|
1 | 1 | [[document-context]] |
2 | | -== Viewing Document Context |
| 2 | +== Viewing a document in context |
3 | 3 |
|
4 | | -For certain applications it can be useful to inspect a window of documents |
5 | | -surrounding a specific event. The context view enables you to do just that for |
6 | | -<<index-patterns, index patterns>> that are configured to contain time-based events. |
| 4 | +Once you've narrowed your search to a specific event, |
| 5 | +you might want to inspect the documents that occurred |
| 6 | +immediately before and after the event. With the Context view, |
| 7 | +you can do just that for index patterns that contain time-based events. |
7 | 8 |
|
8 | | -To show the context surrounding an anchor document, click the *Expand* button |
9 | | -image:images/ExpandButton.jpg[Expand Button] to the left of the document's |
10 | | -table entry and then click the *View surrounding documents* link. |
| 9 | +To open the Context view, click the expand icon (<) in the document table, and then click |
| 10 | +*View surrounding documents.* |
11 | 11 |
|
12 | | -image::images/Expanded-Document.png[Expanded Document] |
13 | | -{nbsp} |
| 12 | +The documents are sorted |
| 13 | +by the time field specified in the index pattern and displayed using the |
| 14 | +same set of columns as the *Discover* view from which the context was opened. |
| 15 | +The anchor document is highlighted in blue. |
14 | 16 |
|
15 | | -The context view displays a number of documents before and after the anchor |
16 | | -document. The anchor document itself is highlighted in blue. The view is sorted |
17 | | -by the time field specified in the index pattern configuration and uses the |
18 | | -same set of columns as the Discover view the context was opened from. If there |
19 | | -are multiple documents with the same time field value, the internal document |
20 | | -order is used as a secondary sorting criterion by default. |
21 | | - |
22 | | -[NOTE] |
23 | | --- |
24 | | -The field used for tiebreaking in case of equal time field values can be |
25 | | -configured using the advanced setting `context:tieBreakerFields` in |
26 | | -<<advanced-options, *Management > Advanced Settings*>>, which defaults to the |
27 | | -`_doc` field. The value of this setting can be a comma-separated list of field |
28 | | -names, which will be checked in sequence for suitability when a context is |
29 | | -about to be displayed. The first suitable field is then used as the tiebreaking |
30 | | -field. A field is suitable if the field exists and is sortable in the index |
31 | | -pattern the context is based on. |
32 | | - |
33 | | -While not required, it is recommended to only |
34 | | -use fields which have {ref}/doc-values.html[doc values] enabled to achieve |
35 | | -good performance and avoid unnecessary {ref}/modules-fielddata.html[field |
36 | | -data] usage. Common examples for suitable fields include log line numbers, |
37 | | -monotonically increasing counters and high-precision timestamps. |
38 | | --- |
39 | 17 |
|
| 18 | +[role="screenshot"] |
40 | 19 | image::images/Discover-ContextView.png[Context View] |
41 | 20 |
|
42 | | -NOTE: The number of documents displayed by default can be configured |
43 | | -via the `context:defaultSize` setting in <<advanced-options, *Management > |
44 | | -Advanced Settings*>>. |
45 | | - |
46 | 21 | [float] |
47 | | -[[change-context-size]] |
48 | | -=== Changing the Context Size |
49 | | - |
50 | | -You can change the number documents displayed before and after the anchor |
51 | | -document independently. |
52 | | - |
53 | | -To increase the number of displayed documents that are newer than the anchor |
54 | | -document, click the *Load 5 more* button above the document list or enter the |
55 | | -desired number into the input box right of the button. |
56 | | - |
57 | | -image::images/Discover-ContextView-SizePicker-Newer.png[] |
58 | | -{nbsp} |
59 | | - |
60 | | -To increase the number of displayed documents that are older than the anchor |
61 | | -document, click the *Load 5 more* button below the document list or enter the |
62 | | -desired number into the input box right of the button. |
| 22 | +[[filter-context]] |
| 23 | +=== Filter the context |
63 | 24 |
|
64 | | -image::images/Discover-ContextView-SizePicker-Older.png[] |
65 | | -{nbsp} |
| 25 | +The |
| 26 | +filters you applied in *Discover* are carried over to the Context view. Pinned filters remain active, while normal |
| 27 | +filters are copied in a disabled state. You can re-enable these filters to |
| 28 | +refine your context view. |
66 | 29 |
|
67 | | -NOTE: The default number of documents loaded with each button click can be |
68 | | -configured via the `context:step` setting in <<advanced-options, *Management > |
69 | | -Advanced Settings*>>. |
| 30 | +If the Context view contains a large number of documents not related to the event under |
| 31 | +investigation, you can use filters to restrict the documents to |
| 32 | +display. |
70 | 33 |
|
71 | 34 | [float] |
72 | | -[[filter-context]] |
73 | | -=== Filtering the Context |
74 | | - |
75 | | -Depending on how the documents are partitioned into index patterns, the context |
76 | | -view might contain a large number of documents not related to the event under |
77 | | -investigation. In order to adapt the focus of the context view to the task at |
78 | | -hand, you can use filters to restrict the documents considered by Kibana for |
79 | | -display in the context view. |
80 | | - |
81 | | -When switching from the discover view to the context view, the previously |
82 | | -applied filters are carried over. Pinned filters remain active while normal |
83 | | -filters are copied in a disabled state. You can selectively re-enabled them to |
84 | | -refine your context view. |
| 35 | +[[change-context-size]] |
| 36 | +=== Change the number of surrounding documents |
85 | 37 |
|
86 | | -New filters can be added via the *Add a filter* link in the filter bar, by |
87 | | -clicking the filter icons appearing when hovering a field, or by expanding |
88 | | -documents and clicking the filter icons in the table. |
| 38 | +By default, the five newest and oldest |
| 39 | +documents are listed. To increase the number of documents that surround the anchor document, |
| 40 | +click *Load*. Five documents are added with each click. |
89 | 41 |
|
90 | | -image::images/Discover-ContextView-FilterMontage.png[] |
| 42 | +[float] |
| 43 | +[[configure-context-ContextView]] |
| 44 | +=== Configure the context view |
| 45 | + |
| 46 | +To configure the Context view, use these settings in <<advanced-options, |
| 47 | +Advanced Settings>>. |
| 48 | + |
| 49 | +[horizontal] |
| 50 | +`context:defaultSize`:: The number of documents to display by default. |
| 51 | +`context:step`:: The default number of documents to load with each button click. |
| 52 | +`context:tieBreakerFields`:: The field to use for tiebreaking in case of equal time field values. |
| 53 | +The default is the |
| 54 | +`_doc` field. |
| 55 | ++ |
| 56 | +You can enter a comma-separated list of field |
| 57 | +names, which is checked in sequence for suitability when a context is |
| 58 | +displayed. The first suitable field is used as the tiebreaking |
| 59 | +field. A field is suitable if the field exists and is sortable in the index |
| 60 | +pattern the context is based on. |
| 61 | ++ |
| 62 | +Although not required, it is recommended to only |
| 63 | +use fields that have {ref}/doc-values.html[doc values] enabled to achieve |
| 64 | +good performance and avoid unnecessary {ref}/modules-fielddata.html[field |
| 65 | +data] usage. Common examples for suitable fields include log line numbers, |
| 66 | +monotonically increasing counters and high-precision timestamps. |
0 commit comments