Searching across multiple indices
editSearching across multiple indices
editYour map might contain multiple Elasticsearch indices. This can occur when your map contains two or more layers with Elasticsearch sources from different indices. This can also occur with a single layer with an Elasticsearch source and a Term join.
Searching across multiple indices might sometimes result in empty layers. The most common cause for empty layers are searches for a field that exists in one index, but does not exist in other indices.
Disable search for layer
editYou can prevent the search bar from applying search context to a layer by configuring the following:
- In Filtering, clear the Apply global filter to layer data checkbox to turn off the global search context for the layer source.
- In Term joins, clear the Apply global filter to join checkbox to turn off the global search context for the term join.
Use _index in your search
editAdd _index to your search to include documents from indices that do not contain a search field.
For example, suppose you have a vector layer showing the kibana_sample_data_logs
documents
and another vector layer with kibana_sample_data_flights
documents.
(See adding sample data
to install the kibana_sample_data_logs
and kibana_sample_data_flights
indices.)
If you query for
machine.os.keyword : "osx"
the kibana_sample_data_flights
layer is empty because the index
kibana_sample_data_flights
does not contain the field machine.os.keyword
and no documents match the query.
If you instead query for
machine.os.keyword : "osx" or _index : "kibana_sample_data_flights"
the kibana_sample_data_flights
layer includes data.