Discover on Kibana

A Cyber Security Research Dumpsite


Following my post on how to use Kibana, where I laid out the definitions of each section, this post is focused on “How to use Discover on Kibana” and will show how to operate the section.

Note: As in the previous post, this “Discover on Kibana” documentation was gathered from the official documentation on the Elastic website, and all the hyperlinks in this text link back to it. I cannot appreciate enough how detailed and understandable their documentation is, so please check it out too if you have any questions.

Discover on Kibana

This is the main page of Discover on Kibana.

Setting the Time Filter

The time filter restricts the search results to a specific time period. You can set a time filter if your index contains time-based events and a time-field is configured for the selected index pattern.

By default, the time filter is set to the last 15 minutes. You can use the Time Picker to change the time filter or select a specific time interval or time range in the histogram at the top of the page.

To set a time filter with the Time Picker:

  1. Click Time Picker in the Kibana toolbar.
  2. To set a quick filter, click one of the shortcut links.
  3. To specify a time filter relative to the current time, click Relative and specify the start time as a number of seconds, minutes, hours, days, months, or years. You can also specify the end time relative to the current time. Relative times can be in the past or future.
  4. To specify both the start and end times for the time filter, click Absolute and select a start and end date. You can adjust the time by editing the To and From
  5. Click the caret in the bottom right corner to close the Time Picker.

To set a time filter from the histogram, do one of the following:

  • Click the bar that represents the time interval you want to zoom in on.
  • Click and drag to view a specific time-span. You must start the selection with the cursor over the background of the chart—the cursor changes to a plus sign when you hover over a valid start point.

To move forward/backward in time, click the arrows to the left or right of the Time Picker.

You can use the browser Back button to undo your changes.

The displayed time range and interval are shown on the histogram. By default, the interval is set automatically based on the time range. To use a different interval, click the link and select an interval.

Searching Your Data

You can search the indices that match the current index pattern by entering your search criteria in the Query bar. You can use Kibana’s standard query language (based on Lucene query syntax) or the full JSON-based Elasticsearch Query DSL. Autocomplete and a simplified query syntax are available for the Kibana query language as experimental features, which you can opt in to under the options menu in the Query Bar.

When you submit a search request, the histogram, Documents table, and Fields list are updated to reflect the search results. The total number of hits (matching documents) is shown in the toolbar. The Documents table shows the first five hundred hits. By default, the hits are listed in reverse chronological order, with the newest documents shown first. You can reverse the sort order by clicking the Time column header. You can also sort the table by the values in any indexed field. For more information, see Sorting the Documents Table.

To search your data, enter your search criteria in the Query bar and press Enter or click Search to submit the request to Elasticsearch.

You can opt in to the experimental query features by default by changing search:queryLanguage to kuery under Advanced Settings.

For more information on searching your data, visit the official Elastic documentation this section was taken from: https://www.elastic.co/guide/en/kibana/current/search.html and navigate to the left sidebar under Discover > Searching your Data.

Viewing Document Data

When you submit a search query, the 500 most recent documents that match the query are listed in the Documents table. You can configure the number of documents shown in the table by setting the discover:sampleSize property in Advanced Settings. By default, the table shows the localized version of the time field configured for the selected index pattern and the document _source. You can add fields to the Documents table from the Fields list. You can sort the listed documents by any indexed field that’s included in the table.

To view a document’s field data, click the Expand button to the left of the document’s table entry.

Viewing Field Data Statistics

From the Fields list, you can see how many of the documents in the Documents table contain a particular field, what the top 5 values are, and what percentage of documents contain each value.

Data can be visualized in various ways. The quick Visualize option can only be applied to aggregable fields. Keyword fields can be visualized, and they appear in the sidebar if you uncheck “Hide missing fields”.

To view field data statistics, click the name of a field in the Fields list.

Filtering by Field

You can filter the search results to display only those documents that contain a particular value in a field. You can also create negative filters that exclude documents that contain the specified field value.

You add field filters from the Fields list, the Documents table, or by manually adding a filter. In addition to creating positive and negative filters, the Documents table enables you to filter on whether or not a field is present. The applied filters are shown below the Query bar. Negative filters are shown in red.

To add a filter from the Fields list:

  1. Click the name of the field you want to filter on. This displays the top five values for that field.
  2. To add a positive filter, click the Positive Filter button. This includes only those documents that contain that value in the field.
  3. To add a negative filter, click the Negative Filter button. This excludes documents that contain that value in the field.

To add a filter from the Documents table:

  1. Expand a document in the Documents table by clicking the Expand button to the left of the document’s table entry.
  2. To add a positive filter, click the Positive Filter button to the right of the field name. This includes only those documents that contain that value in the field.
  3. To add a negative filter, click the Negative Filter button to the right of the field name. This excludes documents that contain that value in the field.
  4. To filter on whether or not documents contain the field, click the Exists button to the right of the field name. This includes only those documents that contain the field.

To manually add a filter:

  1. Click Add Filter. A popup will be displayed for you to create the filter.
  2. Choose a field to filter by. This list of fields will include fields from the index pattern you are currently querying against.
  3. Choose an operation for your filter.

Operators

The following operators can be selected:

  • is: Filter where the value for the field matches the given value.
  • is not: Filter where the value for the field does not match the given value.
  • is one of: Filter where the value for the field matches one of the specified values.
  • is not one of: Filter where the value for the field does not match any of the specified values.
  • is between: Filter where the value for the field is in the given range.
  • is not between: Filter where the value for the field is not in the given range.
  • exists: Filter where any value is present for the field.
  • does not exist: Filter where no value is present for the field.

  4. Choose the value(s) for your filter. Values from your indices may be suggested as selections if you are filtering against an aggregable field.
  5. (Optional) Specify a label for the filter. If you specify a label, it will be displayed below the query bar instead of the filter definition.
  6. Click Save. The filter will be applied to your search and be displayed below the query bar.

Note: If you are experiencing long-running queries as a result of the value suggestions, you can turn off the suggestions by setting the advanced setting, filterEditor:suggestValues, to false.
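As an added example (not code from the page or from Elastic) of what the Time Picker and the filter operators above amount to on the Elasticsearch side, the following Python builds the Query DSL that Discover's time filter and filter pills roughly correspond to; the field names, the sample values and the mapping of Lucene-syntax query bar text to a query_string clause are assumptions.

```python
# Added example, not from the page or Elastic: builds the Query DSL that Discover's
# time filter and filter pills roughly correspond to. Field names are assumed.
import json
from typing import Any

TIME_FIELD = "@timestamp"  # assumed time field of the index pattern

def time_filter(start: str, end: str = "now") -> dict[str, Any]:
    """Time Picker range: relative values use date math ("now-15m"),
    absolute values are ISO-8601 timestamps."""
    return {"range": {TIME_FIELD: {"gte": start, "lte": end}}}

def field_filter(field: str, op: str, value: Any = None) -> dict[str, Any]:
    """Translate one Discover filter operator into a Query DSL clause.
    Negative operators wrap the positive clause in bool/must_not."""
    positive = {
        "is": lambda: {"match_phrase": {field: value}},
        "is one of": lambda: {"bool": {
            "should": [{"match_phrase": {field: v}} for v in value],
            "minimum_should_match": 1}},
        "is between": lambda: {"range": {field: {"gte": value[0], "lt": value[1]}}},
        "exists": lambda: {"exists": {"field": field}},
    }
    negated = {"is not": "is", "is not one of": "is one of",
               "is not between": "is between", "does not exist": "exists"}
    if op in negated:
        return {"bool": {"must_not": positive[negated[op]]()}}
    if op not in positive:
        raise ValueError(f"unknown Discover operator: {op}")
    return positive[op]()

def discover_query(query: str, filters: list[dict[str, Any]],
                   size: int = 500) -> dict[str, Any]:
    """What Discover sends: query bar text (Lucene syntax) as query_string,
    filter pills in bool.filter, newest first, 500 hits (discover:sampleSize)."""
    return {
        "size": size,
        "sort": [{TIME_FIELD: "desc"}],
        "query": {"bool": {"must": [{"query_string": {"query": query}}],
                           "filter": filters}},
    }

if __name__ == "__main__":  # constructed sample: failed logins in the last 15 minutes
    body = discover_query("event.category:authentication", [
        time_filter("now-15m"),
        field_filter("event.outcome", "is", "failure"),
        field_filter("source.ip", "is not one of", ["10.0.0.5", "10.0.0.6"]),
        field_filter("user.name", "exists"),
    ])
    print(json.dumps(body, indent=2))
```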

Managing Filters

To modify a filter, hover over it and click one of the action buttons.

Enable Filter

Disable the filter without removing it. Click again to reenable the filter. Diagonal stripes indicate that a filter is disabled.

Pin Filter

Pin the filter. Pinned filters persist when you switch contexts in Kibana. For example, you can pin a filter in Discover and it remains in place when you switch to Visualize. Note that a filter is based on a particular index field—if the indices being searched don’t contain the field in a pinned filter, it has no effect.

Invert Filter

Switch from a positive filter to a negative filter and vice-versa.

Remove Filter

Remove the filter.

Edit Filter

Edit the filter definition. Enables you to manually update the filter and specify a label for the filter.

To apply a filter action to all of the applied filters, click Actions and select the action.

That’s it for “Discover on Kibana”. I hope this section helped you gain a better understanding of Kibana’s Discover section. Please click on the links below either to go back to the overall definitions of Kibana sections or to the next post on Visualization and Dashboard.

Just landed on this page? Don’t know what Kibana is or how to install it? Check the following link on how to install it: