To filter on whether or not documents contain the field, click the
+*Exists* button image:images/ExistsButton.jpg[Exists Button] to the right of the
+field name. This includes only those documents that contain the field.
 
 [float]
-[[discover-filters]]
-include::filter-pinning.asciidoc[]
+[[filter-pinning]]
+=== Managing Filters
+
+To modify a filter, hover over it and click one of the action buttons.
+
+image::images/filter-allbuttons.png[]
+
+ 
+
+image:images/filter-enable.png[] Enable Filter :: Disable the filter without
+removing it. Click again to reenable the filter. Diagonal stripes indicate
+that a filter is disabled.
+image:images/filter-pin.png[] Pin Filter :: Pin the filter. Pinned filters
+persist when you switch contexts in Kibana. For example, you can pin a filter
+in Discover and it remains in place when you switch to Visualize. 
+Note that a filter is based on a particular index field--if the indices being
+searched don't contain the field in a pinned filter, it has no effect. 
+image:images/filter-toggle.png[] Toggle Filter :: Switch from a positive
+filter to a negative filter and vice-versa. 
+image:images/filter-delete.png[] Remove Filter :: Remove the filter.
+image:images/filter-custom.png[] Edit Filter :: <<filter-edit, Edit the 
+filter>> definition.  Enables you to manually update the filter query and
+specify a label for the filter.
+
+To apply a filter action to all of the applied filters, 
+click *Actions* and select the action.
+
+[float]
+[[filter-edit]]
+=== Editing a Filter
+You can edit a filter to directly modify the filter query that is performed
+to filter your search results. This enables you to create more complex
+filters that are based on multiple fields.
+
+image::images/filter-custom-json.png[]
+
+&nbsp;
+
+For example, you could use a {es-ref}/query-dsl-bool-query.html[bool query]
+to create a filter for the sample log data that displays the hits that 
+originated from Canada or China that resulted in a 404 error:
+
+==========
+[source,json]
+{
+  "bool": {
+    "should": [
+      {
+        "term": {
+          "geoip.country_name.raw": "Canada"
+        }
+      },
+      {
+        "term": {
+          "geoip.country_name.raw": "China"
+        }
+      }
+    ],
+    "must": [
+      {
+        "term": {
+          "response": "404"
+        }
+      }
+    ]
+  }
+}
+==========

docs/discover/filter-pinning.asciidoc

@@ -1,98 +0,0 @@
-=== Working with Filters
-
-When you create a filter anywhere in Kibana, the filter conditions display in an oval under the search text
-entry box:
-
-image::images/filter-sample.png[]
-
-Hovering on the filter oval displays the following icons:
-
-image::images/filter-allbuttons.png[]
-
-Enable Filter image:images/filter-enable.png[]:: Click this icon to disable the filter without removing it. You can
-enable the filter again later by clicking the icon again. Disabled filters display a striped shaded color, grey for
-inclusion filters and red for exclusion filters.
-Pin Filter image:images/filter-pin.png[]:: Click this icon to _pin_ a filter. Pinned filters persist across Kibana tabs.
-You can pin filters from the _Visualize_ tab, click on the _Discover_ or _Dashboard_ tabs, and those filters remain in
-place.
-NOTE: If you have a pinned filter and you're not seeing any query results, that your current tab's index pattern is one
-that the filter applies to.
-Toggle Filter image:images/filter-toggle.png[]:: Click this icon to _toggle_ a filter. By default, filters are inclusion
-filters, and display in grey. Only elements that match the filter are displayed. To change this to an exclusion
-filters, displaying only elements that _don't_ match, toggle the filter. Exclusion filters display in red.
-Remove Filter image:images/filter-delete.png[]:: Click this icon to remove a filter entirely.
-Custom Filter image:images/filter-custom.png[]:: Click this icon to display a text field where you can customize the JSON
-representation of the filter and specify an alias to use for the filter name:
-+
-image::images/filter-custom-json.png[]
-+
-You can use JSON filter representation to implement predicate logic, with `should` for OR, `must` for AND, and `must_not`
-for NOT:
-+
-.OR Example
-==========
-[source,json]
-{
-  "bool": {
-    "should": [
-      {
-        "term": {
-          "geoip.country_name.raw": "Canada"
-        }
-      },
-      {
-        "term": {
-          "geoip.country_name.raw": "China"
-        }
-      }
-    ]
-  }
-}
-==========
-+
-.AND Example
-==========
-[source,json]
-{
-  "bool": {
-    "must": [
-      {
-        "term": {
-          "geoip.country_name.raw": "United States"
-        }
-      },
-      {
-        "term": {
-          "geoip.city_name.raw": "New York"
-        }
-      }
-    ]
-  }
-}
-
-==========
-+
-.NOT Example
-==========
-[source,json]
-{
-  "bool": {
-    "must_not": [
-      {
-        "term": {
-          "geoip.country_name.raw": "United States"
-        }
-      },
-      {
-        "term": {
-          "geoip.country_name.raw": "Canada"
-        }
-      }
-    ]
-  }
-}
-==========
-Click the *Done* button to update the filter with your changes.
-
-To apply any of the filter actions to all the filters currently in place, click the image:images/filter-actions.png[]
-*Global Filter Actions* button and select an action.

docs/discover/search.asciidoc

@@ -1,72 +1,104 @@
 [[search]]
 == Searching Your Data
-You can search the indices that match the current index pattern by submitting a search from the Discover page.
-You can enter simple query strings, use the
-Lucene https://lucene.apache.org/core/2_9_4/queryparsersyntax.html[query syntax], or use the full JSON-based
-{es-ref}query-dsl.html[Elasticsearch Query DSL].
+You can search the indices that match the current index pattern by entering
+your search criteria in the Query bar. You can perform a simple text search,
+use the Lucene https://lucene.apache.org/core/2_9_4/queryparsersyntax.html[
+query syntax], or use the full JSON-based {es-ref}query-dsl.html[Elasticsearch
+Query DSL].
 
-When you submit a search, the histogram, Documents table, and Fields list are updated to reflect
-the search results. The total number of hits (matching documents) is shown in the upper right corner of the
-histogram. The Documents table shows the first five hundred hits. By default, the hits are listed in reverse
-chronological order, with the newest documents shown first. You can reverse the sort order by by clicking on the Time
-column header. You can also sort the table using the values in any indexed field. For more information, see
-<<sorting,Sorting the Documents Table>>.
+When you submit a search request, the histogram, Documents table, and Fields
+list are updated to reflect the search results. The total number of hits
+(matching documents) is shown in the toolbar. The Documents table shows the
+first five hundred hits. By default, the hits are listed in reverse
+chronological order, with the newest documents shown first. You can reverse
+the sort order by clicking the Time column header. You can also sort the table
+by the values in any indexed field. For more information, see <<sorting,
+Sorting the Documents Table>>.
 
-To search your data:
+To search your data, enter your search criteria in the Query bar and
+press *Enter* or click *Search* image:images/search-button.jpg[] to submit
+the request to Elasticsearch.
 
-. Enter a query string in the Search field:
-+
-* To perform a free text search, simply enter a text string. For example, if you're searching web server logs, you
-could enter `safari` to search all fields for the term `safari`.
-+
-* To search for a value in a specific field, you prefix the value with the name of the field. For example, you could
-enter `status:200` to limit the results to entries that contain the value `200` in the `status` field.
-+
-* To search for a range of values, you can use the bracketed range syntax, `[START_VALUE TO END_VALUE]`. For example,
-to find entries that have 4xx status codes, you could enter `status:[400 TO 499]`.
-+
-* To specify more complex search criteria, you can use the Boolean operators `AND`, `OR`, and `NOT`. For example,
-to find entries that have 4xx status codes and have an extension of `php` or `html`, you could enter `status:[400 TO
+* To perform a free text search, simply enter a text string. For example, if
+you're searching web server logs, you could enter `safari` to search all
+fields for the term `safari`.
+
+* To search for a value in a specific field, prefix the value with the name
+of the field. For example, you could enter `status:200` to find all of
+the entries that contain the value `200` in the `status` field.
+
+* To search for a range of values, you can use the bracketed range syntax,
+`[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx
+status codes, you could enter `status:[400 TO 499]`.
+
+* To specify more complex search criteria, you can use the Boolean operators
+`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
+codes and have an extension of `php` or `html`, you could enter `status:[400 TO
 499] AND (extension:php OR extension:html)`.
-+
-NOTE: These examples use the Lucene query syntax. You can also submit queries using the Elasticsearch Query DSL. For
-examples, see {es-ref}query-dsl-query-string-query.html#query-string-syntax[query string syntax] in the Elasticsearch
-Reference.
-+
-. Press *Enter* or click the *Search* button to submit your search query.
 
-[float]
-[[new-search]]
-=== Starting a New Search
-To clear the current search and start a new search, click the *New* button in the Discover toolbar.
+NOTE: These examples use the Lucene query syntax. You can also submit queries
+using the Elasticsearch Query DSL. For examples, see 
+{es-ref}query-dsl-query-string-query.html#query-string-syntax[query string syntax]
+in the Elasticsearch Reference.
 
 [float]
 [[save-search]]
 === Saving a Search
-You can reload saved searches on the Discover page and use them as the basis of <<visualize, visualizations>>.
-Saving a search saves both the search query string and the currently selected index pattern.
+Saving searches enables you to reload them into Discover and use them as the basis
+for <<visualize, visualizations>>. Saving a search saves both the search query string
+and the currently selected index pattern.
 
 To save the current search:
 
-. Click the *Save* button in the Discover toolbar.
+. Click *Save* in the Kibana toolbar.
 . Enter a name for the search and click *Save*.
 
+You can import, export and delete saved searches from *Management/Kibana/Saved Objects*. 
+
 [float]
 [[load-search]]
 === Opening a Saved Search
-To load a saved search:
+To load a saved search into Discover:
 
-. Click the *Open* button in the Discover toolbar.
+. Click *Open* in the Kibana toolbar.
 . Select the search you want to open.
 
-If the saved search is associated with a different index pattern than is currently selected, opening the saved search
-also changes the selected index pattern.
+If the saved search is associated with a different index pattern than is currently
+selected, opening the saved search also changes the selected index pattern.
 
 [float]
 [[select-pattern]]
 === Changing Which Indices You're Searching
-When you submit a search request, the indices that match the currently-selected index pattern are searched. The current
-index pattern is shown below the search field. To change which indices you are searching, click the name of the current
-index pattern to display a list of the configured index patterns and select a different index pattern.
+When you submit a search request, the indices that match the currently-selected
+index pattern are searched. The current index pattern is shown below the toolbar.
+To change which indices you are searching, click the index pattern and select a
+different index pattern. 
+
+For more information about index patterns, see <<settings-create-pattern,
+Creating an Index Pattern>>.
+
+[float]
+[[autorefresh]]
+=== Refreshing the Search Results
+As more documents are added to the indices you're searching, the search results
+shown in Discover and used to display visualizations get stale. You can
+configure a refresh interval to periodically resubmit your searches to
+retrieve the latest results.  
+
+To enable auto refresh:
+
+. Click the *Time Picker* image:images/time-picker.jpg[Time Picker] in the
+Kibana toolbar.
+. Click *Auto refresh*.
+. Choose a refresh interval from the list.
++
+image::images/autorefresh-intervals.png[]
+
+When auto refresh is enabled, the refresh interval is displayed next to the
+Time Picker, along with a Pause button. To temporarily disable auto refresh,
+click *Pause*.
+
+NOTE: If auto refresh is not enabled, you can manually refresh visualizations
+by clicking *Refresh*.
+
 
-For more information about index patterns, see <<settings-create-pattern, Creating an Index Pattern>>.

docs/discover/set-time-filter.asciidoc

@@ -1,29 +1,40 @@
 [[set-time-filter]]
 == Setting the Time Filter
-The Time Filter restricts the search results to a specific time period. You can set a time filter if your index
-contains time-based events and a time-field is configured for the selected index pattern.
+The time filter restricts the search results to a specific time period. You can
+set a time filter if your index contains time-based events and a time-field is
+configured for the selected index pattern.
 
-By default the time filter is set to the last 15 minutes. You can use the Time Picker to change the time filter
-or select a specific time interval or time range in the histogram at the top of the page.
+By default the time filter is set to the last 15 minutes. You can use the Time
+Picker to change the time filter or select a specific time interval or time
+range in the histogram at the top of the page.
 
 To set a time filter with the Time Picker:
 
-. Click the Time Filter displayed in the upper right corner of the menu bar to open the Time Picker.
-. To set a quick filter, simply click one of the shortcut links.
-. To specify a relative Time Filter, click *Relative* and enter the relative start time. You can specify
-the relative start time as any number of seconds, minutes, hours, days, months, or years ago.
-. To specify an absolute Time Filter, click *Absolute* and enter the start date in the *From* field and the end date in
-the *To* field.
-. Click the caret at the bottom of the Time Picker to hide it.
+. Click Time Picker image:images/time-picker.jpg[] in the Kibana toolbar.
+. To set a quick filter, click one of the shortcut links.
++
+image::images/time-filter.jpg[Time filter shortcuts]
+. To specify a time filter relative to the current time, click *Relative* and
+specify the start time as a number of seconds, minutes, hours, days,
+months, or years ago.
++
+image::images/time-filter-relative.jpg[Relative time filter]
+. To specify both the start and end times for the time filter, click
+*Absolute* and select a start and end date. You can adjust the time
+by editing the *To* and *From* fields.
++
+image::images/time-filter-absolute.jpg[Absolute time filter]
+. Click the caret in the bottom right corner to close the Time Picker.
 
-To set a Time Filter from the histogram, do one of the following:
+To set a time filter from the histogram, do one of the following:
 
 * Click the bar that represents the time interval you want to zoom in on.
-* Click and drag to view a specific timespan. You must start the selection with the cursor over the background of the
-chart--the cursor changes to a plus sign when you hover over a valid start point.
+* Click and drag to view a specific timespan. You must start the selection with
+the cursor over the background of the chart--the cursor changes to a plus sign
+when you hover over a valid start point.
 
 You can use the browser Back button to undo your changes.
 
-The histogram lists the time range you're currently exploring, as well as the intervals that range is currently using.
-To change the intervals, click the link and select an interval from the drop-down. The default behavior automatically
-sets an interval based on the time range.
+The displayed time range and interval are shown on the histogram. By default,
+the interval is set automatically based on the time range. To use a different
+interval, click the link and select an interval. 

docs/discover/viewing-field-stats.asciidoc

@@ -1,12 +1,10 @@
 [[viewing-field-stats]]
 == Viewing Field Data Statistics
 
-From the field list, you can see how many documents in the Documents table contain a particular field, what the top 5
-values are, and what percentage of documents contain each value.
+From the Fields list, you can see how many of the documents in the Documents
+table contain a particular field, what the top 5 values are, and what
+percentage of documents contain each value.
 
-To view field data statistics, click the name of a field in the Fields list. The field can be anywhere in the Fields
-list.
+To view field data statistics, click the name of a field in the Fields list.
 
-image:images/Discover-FieldStats.jpg[Field Statistics]
-
-TIP: To create a visualization based on the field, click the *Visualize* button below the field statistics.
+image:images/filter-field.jpg[Field Statistics]