github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-22 08:49:27 -04:00
Code Issues Projects Releases Packages Wiki Activity
kibana/docs/discover/search.asciidoc

104 lines
4.2 KiB
Text
Raw Permalink Blame History

[[search]]
== Searching Your Data
You can search the indices that match the current index pattern by entering
your search criteria in the Query bar. You can perform a simple text search,
use the Lucene https://lucene.apache.org/core/2_9_4/queryparsersyntax.html[
query syntax], or use the full JSON-based {es-ref}query-dsl.html[Elasticsearch
Query DSL].
When you submit a search request, the histogram, Documents table, and Fields
list are updated to reflect the search results. The total number of hits
(matching documents) is shown in the toolbar. The Documents table shows the
first five hundred hits. By default, the hits are listed in reverse
chronological order, with the newest documents shown first. You can reverse
the sort order by clicking the Time column header. You can also sort the table
by the values in any indexed field. For more information, see <<sorting,
Sorting the Documents Table>>.
To search your data, enter your search criteria in the Query bar and
press *Enter* or click *Search* image:images/search-button.jpg[] to submit
the request to Elasticsearch.
* To perform a free text search, simply enter a text string. For example, if
you're searching web server logs, you could enter `safari` to search all
fields for the term `safari`.
* To search for a value in a specific field, prefix the value with the name
of the field. For example, you could enter `status:200` to find all of
the entries that contain the value `200` in the `status` field.
* To search for a range of values, you can use the bracketed range syntax,
`[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx
status codes, you could enter `status:[400 TO 499]`.
* To specify more complex search criteria, you can use the Boolean operators
`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
codes and have an extension of `php` or `html`, you could enter `status:[400 TO
499] AND (extension:php OR extension:html)`.
NOTE: These examples use the Lucene query syntax. You can also submit queries
using the Elasticsearch Query DSL. For examples, see
{es-ref}query-dsl-query-string-query.html#query-string-syntax[query string syntax]
in the Elasticsearch Reference.
[float]
[[save-search]]
=== Saving a Search
Saving searches enables you to reload them into Discover and use them as the basis
for <<visualize, visualizations>>. Saving a search saves both the search query string
and the currently selected index pattern.
To save the current search:
. Click *Save* in the Kibana toolbar.
. Enter a name for the search and click *Save*.
You can import, export and delete saved searches from *Management/Kibana/Saved Objects*.
[float]
[[load-search]]
=== Opening a Saved Search
To load a saved search into Discover:
. Click *Open* in the Kibana toolbar.
. Select the search you want to open.
If the saved search is associated with a different index pattern than is currently
selected, opening the saved search also changes the selected index pattern.
[float]
[[select-pattern]]
=== Changing Which Indices You're Searching
When you submit a search request, the indices that match the currently-selected
index pattern are searched. The current index pattern is shown below the toolbar.
To change which indices you are searching, click the index pattern and select a
different index pattern.
For more information about index patterns, see <<settings-create-pattern,
Creating an Index Pattern>>.
[float]
[[autorefresh]]
=== Refreshing the Search Results
As more documents are added to the indices you're searching, the search results
shown in Discover and used to display visualizations get stale. You can
configure a refresh interval to periodically resubmit your searches to
retrieve the latest results.
To enable auto refresh:
. Click the *Time Picker* image:images/time-picker.jpg[Time Picker] in the
Kibana toolbar.
. Click *Auto refresh*.
. Choose a refresh interval from the list.
+
image::images/autorefresh-intervals.png[]
When auto refresh is enabled, the refresh interval is displayed next to the
Time Picker, along with a Pause button. To temporarily disable auto refresh,
click *Pause*.
NOTE: If auto refresh is not enabled, you can manually refresh visualizations
by clicking *Refresh*.
Reference in a new issue View git blame Copy permalink