Kibana Discover

Introduction

With Discover, you can quickly search and filter your data, get information about the structure of the fields, and display your findings in a visualization. You can also customize and save your searches and place them on a dashboard.

What sets Discover apart is that free text search and structured filtering work together in one place: a plain string in the query bar searches every field, while the Kibana Query Language (KQL) narrows the search to particular fields and builds more complex queries.

SIEM Source

Tell Kibana where to find the data you want to explore, and then specify the time range in which to view that data.

  1. Open the main menu, and select Discover.
  2. Select the data view you want to work with.
  3. Adjust the time range so that it covers the data you want to view.
  4. To view the count of documents for a given interval within that range, click and drag across the chart; Discover narrows the time range to the interval you selected.

Search your data

One of the unique capabilities of Discover is the ability to combine free text search with filtering based on structured data. To search all fields, enter a simple string in the query bar.

To search particular fields and build more complex queries, use the Kibana Query language. As you type, KQL prompts you with the fields you can search and the operators you can use to build a structured query.

Search the e-commerce data for documents where the country matches the US:

  1. Enter g, and then select geoip.country_iso_code from the suggestions.
  2. Select : (equals some value), enter US, and then click Update.
  3. For a more complex search that combines an equality clause with a range clause, try:
     geoip.country_iso_code : US and products.taxless_price >= 75

Filter your data

Whereas the query defines the set of documents you are interested in, filters enable you to zero in on subsets of those documents. You can filter results to include or exclude specific fields, filter for a value in a range, and more.

Exclude documents whose day of the week is Wednesday (the filter keeps every other day):

  1. Click Add filter.
  2. Set Field to day_of_week, Operator to is not, and Value to Wednesday.
  3. Click Save. The filter appears as a pill in the filter bar below the query bar.
  4. Continue your exploration by adding more filters.
  5. To remove a filter, click the close icon (x) next to its name in the filter bar.
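The query bar, the filter pills and the time picker are three separate inputs, but Discover sends Elasticsearch a single request in which they are combined into one bool query. The following is an added example, not LogicHub's or Kibana's own code: it parses the small KQL subset used on this page (field : value, range operators, and, or, not), folds in filter pills and a time range the way Discover does, and then evaluates the resulting query against a handful of constructed documents so the effect of each input is visible. The DSL shape approximates what Kibana's kuery compiler emits (match_phrase wrapped in bool.should, range clauses, and/or/not mapped to filter/should/must_not); the exact output of real Kibana versions may differ. The field names are the ones used in the page's examples plus order_date, the time field of the sample e-commerce data set; the documents are constructed for this example.

```python
"""Added example, not LogicHub's or Kibana's code: shows how Discover folds the
query bar (KQL), the filter-bar pills and the time picker into one Elasticsearch
bool query, then runs it over constructed documents. The DSL shape approximates
what Kibana's kuery compiler emits; it is not Kibana's implementation."""
import re

# KQL subset: `field : value`, `field >= value` (also >, <=, <), joined with
# and / or, optional leading not. Parentheses are not handled (assumption).
TOKEN_RE = re.compile(r'>=|<=|>|<|:|"[^"]*"|[^\s:<>"]+')
RANGE_OPS = {">=": "gte", ">": "gt", "<=": "lte", "<": "lt"}
KQL_EXAMPLE = "geoip.country_iso_code : US and products.taxless_price >= 75"

def _literal(tok):
    """Strip quotes from quoted values; turn bare integers/decimals into numbers."""
    if len(tok) > 1 and tok[0] == tok[-1] == '"':
        return tok[1:-1]
    return (float(tok) if "." in tok else int(tok)) if re.fullmatch(r"-?\d+(\.\d+)?", tok) else tok

class KqlParser:
    """Recursive descent with KQL precedence: not binds tightest, then and, then or."""
    def __init__(self, kql):
        self.toks, self.i = TOKEN_RE.findall(kql), 0
    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]  # IndexError on a truncated query
    def parse(self):
        parts = [self.parse_and()]
        while self.peek() == "or":
            self.take()
            parts.append(self.parse_and())
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.take()!r}")
        return parts[0] if len(parts) == 1 else {"bool": {"should": parts, "minimum_should_match": 1}}
    def parse_and(self):
        parts = [self.parse_not()]
        while self.peek() == "and":
            self.take()
            parts.append(self.parse_not())
        return parts[0] if len(parts) == 1 else {"bool": {"filter": parts}}
    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return {"bool": {"must_not": [self.parse_not()]}}
        field, op, value = self.take(), self.take(), _literal(self.take())
        if op == ":":  # Kibana wraps match_phrase in bool.should (the field may be a wildcard)
            return {"bool": {"should": [{"match_phrase": {field: value}}], "minimum_should_match": 1}}
        if op in RANGE_OPS:
            return {"range": {field: {RANGE_OPS[op]: value}}}
        raise ValueError(f"unsupported operator {op!r}")

def build_request(kql, filters=(), time_range=None, time_field="order_date"):
    """Query bar + pills (field, 'is' | 'is not', value) + time picker (gte, lte): non-scoring
    clauses go to bool.filter, negated pills to bool.must_not. order_date is the sample data's time field."""
    filt = [KqlParser(kql).parse()] if kql.strip() else []
    must_not = []
    for field, op, value in filters:  # KeyError for an operator the dialog does not offer here
        {"is": filt, "is not": must_not}[op].append({"match_phrase": {field: value}})
    if time_range:
        filt.append({"range": {time_field: {"gte": time_range[0], "lte": time_range[1]}}})
    return {"query": {"bool": {"filter": filt, "must_not": must_not}}}

def _values(doc, path):
    """Dotted-path lookup; arrays of objects flatten the way ES object fields do."""
    cur = [doc]
    for part in path.split("."):
        cur = [v for item in cur if isinstance(item, dict) and part in item
               for v in (item[part] if isinstance(item[part], list) else [item[part]])]
    return cur

def matches(query, doc):
    """Evaluate the DSL subset above; exact equality stands in for text analysis."""
    (kind, body), = query.items()
    if kind == "match_phrase":
        (field, value), = body.items()
        return any(str(v) == str(value) for v in _values(doc, field))
    if kind == "range":
        (field, bounds), = body.items()
        ok = {"gte": lambda a, b: a >= b, "gt": lambda a, b: a > b,
              "lte": lambda a, b: a <= b, "lt": lambda a, b: a < b}
        return any(all(ok[k](v, b) for k, b in bounds.items() if k in ok) for v in _values(doc, field))
    required, should = body.get("must", []) + body.get("filter", []), body.get("should", [])
    need = body.get("minimum_should_match", 1 if should and not required else 0)
    return (all(matches(q, doc) for q in required)
            and not any(matches(q, doc) for q in body.get("must_not", []))
            and sum(matches(q, doc) for q in should) >= need)

# Constructed documents shaped loosely like kibana_sample_data_ecommerce.
def _order(oid, date, dow, cc, prices):
    return {"order_id": oid, "order_date": date, "day_of_week": dow,
            "geoip": {"country_iso_code": cc}, "products": [{"taxless_price": p} for p in prices]}
SAMPLE_DOCS = [_order(1, "2021-05-12T09:00:00Z", "Wednesday", "US", [80.0]),
               _order(2, "2021-05-13T09:00:00Z", "Thursday", "US", [20.0, 99.0]),
               _order(3, "2021-05-13T11:00:00Z", "Thursday", "GB", [120.0]),
               _order(4, "2021-06-01T09:00:00Z", "Tuesday", "US", [75.0])]

def search(request, docs=SAMPLE_DOCS):
    return [d["order_id"] for d in docs if matches(request["query"], d)]
```

Running search(build_request(KQL_EXAMPLE)) returns orders 1, 2 and 4 (US orders with at least one product at 75 or more); adding the pill ("day_of_week", "is not", "Wednesday") and a May 2021 time range leaves only order 2, because the pill lands in must_not and the time picker becomes a range clause in filter. The example also makes the page's negation visible: an "is not Wednesday" pill drops the Wednesday documents, it does not keep them. Knowing the generated DSL is useful when you audit saved searches or reproduce a Discover view against the Elasticsearch API directly.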

Look inside a document

Dive into an individual document to view its fields and the documents that occurred before and after it.

  1. In the document table, click the expand icon to show document details.
  2. Scan through the fields and their values. If you find a field of interest, click the three-dot (ellipsis) icon in the Actions column next to it to filter on that value or access other controls.
  3. To view documents that occurred before or after the event you are looking at, click Surrounding documents.
  4. To create a view of the document that you can bookmark and share, click Single document.

Save your search for later use

Save your search so you can use it later, generate a CSV report, or use it to create visualizations, dashboards, and Canvas workpads. A saved search stores the query text, the filters, and the current view of Discover: the columns selected in the document table, the sort order, and the data view.

  1. In the toolbar, click Save.
  2. Give your search a title, and then click Save.

Visualize your findings

If a field can be aggregated, you can quickly visualize it from Discover.

  1. From the Available fields list, click day_of_week, and then click Visualize. Kibana creates the visualization best suited for this field.
  2. From the Available fields list, drag and drop manufacturer.keyword onto the workspace to add a second dimension.
  3. Save your visualization for use on a dashboard.

For geo point fields, clicking Visualize plots your data on a map instead.

Share your findings

To share your findings with a larger audience, click Share in the Discover toolbar.


© 2017-2021 LogicHub®. All Rights Reserved.