Search data
editSearch data
editMany Kibana apps embed a query bar for real-time search, including Discover and Dashboard.
Search your data
editTo search the indices that match the current index pattern, enter your search criteria in the query bar. By default, you’ll use Kibana’s standard query language (KQL), which features autocomplete and a simple, easy-to-use syntax. If you prefer to use Kibana’s legacy query language, based on the Lucene query syntax, you can switch to it from the KQL popup in the query bar. When you enable the legacy query language, you can use the full JSON-based Elasticsearch Query DSL.
Refresh search results
editAs more documents are added to the indices you’re searching, the search results shown in Discover, and used to display visualizations, get stale. Using the time filter, you can configure a refresh interval to periodically resubmit your searches to retrieve the latest results.
You can also manually refresh the search results by clicking the Refresh button.
Searching large amounts of data
editSometimes you want to search through large amounts of data no matter how long the search takes. While this might not happen often, there are times that long-running queries are required. Consider a threat hunting scenario where you need to search through years of data.
If you run a query, and the run time gets close to the timeout, you’re presented the option to ignore the timeout. This enables you to run queries with large amounts of data to completion.
By default, a query times out after 30 seconds. The timeout is in place to avoid unintentional load on the cluster.