ChaosSearch Index Views are logical indexes based on the physical indexes created in the Storage section of the ChaosSearch Platform. The Refinery gives users the ability to clean, prepare, and transform the index data. Schema Transformation can be applied to one or many fields, and field Types can be changed between String, Number, and TimeVal without the need to re-index data.
Index Views replace Index Patterns
All created indexes in the Storage section are available in the left-hand menu. To create a new view:
- Click Create View
- Click the drop-down menu and select the index(es) you wish to work with
- Click Next
By selecting a view, you can drill into its summary details by clicking View Summary. The summary provides insights on the Identifier (Index ID), whether a Time Field was set, and whether or not Case Insensitivity has been set. These three fields are important to review, especially if searches are not returning the expected results or a histogram is not present when working in the Analytics section.
Once you've selected the View(s) to include in the new Index pattern, you will also have the ability to define a specific time window for that index. An Index Window is the rolling time period that the index pattern covers when executing searches in the Analysis section. For example, if you've indexed 1 month's worth of data but set the Index Window to 7 days, the maximum number of days returned when executing a search and/or building visualizations will be 7 days. Index Windows keep users within the scope of the time periods that matter, and they also increase performance when searching against the index.
To edit Index Windows, navigate to the Refinery and select the view from the left-hand menu. Click View Summary and then modify the Index Window under view details.
After selecting the View, you will have the opportunity to select whether or not you want to enable case-insensitivity when executing searches on the new view. By selecting Case insensitive, users will be able to search against terms regardless of case.
Case Insensitive searches
If the toggle button is not selected, searches will require you to input the exact case when searching on the data set. If the toggle button is selected, searches will not require you to input the exact case.
After selecting the View, you will have the opportunity to transform the schema of any of the fields within the index structure.
- Select or Search for the field to transform
- Click the Gear Icon
- Input the regex into the Field Transform Pattern to structure the new schema
- Users can add additional Materialized Fields and select the appropriate Type
- Click Save Transformation
In the Field Transform Pattern section, the text matched by each capture group in the regex (its backreference) is what will be stored in the corresponding Materialized Field.
In the next section, select the appropriate Timestamp Field and the new Time type required for the Index View.
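One way to check a Field Transform Pattern offline before saving the transformation, as an added example that is not ChaosSearch code: it runs a candidate regex over constructed field values and shows which capture group would land in which Materialized Field, and which values the pattern misses. The field names, sample lines, Python `re` syntax, and the epoch-seconds TimeVal representation are assumptions; the platform's regex engine and type handling may differ.

```python
import re
from datetime import datetime, timezone

# Constructed sample values of one string field (e.g. a raw "message" field).
SAMPLE_VALUES = [
    "2024-03-01T12:00:05Z 203.0.113.7 GET /login 401",
    "2024-03-01T12:00:09Z 198.51.100.23 POST /api/token 200",
    "malformed line without the expected layout",
]

# Candidate Field Transform Pattern: one capture group per Materialized Field.
PATTERN = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\w+) (\S+) (\d{3})$")

# Hypothetical Materialized Field names and the Type chosen for each group, in order.
FIELDS = [("event_time", "TimeVal"), ("src_ip", "String"), ("method", "String"),
          ("path", "String"), ("status", "Number")]


def coerce(value, type_name):
    """Convert captured text to the selected Type (local approximation)."""
    if type_name == "Number":
        return float(value) if "." in value else int(value)
    if type_name == "TimeVal":
        # Assumption: ISO-8601 UTC text, represented here as epoch seconds.
        dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
        return int(dt.replace(tzinfo=timezone.utc).timestamp())
    return value


def materialize(value):
    """Return {field: typed value} for one input, or None if the pattern misses."""
    m = PATTERN.match(value)
    if m is None:
        return None
    return {name: coerce(text, t) for (name, t), text in zip(FIELDS, m.groups())}


def preview(values):
    """Split sample values into materialized rows and inputs the pattern missed."""
    results = [(v, materialize(v)) for v in values]
    matched = [row for _, row in results if row is not None]
    unmatched = [v for v, row in results if row is None]
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = preview(SAMPLE_VALUES)
    print(matched, "unmatched:", unmatched)
```

Values listed as unmatched are the ones to review before relying on the view for searches, since a pattern that silently misses log lines leaves gaps in the materialized fields.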
The final step in the Index View creation is to assign it a name. The View name will be present in the Discover part in the Visual section of the platform.
View names must comply with DNS naming conventions.