Filter Searches

Use filter searches to narrow Discover results with filters on specific fields.

Filter-based searches are similar to field-based searches, but they offer a GUI with options and controls to enable or disable filters on the view columns for search refinement. Filters are additive, meaning that they work in combination with each other and with any free text or field-level search criteria you specify. A result is returned only if it matches all of the text and filter criteria.

For example, for a set of ELB logs, you might want to know how many records relate to an iPhone, have more than 90,000 sent_bytes, and have a cs_method of POST. You can use the text search in combination with a filter on the cs_method field.


In this example, adding the filter reduces the results from 6671 to 75 hits.


Filter options

The options in the Available Fields filter pop-up are based on the values available in the currently displayed results. If a search has not yet been run for a view, the filters list is empty. After you run a search, if a desired filter option is not in the pop-up, either expand the search results to see more filter values, or use Add filter and type the desired filter value.

Using the Add filter Dialog

Click Add filter to open the Edit Filter dialog, where you can create and adjust filters to refine your Discover queries. The dialog lets you build query options from the fields and a default set of operations such as is, is not, exists, does not exist, and other options. You can then Save to update the Discover results with your filter options.


The Edit Filter dialog also lets you specify Elasticsearch Query DSL filters in a JSON editing window. Click Edit as Query DSL to switch from the UI to the editor, where you can type or paste your Elasticsearch query API values.

The Query DSL editor supports query-section syntax such as match and bool, but not aggregations syntax. Including the query{} bounding syntax is optional.
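The ELB search described earlier, written as a single filter for the Edit as Query DSL editor. This is an added example, not taken from the product's own documentation; cs_method and sent_bytes come from the text above, while user_agent is an assumed field name, so substitute the field your index actually uses.

```json
{
  "bool": {
    "must": [
      { "match": { "user_agent": "iPhone" } },
      { "match": { "cs_method": "POST" } },
      { "range": { "sent_bytes": { "gt": 90000 } } }
    ]
  }
}
```

Every clause under must has to match for a record to be returned, which mirrors how separate filters combine additively. The outer query{} wrapper is left out here because it is optional.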

Saving Queries

The free text, filter, and field options can be used in any combination to refine your search queries. As you use the search options more, you can start to develop useful combinations and save your favorite queries.

With saved queries, you can load your favorite or most used search combinations, either to quickly run those searches or to edit the saved queries to adjust the filters or time range. Saved searches are also helpful for creating visualizations of your favorite queries.