Kibana provides the Discover feature, which enables you to quickly search large volumes of data and get a picture of your business data within a specific period of time. This topic describes how to use the Discover feature.

Background information

Discover helps you find your data in Kibana and search and filter it for hidden insights and relationships. For more information, see the open source Kibana documentation.

Prerequisites

  • An Alibaba Cloud Elasticsearch cluster is created. For more information, see Create an Alibaba Cloud Elasticsearch cluster. In this example, an Alibaba Cloud Elasticsearch V7.10 cluster is used.
  • An index is created in the cluster. In this example, an index that stores NGINX logs is used.
  • You have logged on to the Kibana console of the cluster. For more information, see Log on to the Kibana console.

Procedure

  1. On the homepage of the Kibana console, click the navigation bar icon in the upper-left corner to display the names of the tabs in the left-side navigation pane.
  2. Create an index pattern.
    1. In the left-side navigation pane, click Stack Management below Management.
    2. In the Kibana section, click Index Patterns.
    3. Click Create index pattern.
    4. Enter an index pattern name in the Index pattern name field and click Next step. In this example, the index pattern name nginx* is used.
    5. Configure the Time field parameter and click Create index pattern. In this example, the Time field parameter is set to @timestamp.
      Important: If you delete indexes whose names start with .kibana, index patterns will be lost.
  3. In the left-side navigation pane, click Discover below Kibana. On the page that appears, select the nginx* index pattern that you created from the drop-down list.
  4. On the right side of the Discover page or in the histogram, select a time range to view the data within the time range.

    For more information, see Configure a time filter in More features on the Discover page.
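The steps above assume that each NGINX log document carries a date-typed @timestamp field that the index pattern can use as its Time field. The following Python script is an added example, not code from this page or from Alibaba Cloud: it parses constructed NGINX combined-format access log lines into documents with an ISO 8601 @timestamp and a numeric status field, and emits the _bulk NDJSON body that would index them; the index name nginx-access is an assumption.

```python
"""Turn NGINX combined-format log lines into Elasticsearch documents with a
date-typed @timestamp (added example, not part of the Alibaba Cloud page)."""
import json
import re
from datetime import datetime

# Constructed sample lines in the NGINX 'combined' log format (not real traffic).
SAMPLE_LINES = [
    '203.0.113.7 - - [12/Mar/2024:10:15:02 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:10:15:05 +0800] "POST /login HTTP/1.1" 500 0 "-" "curl/8.0"',
    'garbage line that does not match the combined format',
]

COMBINED_RE = re.compile(
    r'(?P<remote_addr>\S+) \S+ (?P<remote_user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)


def parse_line(line):
    """Return an Elasticsearch document dict, or None if the line is not combined format."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(d.pop("time"), "%d/%b/%Y:%H:%M:%S %z")
    d["@timestamp"] = ts.isoformat()   # ISO 8601 with offset; Elasticsearch maps it as 'date'
    d["status"] = int(d["status"])     # numeric, so a KQL range such as status >= 500 works
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d


def to_bulk(lines, index="nginx-access"):
    """Build a _bulk NDJSON body for the parseable lines; returns (ndjson, skipped_count)."""
    out, skipped = [], 0
    for line in lines:
        doc = parse_line(line)
        if doc is None:           # keep going, but count what could not be parsed
            skipped += 1
            continue
        out.append(json.dumps({"index": {"_index": index}}))
        out.append(json.dumps(doc))
    return "\n".join(out) + "\n", skipped


if __name__ == "__main__":
    body, skipped = to_bulk(SAMPLE_LINES)
    print(body, f"# skipped {skipped} unparseable line(s)")
```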

More features on the Discover page

Overview of the Discover page

(Figure: Overview of the Discover page)

Configure a time filter

You can configure a time filter on the Discover page. The time filter enables you to change the time range within which you want to query data. By default, the time filter is set to the last 15 minutes. You can use one of the following methods to modify the time filter:
  • Click the time picker icon and specify a time range.
    • Quick select: allows you to select a recent time range and use back and forward arrows to switch between time ranges.
    • Commonly used: allows you to select a time range from options such as Last 15 minutes, Today, and This week.
    • Recently used date ranges: allows you to select a time range that you recently used.
    • Refresh every: allows you to specify a frequency for automatic refresh.
  • Click the start time or end time. In the time picker that appears, click Absolute, Relative, or Now, and specify a time range.
  • Select a time range from the histogram.
    • Click the bar for the time range that you want to zoom in on.
    • Click and drag to view a specific time range.
      Note: You can start the selection only after you move the pointer over the background of the histogram. After you move the pointer over a valid start point, the pointer changes to a plus sign.
    • Select an interval from the drop-down list.

Search for data

You must use Kibana Query Language (KQL) to search for data. After you enter a search criterion in the search box, the system suggests KQL statements that include the related fields, values, and operators. For more information, see the open source Elasticsearch documentation on the Kibana query syntax.

Modify displayed fields

After you search for data, the Discover page displays all matching documents. By default, the time field and the _source field are displayed. You can change the displayed fields to the ones you want to query. For example, if you want to query the path field, click the + icon on the right side of the path field.
As shown in the following figure, if you want to view error.log, you can click the + icon next to /var/log/nginx/error.log.
(Figure: Fields displayed on the Discover page)

View a document

You can expand a document, move the pointer over it, and then perform operations such as filtering. If you want to view the documents that occurred before and after the document, click View surrounding documents in the upper-right corner. If you want to view a specific document, click View single document.

FAQ

  • Q: After I create an index pattern, no histogram is displayed on the Discover page. Why?

    A: Check whether the index that you search contains time series data. For example, check whether the mappings of the index contain a field whose type is timestamp.

  • Q: When I use the search feature to query index data, I must specify the complete field value. Otherwise, no data is returned. Why?

    A: You can use the wildcard * to match partial field values when you query data. This issue is caused by the limits of the tokenizers used by Alibaba Cloud Elasticsearch clusters.
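Added example for the first FAQ entry (not from this page or from Alibaba Cloud): in an Elasticsearch mapping, time series data is identified by fields of type date (or date_nanos). This Python check walks a constructed GET _mapping response, including nested object fields and multi-fields, and lists the fields that an index pattern can use as its Time field; an index with none of them gets no histogram in Discover. The index name in the sample is an assumption.

```python
"""List the date-typed fields in an index mapping so the index pattern Time
field can be set correctly (added example, not Alibaba Cloud code)."""
import json

# Constructed sample shaped like the response to GET <index>/_mapping.
SAMPLE_MAPPING = json.loads("""
{
  "nginx-2024.03.12": {
    "mappings": {
      "properties": {
        "@timestamp": {"type": "date"},
        "status": {"type": "integer"},
        "request": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
        "nginx": {"properties": {"access": {"properties": {"time": {"type": "date"}}}}}
      }
    }
  }
}
""")

DATE_TYPES = ("date", "date_nanos")


def date_fields(properties, prefix=""):
    """Recursively collect the dotted names of every date/date_nanos field."""
    found = []
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if spec.get("type") in DATE_TYPES:
            found.append(path)
        if "properties" in spec:                      # object field: descend into it
            found.extend(date_fields(spec["properties"], path + "."))
        for sub, subspec in spec.get("fields", {}).items():   # multi-fields (field.sub)
            if subspec.get("type") in DATE_TYPES:
                found.append(f"{path}.{sub}")
    return found


def time_field_candidates(get_mapping_response):
    """Map each index in a GET _mapping response to its usable Time field names."""
    return {idx: date_fields(body.get("mappings", {}).get("properties", {}))
            for idx, body in get_mapping_response.items()}


if __name__ == "__main__":
    for idx, fields in time_field_candidates(SAMPLE_MAPPING).items():
        if fields:
            print(f"{idx}: set the index pattern Time field to one of {fields}")
        else:
            print(f"{idx}: no date field, so Discover shows no histogram for it")
```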