
Track 2 Kibana Discover, with queries and filters

Abstract

This track teaches you how to explore and search your data.

Refer to the Punch Kibana Discover guide.

Explore your data with Discover

Danger

Do not use a time range too wide, especially if your index pattern has a large amount of data

Query your data

Question

What are the differences between querying and filtering?

Elasticsearch queries return results with a score that tells you how relevant each result is. Filters do no relevancy scoring: every result has a score of 0, because a filter only includes or excludes documents without computing a score. Also unlike queries, filters are cached, which makes them faster.

Tip

If you don't care about relevancy and scoring, use a filter instead of a query.

Tip

Always write global filters first, then filter for more specific fields.

Exercise

On the *-metrics-* index pattern, search for metrics for a storm document indexation rate between 500 and 1000 within the last 30 minutes, where the metric producer is the punchplatform. Did you use the search bar, and if yes, for which criteria? And the filter bar?

Solution

  • Add a time filter: click on the Calendar icon > Commonly used > Last 30 minutes
  • Add a query for the metric producer, because it contains the word "punchplatform" but that is not the exact producer name (18656@punchplatform-5 is a metric producer, for example). We therefore need a term search, and we want scoring so that the most relevant documents come first. Use the following query: metrics_producer_id: *punchplatform*
  • Add a filter for the document indexation rate, because we don't need scoring on that:
    • Field: storm.indexation.rate.count
    • Operator: is between
    • Range: 500 -> 1000
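The same Discover request written as an Elasticsearch query DSL body, as an added example (not taken from the Punch guide), to show where each criterion of the solution ends up: the `must` clause runs in query context and is scored, while the `filter` clauses run in filter context, contribute no score and are cached. The `@timestamp` time field name is an assumption; use the time field your index pattern is configured with.

```json
{
  "query": {
    "bool": {
      "must": [
        { "wildcard": { "metrics_producer_id": { "value": "*punchplatform*" } } }
      ],
      "filter": [
        { "range": { "@timestamp": { "gte": "now-30m", "lte": "now" } } },
        { "range": { "storm.indexation.rate.count": { "gte": 500, "lte": 1000 } } }
      ]
    }
  }
}
```

A pattern with a leading wildcard has to scan the field's term dictionary, so keep it paired with a narrow time filter as the Danger note above advises.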