github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 17:59:23 -04:00
Code Issues Projects Releases Packages Wiki Activity
kibana/docs/concepts/index.asciidoc
gchaps 6f57c8597b
[DOCS] Adds concepts section for analysts (#96675) (#97167) 
* [DOCS] Adds concepts section for analysts

* [DOCS] Minor tweaks to concepts doc

* Update docs/concepts/index.asciidoc

Co-authored-by: Wylie Conlon <wylieconlon@gmail.com>

* Update docs/concepts/save-query.asciidoc

Co-authored-by: Wylie Conlon <wylieconlon@gmail.com>

Co-authored-by: Wylie Conlon <wylieconlon@gmail.com>

Co-authored-by: Wylie Conlon <wylieconlon@gmail.com>
2021-04-14 14:29:52 -04:00

149 lines
6.2 KiB
Text
Raw Blame History

[[kibana-concepts-analysts]]
== {kib} concepts for analysts
**_Learn the shared concepts for analyzing and visualizing your data_**
As an analyst, you will use a combination of {kib} apps to analyze and
visualize your data. {kib} contains both general-purpose apps and apps for the
https://www.elastic.co/guide/en/enterprise-search/current/index.html[*Enterprise Search*],
{observability-guide}/observability-introduction.html[*Elastic Observability*],
and {security-guide}/es-overview.html[*Elastic Security*] solutions.
These apps share a common set of concepts.
[float]
=== Three things to know about {es}
You don't need to know everything about {es} to use {kib}, but the most important concepts follow:
* *{es} makes JSON documents searchable and aggregatable.* The documents are
stored in an {ref}/documents-indices.html[index] or {ref}/data-streams.html[data stream], which represent one type of data.
* **_Searchable_ means that you can filter the documents for conditions.**
For example, you can filter for data "within the last 7 days" or data that "contains the word {kib}".
{kib} provides many ways for you to construct filters, which are also called queries or search terms.
* **_Aggregatable_ means that you can extract summaries from matching documents.**
The simplest aggregation is *count*, and it is frequently used in combination
with the *date histogram*, to see count over time. The *terms* aggregation shows the most frequent values.
[float]
=== Finding your apps and objects
{kib} offers a <<kibana-navigation-search,global search bar>> on every page that you can use to find any app or saved object.
Open the search bar using the keyboard shortcut Ctrl+/ on Windows and Linux, Command+/ on MacOS.
[role="screenshot"]
image:concepts/images/global-search.png["Global search showing matches to apps and saved objects for the word visualize"]
[float]
=== Accessing data with index patterns
{kib} requires an index pattern to tell it which {es} data you want to access,
and whether the data is time-based. An index pattern can point to one or more {es}
data streams, indices, or index aliases by name.
For example, `logs-elasticsearch-prod-*` is an index pattern,
and it is time-based with a time field of `@timestamp`. The time field is not editable.
Index patterns are typically created by an administrator when sending data to {es}.
You can <<index-patterns,create or update index patterns>> in *Stack Management*, or by using a script
that accesses the {kib} API.
{kib} uses the index pattern to show you a list of fields, such as
`event.duration`. You can customize the display name and format for each field.
For example, you can tell Kibana to display `event.duration` in seconds.
{kib} has <<managing-fields,field formatters>> for strings,
dates, geopoints,
and numbers.
[float]
=== Searching your data
{kib} provides you several ways to build search queries,
which will reduce the number of document matches that you get from {es}.
Each app in {kib} provides a time filter, and most apps also include semi-structured search and extra filters.
[role="screenshot"]
image:concepts/images/top-bar.png["Time filter, semi-structured search, and filters in a {kib} app"]
If you frequently use any of the search options, you can click the
save icon
image:concepts/images/save-icon.png["save icon"] next to the
semi-structured search to save or load a previously saved query.
The saved query will always contain the semi-structured search query,
and can optionally contain the time filter and extra filters.
[float]
==== Time filter
The <<set-time-filter, global time filter>> limits the time range of data displayed.
In most cases, the time filter applies to the time field in the index pattern,
but some apps allow you to use a different time field.
Using the time filter, you can configure a refresh rate to periodically
resubmit your searches. You can also click *Refresh* to resubmit the search.
This might be useful if you use {kib} to monitor the underlying data.
[role="screenshot"]
image:concepts/images/refresh-every.png["section of time filter where you can configure a refresh rate"]
[float]
==== Semi-structured search
Combine free text search with field-based search using the Kibana Query Language (KQL).
Type a search term to match across all fields, or start typing a field name to
get suggestions for field names and operators that you can use to build a structured query.
The semi-structured search will filter documents for matches, and only return matching documents.
Following are some example KQL queries. For more detailed examples, refer to <<kuery-query,Kibana Query Language>>.
[cols=2*]
|===
| Exact phrase query
| `http.response.body.content.text:"quick brown fox"`
| Terms query
| http.response.status_code:400 401 404
| Boolean query
| `response:200 or extension:php`
| Range query
| `account_number >= 100 and items_sold <= 200`
| Wildcard query
| `machine.os:win*`
|===
[float]
==== Additional filters with AND
Structured filters are a more interactive way to create {es} queries,
and are commonly used when building dashboards that are shared by multiple analysts.
Each filter can be disabled, inverted, or pinned across all apps.
The structured filters are the only way to use the {es} Query DSL in JSON form,
or to target a specific index pattern for filtering. Each of the structured
filters is combined with AND logic on the rest of the query.
[role="screenshot"]
image:concepts/images/add-filter-popup.png["Add filter popup"]
[float]
=== Saving objects
{kib} lets you save objects for your own future use or for sharing with others.
Each <<managing-saved-objects,saved object>> type has different abilities. For example, you can save
your search queries made with *Discover*, which lets you:
* Share a link to your search
* Download the full search results in CSV form
* Start an aggregated visualization using the same search query
* Embed the *Discover* search results into a dashboard
* Embed the *Discover* search results into a Canvas workpad
For organization, every saved object can have a name, <<kibana-navigation-search,tags>>, and type.
Use the global search to quickly open a saved object.
[float]
=== What's next?
* Try the {kib} <<get-started,Quick start>>, which shows you how to put these concepts into action.
* Go to <<discover, Discover>> for instructions on searching your data.
Reference in a new issue View git blame Copy permalink