Filter Searches

Use filter searches to narrow Discover results with filters on specific fields.

Filter-based searches are similar to field-based searches. They provide a GUI with options and controls to enable or disable filters on the view columns for search refinement. Filters are additive: they work in combination with each other and with any free text or field-level search criteria you specify. A record is returned only if it matches all of the text and filter criteria.

For example, for a set of ELB logs, you might want to know how many records relate to an iPhone, had more than 90,000 sent_bytes, and had a cs_method of POST. You can use the text search in combination with a filter on the cs_method field as in the following example:

This example shows that with the addition of the filter, the results reduce from 6671 to 75 hits.

Filter options

The options in the Available Fields filter pop-up are based on the values available in the currently displayed results. If a search has not yet been run for a view, the filters list is empty. After you run a search, if a desired filter option is not in the pop-up, expand the search results to see more filter values in the pop-up, or use Add filter and type the desired filter value.

Selecting Two or More Top 5 Values

The Available fields filters automatically convert multiple Top 5 Values selections for the same field into an is one of filter.

If you click the + icon to select two or more Top 5 Values for the same field, the selected values are automatically combined to search for records that contain one of the selected values. Similarly, selecting two or more values for a field and clicking the - icon creates a NOT is one of filter to exclude records that contain any of the selected values for the field. A sample is one of operation is shown in the following screen, where the data set is filtered to only the records that have one of the two selected Top 5 client_ip values:

Filtering Within Record Results

After you run Discover and get results for your search, you can use filtering controls within the results to narrow the focus for analysis. For example, if you click the > (greater than) symbol next to the timestamp for a result before the histogram, the record expands to show the fields within the record. In the Table display, each field has pop-up filter controls including:

  • Filtering for records that have the specified field and value
  • Filtering out the records with the specified field and value
  • Toggling the field to display it as a column in the record results
  • Adding a filter to display only the records in which the field exists

A sample screen follows that shows the expanded record Table display and the filtering controls.

When you use the toggle control to add a field as a named column in the results display, there are two additional controls to quickly create a filter that will include or exclude records for the selected field and value. The following sample screen shows how the column-level "filter out" option for a field will create a filter to exclude records with that field and value from the updated search results:

Using the Add filter Dialog

Click Add filter to open the Edit Filter dialog, where you can create and adjust filters to refine your Discover queries. The dialog allows you to create query options with the fields and a default set of operations like is, is not, exists, does not exist, and other options. You can then Save and update the Discover results for your filter options.

The Edit Filter dialog also supports the option to specify Elasticsearch Query DSL filters from a JSON editing window. Click Edit as Query DSL to switch from the UI to the editor where you can type or paste your Elasticsearch query API values:

The query DSL editor supports query-section syntax such as match and bool, but not aggregations syntax. Including the query{} bounding syntax is optional.
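As an added example (not taken from the product documentation), the following Python sketch checks a Query DSL filter before it is pasted into the editor: it rejects aggregations, accepts the filter with or without the query{} wrapper, and renders the match/bool structure as the additive expression it represents. The function names are hypothetical, the client_ip values are constructed documentation-range addresses, and the sketch assumes list-valued bool clauses and plain string match values.

```python
import json

# Constructed sample: the cs_method filter from the ELB example plus an
# "is one of" on client_ip (documentation-range addresses, not real data).
PASTED = """
{"query": {"bool": {"must": [
  {"match": {"cs_method": "POST"}},
  {"bool": {"minimum_should_match": 1, "should": [
    {"match": {"client_ip": "203.0.113.10"}},
    {"match": {"client_ip": "198.51.100.7"}}]}}
]}}}
"""

def prepare_filter(text):
    """Parse pasted DSL, reject aggregations, drop the optional query wrapper."""
    body = json.loads(text)
    if not isinstance(body, dict):
        raise ValueError("filter must be a JSON object")
    if body.keys() & {"aggs", "aggregations"}:
        raise ValueError("aggregations syntax is not supported in a filter")
    return body["query"] if list(body) == ["query"] else body

def describe(clause):
    """Render the match/bool subset as the additive expression it stands for."""
    if not isinstance(clause, dict) or len(clause) != 1:
        raise ValueError("expected one query clause")
    (kind, body), = clause.items()
    if kind == "match":
        (field, value), = body.items()
        return f"{field} is {value}"
    if kind != "bool":
        raise ValueError(f"clause type not handled here: {kind}")
    required = body.get("must", []) + body.get("filter", [])
    parts = [describe(c) for c in required]
    parts += ["NOT " + describe(c) for c in body.get("must_not", [])]
    should = [describe(c) for c in body.get("should", [])]
    # Elasticsearch treats should as optional when must/filter is present,
    # unless minimum_should_match says otherwise.
    if should and body.get("minimum_should_match", 0 if required else 1):
        parts.append("(" + " OR ".join(should) + ")")
    return " AND ".join(parts)

if __name__ == "__main__":
    print(describe(prepare_filter(PASTED)))
```

A NOT is one of filter has the same shape with the inner bool placed under must_not instead of must.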

Saving Queries

The free text, filter, and field options can be used in any combination to refine your search queries. As you use the search options more, you can start to develop useful combinations and save your favorite queries.

With saved queries, you can load your favorite or most used search combinations, either to quickly run those searches or to edit the saved queries to adjust the filters or time range. Saved searches are also helpful for creating visualizations of your favorite queries.