mirror of
https://github.com/elastic/kibana.git
synced 2025-04-25 10:23:14 -04:00
896b9cddbc
* [DOCS] Updates for navigation redesign * Getting started * Set up text * Discover * Dashboard, Graph, ML, Maps, APM, SIEM, Dev tools * Dev Tools, Stack Monitoring, Management * Management * Final changes * [DOCS] Updates for navigation redesign * [DOCS] Updates CCR monitoring screenshots * updates SIEM screenshot and Cases overview text * Added Brandon's APM image * [DOCS] Refines CCR shard screenshot * Removed merge conflict image file Co-authored-by: lcawl <lcawley@elastic.co> Co-authored-by: Ben Skelker <ben.skelker@elastic.co>
164 lines
6.4 KiB
Text
164 lines
6.4 KiB
Text
[[managing-fields]]
|
|
== Index patterns and fields
|
|
|
|
The *Index patterns* UI helps you create and manage
|
|
the index patterns that retrieve your data from {es}.
|
|
|
|
[role="screenshot"]
|
|
image::images/management-index-patterns.png[]
|
|
|
|
[float]
|
|
=== Create an index pattern
|
|
|
|
An index pattern is the glue that connects {kib} to your {es} data. Create an
|
|
index pattern whenever you load your own data into {kib}. To get started,
|
|
click *Create index pattern*, and then follow the guided steps. Refer to
|
|
<<index-patterns, Creating an index pattern>> for the types of index patterns
|
|
that you can create.
|
|
|
|
[float]
|
|
=== Manage your index pattern
|
|
|
|
To view the fields and associated data types in an index pattern, click its name in
|
|
the *Index patterns* overview.
|
|
|
|
[role="screenshot"]
|
|
image::management/index-patterns/images/new-index-pattern.png["Index files and data types"]
|
|
|
|
Use the icons to perform the following actions:
|
|
|
|
* [[set-default-pattern]]*Set the default index pattern.* {kib} uses a badge to make users
|
|
aware of which index pattern is the default. The first pattern
|
|
you create is automatically designated as the default pattern. The default
|
|
index pattern is loaded when you open *Discover*.
|
|
|
|
* *Refresh the index fields list.* You can refresh the index fields list to
|
|
pick up any newly-added fields. Doing so also resets the {kib} popularity counters
|
|
for the fields. The popularity counters are used in *Discover* to sort fields in lists.
|
|
|
|
* [[delete-pattern]]*Delete the index pattern.* This action removes the pattern from the list of
|
|
Saved Objects in {kib}. You will not be able to recover field formatters,
|
|
scripted fields, source filters, and field popularity data associated with the index pattern.
|
|
Deleting an index pattern does
|
|
not remove any indices or data documents from {es}.
|
|
+
|
|
WARNING: Deleting an index pattern breaks all visualizations, saved searches, and
|
|
other saved objects that reference the pattern.
|
|
|
|
[float]
|
|
=== Edit a field
|
|
|
|
To edit a field's properties, click the edit icon
|
|
image:management/index-patterns/images/edit_icon.png[] in the detail view.
|
|
You can set the field's format and popularity value.
|
|
|
|
Kibana has field formatters for the following field types:
|
|
|
|
* <<field-formatters-string, Strings>>
|
|
* <<field-formatters-date, Dates>>
|
|
* <<field-formatters-geopoint, Geopoints>>
|
|
* <<field-formatters-numeric, Numbers>>
|
|
|
|
[[field-formatters-string]]
|
|
=== String field formatters
|
|
|
|
String fields support the `String` and `Url` formatters.
|
|
|
|
include::field-formatters/string-formatter.asciidoc[]
|
|
|
|
include::field-formatters/url-formatter.asciidoc[]
|
|
|
|
[[field-formatters-date]]
|
|
=== Date field formatters
|
|
|
|
Date fields support the `Date`, `Url`, and `String` formatters.
|
|
|
|
The `Date` formatter enables you to choose the display format of date stamps using the https://momentjs.com/[moment.js]
|
|
standard format definitions.
|
|
|
|
include::field-formatters/string-formatter.asciidoc[]
|
|
|
|
include::field-formatters/url-formatter.asciidoc[]
|
|
|
|
[[field-formatters-geopoint]]
|
|
=== Geographic point field formatters
|
|
|
|
Geographic point fields support the `String` formatter.
|
|
|
|
include::field-formatters/string-formatter.asciidoc[]
|
|
|
|
[[field-formatters-numeric]]
|
|
=== Numeric field formatters
|
|
|
|
Numeric fields support the `Url`, `Bytes`, `Duration`, `Number`, `Percentage`, `String`, and `Color` formatters.
|
|
|
|
The `Bytes`, `Number`, and `Percentage` formatters enable you to choose the display formats of numbers in this field using
|
|
the <<numeral, Elastic numeral pattern>> syntax that {kib} maintains.
|
|
|
|
include::field-formatters/url-formatter.asciidoc[]
|
|
|
|
include::field-formatters/string-formatter.asciidoc[]
|
|
|
|
include::field-formatters/duration-formatter.asciidoc[]
|
|
|
|
include::field-formatters/color-formatter.asciidoc[]
|
|
|
|
[[scripted-fields]]
|
|
=== Scripted fields
|
|
|
|
Scripted fields compute data on the fly from the data in your {es} indices. The data is shown on
|
|
the Discover tab as part of the document data, and you can use scripted fields in your visualizations. You query scripted fields with the <<kuery-query, {kib} query language>>, and can filter them using the filter bar. The scripted field values are computed at query time, so they aren't indexed and cannot be searched using the {kib} default
|
|
query language.
|
|
|
|
WARNING: Computing data on the fly with scripted fields can be very resource intensive and can have a direct impact on
|
|
{kib} performance. Keep in mind that there's no built-in validation of a scripted field. If your scripts are
|
|
buggy, you'll get exceptions whenever you try to view the dynamically generated data.
|
|
|
|
When you define a scripted field in {kib}, you have a choice of scripting languages. In 5.0 and later, the default
|
|
options are {ref}/modules-scripting-expression.html[Lucene expressions] and {ref}/modules-scripting-painless.html[Painless].
|
|
While you can use other scripting languages if you enable dynamic scripting for them in {es}, this is not recommended
|
|
because they cannot be sufficiently {ref}/modules-scripting-security.html[sandboxed].
|
|
|
|
WARNING: In 5.0 and later, Groovy, JavaScript, and Python scripting are deprecated and unsupported.
|
|
|
|
You can reference any single value numeric field in your expressions, for example:
|
|
|
|
----
|
|
doc['field_name'].value
|
|
----
|
|
|
|
For more information on scripted fields and additional examples, refer to
|
|
https://www.elastic.co/blog/using-painless-kibana-scripted-fields[Using Painless in {kib} scripted fields]
|
|
|
|
[float]
|
|
[[create-scripted-field]]
|
|
=== Create a scripted field
|
|
|
|
. Open the menu, then go to *Stack Management > {kib} > Index Patterns*
|
|
. Select the index pattern you want to add a scripted field to.
|
|
. Go to the *Scripted fields* tab for the index pattern, then click *Add scripted field*.
|
|
. Enter a name for the scripted field.
|
|
. Enter the expression that you want to use to compute a value on the fly from your index data.
|
|
. Click *Create field*.
|
|
|
|
For more information about scripted fields in {es}, see
|
|
{ref}/modules-scripting.html[Scripting].
|
|
|
|
[float]
|
|
[[update-scripted-field]]
|
|
=== Update a scripted field
|
|
|
|
. Click the *Scripted fields* tab for the index pattern.
|
|
. Click the *Edit* button for the scripted field you want to change.
|
|
. Make your changes, then click *Save field*.
|
|
|
|
WARNING: Built-in validation is unsupported for scripted fields. If your scripts are buggy, you'll get
|
|
exceptions whenever you try to view the dynamically generated data.
|
|
|
|
[float]
|
|
[[delete-scripted-field]]
|
|
=== Delete a scripted field
|
|
|
|
. Click the *Scripted fields* tab for the index pattern.
|
|
. Click *Delete* for the scripted field you want to remove.
|
|
. Click *Delete* on the confirmation window.
|