Kibana User Guide [4.2] » Discover

Tags: ELK, Kibana

Discover

You can interactively explore your data from the Discover page. You have access to every document in every index that matches the selected index pattern. You can submit search queries, filter the search results, and view document data. You can also see the number of documents that match the search query and get field value statistics. If a time field is configured for the selected index pattern, the distribution of documents over time is displayed in a histogram at the top of the page.

Setting the Time Filter

The Time Filter restricts the search results to a specific time period. You can set a time filter if your index contains time-based events and a time-field is configured for the selected index pattern.

By default the time filter is set to the last 15 minutes. You can use the Time Picker to change the time filter or select a specific time interval or time range in the histogram at the top of the page.

To set a time filter with the Time Picker:

  1. Click the Time Filter displayed in the upper right corner of the menu bar to open the Time Picker.
  2. To set a quick filter, simply click one of the shortcut links.
  3. To specify a relative Time Filter, click Relative and enter the relative start time. You can specify the relative start time as any number of seconds, minutes, hours, days, months, or years ago.
  4. To specify an absolute Time Filter, click Absolute and enter the start date in the From field and the end date in the To field.
  5. Click the caret at the bottom of the Time Picker to hide it.

To set a Time Filter from the histogram, do one of the following:

  • Click the bar that represents the time interval you want to zoom in on.
  • Click and drag to view a specific timespan. You must start the selection with the cursor over the background of the chart—the cursor changes to a plus sign when you hover over a valid start point.

You can use the browser Back button to undo your changes.

The histogram lists the time range you’re currently exploring, as well as the intervals that range is currently using. To change the intervals, click the link and select an interval from the drop-down. The default behavior automatically sets an interval based on the time range.

Searching Your Data

You can search the indices that match the current index pattern by submitting a search from the Discover page. You can enter simple query strings, use the Lucene query syntax, or use the full JSON-based Elasticsearch Query DSL.

When you submit a search, the histogram, Documents table, and Fields list are updated to reflect the search results. The total number of hits (matching documents) is shown in the upper right corner of the histogram. The Documents table shows the first five hundred hits. By default, the hits are listed in reverse chronological order, with the newest documents shown first. You can reverse the sort order by clicking on the Time column header. You can also sort the table using the values in any indexed field. For more information, see Sorting the Documents Table.

To search your data:

  1. Enter a query string in the Search field:

    • To perform a free text search, simply enter a text string. For example, if you’re searching web server logs, you could enter safari to search all fields for the term safari.
    • To search for a value in a specific field, you prefix the value with the name of the field. For example, you could enter status:200 to limit the results to entries that contain the value 200 in the status field.
    • To search for a range of values, you can use the bracketed range syntax, [START_VALUE TO END_VALUE]. For example, to find entries that have 4xx status codes, you could enter status:[400 TO 499].
    • To specify more complex search criteria, you can use the Boolean operators AND, OR, and NOT. For example, to find entries that have 4xx status codes and have an extension of php or html, you could enter status:[400 TO 499] AND (extension:php OR extension:html).

      Note

      These examples use the Lucene query syntax. You can also submit queries using the Elasticsearch Query DSL. For examples, see query string syntax in the Elasticsearch Reference.

  2. Press Enter or click the Search button to submit your search query.

Starting a New Search

To clear the current search and start a new search, click the New Search button in the Discover toolbar.

Saving a Search

You can reload saved searches on the Discover page and use them as the basis of visualizations. Saving a search saves both the search query string and the currently selected index pattern.

To save the current search:

  1. Click the Save Search button in the Discover toolbar.
  2. Enter a name for the search and click Save.

Loading a Saved Search

To load a saved search:

  1. Click the Load Search button in the Discover toolbar.
  2. Select the search you want to load.

If the saved search is associated with a different index pattern than is currently selected, loading the saved search also changes the selected index pattern.

Changing Which Indices You’re Searching

When you submit a search request, the indices that match the currently-selected index pattern are searched. The current index pattern is shown below the search field. To change which indices you are searching, click the name of the current index pattern to display a list of the configured index patterns and select a different index pattern.

For more information about index patterns, see Creating an Index Pattern.

Automatically Refreshing the Page

You can configure a refresh interval to automatically refresh the page with the latest index data. This periodically resubmits the search query.

When a refresh interval is set, it is displayed to the left of the Time Filter in the menu bar.

To set the refresh interval:

  1. Click the Time Filter in the upper right corner of the menu bar.
  2. Click the Refresh Interval tab.
  3. Choose a refresh interval from the list.

To automatically refresh the data, click the Auto-refresh button and select an auto-refresh interval.

When auto-refresh is enabled, Kibana’s top bar displays a pause button and the auto-refresh interval. Click the Pause button to pause auto-refresh.

Filtering by Field

You can filter the search results to display only those documents that contain a particular value in a field. You can also create negative filters that exclude documents that contain the specified field value.

You can add filters from the Fields list or from the Documents table. When you add a filter, it is displayed in the filter bar below the search query. From the filter bar, you can enable or disable a filter, invert the filter (change it from a positive filter to a negative filter and vice-versa), toggle the filter on or off, or remove it entirely. Click the small left-facing arrow to the right of the index pattern selection drop-down to collapse the Fields list.

To add a filter from the Fields list:

  1. Click the name of the field you want to filter on. This displays the top five values for that field. To the right of each value, there are two magnifying glass buttons—one for adding a regular (positive) filter, and one for adding a negative filter.
  2. To add a positive filter, click the Positive Filter button. This filters out documents that don’t contain that value in the field.
  3. To add a negative filter, click the Negative Filter button. This excludes documents that contain that value in the field.

To add a filter from the Documents table:

  1. Expand a document in the Documents table by clicking the Expand button to the left of the document’s entry in the first column (the first column is usually Time). To the right of each field name, there are two magnifying glass buttons—one for adding a regular (positive) filter, and one for adding a negative filter.
  2. To add a positive filter based on the document’s value in a field, click the Positive Filter button. This filters out documents that don’t contain the specified value in that field.
  3. To add a negative filter based on the document’s value in a field, click the Negative Filter button. This excludes documents that contain the specified value in that field.

Working with Filters

When you create a filter anywhere in Kibana, the filter conditions display in a green oval under the search text entry box:

[Figure: a sample filter oval in the filter bar]

Hovering on the filter oval displays the following icons:

[Figure: the icons shown when hovering on a filter oval]

Enable Filter
Click this icon to disable the filter without removing it. You can enable the filter again later by clicking the icon again. Disabled filters display a striped shaded color, green for inclusion filters and red for exclusion filters.

Pin Filter
Click this icon to pin a filter. Pinned filters persist across Kibana tabs. You can pin filters from the Visualize tab, click on the Discover or Dashboard tabs, and those filters remain in place. NOTE: If you have a pinned filter and you’re not seeing any query results, check that your current tab’s index pattern is one that the filter applies to.

Toggle Filter
Click this icon to toggle a filter. By default, filters are inclusion filters, and display in green. Only elements that match the filter are displayed. To change this to an exclusion filter, displaying only elements that don’t match, toggle the filter. Exclusion filters display in red.

Remove Filter
Click this icon to remove a filter entirely.

To apply any of the filter actions to all the filters currently in place, click the Global Filter Actions button and select an action.

Viewing Document Data

When you submit a search query, the 500 most recent documents that match the query are listed in the Documents table. You can configure the number of documents shown in the table by setting the discover:sampleSize property in Advanced Settings. By default, the table shows the localized version of the time field specified in the selected index pattern and the document _source. You can add fields to the Documents table from the Fields list. You can sort the listed documents by any indexed field that’s included in the table.


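The sections above describe the pieces of a Discover search separately: the search box (a Lucene query string or raw JSON Query DSL), the Time Filter, the positive/negative filters in the filter bar (including disabled and toggled ones), and the discover:sampleSize row limit. The following added example (not code from the Kibana project) assembles those pieces into one Elasticsearch request body in the shape a reviewer can reason about; the exact body Kibana 4.2 generates, the `bool` layout, the `@timestamp` field name and the sample values are assumptions.

```python
"""Added example: map Discover's UI state to an Elasticsearch request body.

Not Kibana's own code; the bool-query layout is an assumption made here so
the mapping is explicit. Field names and sample values are constructed.
"""
import json
from dataclasses import dataclass

DEFAULT_SAMPLE_SIZE = 500  # the discover:sampleSize default described on the page


@dataclass
class BarFilter:
    """One oval in the filter bar."""
    field: str
    value: str
    negate: bool = False    # toggled to an exclusion (red) filter
    disabled: bool = False  # Enable Filter icon clicked: kept in the bar, not applied


def parse_search_box(text: str) -> dict:
    """Raw JSON is taken as Query DSL; anything else becomes a query_string query.

    An empty box matches everything ("*"), mirroring the page's default view.
    """
    stripped = text.strip()
    if stripped.startswith("{"):
        try:
            return json.loads(stripped)
        except json.JSONDecodeError:
            pass  # not valid JSON, so treat it as a Lucene query string instead
    return {"query_string": {"query": stripped or "*", "analyze_wildcard": True}}


def build_discover_request(search_text, time_field, time_from, time_to,
                           filters=(), sample_size=DEFAULT_SAMPLE_SIZE):
    """Combine search box, Time Filter, filter bar and row limit into one body."""
    must = [parse_search_box(search_text)]
    must_not = []
    if time_field:  # the Time Filter only exists when the pattern has a time field
        must.append({"range": {time_field: {"gte": time_from, "lte": time_to}}})
    for f in filters:
        if f.disabled:
            continue
        (must_not if f.negate else must).append({"term": {f.field: f.value}})
    body = {"size": sample_size,
            "query": {"bool": {"must": must, "must_not": must_not}}}
    if time_field:  # reverse chronological order, newest documents first
        body["sort"] = [{time_field: {"order": "desc"}}]
    return body


if __name__ == "__main__":
    # The page's own example query plus a toggled (negative) bar filter.
    req = build_discover_request(
        "status:[400 TO 499] AND (extension:php OR extension:html)",
        "@timestamp", "now-15m", "now",
        filters=[BarFilter("host", "web1"), BarFilter("agent", "curl", negate=True)])
    print(json.dumps(req, indent=2))
```
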
To view a document’s field data, click the Expand button to the left of the document’s entry in the first column (the first column is usually Time). Kibana reads the document data from Elasticsearch and displays the document fields in a table. The table contains a row for each field that contains the name of the field, add filter buttons, and the field value.

  1. To view the original JSON document (pretty-printed), click the JSON tab.
  2. To view the document data as a separate page, click the link. You can bookmark and share this link to provide direct access to a particular document.
  3. To collapse the document details, click the Collapse button Collapse Button.
  4. To toggle a particular field’s column in the Documents table, click the Toggle column in table button.

Sorting the Document List

You can sort the documents in the Documents table by the values in any indexed field. If a time field is configured for the selected index pattern, by default the documents are sorted in reverse chronological order.

To change the sort order:

  • Click the name of the field you want to sort by. The fields you can use for sorting have a sort button to the right of the field name. Clicking the field name a second time reverses the sort order.
Adding Field Columns to the Documents Table


By default, the Documents table shows the localized version of the time field specified in the selected index pattern and the document _source. You can add fields to the table from the Fields list or from a document’s expanded view.

To add field columns to the Documents table:

  1. Mouse over a field in the Fields list and click its add button Add Field Button.
  2. Repeat until you’ve added all the fields you want to display in the Documents table.
  3. Alternately, add a field column directly from a document’s expanded view by clicking the Toggle column in table button.

The added field columns replace the _source column in the Documents table. The added fields are also listed in the Selected Fields section at the top of the field list.

To rearrange the field columns in the table, mouse over the header of the column you want to move and click the Move button.

Removing Field Columns from the Documents Table

To remove field columns from the Documents table:

  1. Mouse over the field you want to remove in the Selected Fields section of the Fields list and click its remove button.
  2. Repeat until you’ve removed all the fields you want to drop from the Documents table.

Viewing Field Data Statistics

From the field list, you can see how many documents in the Documents table contain a particular field, what the top 5 values are, and what percentage of documents contain each value.

To view field data statistics:

  • Click the name of a field in the Fields list. The field can be anywhere in the Fields list—Selected Fields, Popular Fields, or the list of other fields.

Tip

To create a visualization based on the field, click the Visualize button below the field statistics.

Note:
This material comes from the official Elastic site.
Address:
https://www.elastic.co/guide/en/kibana/current/discover.html
